authorSlawek Kaplonski <skaplons@redhat.com>2023-02-01 12:22:50 +0100
committerSlawek Kaplonski <skaplons@redhat.com>2023-02-01 12:22:50 +0100
commit1c27d8b5b41f7bc63d2f3fa61f94be7e98e2101d (patch)
tree677367733b321f4756f33b0a188a3c61076bb448 /neutron/conf
parent06e2e22d31471da1f37dddb50dcae6851f8b0852 (diff)
[Secure RBAC] Fix policy to get flavors
Flavors are resources which don't have owner and should be able to be listed/shown by any user with READER role. This patch fixes policy for "get_flavor" action to match this requirement. Additionally, it removes "project_id" field from the target object in the flavor policy unit tests. Closes-Bug: #2004017 Change-Id: I254e88f7c32343034f4799b63b1088c3f966d7a6
Diffstat (limited to 'neutron/conf')
-rw-r--r--neutron/conf/policies/flavor.py6
1 files changed, 5 insertions, 1 deletions
diff --git a/neutron/conf/policies/flavor.py b/neutron/conf/policies/flavor.py
index 6e281d2e61..9801bb9f75 100644
--- a/neutron/conf/policies/flavor.py
+++ b/neutron/conf/policies/flavor.py
@@ -47,7 +47,11 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_flavor',
- check_str=base.ADMIN_OR_PROJECT_READER,
+ # NOTE: it can't be ADMIN_OR_PROJECT_READER constant from the base
+ # module because that is using "project_id" in the check string and the
+ # service_provider resource don't belongs to any project thus such
+ # check string would fail enforcement.
+ check_str='role:reader',
description='Get a flavor',
operations=[
{
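Review bot: The new `check_str='role:reader'` on `get_flavor` no longer names an admin alternative, which the removed `ADMIN_OR_PROJECT_READER` constant appears to have carried judging by its name. An admin credential would then pass only when its token also holds `reader`, presumably through Keystone's implied roles, and the NOTE should say that this is relied on. The NOTE also refers to the "service_provider resource" although the rule is for flavors, which reads like a carry-over from another policy file. I would reword it along the lines of `# NOTE: flavors have no owning project, so a check string that uses "project_id" (as ADMIN_OR_PROJECT_READER does) would fail enforcement; admins pass via the implied reader role.` The `rules` list and this `DocumentedRuleDefault` call continue outside the hunk, so any `scope_types` or deprecated rule on the entry cannot be checked from here.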