authorSlawek Kaplonski <skaplons@redhat.com>2023-02-01 11:48:34 +0100
committerSlawek Kaplonski <skaplons@redhat.com>2023-03-08 10:08:25 +0000
commitee28d85db943ebc6c525fad97b225236df054016 (patch)
treebf36006fb59def186e1e5940267a6b95d93fad2a
parent9dd8ab4b6a61600432189f508d4996367a231aed (diff)
[Secure RBAC] Add shared_security_groups rule
For shared security groups we need an additional rule which allows listing shared SGs for projects which aren't owners of the SG. Closes-bug: #2004015 Change-Id: Ic2a0e390f5baed6772bfeb5306052acaff657923 (cherry picked from commit 5d505e7b7c3d9cd6b54f24baa58ded8a07fb6290)
-rw-r--r--neutron/conf/policies/security_group.py10
1 files changed, 9 insertions, 1 deletions
diff --git a/neutron/conf/policies/security_group.py b/neutron/conf/policies/security_group.py
index 1dfd9097d2..5bd649dac8 100644
--- a/neutron/conf/policies/security_group.py
+++ b/neutron/conf/policies/security_group.py
@@ -42,6 +42,11 @@ rules = [
RULE_ADMIN_OR_SG_OWNER),
description=('Rule for resource owner, '
'admin or security group owner access')),
+ policy.RuleDefault(
+ name='shared_security_group',
+ check_str='field:security_groups:shared=True',
+ description='Definition of a shared security group'
+ ),
# TODO(amotoki): admin_or_owner is the right rule?
# Does an empty string make more sense for create_security_group?
policy.DocumentedRuleDefault(
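Review bot: The new alias at `check_str='field:security_groups:shared=True'` depends on the target dict handed to the enforcer actually carrying the `shared` attribute; when a caller enforces with a partial target the field check presumably evaluates false, which is the safe direction, but that dependency is invisible to an operator overriding the rule in policy.yaml. A comment next to the definition such as `# 'field:' compares the enforcement target's 'shared' attribute, so callers must pass a target that includes it` would make that explicit. The rule is defined with `policy.RuleDefault` rather than `DocumentedRuleDefault`, so it is an alias and not an operation, which matches how the other aliases in this list appear to be declared. The enclosing `rules` list starts and ends outside the hunk.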
@@ -63,7 +68,10 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_security_group',
- check_str=base.ADMIN_OR_PROJECT_READER,
+ check_str=base.policy_or(
+ base.ADMIN_OR_PROJECT_READER,
+ 'rule:shared_security_group'
+ ),
scope_types=['project'],
description='Get a security group',
operations=[
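Review bot: The widened check at `check_str=base.policy_or(base.ADMIN_OR_PROJECT_READER, 'rule:shared_security_group')` is not reflected in `description='Get a security group'` just below it, and that description is what operators see in the generated sample policy, so the fact that non-owner projects can now read shared groups by default is not documented where the default lives. Changing it to `description='Get a security group (owned by the project, or shared)'` keeps the policy docs in step with the check. The commit message speaks of listing shared SGs while only `get_security_group` changes here; if list filtering is enforced through this same rule that is sufficient, otherwise a matching change elsewhere would be needed, which cannot be verified from this hunk. The diffstat shows only this file with one deletion, so `get_security_group_rule` in the same file (outside the hunk) is presumably unchanged and rules of a shared group stay restricted to owners and admins; worth confirming that is the intended boundary.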