From 9c2f0bba61575088526da8a2da376cb1bf4a3043 Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Wed, 3 Mar 2021 10:29:25 +0100
Subject: [PATCH] Add new policy rules NET_OWNER and PARENT_OWNER
In old policies we have rules ADMIN_OR_NET_OWNER and ADMIN_OR_PARENT_OWNER but now as we are moving to new secure RBAC roles we need to extract "admin-ness" from those rules as ADMIN is already checked in the default roles, like SYSTEM_ADMIN or PROJECT_ADMIN. This patch proposes such new rules and uses them in the subnet policies which were already migrated to the new secure-rbac policies.
Change-Id: Id61d24ca2d7b1293e9f1bc84f52944321880dbbd
---
 neutron/conf/policies/base.py | 3 +++
 neutron/conf/policies/subnet.py | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/neutron/conf/policies/base.py b/neutron/conf/policies/base.py
index 44f6520973e..4b1ad4a515c 100644
--- a/neutron/conf/policies/base.py
+++ b/neutron/conf/policies/base.py
@@ -78,6 +78,9 @@ SYSTEM_ADMIN_OR_PROJECT_MEMBER = (
 SYSTEM_OR_PROJECT_READER = (
 '(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')')
+# Additional rules needed in Neutron
+RULE_NET_OWNER = 'rule:network_owner'
+RULE_PARENT_OWNER = 'rule:ext_parent_owner'
 rules = [
 policy.RuleDefault(
diff --git a/neutron/conf/policies/subnet.py b/neutron/conf/policies/subnet.py
index 456e6b4362c..134cb8a705b 100644
--- a/neutron/conf/policies/subnet.py
+++ b/neutron/conf/policies/subnet.py
@@ -41,7 +41,7 @@ rules = [
 name='create_subnet',
 check_str=base.policy_or(
 base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- base.RULE_ADMIN_OR_NET_OWNER),
+ base.RULE_NET_OWNER),
 scope_types=['system', 'project'],
 description='Create a subnet',
 operations=ACTION_POST,
@@ -111,7 +111,7 @@ rules = [
 name='update_subnet',
 check_str=base.policy_or(
 base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- base.RULE_ADMIN_OR_NET_OWNER),
+ base.RULE_NET_OWNER),
 scope_types=['system', 'project'],
 description='Update a subnet',
 operations=ACTION_PUT,
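Review bot: The new constants `RULE_NET_OWNER` and `RULE_PARENT_OWNER` in the base.py hunk carry only `# Additional rules needed in Neutron`, which omits the property a policy author must know before using them: unlike `RULE_ADMIN_OR_NET_OWNER`, they match the owner alone and grant nothing to admins, so they are only safe as one disjunct of a `policy_or` whose other branch already covers the SYSTEM_ADMIN/PROJECT_* roles. I would replace that comment with `# Owner-only rules (no admin disjunct): use as one branch of policy_or; admin access must come from the SYSTEM_*/PROJECT_* base rules.` Both strings are `rule:` references to `network_owner` and `ext_parent_owner`, whose `RuleDefault` registrations are not in the hunk — presumably in the `rules` list that opens on the hunk's last two lines and continues past it — and, as far as I recall, oslo.policy evaluates a reference to an unregistered rule as False rather than raising, so a misspelling here would silently deny instead of failing at load; worth confirming the names against the registrations. `RULE_PARENT_OWNER` is introduced but not used anywhere in this patch.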
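Review bot: After this change `create_subnet` is `SYSTEM_ADMIN_OR_PROJECT_MEMBER or rule:network_owner`, and the owner disjunct now carries no role or scope qualifier of its own, so if `network_owner` is a bare project-id match (its definition is outside the hunk) a token holding only the reader role on the network's project would satisfy it — exactly the case the first disjunct is written to exclude. If that is intended (the network's project may always attach subnets regardless of role), it should be stated, e.g. `# net owner branch intentionally has no role requirement` above `check_str`; if not, the owner branch needs to be conjoined with the member role, which `policy_or` alone cannot express (base shows only `policy_or` on this page — a `policy_and`-style helper would be needed). The same replacement is made for `update_subnet` (@@ -111) and `delete_subnet` (@@ -149), so whichever answer applies should be applied to all three. The enclosing `policy.DocumentedRuleDefault(` call and the `rules = [` list both begin outside the hunk.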
@@ -149,7 +149,7 @@ rules = [
 name='delete_subnet',
 check_str=base.policy_or(
 base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- base.RULE_ADMIN_OR_NET_OWNER),
+ base.RULE_NET_OWNER),
 scope_types=['system', 'project'],
 description='Delete a subnet',
 operations=ACTION_DELETE,