Merge "[S-RBAC] Fix policies for CUD subnets APIs" into stable/zed

Author: Zuul

neutron/conf/policies/subnet.py

@@ -35,13 +35,18 @@
     {'method': 'GET', 'path': RESOURCE_PATH},
 ]
 
+# TODO(slaweq): remove it once network will be added to the
+# EXT_PARENT_RESOURCE_MAPPING in neutron_lib and rule base.PARENT_OWNER_MEMBER
+# will be possible to use instead of RULE_NET_OWNER_MEMBER
+RULE_NET_OWNER_MEMBER = 'role:member and ' + base.RULE_NET_OWNER
+
 
 rules = [
     policy.DocumentedRuleDefault(
         name='create_subnet',
         check_str=base.policy_or(
-            base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_NET_OWNER),
+            base.ADMIN,
+            RULE_NET_OWNER_MEMBER),
         scope_types=['project'],
         description='Create a subnet',
         operations=ACTION_POST,
@@ -111,7 +116,7 @@
         name='update_subnet',
         check_str=base.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_NET_OWNER),
+            RULE_NET_OWNER_MEMBER),
         scope_types=['project'],
         description='Update a subnet',
         operations=ACTION_PUT,
@@ -149,7 +154,7 @@
         name='delete_subnet',
         check_str=base.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_NET_OWNER),
+            RULE_NET_OWNER_MEMBER),
         scope_types=['project'],
         description='Delete a subnet',
         operations=ACTION_DELETE,

neutron/tests/unit/conf/policies/test_subnet.py

@@ -29,19 +29,33 @@ def setUp(self):
 
         self.network = {
             'id': uuidutils.generate_uuid(),
+            'tenant_id': self.project_id,
             'project_id': self.project_id}
+        self.alt_network = {
+            'id': uuidutils.generate_uuid(),
+            'tenant_id': self.alt_project_id,
+            'project_id': self.alt_project_id}
+
+        networks = {
+            self.network['id']: self.network,
+            self.alt_network['id']: self.alt_network}
 
         self.target = {
             'project_id': self.project_id,
+            'tenant_id': self.project_id,
             'network_id': self.network['id'],
             'ext_parent_network_id': self.network['id']}
         self.alt_target = {
             'project_id': self.alt_project_id,
-            'network_id': self.network['id'],
-            'ext_parent_network_id': self.network['id']}
+            'tenant_id': self.alt_project_id,
+            'network_id': self.alt_network['id'],
+            'ext_parent_network_id': self.alt_network['id']}
+
+        def get_network(context, id, fields=None):
+            return networks.get(id)
 
         self.plugin_mock = mock.Mock()
-        self.plugin_mock.get_network.return_value = self.network
+        self.plugin_mock.get_network.side_effect = get_network
         mock.patch(
             'neutron_lib.plugins.directory.get_plugin',
             return_value=self.plugin_mock).start()