authorSlawek Kaplonski <skaplons@redhat.com>2023-02-01 11:25:04 +0100
committerSlawek Kaplonski <skaplons@redhat.com>2023-02-01 11:28:46 +0100
commit221cf9497fed414b01206ece6c6d41d0ec7d4088 (patch)
treedc44707a534c495b52dc668e1093e96739208f43 /neutron/conf
parent06e2e22d31471da1f37dddb50dcae6851f8b0852 (diff)
[Secure RBAC] Add shared_qos_policy rule
For shared QoS policies we need an additional rule that allows projects which aren't owners of the QoS policy to list shared policies. Closes-bug: #2004013 Closes-bug: #2004014 Change-Id: I593896ab087e3d916b10d7d5f6b22b501060b934
Diffstat (limited to 'neutron/conf')
-rw-r--r--neutron/conf/policies/qos.py9
1 files changed, 8 insertions, 1 deletions
diff --git a/neutron/conf/policies/qos.py b/neutron/conf/policies/qos.py
index 3aed7f0090..b9d1a3ca5f 100644
--- a/neutron/conf/policies/qos.py
+++ b/neutron/conf/policies/qos.py
@@ -21,9 +21,16 @@ The QoS API now supports project scope and default roles.
rules = [
+ policy.RuleDefault(
+ 'shared_qos_policy',
+ 'field:policies:shared=True',
+ description='Rule of shared qos policy'),
policy.DocumentedRuleDefault(
name='get_policy',
- check_str=base.ADMIN_OR_PROJECT_READER,
+ check_str=base.policy_or(
+ base.ADMIN_OR_PROJECT_READER,
+ 'rule:shared_qos_policy'
+ ),
scope_types=['project'],
description='Get QoS policies',
operations=[
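Review bot: The new `shared_qos_policy` branch in `get_policy` carries no role check of its own, so once it is OR-ed with `base.ADMIN_OR_PROJECT_READER` any project-scoped token appears to pass for a policy whose `shared` field is true, including one without the reader role; that looks intended, but neither the code nor the description says so. I would make the description carry the access decision, e.g. `description='Matches QoS policies with shared=True; lets projects that do not own the policy read it'`, and add a short comment above the `policy_or` call stating that only read access is widened. The hunk shows only `get_policy` being changed and the `rules` list continues outside it, so whether other read rules in this file need the same branch cannot be judged from here. A unit test asserting that a non-owner is still denied on a policy with shared=False would pin the boundary.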