Merge "[S-RBAC] Get availability zone API available for READER role" into stable/2023.1stable/2023.1

2 files changed, 5 insertions, 7 deletions

diff --git a/neutron/conf/policies/availability_zone.py b/neutron/conf/policies/availability_zone.py
index faaea686d5..bd5e239d3b 100644
--- a/neutron/conf/policies/availability_zone.py
+++ b/neutron/conf/policies/availability_zone.py
@@ -22,7 +22,11 @@ DEPRECATION_REASON = (
 rules = [
     policy.DocumentedRuleDefault(
         name='get_availability_zone',
-        check_str=base.ADMIN,
+        # NOTE: it can't be ADMIN_OR_PROJECT_READER constant from the base
+        # module because that is using "project_id" in the check string and the
+        # availability_zone resource don't belongs to any project thus such
+        # check string would fail enforcement.
+        check_str='role:reader',
         description='List availability zones',
         operations=[
             {
diff --git a/neutron/tests/unit/conf/policies/test_availability_zone.py b/neutron/tests/unit/conf/policies/test_availability_zone.py
index ad797da9b4..85d9679121 100644
--- a/neutron/tests/unit/conf/policies/test_availability_zone.py
+++ b/neutron/tests/unit/conf/policies/test_availability_zone.py
@@ -70,12 +70,6 @@ class ProjectMemberTests(AdminTests):
         super(ProjectMemberTests, self).setUp()
         self.context = self.project_member_ctx
 
-    def test_get_availability_zone(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, "get_availability_zone", self.target)
-
 
 class ProjectReaderTests(ProjectMemberTests):