Define missing policies for attributes with enforce_policy

Some attributes defined with enforce_policy True in the API
definitions are missing in the in-code policy definition.
This commit adds them.

Partially Implements: blueprint neutron-policy-in-code

Change-Id: I820d6c95e9af7959b4edfc6557862a5b2c236ee7
Akihiro Motoki 2019-01-07 19:06:35 +09:00
parent 15c782b5a1
commit b0ed6bb04e
3 changed files with 29 additions and 2 deletions


@ -37,6 +37,11 @@ rules = [
'create_network:is_default',
base.RULE_ADMIN_ONLY,
description='Access rule for creating network with is_default'),
policy.RuleDefault(
'create_network:port_security_enabled',
base.RULE_ANY,
description=('Access rule for creating network '
'with port_security_enabled')),
policy.RuleDefault(
'create_network:segments',
base.RULE_ADMIN_ONLY,
@ -120,6 +125,16 @@ rules = [
base.RULE_ADMIN_ONLY,
description=('Access rule for updating router:external attribute '
'of network')),
policy.RuleDefault(
'update_network:is_default',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating is_default attribute '
'of network')),
policy.RuleDefault(
'update_network:port_security_enabled',
base.RULE_ADMIN_OR_OWNER,
description=('Access rule for updating port_security_enabled '
'attribute of network')),
policy.RuleDefault(
'delete_network',
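Review bot: The descriptions of the new `create_network:port_security_enabled` (`base.RULE_ANY`) and `update_network:port_security_enabled` (`base.RULE_ADMIN_OR_OWNER`) rules only restate the attribute name, so an operator reading the generated policy sample cannot tell that this attribute decides whether anti-spoofing and security-group filtering apply by default to ports on the network. I would extend the text, e.g. `description=('Access rule for creating network with port_security_enabled; disabling it turns off anti-spoofing and security group filtering for ports on the network')`, so deployments that need to restrict it know which rule to tighten. The difference between `RULE_ANY` on create and an owner check on update is presumably intended because a new network belongs to its creator; a one-line comment saying so would save the next reviewer the question. The `rules` list starts and ends outside both hunks.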


@ -75,7 +75,11 @@ rules = [
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'port with binding profile')),
# TODO(amotoki): Add create_port:binding:vnic_type
policy.RuleDefault(
'create_port:binding:vnic_type',
base.RULE_ANY,
description=('Access rule for creating '
'port with binding vnic_type')),
policy.RuleDefault(
'create_port:allowed_address_pairs',
base.RULE_ADMIN_OR_NET_OWNER,
@ -157,7 +161,11 @@ rules = [
'update_port:binding:profile',
base.RULE_ADMIN_ONLY,
description='Access rule for updating binding profile of port'),
# TODO(amotoki): Add update_port:binding:vnic_type
policy.RuleDefault(
'update_port:binding:vnic_type',
base.policy_or(base.RULE_ADMIN_OR_OWNER,
base.RULE_ADVSVC),
description='Access rule for updating binding vnic_type of port'),
policy.RuleDefault(
'update_port:allowed_address_pairs',
base.RULE_ADMIN_OR_NET_OWNER,
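Review bot: `create_port:binding:vnic_type` defaults to `base.RULE_ANY`, while the neighbouring `create_port:allowed_address_pairs` requires `base.RULE_ADMIN_OR_NET_OWNER` and the new `update_port:binding:vnic_type` requires `base.policy_or(base.RULE_ADMIN_OR_OWNER, base.RULE_ADVSVC)`. With `RULE_ANY`, any tenant allowed to create a port on a network, possibly including a shared one, can choose the vnic type, and some vnic types may not have security groups enforced depending on the mechanism driver, so the permissive default deserves a stated reason or a tighter rule. If `RULE_ANY` is kept to match earlier behaviour, I would add a comment above the rule such as `# NOTE: RULE_ANY keeps vnic_type selectable by any port creator; override in the policy file to limit it.` The `rules` list continues outside both hunks.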


@ -38,6 +38,10 @@ rules = [
policy.RuleDefault('update_subnet',
base.RULE_ADMIN_OR_NET_OWNER,
description='Access rule for updating subnet'),
policy.RuleDefault('update_subnet:segment_id',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating segment_id '
'attribute of subnet')),
policy.RuleDefault('update_subnet:service_types',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating '