diff options
| -rw-r--r-- | neutron/conf/policies/security_group.py | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/neutron/conf/policies/security_group.py b/neutron/conf/policies/security_group.py index 1dfd9097d2..5bd649dac8 100644 --- a/neutron/conf/policies/security_group.py +++ b/neutron/conf/policies/security_group.py @@ -42,6 +42,11 @@ rules = [ RULE_ADMIN_OR_SG_OWNER), description=('Rule for resource owner, ' 'admin or security group owner access')), + policy.RuleDefault( + name='shared_security_group', + check_str='field:security_groups:shared=True', + description='Definition of a shared security group' + ), # TODO(amotoki): admin_or_owner is the right rule? # Does an empty string make more sense for create_security_group? policy.DocumentedRuleDefault( @@ -63,7 +68,10 @@ rules = [ ), policy.DocumentedRuleDefault( name='get_security_group', - check_str=base.ADMIN_OR_PROJECT_READER, + check_str=base.policy_or( + base.ADMIN_OR_PROJECT_READER, + 'rule:shared_security_group' + ), scope_types=['project'], description='Get a security group', operations=[ |