[S-RBAC] Allow admin user to do all API requests by default
By default ADMIN user in the new Secure RBAC policies should behave in
the same way as in the legacy rules so basically every API operation for
any project should be allowed for ADMIN user.
In the new rules there are roles like PROJECT_MEMBER and PROJECT_READER
and those personas don't inherits directly from ADMIN which means that
if something is possible to e.g. PROJECT_MEMBER it isn't automatically
also allowed to ADMIN and we need to explicitly allow ADMIN user to do
such requests. It was done like that for many of API calls already but
not for all of them (probably by mistake).
This patch introduces new composite check ADMIN_OR_PROJECT_MEMBER and
uses it in the check strings where ADMIN or PROJECT_MEMBER user is
allowed to use the API.
It also changes some of the check strings which used "policy_or" to
combine ADMIN and PROJECT_MEMBER or PROJECT_READER so that those
composite checks ADMIN_OR_PROJECT_MEMBER and ADMIN_OR_PROJECT_READER are
used everywhere.
Closes-Bug: #1997089
Change-Id: Iab5cd6c7aa07ca8527c5fa8396c9ed0da65b4fa7
(cherry picked from commit 6d8ada0ac93beed05b45adb9582c3ef23bef49d2)
Reviewed: https:/ /review. opendev. org/c/openstack /neutron/ +/874399 /opendev. org/openstack/ neutron/ commit/ 924339ab111f824 af5c13c185611b7 368c2a6c65
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/zed
commit 924339ab111f824 af5c13c185611b7 368c2a6c65
Author: Slawek Kaplonski <email address hidden>
Date: Mon Nov 21 15:32:21 2022 +0100
[S-RBAC] Allow admin user to do all API requests by default
By default ADMIN user in the new Secure RBAC policies should behave in
the same way as in the legacy rules so basically every API operation for
any project should be allowed for ADMIN user.
In the new rules there are roles like PROJECT_MEMBER and PROJECT_READER
and those personas don't inherits directly from ADMIN which means that
if something is possible to e.g. PROJECT_MEMBER it isn't automatically
also allowed to ADMIN and we need to explicitly allow ADMIN user to do
such requests. It was done like that for many of API calls already but
not for all of them (probably by mistake).
This patch introduces new composite check ADMIN_OR_ PROJECT_ MEMBER and PROJECT_ MEMBER and ADMIN_OR_ PROJECT_ READER are
uses it in the check strings where ADMIN or PROJECT_MEMBER user is
allowed to use the API.
It also changes some of the check strings which used "policy_or" to
combine ADMIN and PROJECT_MEMBER or PROJECT_READER so that those
composite checks ADMIN_OR_
used everywhere.
Closes-Bug: #1997089
Change-Id: Iab5cd6c7aa07ca 8527c5fa8396c9e d0da65b4fa7 05b45adb9582c3e f23bef49d2)
(cherry picked from commit 6d8ada0ac93beed