neutron/neutron/conf/policies/security_group.py
Slawek Kaplonski b898d2e3c0 List SG rules which belongs to tenant's SG
When a user's security group contains rules created e.g.
by an admin, and such rules have the admin's tenant as tenant_id,
the owner of the security group should be able to see those rules.
Some time ago this was addressed for request:

GET /v2.0/security-groups/<sec_group_id>

But it is also required to behave in same way for

GET /v2.0/security-group-rules

So this patch fixes this behaviour for listing of security
group rules.
To achieve that this patch also adds new policy rule:
ADMIN_OWNER_OR_SG_OWNER which is similar to already existing
ADMIN_OWNER_OR_NETWORK_OWNER used e.g. for listing or creating
ports.

Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
Closes-Bug: #1824248
2019-11-27 15:45:09 +01:00


# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron.conf.policies import base
# API paths used in the documented policy operations below. The per-resource
# paths are the collection paths with the '{id}' placeholder appended.
SG_COLLECTION_PATH = '/security-groups'
SG_RESOURCE_PATH = SG_COLLECTION_PATH + '/{id}'
RULE_COLLECTION_PATH = '/security-group-rules'
RULE_RESOURCE_PATH = RULE_COLLECTION_PATH + '/{id}'

# oslo.policy references to the two generic rules registered in ``rules``.
RULE_ADMIN_OR_SG_OWNER = 'rule:admin_or_sg_owner'
RULE_ADMIN_OWNER_OR_SG_OWNER = 'rule:admin_owner_or_sg_owner'
# Policy defaults for the security-group and security-group-rule resources.
# Order is preserved as registered; ``list_rules`` returns this list as-is.
rules = [
    # Generic rule: passes for an admin context, or when the caller's
    # tenant_id equals the ``security_group:tenant_id`` field of the policy
    # target. NOTE(review): presumably that field is the *parent* security
    # group's tenant when the target is a rule — confirm against the
    # enforcer that populates the target.
    policy.RuleDefault(
        'admin_or_sg_owner',
        base.policy_or('rule:context_is_admin',
                       'tenant_id:%(security_group:tenant_id)s'),
        description='Rule for admin or security group owner access'),
    # Generic rule: the resource owner (``rule:owner``) OR anyone allowed by
    # ``admin_or_sg_owner``. Referenced by get_security_group_rule below so a
    # security group's owner can read rules in it that carry another tenant's
    # tenant_id (per the commit message: e.g. rules added by an admin).
    policy.RuleDefault(
        'admin_owner_or_sg_owner',
        base.policy_or('rule:owner',
                       RULE_ADMIN_OR_SG_OWNER),
        description=('Rule for resource owner, '
                     'admin or security group owner access')),
    # TODO(amotoki): admin_or_owner is the right rule?
    # Does an empty string make more sense for create_security_group?
    policy.DocumentedRuleDefault(
        'create_security_group',
        base.RULE_ADMIN_OR_OWNER,
        'Create a security group',
        [
            {
                'method': 'POST',
                'path': SG_COLLECTION_PATH,
            },
        ]
    ),
    # Read access to security groups is RULE_ANY; ownership filtering, if any,
    # is not expressed in this policy file.
    policy.DocumentedRuleDefault(
        'get_security_group',
        base.RULE_ANY,
        'Get a security group',
        [
            {
                'method': 'GET',
                'path': SG_COLLECTION_PATH,
            },
            {
                'method': 'GET',
                'path': SG_RESOURCE_PATH,
            },
        ]
    ),
    policy.DocumentedRuleDefault(
        'update_security_group',
        base.RULE_ADMIN_OR_OWNER,
        'Update a security group',
        [
            {
                'method': 'PUT',
                'path': SG_RESOURCE_PATH,
            },
        ]
    ),
    policy.DocumentedRuleDefault(
        'delete_security_group',
        base.RULE_ADMIN_OR_OWNER,
        'Delete a security group',
        [
            {
                'method': 'DELETE',
                'path': SG_RESOURCE_PATH,
            },
        ]
    ),
    # TODO(amotoki): admin_or_owner is the right rule?
    # Does an empty string make more sense for create_security_group_rule?
    policy.DocumentedRuleDefault(
        'create_security_group_rule',
        base.RULE_ADMIN_OR_OWNER,
        'Create a security group rule',
        [
            {
                'method': 'POST',
                'path': RULE_COLLECTION_PATH,
            },
        ]
    ),
    # Covers both GET on the collection (list) and GET on a single rule, so
    # the SG-owner extension applies to listing as well as to show.
    policy.DocumentedRuleDefault(
        'get_security_group_rule',
        RULE_ADMIN_OWNER_OR_SG_OWNER,
        'Get a security group rule',
        [
            {
                'method': 'GET',
                'path': RULE_COLLECTION_PATH,
            },
            {
                'method': 'GET',
                'path': RULE_RESOURCE_PATH,
            },
        ]
    ),
    # Deleting a rule stays admin-or-owner of the *rule* itself; the SG-owner
    # extension above is read-only.
    policy.DocumentedRuleDefault(
        'delete_security_group_rule',
        base.RULE_ADMIN_OR_OWNER,
        'Delete a security group rule',
        [
            {
                'method': 'DELETE',
                'path': RULE_RESOURCE_PATH,
            },
        ]
    ),
]
def list_rules():
    """Return the security-group policy defaults defined in this module.

    The module-level ``rules`` list is returned directly (not copied), in
    registration order, for the policy loader to register.
    """
    sg_policy_defaults = rules
    return sg_policy_defaults