Merge "Reorder subnet RBAC policy check strings"

2024-07-04 21:35:25 +00:00 · 2024-07-04 21:35:25 +00:00 · 82ebd4df9f
commit 82ebd4df9f
parent cfab008eef 729920da5e
1 changed files with 16 additions and 10 deletions
--- a/neutron/conf/policies/subnet.py
+++ b/neutron/conf/policies/subnet.py
@ -95,17 +95,19 @@ rules = [
    policy.DocumentedRuleDefault(
        name='get_subnet',
        check_str=neutron_policy.policy_or(
-            base.ADMIN_OR_NET_OWNER_MEMBER,
            base.PROJECT_READER,
-            'rule:shared'),
+            'rule:shared',
+            base.ADMIN_OR_NET_OWNER_MEMBER,
+        ),
        scope_types=['project'],
        description='Get a subnet',
        operations=ACTION_GET,
        deprecated_rule=policy.DeprecatedRule(
            name='get_subnet',
            check_str=neutron_policy.policy_or(
+                'rule:shared',
                neutron_policy.RULE_ADMIN_OR_OWNER,
-                'rule:shared'),
+            ),
            deprecated_reason=DEPRECATED_REASON,
            deprecated_since=versionutils.deprecated.WALLABY)
    ),
@ -124,9 +126,10 @@ rules = [
    policy.DocumentedRuleDefault(
        name='get_subnets_tags',
        check_str=neutron_policy.policy_or(
-            base.ADMIN_OR_NET_OWNER_MEMBER,
            base.PROJECT_READER,
-            'rule:shared'),
+            'rule:shared',
+            base.ADMIN_OR_NET_OWNER_MEMBER,
+        ),
        scope_types=['project'],
        description='Get the subnet tags',
        operations=ACTION_GET_TAGS,
@ -134,8 +137,8 @@ rules = [
    policy.DocumentedRuleDefault(
        name='update_subnet',
        check_str=neutron_policy.policy_or(
-            base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MEMBER),
+            base.PROJECT_MEMBER,
+            base.ADMIN_OR_NET_OWNER_MEMBER),
        scope_types=['project'],
        description='Update a subnet',
        operations=ACTION_PUT,
@ -172,8 +175,9 @@ rules = [
    policy.DocumentedRuleDefault(
        name='update_subnets_tags',
        check_str=neutron_policy.policy_or(
+            base.PROJECT_MEMBER,
            base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MEMBER),
+        ),
        scope_types=['project'],
        description='Update the subnet tags',
        operations=ACTION_PUT_TAGS,
@ -181,8 +185,9 @@ rules = [
    policy.DocumentedRuleDefault(
        name='delete_subnet',
        check_str=neutron_policy.policy_or(
+            base.PROJECT_MEMBER,
            base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MEMBER),
+        ),
        scope_types=['project'],
        description='Delete a subnet',
        operations=ACTION_DELETE,
@ -195,8 +200,9 @@ rules = [
    policy.DocumentedRuleDefault(
        name='delete_subnets_tags',
        check_str=neutron_policy.policy_or(
+            base.PROJECT_MEMBER,
            base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MEMBER),
+        ),
        scope_types=['project'],
        description='Delete the subnet tags',
        operations=ACTION_DELETE_TAGS,