From 971747f4f23b4d8a3bf315011d0a441d03972860 Mon Sep 17 00:00:00 2001
From: Elena Ezhova
Date: Thu, 21 Aug 2014 18:36:42 +0400
Subject: [PATCH] Fix policy rules for adding and removing router interfaces

Currently "add_router_interface" and "remove_router_interface" policy rules have the "update_router" prefix and thus are never enforced. Removing the prefix activates the rules. Also moved some rules, so that all router-related rules are now grouped together.

Closes-Bug: 1356678
Change-Id: Ib6cc45f2c6d0c7ae394274d6196262529b9fd855
---
 etc/policy.json | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/etc/policy.json b/etc/policy.json
index d21427cb4e..e132310aaf 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -63,10 +63,17 @@
 "update_port:mac_learning_enabled": "rule:admin_or_network_owner",
 "delete_port": "rule:admin_or_owner",
+ "create_router": "rule:regular_user",
 "create_router:external_gateway_info:enable_snat": "rule:admin_only",
 "create_router:distributed": "rule:admin_only",
+ "get_router": "rule:admin_or_owner",
+ "get_router:distributed": "rule:admin_only",
 "update_router:external_gateway_info:enable_snat": "rule:admin_only",
 "update_router:distributed": "rule:admin_only",
+ "delete_router": "rule:admin_or_owner",
+
+ "add_router_interface": "rule:admin_or_owner",
+ "remove_router_interface": "rule:admin_or_owner",
 "create_firewall": "",
 "get_firewall": "rule:admin_or_owner",
@@ -105,13 +112,6 @@
 "get_loadbalancer-agent": "rule:admin_only",
 "get_loadbalancer-pools": "rule:admin_only",
- "create_router": "rule:regular_user",
- "get_router": "rule:admin_or_owner",
- "get_router:distributed": "rule:admin_only",
- "update_router:add_router_interface": "rule:admin_or_owner",
- "update_router:remove_router_interface": "rule:admin_or_owner",
- "delete_router": "rule:admin_or_owner",
-
 "create_floatingip": "rule:regular_user",
 "update_floatingip": "rule:admin_or_owner",
 "delete_floatingip": "rule:admin_or_owner",
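Review bot: The two new keys at the end of the first hunk, `"add_router_interface"` and `"remove_router_interface"`, only take effect where this shipped file is actually used; an operator-maintained policy.json that still carries the `update_router:`-prefixed names (removed in the second hunk) keeps rules that, per the commit message, are never enforced. What is applied to those two actions when the unprefixed keys are absent depends on the policy engine's fallback, which is not visible in this patch, so the upgrade notes should say so explicitly, for example `Rename "update_router:add_router_interface" and "update_router:remove_router_interface" to the unprefixed names in any customised policy.json`. The diffstat shows etc/policy.json as the only file changed, so nothing pins the fix: a unit test asserting that a non-admin, non-owner context is denied both actions would keep these rules from silently going dead again.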