[S-RBAC] Fix policies for local_ip_association

slawqo · slawqo · commit 126a22b737f0 · 2025-10-13T08:41:34.000Z
Policies for those API actions should not rely on the "PROJECT_READER" or "PROJECT_MEMBER" rules as this resource don't have project_id attribute and instead belongs to the project of the parent resource (which is local_ip). This patch updates those rules to: base.ADMIN_OR_PARENT_OWNER_MEMBER base.ADMIN_OR_PARENT_OWNER_READER Closes-bug: #2126576 Change-Id: Ie12c4e40edc09b3477db7c8ffa3067856ea42866 Signed-off-by: Slawek Kaplonski <skaplons@redhat.com> (cherry picked from commit 8ff3d9d)
diff --git a/neutron/conf/policies/local_ip_association.py b/neutron/conf/policies/local_ip_association.py
@@ -27,9 +27,7 @@
 rules = [
     policy.DocumentedRuleDefault(
         name='create_local_ip_port_association',
-        check_str=neutron_policy.policy_or(
-            base.ADMIN_OR_PROJECT_MEMBER,
-            base.PARENT_OWNER_MEMBER),
+        check_str=base.ADMIN_OR_PARENT_OWNER_MEMBER,
         scope_types=['project'],
         description='Create a Local IP port association',
         operations=[
@@ -46,9 +44,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_local_ip_port_association',
-        check_str=neutron_policy.policy_or(
-            base.ADMIN_OR_PROJECT_READER,
-            base.PARENT_OWNER_READER),
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a Local IP port association',
         operations=[
@@ -69,9 +65,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='delete_local_ip_port_association',
-        check_str=neutron_policy.policy_or(
-            base.ADMIN_OR_PROJECT_MEMBER,
-            base.PARENT_OWNER_MEMBER),
+        check_str=base.ADMIN_OR_PARENT_OWNER_MEMBER,
         scope_types=['project'],
         description='Delete a Local IP port association',
         operations=[
diff --git a/neutron/tests/unit/conf/policies/test_local_ip_association.py b/neutron/tests/unit/conf/policies/test_local_ip_association.py
@@ -28,17 +28,17 @@ def setUp(self):
         super().setUp()
         self.local_ip = {
             'id': uuidutils.generate_uuid(),
+            'tenant_id': self.project_id,
             'project_id': self.project_id}
         self.alt_local_ip = {
             'id': uuidutils.generate_uuid(),
+            'tenant_id': self.alt_project_id,
             'project_id': self.alt_project_id}
 
         self.target = {
-            'project_id': self.project_id,
             'local_ip_id': self.local_ip['id'],
             'ext_parent_local_ip_id': self.local_ip['id']}
         self.alt_target = {
-            'project_id': self.alt_project_id,
             'local_ip_id': self.alt_local_ip['id'],
             'ext_parent_local_ip_id': self.alt_local_ip['id']}
 
