Update Neutron S-RBAC policies with what is in Neutron repo now

Recently Neutron made some fixes in RBAC policies, see [1], [2], [3] and [4]. This patch updates custom policies deployed by Tripleo accordingly. [1] https://review.opendev.org/c/openstack/neutron/+/872397 [2] https://review.opendev.org/c/openstack/neutron/+/872396 [3] https://review.opendev.org/c/openstack/neutron/+/872400 [4] https://review.opendev.org/c/openstack/neutron/+/872280 Closes-bz: #2176187 Change-Id: Ifb4dc278d8380fad6be2f56b9602d0c811dac721
2023-03-08 12:06:01 +01:00 · 2023-03-08 12:06:01 +01:00 · 3a2a314afc
parent 1c7b14cadd
commit 3a2a314afc
1 changed files with 10 additions and 4 deletions
--- a/environments/enable-secure-rbac.yaml
+++ b/environments/enable-secure-rbac.yaml
@ -878,7 +878,7 @@ parameter_defaults:
      value: "rule:admin_api"
    neutron-get_flavor:
      key: "get_flavor"
-      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
+      value: "rule:admin_api or role:reader"
    neutron-update_flavor:
      key: "update_flavor"
      value: "rule:admin_api"
@ -1181,10 +1181,13 @@ parameter_defaults:
      value: "rule:admin_api or role:data_plane_integrator"
    neutron-delete_port:
      key: "delete_port"
-      value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s)"
+      value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
+    neutron-shared_policy:
+      key: "shared_qos_policy"
+      value: "field:policies:shared=True"
    neutron-get_policy:
      key: "get_policy"
-      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
+      value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy"
    neutron-create_policy:
      key: "create_policy"
      value: "rule:admin_api"
@ -1362,12 +1365,15 @@ parameter_defaults:
    neutron-admin_owner_or_sg_owner:
      key: "admin_owner_or_sg_owner"
      value: "rule:owner or rule:admin_or_sg_owner"
+    neutron-shared_security_group:
+      key: "shared_security_group"
+      value: "field:security_groups:shared=True"
    neutron-create_security_group:
      key: "create_security_group"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-get_security_group:
      key: "get_security_group"
-      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
+      value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_security_group"
    neutron-update_security_group:
      key: "update_security_group"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"