Adding missing neutron policies to policy.json

Currently, Neutron's policy.json does not exhaustively list all the policy actions within Neutron. This has some downsides: 1) It makes it harder to override these policy actions 2) It is inconsistent 3) The policy.json should be a "golden copy" of all the policy actions enforced by the system. 4) It makes it harder to RBAC test Neutron (because it is very difficult to determine which policy actions are valid and which are not). The current policy actions that are enforced by the system but not contained in the policy.json are as follows: - create_security_group - delete_security_group - delete_security_group_rule - get_security_group_rules - get_security_groups - get_security_group_rule - get_security_group - update_security_group - update_router - update_router:external_gateway_info - update_router:external_gateway_info:network_id Closes-Bug: #1676674 Change-Id: I4625c8f55bfa46b1a2209642e425677a47455219
2017-04-10 19:45:23 +01:00
parent b4ac177451
commit 8fad40bd2f
2 changed files with 28 additions and 2 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -102,6 +102,9 @@
    "create_router:ha": "rule:admin_only",
    "get_router": "rule:admin_or_owner",
    "get_router:distributed": "rule:admin_only",
+    "update_router": "rule:admin_or_owner",
+    "update_router:external_gateway_info": "rule:admin_or_owner",
+    "update_router:external_gateway_info:network_id": "rule:admin_or_owner",
    "update_router:external_gateway_info:enable_snat": "rule:admin_only",
    "update_router:distributed": "rule:admin_only",
    "update_router:ha": "rule:admin_only",
@@ -210,5 +213,15 @@
    "delete_trunk": "rule:admin_or_owner",
    "get_subports": "",
    "add_subports": "rule:admin_or_owner",
-    "remove_subports": "rule:admin_or_owner"
+    "remove_subports": "rule:admin_or_owner",
+
+    "get_security_groups": "rule:admin_or_owner",
+    "get_security_group": "rule:admin_or_owner",
+    "create_security_group": "rule:admin_or_owner",
+    "update_security_group": "rule:admin_or_owner",
+    "delete_security_group": "rule:admin_or_owner",
+    "get_security_group_rules": "rule:admin_or_owner",
+    "get_security_group_rule": "rule:admin_or_owner",
+    "create_security_group_rule": "rule:admin_or_owner",
+    "delete_security_group_rule": "rule:admin_or_owner"
 }
--- a/neutron/tests/etc/policy.json
+++ b/neutron/tests/etc/policy.json
@@ -102,6 +102,9 @@
    "create_router:ha": "rule:admin_only",
    "get_router": "rule:admin_or_owner",
    "get_router:distributed": "rule:admin_only",
+    "update_router": "rule:admin_or_owner",
+    "update_router:external_gateway_info": "rule:admin_or_owner",
+    "update_router:external_gateway_info:network_id": "rule:admin_or_owner",
    "update_router:external_gateway_info:enable_snat": "rule:admin_only",
    "update_router:distributed": "rule:admin_only",
    "update_router:ha": "rule:admin_only",
@@ -210,5 +213,15 @@
    "delete_trunk": "rule:admin_or_owner",
    "get_subports": "",
    "add_subports": "rule:admin_or_owner",
-    "remove_subports": "rule:admin_or_owner"
+    "remove_subports": "rule:admin_or_owner",
+
+    "get_security_groups": "rule:admin_or_owner",
+    "get_security_group": "rule:admin_or_owner",
+    "create_security_group": "rule:admin_or_owner",
+    "update_security_group": "rule:admin_or_owner",
+    "delete_security_group": "rule:admin_or_owner",
+    "get_security_group_rules": "rule:admin_or_owner",
+    "get_security_group_rule": "rule:admin_or_owner",
+    "create_security_group_rule": "rule:admin_or_owner",
+    "delete_security_group_rule": "rule:admin_or_owner"
 }