Fix new Network API policy rules

During the migration to the new policy rules with common personas, some
actions like create_network or get_network were defined to be available
only for the PROJECT_MEMBER persona but weren't allowed for SYSTEM_ADMIN.
That is of course a mistake and this patch fixes it.

Related-blueprint: bp/secure-rbac-roles
Change-Id: I820f727d7ff1d35cfa1900e9020c21576873814a
(cherry picked from commit 83a6418d68)
Slawek Kaplonski 2021-04-01 13:23:35 +02:00
parent fec9d8f073
commit ec268b650f
1 changed files with 3 additions and 3 deletions


@ -45,7 +45,7 @@ rules = [
policy.DocumentedRuleDefault(
name='create_network',
check_str=base.PROJECT_MEMBER,
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Create a network',
operations=ACTION_POST,
@ -93,7 +93,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='create_network:port_security_enabled',
check_str=base.PROJECT_MEMBER,
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description=(
'Specify ``port_security_enabled`` '
@ -186,7 +186,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_network:router:external',
check_str=base.PROJECT_READER,
check_str=base.SYSTEM_OR_PROJECT_READER,
scope_types=['project'],
description='Get ``router:external`` attribute of a network',
operations=ACTION_GET,
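Review bot: All three rules keep `scope_types=['project']` while their `check_str` now names a system persona, so the scope declaration and the check string disagree. With oslo.policy's `enforce_scope` turned on, a system-scoped token is rejected on scope before `check_str` is evaluated, which would leave SYSTEM_ADMIN and system readers still locked out of `create_network`, `create_network:port_security_enabled` and `get_network:router:external`; with it off, the rule passes and only a scope-mismatch warning is logged. If system-scoped access is the intent, each of these should read `scope_types=['system', 'project'],`; this assumes the composite check strings in `base` test the system scope themselves, which is not visible here. The diffstat shows one changed file, so no test pins the new default: a policy unit test asserting that a system admin is allowed and that a project reader is still denied for `create_network` would catch a regression in a later persona migration. The `rules` list starts and ends outside these hunks.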