neutron/neutron/conf/policies
Slawek Kaplonski 6e3525188f [S-RBAC] Fix policies for CUD subnets APIs
In the new, secure RBAC policies for create subnet, the rule
"ADMIN_OR_PROJECT_MEMBER" was used, and that was wrong, as this rule
basically allows any member (PROJECT_MEMBER) to create a subnet in networks
visible to them; the project does not necessarily need to be the owner of
that network. So it allowed users to create new subnets in the shared or
provider networks as well.
Now the policy for create subnet is ADMIN OR NET_OWNER_MEMBER to avoid that.

Additionally, this patch also fixes the policies for the update and delete
subnet APIs, where the rule NET_OWNER was used, which effectively allowed a
network owner who has only the READER role to update or delete a subnet.
Now this is also fixed by using the NET_OWNER_MEMBER rule instead.

Closes-Bug: #2023679

Change-Id: Ia494872b58f368581fb29fa40b7da17e1071db22
2023-06-21 09:52:39 +00:00
..
__init__.py [S-RBAC] Add API policies for get and activate port bindings 2023-05-29 16:29:58 +02:00
address_group.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
address_scope.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
agent.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
auto_allocated_topology.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
availability_zone.py [S-RBAC] Get availability zone API available for READER role 2023-04-17 17:31:20 +02:00
base.py [S-RBAC] Fix new policies for get QoS rules APIs 2023-05-09 12:30:50 +02:00
flavor.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
floatingip.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
floatingip_pools.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
floatingip_port_forwarding.py [S-RBAC] Fix new policies for FIP PFs APIs 2023-05-09 12:54:28 +02:00
l3_conntrack_helper.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
local_ip.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
local_ip_association.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
logging.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
metering.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
ndp_proxy.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
network.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
network_ip_availability.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
network_segment_range.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
port.py port-hints: api extension 2023-05-09 11:49:17 +02:00
port_bindings.py [S-RBAC] Add API policies for get and activate port bindings 2023-05-29 16:29:58 +02:00
qos.py [S-RBAC] Get QoS rule types API available for READER role 2023-05-11 11:15:29 +00:00
quotas.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
rbac.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
router.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
security_group.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
segment.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
service_type.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
subnet.py [S-RBAC] Fix policies for CUD subnets APIs 2023-06-21 09:52:39 +00:00
subnetpool.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00
trunk.py Use neutron-lib policy rules 2023-03-07 21:24:33 +03:00