From e65d4e8475b974cfcfcdd1272c3aad70cad75ba3 Mon Sep 17 00:00:00 2001
From: huangtianhua <huangtianhua@huawei.com>
Date: Wed, 17 May 2017 09:55:16 +0800
Subject: [PATCH] Mark the default policy usage for neutron resource

The default policy usage of some neutron resources
is limited to administrators only. This change will
add the docstring and resource type policy for
the resources:
OS::Neutron::ProviderNet
OS::Neutron::Segment

Change-Id: Ia8c0bf1d0ceaf92416539ffba7ee85c6aa50e256
Closes-Bug: #1690328
---
 etc/heat/policy.json                                    | 2 ++
 heat/engine/resources/openstack/neutron/provider_net.py | 3 +++
 heat/engine/resources/openstack/neutron/segment.py      | 3 +++
 3 files changed, 8 insertions(+)

diff --git a/etc/heat/policy.json b/etc/heat/policy.json
index e8aad04fa4..f805f2c545 100644
--- a/etc/heat/policy.json
+++ b/etc/heat/policy.json
@@ -91,8 +91,10 @@
     "resource_types:OS::Neutron::Quota": "rule:project_admin",
     "resource_types:OS::Nova::Quota": "rule:project_admin",
     "resource_types:OS::Manila::ShareType": "rule:project_admin",
+    "resource_types:OS::Neutron::ProviderNet": "rule:project_admin",
     "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin",
     "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin",
+    "resource_types:OS::Neutron::Segment": "rule:project_admin",
     "resource_types:OS::Nova::HostAggregate": "rule:project_admin",
     "resource_types:OS::Cinder::QoSSpecs": "rule:project_admin",
     "resource_types:OS::Cinder::QoSAssociation": "rule:project_admin",
diff --git a/heat/engine/resources/openstack/neutron/provider_net.py b/heat/engine/resources/openstack/neutron/provider_net.py
index e7690b526c..1d1ad545fe 100644
--- a/heat/engine/resources/openstack/neutron/provider_net.py
+++ b/heat/engine/resources/openstack/neutron/provider_net.py
@@ -25,6 +25,9 @@ class ProviderNet(net.Net):
 
     Provider networks specify details of physical realisation of the existing
     network.
+
+    The default policy usage of this resource is limited to
+    administrators only.
     """
 
     required_service_extension = 'provider'
diff --git a/heat/engine/resources/openstack/neutron/segment.py b/heat/engine/resources/openstack/neutron/segment.py
index 40f5887983..4e8e2960c7 100644
--- a/heat/engine/resources/openstack/neutron/segment.py
+++ b/heat/engine/resources/openstack/neutron/segment.py
@@ -26,6 +26,9 @@ class Segment(neutron.NeutronResource):
 
     This requires enabling the segments service plug-in by appending
     'segments' to the list of service_plugins in the neutron.conf.
+
+    The default policy usage of this resource is limited to
+    administrators only.
     """
 
     required_service_extension = 'segment'