From b0ed6bb04e8c68e53eecdbc6ddc25b838b96d8a7 Mon Sep 17 00:00:00 2001 From: Akihiro Motoki Date: Mon, 7 Jan 2019 19:06:35 +0900 Subject: [PATCH] Define missing policies for attributes with enforce_policy Some attributes defined with enforce_policy True in the API definitions are missing in the in-code policy definiton. This commit adds them. Partially Implements: blueprint neutron-policy-in-code Change-Id: I820d6c95e9af7959b4edfc6557862a5b2c236ee7 --- neutron/conf/policies/network.py | 15 +++++++++++++++ neutron/conf/policies/port.py | 12 ++++++++++-- neutron/conf/policies/subnet.py | 4 ++++ 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/neutron/conf/policies/network.py b/neutron/conf/policies/network.py index 2ae95e679ee..8988f2e559c 100644 --- a/neutron/conf/policies/network.py +++ b/neutron/conf/policies/network.py @@ -37,6 +37,11 @@ rules = [ 'create_network:is_default', base.RULE_ADMIN_ONLY, description='Access rule for creating network with is_default'), + policy.RuleDefault( + 'create_network:port_security_enabled', + base.RULE_ANY, + description=('Access rule for creating network ' + 'with port_security_enabled')), policy.RuleDefault( 'create_network:segments', base.RULE_ADMIN_ONLY, @@ -120,6 +125,16 @@ rules = [ base.RULE_ADMIN_ONLY, description=('Access rule for updating router:external attribute ' 'of network')), + policy.RuleDefault( + 'update_network:is_default', + base.RULE_ADMIN_ONLY, + description=('Access rule for updating is_default attribute ' + 'of network')), + policy.RuleDefault( + 'update_network:port_security_enabled', + base.RULE_ADMIN_OR_OWNER, + description=('Access rule for updating port_security_enabled ' + 'attribute of network')), policy.RuleDefault( 'delete_network', diff --git a/neutron/conf/policies/port.py b/neutron/conf/policies/port.py index a87514a5435..7cef39dac38 100644 --- a/neutron/conf/policies/port.py +++ b/neutron/conf/policies/port.py 
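Review bot: `create_network:port_security_enabled` is registered as `base.RULE_ANY` while the update rule for the same attribute in the following hunk is `base.RULE_ADMIN_OR_OWNER`, and nothing next to the rule explains the asymmetry, so a reader auditing port-security defaults will read it as "any project may create a network with port security disabled". Presumably this mirrors `create_network` itself being RULE_ANY (the caller becomes the owner, so an owner check is vacuous at create time), but that rule is outside this hunk and the commit message does not say which previous effective rule this preserves. Since a network created with `port_security_enabled=False` changes the default for every port later created on it, the rationale belongs beside the rule, e.g. `# create_network is RULE_ANY and the caller becomes the owner, so no narrower check is meaningful here; operators who want to forbid port_security_enabled=False for non-admins must override this in policy.yaml.` The description wording also differs from the update rule ('with port_security_enabled' vs 'attribute of network'); using one phrasing keeps the generated sample policy consistent.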
@@ -75,7 +75,11 @@ rules = [ base.RULE_ADMIN_ONLY, description=('Access rule for creating ' 'port with binding profile')), - # TODO(amotoki): Add create_port:binding:vnic_type + policy.RuleDefault( + 'create_port:binding:vnic_type', + base.RULE_ANY, + description=('Access rule for creating ' + 'port with binding vnic_type')), policy.RuleDefault( 'create_port:allowed_address_pairs', base.RULE_ADMIN_OR_NET_OWNER, @@ -157,7 +161,11 @@ rules = [ 'update_port:binding:profile', base.RULE_ADMIN_ONLY, description='Access rule for updating binding profile of port'), - # TODO(amotoki): Add update_port:binding:vnic_type + policy.RuleDefault( + 'update_port:binding:vnic_type', + base.policy_or(base.RULE_ADMIN_OR_OWNER, + base.RULE_ADVSVC), + description='Access rule for updating binding vnic_type of port'), policy.RuleDefault( 'update_port:allowed_address_pairs', base.RULE_ADMIN_OR_NET_OWNER, diff --git a/neutron/conf/policies/subnet.py b/neutron/conf/policies/subnet.py index 285bc479aea..be22862b7d2 100644 --- a/neutron/conf/policies/subnet.py +++ b/neutron/conf/policies/subnet.py @@ -38,6 +38,10 @@ rules = [ policy.RuleDefault('update_subnet', base.RULE_ADMIN_OR_NET_OWNER, description='Access rule for updating subnet'), + policy.RuleDefault('update_subnet:segment_id', + base.RULE_ADMIN_ONLY, + description=('Access rule for updating segment_id ' + 'attribute of subnet')), policy.RuleDefault('update_subnet:service_types', base.RULE_ADMIN_ONLY, description=('Access rule for updating '
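Review bot: Replacing the TODO with `base.RULE_ANY` for `create_port:binding:vnic_type` is a policy decision rather than a transcription of an existing rule, and neither the hunk nor the commit message says what the attribute fell back to before (an unregistered attribute rule presumably hit the `default` rule), so this may be a small relaxation rather than a no-op. vnic_type is the attribute that requests e.g. SR-IOV (`direct`, `direct-physical`) or `baremetal` bindings, so deployments that want those reserved for admins need to know this is the rule to override. I would add above the rule `# Any project may request any vnic_type; restrict hardware-backed types (direct, direct-physical, ...) to admins by overriding this rule in policy.yaml if required.` and state the choice in the commit message or a release note.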
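Review bot: `update_port:binding:vnic_type` gets `policy_or(RULE_ADMIN_OR_OWNER, RULE_ADVSVC)` while the adjacent `update_port:binding:profile` stays `RULE_ADMIN_ONLY`, so the `binding:*` attributes now carry different trust levels on update without a word of justification; if changing vnic_type on a bound port forces a rebind (I believe it does, but that logic is not in this hunk), an operator will want to know why a port owner may trigger it. Granting RULE_ADVSVC here is also new relative to the create side, which is plain RULE_ANY, so whether advsvc needed an explicit grant deserves a sentence in the commit message. A comment such as `# vnic_type is a tenant-visible binding request, unlike host_id/profile which are admin-only; advsvc is included so service plugins can change it on ports they manage` would capture the intent — please adjust the second half if that is not the actual reason.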