Merge "Added RBAC for vip_sg_ids"

2025-02-27 06:17:13 +00:00
parent 208d66b4e3 5396c627f4
commit 083dd12b08
2 changed files with 20 additions and 0 deletions
@@ -462,6 +462,10 @@ class LoadBalancersController(base.BaseController):

        self._auth_validate_action(context, load_balancer.project_id,
                                   constants.RBAC_POST)
+        if not isinstance(load_balancer.vip_sg_ids, wtypes.UnsetType):
+            self._auth_validate_action(
+                context, load_balancer.project_id,
+                f"{constants.RBAC_POST}:vip_sg_ids")

        self._validate_vip_request_object(load_balancer, context=context)

@@ -732,6 +736,9 @@ class LoadBalancersController(base.BaseController):

        self._auth_validate_action(context, db_lb.project_id,
                                   constants.RBAC_PUT)
+        if not isinstance(load_balancer.vip_sg_ids, wtypes.UnsetType):
+            self._auth_validate_action(context, db_lb.project_id,
+                                       f"{constants.RBAC_PUT}:vip_sg_ids")

        if not isinstance(load_balancer.vip_qos_policy_id, wtypes.UnsetType):
            network_driver = utils.get_network_driver()
@@ -34,6 +34,12 @@ rules = [
        "Create a Load Balancer",
        [{'method': 'POST', 'path': '/v2/lbaas/loadbalancers'}]
    ),
+    policy.DocumentedRuleDefault(
+        f'{constants.RBAC_LOADBALANCER}{constants.RBAC_POST}:vip_sg_ids',
+        constants.RULE_API_WRITE,
+        "Create a Load Balancer with VIP Security Groups",
+        [{'method': 'POST', 'path': '/v2/lbaas/loadbalancers'}]
+    ),
    policy.DocumentedRuleDefault(
        f'{constants.RBAC_LOADBALANCER}{constants.RBAC_GET_ONE}',
        constants.RULE_API_READ,
@@ -48,6 +54,13 @@ rules = [
        [{'method': 'PUT',
          'path': '/v2/lbaas/loadbalancers/{loadbalancer_id}'}]
    ),
+    policy.DocumentedRuleDefault(
+        f'{constants.RBAC_LOADBALANCER}{constants.RBAC_PUT}:vip_sg_ids',
+        constants.RULE_API_WRITE,
+        "Update the VIP Security Groups of a Load Balancer",
+        [{'method': 'PUT',
+          'path': '/v2/lbaas/loadbalancers/{loadbalancer_id}'}]
+    ),
    policy.DocumentedRuleDefault(
        f'{constants.RBAC_LOADBALANCER}{constants.RBAC_DELETE}',
        constants.RULE_API_WRITE,