Merge "[S-RBAC] Fix new policies for get QoS rules APIs" into stable/zed

Author: Zuul

neutron/conf/policies/base.py

@@ -62,6 +62,20 @@ def policy_or(*args):
 RULE_PARENT_OWNER = 'rule:ext_parent_owner'
 RULE_SG_OWNER = 'rule:sg_owner'
 
+# In some cases we need to check owner of the parent resource, it's like that
+# for example for QoS rules (check owner of QoS policy rule belongs to) or
+# Floating IP port forwarding (check owner of FIP which PF is using). It's like
+# that becasue those resources (QOS rules, FIP PFs) don't have project_id
+# attribute at all and they belongs to the same project as parent resource (QoS
+# policy, FIP).
+PARENT_OWNER_MEMBER = 'role:member and ' + RULE_PARENT_OWNER
+PARENT_OWNER_READER = 'role:reader and ' + RULE_PARENT_OWNER
+ADMIN_OR_PARENT_OWNER_MEMBER = (
+    '(' + ADMIN + ') or (' + PARENT_OWNER_MEMBER + ')')
+ADMIN_OR_PARENT_OWNER_READER = (
+    '(' + ADMIN + ') or (' + PARENT_OWNER_READER + ')')
+
+
 rules = [
     policy.RuleDefault(
         'context_is_admin',

neutron/conf/policies/qos.py

@@ -125,7 +125,7 @@
 
     policy.DocumentedRuleDefault(
         name='get_policy_bandwidth_limit_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS bandwidth limit rule',
         operations=[
@@ -201,7 +201,7 @@
 
     policy.DocumentedRuleDefault(
         name='get_policy_packet_rate_limit_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS packet rate limit rule',
         operations=[
@@ -257,7 +257,7 @@
 
     policy.DocumentedRuleDefault(
         name='get_policy_dscp_marking_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS DSCP marking rule',
         operations=[
@@ -333,7 +333,7 @@
 
     policy.DocumentedRuleDefault(
         name='get_policy_minimum_bandwidth_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS minimum bandwidth rule',
         operations=[
@@ -408,7 +408,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_policy_minimum_packet_rate_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS minimum packet rate rule',
         operations=[
@@ -463,7 +463,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_alias_bandwidth_limit_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS bandwidth limit rule through alias',
         operations=[
@@ -514,7 +514,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_alias_dscp_marking_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS DSCP marking rule through alias',
         operations=[
@@ -565,7 +565,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_alias_minimum_bandwidth_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS minimum bandwidth rule through alias',
         operations=[