[S-RBAC] Fix policies for the local_ip association APIs

This patch updates local_ip association API policies so that POST and
DELETE actions are allowed for the PARENT_OWNER_MEMBER role and GET is
allowed for the PARENT_OWNER_READER.

Additionally this patch fixes unit tests for the api policies for that
APIs so that owner check is done during unit tests and issues like the
one mentioned above can be catched by unit tests.

Closes-bug: #2125657

Change-Id: I6844995d2b4c6e5ec4e2772d48d1a2b606dc558b
Signed-off-by: Slawek Kaplonski <[email protected]>
(cherry picked from commit cc3813b)

Author: slawqo

neutron/conf/policies/local_ip_association.py

@@ -29,7 +29,7 @@
         name='create_local_ip_port_association',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Create a Local IP port association',
         operations=[
@@ -48,7 +48,7 @@
         name='get_local_ip_port_association',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_READER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_READER),
         scope_types=['project'],
         description='Get a Local IP port association',
         operations=[
@@ -71,7 +71,7 @@
         name='delete_local_ip_port_association',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Delete a Local IP port association',
         operations=[

neutron/tests/unit/conf/policies/test_local_ip_association.py

@@ -29,18 +29,29 @@ def setUp(self):
         self.local_ip = {
             'id': uuidutils.generate_uuid(),
             'project_id': self.project_id}
+        self.alt_local_ip = {
+            'id': uuidutils.generate_uuid(),
+            'project_id': self.alt_project_id}
 
         self.target = {
             'project_id': self.project_id,
             'local_ip_id': self.local_ip['id'],
             'ext_parent_local_ip_id': self.local_ip['id']}
         self.alt_target = {
             'project_id': self.alt_project_id,
-            'local_ip_id': self.local_ip['id'],
-            'ext_parent_local_ip_id': self.local_ip['id']}
+            'local_ip_id': self.alt_local_ip['id'],
+            'ext_parent_local_ip_id': self.alt_local_ip['id']}
+
+        local_ips = {
+            self.local_ip['id']: self.local_ip,
+            self.alt_local_ip['id']: self.alt_local_ip,
+        }
+
+        def get_local_ip(context, lip_id, fields=None):
+            return local_ips[lip_id]
 
         self.plugin_mock = mock.Mock()
-        self.plugin_mock.get_local_ip.return_value = self.local_ip
+        self.plugin_mock.get_local_ip.side_effect = get_local_ip
         mock.patch(
             'neutron_lib.plugins.directory.get_plugin',
             return_value=self.plugin_mock).start()