Diffstat (limited to 'neutron/conf/policies/base.py')
-rw-r--r--neutron/conf/policies/base.py14
1 files changed, 14 insertions, 0 deletions
diff --git a/neutron/conf/policies/base.py b/neutron/conf/policies/base.py
index 14e419e7d1..395e4fd7f5 100644
--- a/neutron/conf/policies/base.py
+++ b/neutron/conf/policies/base.py
@@ -43,6 +43,20 @@ RULE_NET_OWNER = 'rule:network_owner'
RULE_PARENT_OWNER = 'rule:ext_parent_owner'
RULE_SG_OWNER = 'rule:sg_owner'
+# In some cases we need to check owner of the parent resource, it's like that
+# for example for QoS rules (check owner of QoS policy rule belongs to) or
+# Floating IP port forwarding (check owner of FIP which PF is using). It's like
+# that becasue those resources (QOS rules, FIP PFs) don't have project_id
+# attribute at all and they belongs to the same project as parent resource (QoS
+# policy, FIP).
+PARENT_OWNER_MEMBER = 'role:member and ' + RULE_PARENT_OWNER
+PARENT_OWNER_READER = 'role:reader and ' + RULE_PARENT_OWNER
+ADMIN_OR_PARENT_OWNER_MEMBER = (
+ '(' + ADMIN + ') or (' + PARENT_OWNER_MEMBER + ')')
+ADMIN_OR_PARENT_OWNER_READER = (
+ '(' + ADMIN + ') or (' + PARENT_OWNER_READER + ')')
+
+
rules = [
policy.RuleDefault(
'context_is_admin',
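Review bot: The new comment block above PARENT_OWNER_MEMBER has typos and grammar slips that should be fixed before merge: `becasue` → `because`, and `they belongs to the same project` → `they belong to the same project`. The comment also does not say what the new constants rely on: the `rule:ext_parent_owner` check (RULE_PARENT_OWNER, defined outside this hunk) is only meaningful when the policy target for a QoS rule or FIP port forwarding carries the parent's ownership attributes, so the comment should name that dependency, for example adding `# These rules therefore require the parent resource's owner to be present in the policy target when the check is enforced.` The explicit parentheses in ADMIN_OR_PARENT_OWNER_MEMBER / ADMIN_OR_PARENT_OWNER_READER are the right defensive choice, since they keep the `and`/`or` grouping correct even if ADMIN (defined outside this hunk) ever becomes a compound rule; a one-line comment noting that intent would stop a future cleanup from dropping them.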