From 8fad40bd2f945a9c7e9dd446bc5ba0c112730c04 Mon Sep 17 00:00:00 2001
From: Felipe Monteiro
Date: Mon, 10 Apr 2017 19:45:23 +0100
Subject: [PATCH] Adding missing neutron policies to policy.json

Currently, Neutron's policy.json does not exhaustively list all the policy actions within Neutron. This has some downsides:
1) It makes it harder to override these policy actions
2) It is inconsistent
3) The policy.json should be a "golden copy" of all the policy actions enforced by the system.
4) It makes it harder to RBAC test Neutron (because it is very difficult to determine which policy actions are valid and which are not).

The current policy actions that are enforced by the system but not contained in the policy.json are as follows:
- create_security_group
- delete_security_group
- delete_security_group_rule
- get_security_group_rules
- get_security_groups
- get_security_group_rule
- get_security_group
- update_security_group
- update_router
- update_router:external_gateway_info
- update_router:external_gateway_info:network_id

Closes-Bug: #1676674
Change-Id: I4625c8f55bfa46b1a2209642e425677a47455219
---
 etc/policy.json | 15 ++++++++++++++-
 neutron/tests/etc/policy.json | 15 ++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/etc/policy.json b/etc/policy.json
index 49e1ae95efb..86e07074129 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -102,6 +102,9 @@
     "create_router:ha": "rule:admin_only",
     "get_router": "rule:admin_or_owner",
     "get_router:distributed": "rule:admin_only",
+    "update_router": "rule:admin_or_owner",
+    "update_router:external_gateway_info": "rule:admin_or_owner",
+    "update_router:external_gateway_info:network_id": "rule:admin_or_owner",
     "update_router:external_gateway_info:enable_snat": "rule:admin_only",
     "update_router:distributed": "rule:admin_only",
     "update_router:ha": "rule:admin_only",
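Review bot: The three new `update_router*` entries at the top of the hunk hard-wire `rule:admin_or_owner` for actions that were previously resolved through the file's `default` rule, so the change is only behavior-preserving for deployments whose `default` is `rule:admin_or_owner`; an operator who had tightened `default` (for example to `rule:admin_only`) to lock down unlisted actions will, on taking this file, see `update_router:external_gateway_info:network_id` loosen unless they override it explicitly. The commit message should state that the chosen values equal the previous effective defaults and note that `update_router:external_gateway_info:enable_snat` on the following context line deliberately stays `rule:admin_only`, so the split between the two sub-attributes reads as intentional rather than accidental. The `default` rule itself is outside this hunk, so its value is inferred from Neutron's usual shipped file and should be confirmed. policy.json is strict JSON with no comment syntax, so that explanation belongs in the commit message or a release note rather than in the file.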
@@ -210,5 +213,15 @@
     "delete_trunk": "rule:admin_or_owner",
     "get_subports": "",
     "add_subports": "rule:admin_or_owner",
-    "remove_subports": "rule:admin_or_owner"
+    "remove_subports": "rule:admin_or_owner",
+
+    "get_security_groups": "rule:admin_or_owner",
+    "get_security_group": "rule:admin_or_owner",
+    "create_security_group": "rule:admin_or_owner",
+    "update_security_group": "rule:admin_or_owner",
+    "delete_security_group": "rule:admin_or_owner",
+    "get_security_group_rules": "rule:admin_or_owner",
+    "get_security_group_rule": "rule:admin_or_owner",
+    "create_security_group_rule": "rule:admin_or_owner",
+    "delete_security_group_rule": "rule:admin_or_owner"
 }
diff --git a/neutron/tests/etc/policy.json b/neutron/tests/etc/policy.json
index 49e1ae95efb..86e07074129 100644
--- a/neutron/tests/etc/policy.json
+++ b/neutron/tests/etc/policy.json
@@ -102,6 +102,9 @@
     "create_router:ha": "rule:admin_only",
     "get_router": "rule:admin_or_owner",
     "get_router:distributed": "rule:admin_only",
+    "update_router": "rule:admin_or_owner",
+    "update_router:external_gateway_info": "rule:admin_or_owner",
+    "update_router:external_gateway_info:network_id": "rule:admin_or_owner",
     "update_router:external_gateway_info:enable_snat": "rule:admin_only",
     "update_router:distributed": "rule:admin_only",
     "update_router:ha": "rule:admin_only",
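Review bot: `create_security_group_rule` and `delete_security_group_rule` are pinned to `rule:admin_or_owner`, which as far as I can tell the policy engine evaluates against the rule object's own `tenant_id`; whether a caller may attach a rule to a given parent security group, or reference another tenant's group through `remote_group_id`, is therefore still decided in plugin code, and that division of responsibility deserves a sentence in the commit message so nobody later assumes policy.json alone expresses it. The commit message's list of newly covered actions also omits `create_security_group_rule`, which this hunk adds alongside the others. As with the router entries, these values only preserve existing behavior where the file's `default` rule (outside this hunk) is `rule:admin_or_owner`; a deployment that had hardened `default` will see every security-group action loosen when it adopts this file unless it overrides them. Appending the block after the trunk entries with a blank `+` line is consistent with how the file separates resource sections, and the last entry correctly carries no trailing comma before the closing `}`.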
@@ -210,5 +213,15 @@
     "delete_trunk": "rule:admin_or_owner",
     "get_subports": "",
     "add_subports": "rule:admin_or_owner",
-    "remove_subports": "rule:admin_or_owner"
+    "remove_subports": "rule:admin_or_owner",
+
+    "get_security_groups": "rule:admin_or_owner",
+    "get_security_group": "rule:admin_or_owner",
+    "create_security_group": "rule:admin_or_owner",
+    "update_security_group": "rule:admin_or_owner",
+    "delete_security_group": "rule:admin_or_owner",
+    "get_security_group_rules": "rule:admin_or_owner",
+    "get_security_group_rule": "rule:admin_or_owner",
+    "create_security_group_rule": "rule:admin_or_owner",
+    "delete_security_group_rule": "rule:admin_or_owner"
 }
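Review bot: This test fixture is a byte-for-byte copy of etc/policy.json (both files move from blob 49e1ae95efb to 86e07074129 in their `index` lines), so every policy change has to be applied twice by hand and the two copies can silently drift apart, which is exactly the kind of inconsistency the commit sets out to fix. Unless a test already asserts the two files are identical, it would be worth adding one, or turning the fixture into a symlink, in a follow-up; I cannot see from this page whether such a check exists. The hunk itself is identical to the etc/policy.json hunk above, so the same note about the `default` rule fallback applies here.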