diff options
author | Slawek Kaplonski <skaplons@redhat.com> | 2023-02-01 11:25:04 +0100 |
---|---|---|
committer | Slawek Kaplonski <skaplons@redhat.com> | 2023-02-01 11:28:46 +0100 |
commit | 221cf9497fed414b01206ece6c6d41d0ec7d4088 (patch) | |
tree | dc44707a534c495b52dc668e1093e96739208f43 /neutron/conf | |
parent | 06e2e22d31471da1f37dddb50dcae6851f8b0852 (diff) | |
download | neutron-221cf9497fed414b01206ece6c6d41d0ec7d4088.tar.gz |
[Secure RBAC] Add shared_qos_policy rule
For shared QoS policies we need to have additional rule which will allow
to list shared policies for projects which aren't owners of the QoS
policy.
Closes-bug: #2004013
Closes-bug: #2004014
Change-Id: I593896ab087e3d916b10d7d5f6b22b501060b934
Diffstat (limited to 'neutron/conf')
-rw-r--r-- | neutron/conf/policies/qos.py | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/neutron/conf/policies/qos.py b/neutron/conf/policies/qos.py index 3aed7f0090..b9d1a3ca5f 100644 --- a/neutron/conf/policies/qos.py +++ b/neutron/conf/policies/qos.py @@ -21,9 +21,16 @@ The QoS API now supports project scope and default roles. rules = [ + policy.RuleDefault( + 'shared_qos_policy', + 'field:policies:shared=True', + description='Rule of shared qos policy'), policy.DocumentedRuleDefault( name='get_policy', - check_str=base.ADMIN_OR_PROJECT_READER, + check_str=base.policy_or( + base.ADMIN_OR_PROJECT_READER, + 'rule:shared_qos_policy' + ), scope_types=['project'], description='Get QoS policies', operations=[ |