[Secure RBAC] Fix policy to get flavors

Flavors are resources which don't have owner and should be able to be listed/showed by any user with READER role. This patch fixes policy for "get_flavor" action to match this requirement. Additionall it removes "project_id" field from the target object in the flavor policy unit tests. Closes-Bug: #2004017 Change-Id: I254e88f7c32343034f4799b63b1088c3f966d7a6 (cherry picked from commit 1c27d8b5b4)
2023-02-01 12:22:50 +01:00 · 2023-02-01 12:22:50 +01:00 · 899c966945
parent 1ac90fba3e
commit 899c966945
2 changed files with 6 additions and 2 deletions
--- a/neutron/conf/policies/flavor.py
+++ b/neutron/conf/policies/flavor.py
@ -47,7 +47,11 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='get_flavor',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        # NOTE: it can't be ADMIN_OR_PROJECT_READER constant from the base
+        # module because that is using "project_id" in the check string and the
+        # service_provider resource don't belongs to any project thus such
+        # check string would fail enforcement.
+        check_str='role:reader',
        description='Get a flavor',
        operations=[
            {
--- a/neutron/tests/unit/conf/policies/test_flavor.py
+++ b/neutron/tests/unit/conf/policies/test_flavor.py
@ -23,7 +23,7 @@ class FlavorAPITestCase(base.PolicyBaseTestCase):

    def setUp(self):
        super(FlavorAPITestCase, self).setUp()
-        self.target = {'project_id': self.project_id}
+        self.target = {}


 class SystemAdminTests(FlavorAPITestCase):