author | Slawek Kaplonski <skaplons@redhat.com> | 2023-02-01 11:48:34 +0100 |
committer | Slawek Kaplonski <skaplons@redhat.com> | 2023-03-08 10:08:25 +0000 |
commit | ee28d85db943ebc6c525fad97b225236df054016 (patch) | |
tree | bf36006fb59def186e1e5940267a6b95d93fad2a | |
parent | 9dd8ab4b6a61600432189f508d4996367a231aed (diff) | |
download | neutron-ee28d85db943ebc6c525fad97b225236df054016.tar.gz |
[Secure RBAC] Add shared_security_groups rule
For shared security groups we need an additional policy rule that allows
projects which do not own a shared SG to list and read it.
Closes-bug: #2004015
Change-Id: Ic2a0e390f5baed6772bfeb5306052acaff657923
(cherry picked from commit 5d505e7b7c3d9cd6b54f24baa58ded8a07fb6290)
-rw-r--r-- | neutron/conf/policies/security_group.py | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/neutron/conf/policies/security_group.py b/neutron/conf/policies/security_group.py
index 1dfd9097d2..5bd649dac8 100644
--- a/neutron/conf/policies/security_group.py
+++ b/neutron/conf/policies/security_group.py
@@ -42,6 +42,11 @@ rules = [
 RULE_ADMIN_OR_SG_OWNER),
 description=('Rule for resource owner, '
 'admin or security group owner access')),
+ policy.RuleDefault(
+ name='shared_security_group',
+ check_str='field:security_groups:shared=True',
+ description='Definition of a shared security group'
+ ),
 # TODO(amotoki): admin_or_owner is the right rule?
 # Does an empty string make more sense for create_security_group?
 policy.DocumentedRuleDefault(
@@ -63,7 +68,10 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='get_security_group',
- check_str=base.ADMIN_OR_PROJECT_READER,
+ check_str=base.policy_or(
+ base.ADMIN_OR_PROJECT_READER,
+ 'rule:shared_security_group'
+ ),
 scope_types=['project'],
 description='Get a security group',
 operations=[
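Review bot: The new `shared_security_group` rule is defined purely by a target attribute (`field:security_groups:shared=True`), so by itself it imposes no role and no scope; any operation that ORs it in inherits that property. A comment above the `policy.RuleDefault(` line stating the intent would prevent it being reused as if it were an access-granting rule on its own: `# Matches only on the target SG's 'shared' attribute; it carries no role or scope requirement and should be combined with a role-bearing check wherever it is used.` Whether `shared` is always present on the target dict passed to the enforcer (a missing attribute would make this check fail closed) is not visible here and worth confirming. The enclosing `rules` list starts and ends outside the hunk.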
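Review bot: In `get_security_group`, the `policy_or` makes the `rule:shared_security_group` branch sufficient on its own, so a project-scoped token with no `reader` role at all can read a shared SG, which is looser than the `base.ADMIN_OR_PROJECT_READER` branch it sits beside. If the intent is that only project readers see shared SGs, the branch should keep the role requirement, e.g. `base.policy_and(base.PROJECT_READER, 'rule:shared_security_group')` (assuming `policy_and` and `PROJECT_READER` exist in `base` alongside `policy_or`, which this hunk does not show). If the role-less form is deliberate because shared networks are already handled the same way in this file, a one-line comment saying so would spare the next reviewer the same question. Rules that key on SG ownership elsewhere (for example reads of the SG's rules via `RULE_ADMIN_OR_SG_OWNER`) are not changed by this commit, so a non-owner may still be unable to read the rules of a shared SG; worth checking against the bug's scope. The enclosing `rules` list starts and ends outside the hunk.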