Fix policy rules for adding and removing router interfaces

Currently "add_router_interface" and "remove_router_interface"
policy rules have the "update_router" prefix and thus are never
enforced. Removing the prefix activates the rules.

Also moved some rules, so that all router-related rules are
now grouped together.

Closes-Bug: 1356678
Change-Id: Ib6cc45f2c6d0c7ae394274d6196262529b9fd855

diff --git a/etc/policy.json b/etc/policy.json
index d21427cb4ee106094b3defaa83b4528f8bae4976..e132310aaf361ecfcc7643267f373b6636a85c44 100644 (file)
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -63,10 +63,17 @@
     "update_port:mac_learning_enabled": "rule:admin_or_network_owner",
     "delete_port": "rule:admin_or_owner",
 
+    "create_router": "rule:regular_user",
     "create_router:external_gateway_info:enable_snat": "rule:admin_only",
     "create_router:distributed": "rule:admin_only",
+    "get_router": "rule:admin_or_owner",
+    "get_router:distributed": "rule:admin_only",
     "update_router:external_gateway_info:enable_snat": "rule:admin_only",
     "update_router:distributed": "rule:admin_only",
+    "delete_router": "rule:admin_or_owner",
+
+    "add_router_interface": "rule:admin_or_owner",
+    "remove_router_interface": "rule:admin_or_owner",
 
     "create_firewall": "",
     "get_firewall": "rule:admin_or_owner",
@@ -105,13 +112,6 @@
     "get_loadbalancer-agent": "rule:admin_only",
     "get_loadbalancer-pools": "rule:admin_only",
 
-    "create_router": "rule:regular_user",
-    "get_router": "rule:admin_or_owner",
-    "get_router:distributed": "rule:admin_only",
-    "update_router:add_router_interface": "rule:admin_or_owner",
-    "update_router:remove_router_interface": "rule:admin_or_owner",
-    "delete_router": "rule:admin_or_owner",
-
     "create_floatingip": "rule:regular_user",
     "update_floatingip": "rule:admin_or_owner",
     "delete_floatingip": "rule:admin_or_owner",