From 83a6418d683bf5226819eae5bb5a0054d39564c1 Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Thu, 1 Apr 2021 13:23:35 +0200
Subject: [PATCH] Fix new Network API policy rules

During the migration to the new policy rules with common personas, some actions like create_network or get_network were defined to be available only for PROJECT_MEMBER persona but wasn't allowed for SYSTEM_ADMIN. That is of course mistake and this patch fixes it.

Related-blueprint: bp/secure-rbac-roles
Change-Id: I820f727d7ff1d35cfa1900e9020c21576873814a
---
 neutron/conf/policies/network.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/neutron/conf/policies/network.py b/neutron/conf/policies/network.py
index 8d8dff6cf9c..f6ceb4858ec 100644
--- a/neutron/conf/policies/network.py
+++ b/neutron/conf/policies/network.py
@@ -45,7 +45,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='create_network',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
 scope_types=['project'],
 description='Create a network',
 operations=ACTION_POST,
@@ -93,7 +93,7 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='create_network:port_security_enabled',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
 scope_types=['project'],
 description=(
 'Specify ``port_security_enabled`` '
@@ -186,7 +186,7 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='get_network:router:external',
- check_str=base.PROJECT_READER,
+ check_str=base.SYSTEM_OR_PROJECT_READER,
 scope_types=['project'],
 description='Get ``router:external`` attribute of a network',
 operations=ACTION_GET,
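Review bot: The `create_network` rule now names a system persona in `check_str`, but the unchanged context line `scope_types=['project'],` still declares the rule project-only; the same mismatch is in the `create_network:port_security_enabled` and `get_network:router:external` hunks. With oslo.policy's `enforce_scope` enabled, a system-scoped token fails the scope check before the check string is evaluated, so the system-admin and system-reader access this patch intends would likely still be denied in deployments that enforce scope. If system scope is meant to be accepted, the line should read `scope_types=['system', 'project'],` on all three rules. The diffstat shows only network.py changed, so a policy unit test that enforces these three rules with a system-scoped admin and reader context would pin the intended behaviour. Each rule definition continues outside its hunk, so the rest of the arguments could not be checked here.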