From 90edcf64419c708424c26f31a68e5c9c39bb7993 Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Fri, 5 Mar 2021 15:08:19 +0100
Subject: [PATCH] Add new policy rule SG_OWNER

During the migration to new, secure-rbac policies we already proposed rules NET_OWNER and PARENT_OWNER to extract "ADMIN" from the old, deprecated rules. We missed to do the same for SG_OWNER so this patch adds it and also switch new SG rules to use that new rule instead of old one.

Change-Id: Ic3ddfbfd0df59ffd10576f02730202c8b740ed26
---
 neutron/conf/policies/base.py           | 5 +++++
 neutron/conf/policies/security_group.py | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/neutron/conf/policies/base.py b/neutron/conf/policies/base.py
index 661b6042f94..836a1b5ba65 100644
--- a/neutron/conf/policies/base.py
+++ b/neutron/conf/policies/base.py
@@ -81,6 +81,7 @@ SYSTEM_OR_PROJECT_READER = (
 # Additional rules needed in Neutron
 RULE_NET_OWNER = 'rule:network_owner'
 RULE_PARENT_OWNER = 'rule:ext_parent_owner'
+RULE_SG_OWNER = 'rule:sg_owner'
 
 rules = [
     policy.RuleDefault(
@@ -141,6 +142,10 @@ rules = [
         'ext_parent_owner',
         'tenant_id:%(ext_parent:tenant_id)s',
         description='Rule for common parent owner check'),
+    policy.RuleDefault(
+        name='sg_owner',
+        check_str='tenant_id:%(security_group:tenant_id)s',
+        description='Rule for security group owner access'),
 ]
 
 
diff --git a/neutron/conf/policies/security_group.py b/neutron/conf/policies/security_group.py
index 2f78c13ec26..f3a9d3d1e6c 100644
--- a/neutron/conf/policies/security_group.py
+++ b/neutron/conf/policies/security_group.py
@@ -140,7 +140,7 @@ rules = [
         name='get_security_group_rule',
         check_str=base.policy_or(
             base.SYSTEM_OR_PROJECT_READER,
-            RULE_ADMIN_OWNER_OR_SG_OWNER),
+            base.RULE_SG_OWNER),
         scope_types=['system', 'project'],
         description='Get a security group rule',
         operations=[
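Review bot: The new `sg_owner` default registers a rule name that, as far as I remember the policy tree, security_group.py has historically registered itself with its own `policy.RuleDefault('sg_owner', ...)`, and the diffstat shows security_group.py changing only one line in this patch; if that older definition is still present, `list_rules()` would hand two defaults with the same name to the enforcer, which oslo.policy rejects as a duplicate, so please confirm it was removed or drop it in the same change. The check string `tenant_id:%(security_group:tenant_id)s` also relies on the `security_group:` prefix being resolved by Neutron's custom `tenant_id` check (which, if I recall correctly, loads the parent security group from the DB when the target only carries `security_group_id`), which is not obvious from this file; a comment above the entry such as `# security_group: is a parent reference resolved by neutron.policy's tenant_id check, not a key of the target dict` would save the next reader a trip. Style: this entry passes `name=` and `check_str=` as keywords while the neighbouring `ext_parent_owner` entry passes them positionally; pick one form for the list.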
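Review bot: Swapping `RULE_ADMIN_OWNER_OR_SG_OWNER` for `base.RULE_SG_OWNER` narrows the primary check for `get_security_group_rule`: a caller who previously matched only through the legacy admin-or-owner half (an `admin` role without system scope, or an owner token that lacks the `reader` role that `base.SYSTEM_OR_PROJECT_READER` presumably requires, following the other `SYSTEM_OR_*` rules in base.py) no longer passes the new rule. That is the intent of the migration, but it is only backward compatible if this `DocumentedRuleDefault` still carries a `deprecated_rule` pointing at the old check string for the deprecation window; the `operations` list and any `deprecated_rule`/`deprecated_since` keywords lie past the end of this hunk, so please confirm they are there. If this was the last reference to `RULE_ADMIN_OWNER_OR_SG_OWNER` in the module, flake8 will flag the dead name, which is another reason to check whether the deprecated rule still uses it.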