From 6a8be744acdf869d5e27d9cfa5753e445f18fbd7 Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Wed, 8 Mar 2023 12:06:01 +0100
Subject: [PATCH] Update Neutron S-RBAC policies with what is in Neutron repo now

Recently Neutron made some fixes in RBAC policies, see [1], [2], [3] and [4]. This patch updates custom policies deployed by Tripleo accordingly.

[1] https://review.opendev.org/c/openstack/neutron/+/872397
[2] https://review.opendev.org/c/openstack/neutron/+/872396
[3] https://review.opendev.org/c/openstack/neutron/+/872400
[4] https://review.opendev.org/c/openstack/neutron/+/872280

Closes-bz: #2176187
Change-Id: Ifb4dc278d8380fad6be2f56b9602d0c811dac721
---
 environments/enable-secure-rbac.yaml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/environments/enable-secure-rbac.yaml b/environments/enable-secure-rbac.yaml
index 2376349c4d..324e786692 100644
--- a/environments/enable-secure-rbac.yaml
+++ b/environments/enable-secure-rbac.yaml
@@ -878,7 +878,7 @@ parameter_defaults:
 value: "rule:admin_api"
 neutron-get_flavor:
 key: "get_flavor"
- value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or role:reader"
 neutron-update_flavor:
 key: "update_flavor"
 value: "rule:admin_api"
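Review bot: The new get_flavor value admits `role:reader` from any project where the removed line required `project_id:%(project_id)s`, and neither the hunk nor the commit message says which of the four upstream reviews this mirrors or why the project scope was dropped. Presumably flavor objects carry no project_id, so the old clause could never match and the rule was effectively admin-only; that should be confirmed against the upstream change rather than assumed. A comment above the key, `# flavors are not project-scoped; any reader may read them (upstream neutron default)`, would record the intent for the next person auditing this file.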
@@ -1181,10 +1181,13 @@ parameter_defaults:
 value: "rule:admin_api or role:data_plane_integrator"
 neutron-delete_port:
 key: "delete_port"
- value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s)"
+ value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
+ neutron-shared_policy:
+ key: "shared_qos_policy"
+ value: "field:policies:shared=True"
 neutron-get_policy:
 key: "get_policy"
- value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy"
 neutron-create_policy:
 key: "create_policy"
 value: "rule:admin_api"
@@ -1362,12 +1365,15 @@ parameter_defaults:
 neutron-admin_owner_or_sg_owner:
 key: "admin_owner_or_sg_owner"
 value: "rule:owner or rule:admin_or_sg_owner"
+ neutron-shared_security_group:
+ key: "shared_security_group"
+ value: "field:security_groups:shared=True"
 neutron-create_security_group:
 key: "create_security_group"
 value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_security_group:
 key: "get_security_group"
- value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_security_group"
 neutron-update_security_group:
 key: "update_security_group"
 value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
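Review bot: The map key `neutron-shared_policy` does not match the policy name it defines, `shared_qos_policy`, while every other entry in these hunks uses the policy name as the suffix (`neutron-get_policy`/`get_policy`, `neutron-shared_security_group`/`shared_security_group`); rename it to `neutron-shared_qos_policy:` so the two stay greppable together. The `or rule:shared_qos_policy` alternative on get_policy, like `or rule:shared_security_group` on get_security_group in the next hunk, carries no role or project check, so any authenticated caller can read a shared object; if that is the intended upstream semantics, a comment `# shared objects are readable by any authenticated role; only the shared flag is checked` above each `shared_*` definition would make the widening explicit to anyone auditing this file. The `or rule:network_owner` added to delete_port references a rule not defined in this hunk; it is presumably defined elsewhere in the file or by Neutron's defaults, but that is worth confirming, since a rule name with no definition grants nothing.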