Comment 4 for bug 1997089

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/874399
Committed: https://opendev.org/openstack/neutron/commit/924339ab111f824af5c13c185611b7368c2a6c65
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 924339ab111f824af5c13c185611b7368c2a6c65
Author: Slawek Kaplonski <email address hidden>
Date: Mon Nov 21 15:32:21 2022 +0100

    [S-RBAC] Allow admin user to do all API requests by default

    By default ADMIN user in the new Secure RBAC policies should behave in
    the same way as in the legacy rules so basically every API operation for
    any project should be allowed for ADMIN user.
    In the new rules there are roles like PROJECT_MEMBER and PROJECT_READER
    and those personas don't inherits directly from ADMIN which means that
    if something is possible to e.g. PROJECT_MEMBER it isn't automatically
    also allowed to ADMIN and we need to explicitly allow ADMIN user to do
    such requests. It was done like that for many of API calls already but
    not for all of them (probably by mistake).

    This patch introduces new composite check ADMIN_OR_PROJECT_MEMBER and
    uses it in the check strings where ADMIN or PROJECT_MEMBER user is
    allowed to use the API.
    It also changes some of the check strings which used "policy_or" to
    combine ADMIN and PROJECT_MEMBER or PROJECT_READER so that those
    composite checks ADMIN_OR_PROJECT_MEMBER and ADMIN_OR_PROJECT_READER are
    used everywhere.

    Closes-Bug: #1997089

    Change-Id: Iab5cd6c7aa07ca8527c5fa8396c9ed0da65b4fa7
    (cherry picked from commit 6d8ada0ac93beed05b45adb9582c3ef23bef49d2)