Merge branch 'neutron_policy_tweaks_20201015' into 'arcus/train'

Retire use of advsvc Neutron role and replace with custom policy See merge request !40

Merge branch 'neutron_policy_tweaks_20201015' into 'arcus/train'
65fb114c · Paul Browne · 04e0d577 · 5aceb725 · 65fb114c
Commit 65fb114c authored 4 years ago by Paul Browne
--- a/etc/kayobe/kolla/config/neutron/policy.json
+++ b/etc/kayobe/kolla/config/neutron/policy.json
 {
-        "admin_only": "rule:context_is_admin",
+        "context_is_admin": "role:admin",
+        "context_is_baremetal_ports": "role:baremetal_ports",
        "context_is_advsvc": "role:advsvc",

-        "create_port:binding:host_id": "rule:admin_only or rule:context_is_advsvc",
-        "create_port:binding:profile": "rule:admin_only or rule:context_is_advsvc",
+        "admin_only": "rule:context_is_admin",
+        "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
+        "shared": "field:networks:shared=True",
+
+        "create_port:binding:host_id": "rule:admin_only or rule:context_is_baremetal_ports",
+        "create_port:binding:profile": "rule:admin_only or rule:context_is_baremetal_ports",
+        "create_port:mac_address": "rule:context_is_advsvc or rule:context_is_baremetal_ports or rule:admin_or_network_owner",
+
+        "update_port:binding:host_id": "rule:admin_only or rule:context_is_baremetal_ports",
+        "update_port:binding:profile": "rule:admin_only or rule:context_is_baremetal_ports",
+        "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc or rule:context_is_baremetal_ports",
+
+        "get_port:binding:host_id": "rule:admin_only or rule:context_is_baremetal_ports",
+        "get_port:binding:profile": "rule:admin_only or rule:context_is_baremetal_ports",

-        "update_port:binding:host_id": "rule:admin_only or rule:context_is_advsvc",
-        "update_port:binding:profile": "rule:admin_only or rule:context_is_advsvc",
+        "create_port:fixed_ips": "rule:context_is_advsvc or rule:context_is_baremetal_ports or rule:admin_or_network_owner or rule:shared",
+        "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:context_is_baremetal_ports or rule:admin_or_network_owner",
+        "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:context_is_baremetal_ports or rule:admin_or_network_owner or rule:shared",

-        "get_port:binding:host_id": "rule:admin_only or rule:context_is_advsvc",
-        "get_port:binding:profile": "rule:admin_only or rule:context_is_advsvc"
+        "update_port:fixed_ips": "rule:context_is_advsvc or rule:context_is_baremetal_ports or rule:admin_or_network_owner",
+        "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:context_is_baremetal_ports or rule:admin_or_network_owner",
+        "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:context_is_baremetal_ports or rule:admin_or_network_owner or rule:shared"
 }