Fix tenant access to qos policies
authorMiguel Angel Ajo <mangelajo@redhat.com>
Tue, 18 Aug 2015 06:35:00 +0000 (08:35 +0200)
committerMiguel Angel Ajo <mangelajo@redhat.com>
Wed, 19 Aug 2015 04:58:41 +0000 (04:58 +0000)
Fix policy.json so that tenants cannot create policies or rules
by default, and allow tenants to attach ports and networks to policies.
Please note that in that case policy access is checked in the QoSPolicy
neutron object.

Closes-Bug: #1485858

Change-Id: Ide1cd30979f99612fe89dddf3dc0e029d3f4d34a

etc/policy.json
neutron/tests/etc/policy.json

index 125b762d4bb7ba6045960dbdd1bc3a1276e3714c..a07a80c29ae084c6bae8770bfcd9d7c61d2564ea 100644 (file)
     "get_network:provider:physical_network": "rule:admin_only",
     "get_network:provider:segmentation_id": "rule:admin_only",
     "get_network:queue_id": "rule:admin_only",
-    "get_network:qos_policy_id": "rule:admin_only",
     "create_network:shared": "rule:admin_only",
     "create_network:router:external": "rule:admin_only",
     "create_network:segments": "rule:admin_only",
     "create_network:provider:network_type": "rule:admin_only",
     "create_network:provider:physical_network": "rule:admin_only",
     "create_network:provider:segmentation_id": "rule:admin_only",
-    "create_network:qos_policy_id": "rule:admin_only",
     "update_network": "rule:admin_or_owner",
     "update_network:segments": "rule:admin_only",
     "update_network:shared": "rule:admin_only",
@@ -54,7 +52,6 @@
     "update_network:provider:physical_network": "rule:admin_only",
     "update_network:provider:segmentation_id": "rule:admin_only",
     "update_network:router:external": "rule:admin_only",
-    "update_network:qos_policy_id": "rule:admin_only",
     "delete_network": "rule:admin_or_owner",
 
     "create_port": "",
     "create_port:binding:profile": "rule:admin_only",
     "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
     "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
-    "create_port:qos_policy_id": "rule:admin_only",
     "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
     "get_port:queue_id": "rule:admin_only",
     "get_port:binding:vif_type": "rule:admin_only",
     "get_port:binding:vif_details": "rule:admin_only",
     "get_port:binding:host_id": "rule:admin_only",
     "get_port:binding:profile": "rule:admin_only",
-    "get_port:qos_policy_id": "rule:admin_only",
     "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
     "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
     "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
@@ -81,7 +76,6 @@
     "update_port:binding:profile": "rule:admin_only",
     "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
     "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
-    "update_port:qos_policy_id": "rule:admin_only",
     "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
 
     "get_router:ha": "rule:admin_only",
     "update_service_profile": "rule:admin_only",
     "delete_service_profile": "rule:admin_only",
     "get_service_profiles": "rule:admin_only",
-    "get_service_profile": "rule:admin_only"
+    "get_service_profile": "rule:admin_only",
+
+    "get_policy": "rule:regular_user",
+    "create_policy": "rule:admin_only",
+    "update_policy": "rule:admin_only",
+    "delete_policy": "rule:admin_only",
+    "get_policy_bandwidth_limit_rule": "rule:regular_user",
+    "create_policy_bandwidth_limit_rule": "rule:admin_only",
+    "delete_policy_bandwidth_limit_rule": "rule:admin_only",
+    "update_policy_bandwidth_limit_rule": "rule:admin_only"
+
 }
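Review bot: With the `*:qos_policy_id` attribute rules removed from the network and port entries, attaching a QoS policy is now gated only by the parent rules (`"create_port": ""`, `"update_port": "rule:admin_or_owner or rule:context_is_advsvc"`), so the only thing keeping a tenant from referencing another tenant's non-shared policy is the check in the QoSPolicy object that the commit message mentions, and that check is not part of this change. `get_policy` and `get_policy_bandwidth_limit_rule` are `rule:regular_user`, so tenant scoping of reads likewise has to come from the object or query layer rather than from this file. Deployments that keep an older or customised policy.json will lack the new `create_policy`, `update_policy` and `delete_policy` entries and will presumably be evaluated against the `default` rule, which is not visible in these hunks; a release note telling operators to merge the new entries would close that gap. The same applies to the identical section for neutron/tests/etc/policy.json.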
index 125b762d4bb7ba6045960dbdd1bc3a1276e3714c..a07a80c29ae084c6bae8770bfcd9d7c61d2564ea 100644 (file)
     "get_network:provider:physical_network": "rule:admin_only",
     "get_network:provider:segmentation_id": "rule:admin_only",
     "get_network:queue_id": "rule:admin_only",
-    "get_network:qos_policy_id": "rule:admin_only",
     "create_network:shared": "rule:admin_only",
     "create_network:router:external": "rule:admin_only",
     "create_network:segments": "rule:admin_only",
     "create_network:provider:network_type": "rule:admin_only",
     "create_network:provider:physical_network": "rule:admin_only",
     "create_network:provider:segmentation_id": "rule:admin_only",
-    "create_network:qos_policy_id": "rule:admin_only",
     "update_network": "rule:admin_or_owner",
     "update_network:segments": "rule:admin_only",
     "update_network:shared": "rule:admin_only",
@@ -54,7 +52,6 @@
     "update_network:provider:physical_network": "rule:admin_only",
     "update_network:provider:segmentation_id": "rule:admin_only",
     "update_network:router:external": "rule:admin_only",
-    "update_network:qos_policy_id": "rule:admin_only",
     "delete_network": "rule:admin_or_owner",
 
     "create_port": "",
     "create_port:binding:profile": "rule:admin_only",
     "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
     "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
-    "create_port:qos_policy_id": "rule:admin_only",
     "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
     "get_port:queue_id": "rule:admin_only",
     "get_port:binding:vif_type": "rule:admin_only",
     "get_port:binding:vif_details": "rule:admin_only",
     "get_port:binding:host_id": "rule:admin_only",
     "get_port:binding:profile": "rule:admin_only",
-    "get_port:qos_policy_id": "rule:admin_only",
     "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
     "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
     "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
@@ -81,7 +76,6 @@
     "update_port:binding:profile": "rule:admin_only",
     "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
     "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
-    "update_port:qos_policy_id": "rule:admin_only",
     "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
 
     "get_router:ha": "rule:admin_only",
     "update_service_profile": "rule:admin_only",
     "delete_service_profile": "rule:admin_only",
     "get_service_profiles": "rule:admin_only",
-    "get_service_profile": "rule:admin_only"
+    "get_service_profile": "rule:admin_only",
+
+    "get_policy": "rule:regular_user",
+    "create_policy": "rule:admin_only",
+    "update_policy": "rule:admin_only",
+    "delete_policy": "rule:admin_only",
+    "get_policy_bandwidth_limit_rule": "rule:regular_user",
+    "create_policy_bandwidth_limit_rule": "rule:admin_only",
+    "delete_policy_bandwidth_limit_rule": "rule:admin_only",
+    "update_policy_bandwidth_limit_rule": "rule:admin_only"
+
 }
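Review bot: The file list shows only the two policy.json files changing, so nothing in this commit exercises the new rules, although covering tests may already exist elsewhere in the tree. Since the fix is an authorization change, it would be worth adding API-level tests that load this test policy file and assert that a non-admin context is rejected for `create_policy` and `create_policy_bandwidth_limit_rule`. A further test should assert that a tenant setting `qos_policy_id` on a port or network to a policy it neither owns nor has shared with it is refused. Without those, a later edit to either copy of the file could silently reopen the bug referenced in `Closes-Bug`.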