Fix new Network API policy rules
During the migration to the new policy rules with common personas, some actions like create_network or get_network were defined to be available only for the PROJECT_MEMBER persona but weren't allowed for SYSTEM_ADMIN. That is of course a mistake and this patch fixes it.

Related-blueprint: bp/secure-rbac-roles
Change-Id: I820f727d7ff1d35cfa1900e9020c21576873814a
This commit is contained in:
parent
07c0cc4a66
commit
83a6418d68
|
@ -45,7 +45,7 @@ rules = [
|
|||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_network',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Create a network',
|
||||
operations=ACTION_POST,
|
||||
|
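Review bot: the unchanged scope_types=['project'] line under create_network no longer matches the new check string. Judging by its name, base.SYSTEM_ADMIN_OR_PROJECT_MEMBER is meant to admit a system admin, but when oslo.policy scope enforcement (enforce_scope) is turned on, a system-scoped token is rejected on the scope check before the check string is evaluated, because 'system' is not listed in scope_types. Either add 'system' to scope_types for this rule, or state in the commit message that system admins are expected to call this API with a project-scoped token.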
@ -93,7 +93,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_network:port_security_enabled',
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``port_security_enabled`` '
|
||||
|
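Review bot: create_network:port_security_enabled has to stay in step with its parent create_network rule, and the hunks shown update only this one attribute rule. If any other create_network:<attribute> rule in this file is still on base.PROJECT_MEMBER, a system admin could create a network but would hit a policy failure as soon as the request sets that attribute. A unit test that exercises each attribute rule with the system admin persona would catch that. The scope_types=['project'] context line here raises the same scope question as on create_network.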
@ -186,7 +186,7 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_network:router:external',
|
||||
check_str=base.PROJECT_READER,
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get ``router:external`` attribute of a network',
|
||||
operations=ACTION_GET,
|
||||
|
|
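Review bot: the commit message names get_network, but the only read rule in the hunks shown is get_network:router:external. Please confirm that the base get_network rule already uses base.SYSTEM_OR_PROJECT_READER; otherwise a system reader is granted the attribute but not the network that carries it. Style point: SYSTEM_OR_PROJECT_READER and SYSTEM_ADMIN_OR_PROJECT_MEMBER follow different naming patterns (one names the system role, the other does not), so it is hard to tell from the rule alone which system role is admitted; consistent constant names in base, or a short comment here, would help.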