Merge "Update Neutron S-RBAC policies with what is in Neutron repo now"

2023-04-04 03:43:26 +00:00 · 2023-04-04 03:43:26 +00:00 · 1393d39be3
parent 2589c5a9b0 3a2a314afc
commit 1393d39be3
1 changed files with 10 additions and 4 deletions
--- a/environments/enable-secure-rbac.yaml
+++ b/environments/enable-secure-rbac.yaml
@ -878,7 +878,7 @@ parameter_defaults:
      value: "rule:admin_api"
    neutron-get_flavor:
      key: "get_flavor"
-      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
+      value: "rule:admin_api or role:reader"
    neutron-update_flavor:
      key: "update_flavor"
      value: "rule:admin_api"
@ -1181,10 +1181,13 @@ parameter_defaults:
      value: "rule:admin_api or role:data_plane_integrator"
    neutron-delete_port:
      key: "delete_port"
-      value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s)"
+      value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
+    neutron-shared_policy:
+      key: "shared_qos_policy"
+      value: "field:policies:shared=True"
    neutron-get_policy:
      key: "get_policy"
-      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
+      value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy"
    neutron-create_policy:
      key: "create_policy"
      value: "rule:admin_api"
@ -1362,12 +1365,15 @@ parameter_defaults:
    neutron-admin_owner_or_sg_owner:
      key: "admin_owner_or_sg_owner"
      value: "rule:owner or rule:admin_or_sg_owner"
+    neutron-shared_security_group:
+      key: "shared_security_group"
+      value: "field:security_groups:shared=True"
    neutron-create_security_group:
      key: "create_security_group"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-get_security_group:
      key: "get_security_group"
-      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
+      value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_security_group"
    neutron-update_security_group:
      key: "update_security_group"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"