Fix new API policies for RBAC

During the migration to the new policies, the policy for
{create,update}_rbac_policy:target_tenant was set so that it was allowed for all admin
users. That means that PROJECT_ADMIN was able to, e.g., create an RBAC policy
for an object which belongs to a different tenant.
This patch fixes it, as PROJECT_ADMIN should only be able to create or
update RBAC policies for its own objects.

Related-blueprint: bp/secure-rbac-roles
Change-Id: Idd8bfd7075bb537cb8f0398a1e513e74f4ac5eef
Slawek Kaplonski 2021-04-06 15:35:39 +02:00
parent 58c9912be0
commit de69a55378
1 changed files with 2 additions and 2 deletions


@ -53,7 +53,7 @@ rules = [
name='create_rbac_policy:target_tenant',
check_str=base.policy_or(
base.SYSTEM_ADMIN,
'rule:restrict_wildcard'),
'(not field:rbac_policy:target_tenant=*)'),
description='Specify ``target_tenant`` when creating an RBAC policy',
operations=[
{
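Review bot: the replacement of `'rule:restrict_wildcard'` with the inline check `'(not field:rbac_policy:target_tenant=*)'` in `create_rbac_policy:target_tenant` only constrains the wildcard case; a non-system-admin can still pass any concrete `target_tenant`, so the "own objects only" restriction described in the commit message must come from the base `create_rbac_policy` rule, which is not part of this hunk. Please point to that rule in the commit message or add a policy unit test that exercises PROJECT_ADMIN with a concrete `target_tenant` (allowed) and with `*` (denied) so the fix is verifiable. Also confirm whether `restrict_wildcard` is still referenced anywhere after this change; if not, its definition should be removed in the same patch rather than left as a dead rule.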
@ -89,7 +89,7 @@ rules = [
name='update_rbac_policy:target_tenant',
check_str=base.policy_or(
base.SYSTEM_ADMIN,
'rule:restrict_wildcard'),
'(not field:rbac_policy:target_tenant=*)'),
description='Update ``target_tenant`` attribute of an RBAC policy',
operations=[
{
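Review bot: the inline string `'(not field:rbac_policy:target_tenant=*)'` is now duplicated verbatim between `create_rbac_policy:target_tenant` and `update_rbac_policy:target_tenant`; keeping a single named rule for the wildcard check (as `restrict_wildcard` was) would avoid the two drifting apart on a later edit. The `description` for this rule also still reads only "Update ``target_tenant`` attribute of an RBAC policy"; since the wildcard target is now reserved for `base.SYSTEM_ADMIN`, stating that in the description (and in the generated policy sample) would document the behaviour change for operators.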