authorSlawek Kaplonski <skaplons@redhat.com>2023-05-09 12:28:03 +0200
committerSlawek Kaplonski <skaplons@redhat.com>2023-05-09 12:30:50 +0200
commitbe0dc09d52efd5e7236a33be552edb6644371cd0 (patch)
tree1c557c919e44edcaf64acf6a2408825379a740d0 /neutron/conf/policies/base.py
parent9319ba00a986e693eeb4707055aa53111601e7c8 (diff)
[S-RBAC] Fix new policies for get QoS rules APIs
During the transition to the new secure RBAC API policies, we made a mistake with the policies for QoS rules by defining them to be available for ADMIN_OR_PROJECT_READER. This cannot work, as QoS rules don't have a tenant_id attribute and always belong to the owner of the QoS policy. To fix that, this patch introduces new rules, ADMIN_OR_PARENT_OWNER_READER and ADMIN_OR_PARENT_OWNER_MEMBER, and uses those in the QoS rules APIs. Closes-Bug: #2018727 Change-Id: I522aeab5094b3f4854303d5e18f3abf6130fb33c
Diffstat (limited to 'neutron/conf/policies/base.py')
-rw-r--r--neutron/conf/policies/base.py14
1 files changed, 14 insertions, 0 deletions
diff --git a/neutron/conf/policies/base.py b/neutron/conf/policies/base.py
index 14e419e7d1..395e4fd7f5 100644
--- a/neutron/conf/policies/base.py
+++ b/neutron/conf/policies/base.py
@@ -43,6 +43,20 @@ RULE_NET_OWNER = 'rule:network_owner'
RULE_PARENT_OWNER = 'rule:ext_parent_owner'
RULE_SG_OWNER = 'rule:sg_owner'
+# In some cases we need to check owner of the parent resource, it's like that
+# for example for QoS rules (check owner of QoS policy rule belongs to) or
+# Floating IP port forwarding (check owner of FIP which PF is using). It's like
+# that becasue those resources (QOS rules, FIP PFs) don't have project_id
+# attribute at all and they belongs to the same project as parent resource (QoS
+# policy, FIP).
+PARENT_OWNER_MEMBER = 'role:member and ' + RULE_PARENT_OWNER
+PARENT_OWNER_READER = 'role:reader and ' + RULE_PARENT_OWNER
+ADMIN_OR_PARENT_OWNER_MEMBER = (
+ '(' + ADMIN + ') or (' + PARENT_OWNER_MEMBER + ')')
+ADMIN_OR_PARENT_OWNER_READER = (
+ '(' + ADMIN + ') or (' + PARENT_OWNER_READER + ')')
+
+
rules = [
policy.RuleDefault(
'context_is_admin',
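Review bot: The new PARENT_OWNER_MEMBER and PARENT_OWNER_READER strings delegate the whole project-scoping decision to `rule:ext_parent_owner` (RULE_PARENT_OWNER), whose definition is outside this hunk, so the `role:member` / `role:reader` prefix only constrains the caller's role and the authorization property holds only when the enforcing API layer puts the parent's `ext_parent:*` attributes into the policy target for every resource that adopts these constants. A target built without that attribute presumably makes the parent-owner check fail closed rather than open, but the comment block should state the precondition for future adopters, e.g. append `# NOTE: these rules only work when the policy target carries the parent's` / `# project via the ext_parent:* attributes consumed by rule ext_parent_owner.`. In the same comment, `becasue` should read `because` and `they belongs` should read `they belong`. The `rules` list that opens on the last hunk line continues past the hunk.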