neutron/neutron
Slawek Kaplonski 924339ab11 [S-RBAC] Allow admin user to do all API requests by default
By default ADMIN user in the new Secure RBAC policies should behave in
the same way as in the legacy rules so basically every API operation for
any project should be allowed for ADMIN user.
In the new rules there are roles like PROJECT_MEMBER and PROJECT_READER
and those personas don't inherit directly from ADMIN, which means that
if something is possible for e.g. PROJECT_MEMBER it isn't automatically
also allowed to ADMIN and we need to explicitly allow ADMIN user to do
such requests. It was done like that for many of the API calls already but
not for all of them (probably by mistake).

This patch introduces new composite check ADMIN_OR_PROJECT_MEMBER and
uses it in the check strings where ADMIN or PROJECT_MEMBER user is
allowed to use the API.
It also changes some of the check strings which used "policy_or" to
combine ADMIN and PROJECT_MEMBER or PROJECT_READER so that those
composite checks ADMIN_OR_PROJECT_MEMBER and ADMIN_OR_PROJECT_READER are
used everywhere.

Closes-Bug: #1997089

Change-Id: Iab5cd6c7aa07ca8527c5fa8396c9ed0da65b4fa7
(cherry picked from commit 6d8ada0ac9)
2023-02-20 11:07:54 +00:00
..
agent Fullstack: Wait placement process fixtrue to really stop 2023-02-07 10:36:29 +00:00
api dhcp/rpc: retrieve network details with segments 2022-09-01 14:48:54 +02:00
cmd Script to remove duplicated port bindings 2022-08-18 08:13:56 +00:00
common Improve scheduling L3/DHCP agents, missing lower binding indexes 2023-02-13 17:53:00 +01:00
conf [S-RBAC] Allow admin user to do all API requests by default 2023-02-20 11:07:54 +00:00
core_extensions Revert "Set system_scope='all' in elevated context" 2021-06-15 10:29:20 +02:00
db Improve scheduling L3/DHCP agents, missing lower binding indexes 2023-02-13 17:53:00 +01:00
debug Fix typos in log/error messages 2022-06-01 21:17:29 +05:30
exceptions Add port-resource-request-groups extension 2021-10-21 14:30:07 +02:00
extensions [api]adds port_forwarding id when list floatingip 2022-08-26 08:45:09 +08:00
hacking Fix remaining typos in comments and tests 2022-07-06 21:20:27 +05:30
ipam Fix remaining typos in comments and tests 2022-07-06 21:20:27 +05:30
locale Imported Translations from Zanata 2022-04-30 03:45:16 +00:00
notifiers Retry connections to Nova 2022-09-02 11:26:40 +02:00
objects Improve scheduling L3/DHCP agents, missing lower binding indexes 2023-02-13 17:53:00 +01:00
pecan_wsgi Merge "Handle properly InvalidScope exceptions to not return error 500" 2022-04-19 06:42:29 +00:00
plugins Merge "Do not ignore attributes in bulk port create" into stable/zed 2023-02-13 15:42:34 +00:00
privileged Format the protocol number to be passed to pyroute2 2022-08-29 12:44:14 +02:00
profiling Remove "six" library 2020-07-28 16:55:52 +00:00
quota Implement specific tracked resource count method per quota driver 2022-07-28 06:01:18 +02:00
scheduler Improve scheduling L3/DHCP agents, missing lower binding indexes 2023-02-13 17:53:00 +01:00
server Use monkey_patch for neutron API server. 2022-04-28 13:34:36 +00:00
services [OVN] Allow logging all traffic related to an ACL 2023-02-02 12:34:47 +00:00
tests [S-RBAC] Allow admin user to do all API requests by default 2023-02-20 11:07:54 +00:00
__init__.py Remove usage of six.PY2 2020-05-22 12:59:01 -04:00
_i18n.py
auth.py Add fake_project_id middleware for noauth 2021-07-05 21:18:09 +05:30
manager.py Remove usage of six.add_metaclass 2020-05-21 14:41:18 -04:00
neutron_plugin_base_v2.py Remove usage of six.add_metaclass 2020-05-21 14:41:18 -04:00
opts.py Merge "Fix some pylint indentation warnings" 2022-07-05 17:19:29 +00:00
policy.py Bump oslo.policy to 3.12.0 2022-05-02 12:47:16 +02:00
service.py Re-use existing ProcessLauncher from wsgi in RPC workers 2020-02-07 14:51:06 +01:00
version.py
worker.py
wsgi.py Fix some pylint indentation warnings 2022-07-01 17:52:59 -04:00