From a25b9f74d604b042d5fdbd07be401f375b0b71f3 Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Thu, 1 Apr 2021 16:10:04 +0200
Subject: [PATCH] Fix create_port new API policy roles

Some rules for create port, using new personas policies allowed to create port PROJECT_MEMBER persona but not SYSTEM_ADMIN. So this patch fixes it by adding SYSTEM_ADMIN to that rules too.

Related-blueprint: bp/secure-rbac-roles
Change-Id: I65130b299541dd4559e2d758fb4ab9d68c6f2cfa
(cherry picked from commit 2bc1572740d9eb6cff8c8d893c5a24ab10ed37b0)
---
 neutron/conf/policies/port.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/neutron/conf/policies/port.py b/neutron/conf/policies/port.py
index fa1ebbecc4a..53cc4a40b1f 100644
--- a/neutron/conf/policies/port.py
+++ b/neutron/conf/policies/port.py
@@ -51,7 +51,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='create_port',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
 scope_types=['system', 'project'],
 description='Create a port',
 operations=ACTION_POST,
@@ -211,7 +211,7 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='create_port:binding:vnic_type',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
 scope_types=['project'],
 description=(
 'Specify ``binding:vnic_type`` '
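Review bot: In the second hunk `create_port:binding:vnic_type` now names the system-admin persona in `check_str`, but the unchanged context line right after it still reads `scope_types=['project']`. If scope enforcement is turned on in oslo.policy (`enforce_scope`), a system-scoped token would presumably be rejected on scope before the check string is evaluated, so a system admin could create a plain port (first hunk, `['system', 'project']`) yet still be refused when setting `binding:vnic_type`. Consider `scope_types=['system', 'project'],` here, or a comment explaining why this attribute stays project-only; a policy unit test for the system-admin case would pin whichever behaviour is intended. The rule definition continues past the end of the hunk, so anything set further down is not visible here.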