From ca78bf4a6b9ede08c98bb449b657f001d84f5efc Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski <skaplons@redhat.com>
Date: Thu, 1 Apr 2021 10:25:34 +0200
Subject: [PATCH] Fix Floating IP policy rules

During migration to the new secure API rules of the Floating IP API we
made some mistakes. This patch fixes it by:

* allow SYSTEM_ADMIN to create floating IPs,
* fix wrong name of the deprecated rule for update and delete floating
  IP

Related-blueprint: bp/secure-rbac-roles
Change-Id: Idba1cf4949f089deb9cc54a6648ec795c59a7377
(cherry picked from commit dd6cd3fb8a0a1ed3b9d5bb2ecba8422433f657e8)
---
 neutron/conf/policies/floatingip.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/neutron/conf/policies/floatingip.py b/neutron/conf/policies/floatingip.py
index e41549633ca..682f9b56d9a 100644
--- a/neutron/conf/policies/floatingip.py
+++ b/neutron/conf/policies/floatingip.py
@@ -25,7 +25,7 @@ DEPRECATION_REASON = (
 rules = [
     policy.DocumentedRuleDefault(
         name='create_floatingip',
-        check_str=base.PROJECT_MEMBER,
+        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
         description='Create a floating IP',
         operations=[
             {
@@ -90,7 +90,7 @@ rules = [
         ],
         scope_types=['system', 'project'],
         deprecated_rule=policy.DeprecatedRule(
-            name='create_floatingip',
+            name='update_floatingip',
             check_str=base.RULE_ADMIN_OR_OWNER,
             deprecated_reason=DEPRECATION_REASON,
             deprecated_since=versionutils.deprecated.WALLABY)
@@ -107,7 +107,7 @@ rules = [
         ],
         scope_types=['system', 'project'],
         deprecated_rule=policy.DeprecatedRule(
-            name='create_floatingip',
+            name='delete_floatingip',
             check_str=base.RULE_ADMIN_OR_OWNER,
             deprecated_reason=DEPRECATION_REASON,
             deprecated_since=versionutils.deprecated.WALLABY)