[Policy] Set scope_types for BaseCheck rules

To be able to do policy checks for e.g. subattributes, Neutron is
creating rule objects which are subclasses of the oslo_policy.BaseCheck
objects but we didn't set scope_types in those newly created rules.

As we are now moving to the new secure RBAC rules, which allow us to
enforce scope checks, we need to set those scope types for such objects
to let oslo.policy enforce it when needed.

Related-Bug: #1923503
Change-Id: Ie9b4b908621a0e2ca7c9f7d8a3057c95e28f0dbd
Slawek Kaplonski 2021-09-06 12:05:16 +02:00
parent 1d2a4cb35a
commit 48f4e05b6e
1 changed files with 4 additions and 0 deletions

@ -206,6 +206,10 @@ def _build_match_rule(action, target, pluralized):
(e.g.: create_router:external_gateway_info:network_id)
"""
match_rule = policy.RuleCheck('rule', action)
registered_rule = _ENFORCER.registered_rules.get(action)
if registered_rule and registered_rule.scope_types:
match_rule.scope_types = registered_rule.scope_types
resource, enforce_attr_based_check = get_resource_and_action(
action, pluralized)
if enforce_attr_based_check:
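
Review bot: the new lookup `_ENFORCER.registered_rules.get(action)` in `_build_match_rule` dereferences the module-level `_ENFORCER` with no guard, so it relies on the enforcer having been initialised before any match rule is built; if that precondition is not guaranteed, this fails with an AttributeError instead of building a rule without scope_types. Either state the precondition in a comment or check `_ENFORCER` before the lookup. Two smaller points on the same lines: when the action is not registered, or its `scope_types` is empty, `match_rule` keeps its default and no scope check will apply to it, which is worth a short comment saying that this fallback is intended; and `match_rule.scope_types = registered_rule.scope_types` shares the registered rule's object rather than copying it, so a later in-place change on one side would affect the other. The commit touches one file only, so there is no test here; a unit test asserting that the rule returned for a registered action carries that action's `scope_types`, including the sub-attribute case named in the docstring example, would pin the behaviour.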