author | Slawek Kaplonski <skaplons@redhat.com> | 2023-02-01 12:22:50 +0100 |
---|---|---|
committer | Slawek Kaplonski <skaplons@redhat.com> | 2023-02-01 12:22:50 +0100 |
commit | 1c27d8b5b41f7bc63d2f3fa61f94be7e98e2101d (patch) | |
tree | 677367733b321f4756f33b0a188a3c61076bb448 /neutron/conf | |
parent | 06e2e22d31471da1f37dddb50dcae6851f8b0852 (diff) | |
download | neutron-1c27d8b5b41f7bc63d2f3fa61f94be7e98e2101d.tar.gz |
[Secure RBAC] Fix policy to get flavors
Flavors are resources which don't have an owner and should be able to
be listed/shown by any user with the READER role. This patch fixes the policy
for the "get_flavor" action to match this requirement.
Additionally, it removes the "project_id" field from the target object in
the flavor policy unit tests.
Closes-Bug: #2004017
Change-Id: I254e88f7c32343034f4799b63b1088c3f966d7a6
Diffstat (limited to 'neutron/conf')
-rw-r--r-- | neutron/conf/policies/flavor.py | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/neutron/conf/policies/flavor.py b/neutron/conf/policies/flavor.py
index 6e281d2e61..9801bb9f75 100644
--- a/neutron/conf/policies/flavor.py
+++ b/neutron/conf/policies/flavor.py
@@ -47,7 +47,11 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='get_flavor',
- check_str=base.ADMIN_OR_PROJECT_READER,
+ # NOTE: it can't be ADMIN_OR_PROJECT_READER constant from the base
+ # module because that is using "project_id" in the check string and the
+ # service_provider resource don't belongs to any project thus such
+ # check string would fail enforcement.
+ check_str='role:reader',
 description='Get a flavor',
 operations=[
 {
 |
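Review bot: The new `check_str='role:reader'` drops the admin alternative that the old constant's name (`ADMIN_OR_PROJECT_READER`) suggests it carried, so an admin-only token would presumably pass `get_flavor` only when the identity service also grants it `reader` (for example through implied roles). If that is not guaranteed in every deployment, OR the project's existing admin rule with `role:reader`, or at least state the dependency in the NOTE. The NOTE itself names the "service_provider resource" although this rule is `get_flavor`; it would read correctly as `# flavor resource doesn't belong to any project, thus such a` followed by the existing last line. The `DocumentedRuleDefault(...)` call continues outside the hunk, so whether a `deprecated_rule` still widens the effective check cannot be seen from here.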