[S-RBAC] Change policies for port's binding:profile field
According to the neutron API-REF [1] port's "binding:profile" field is
intended to be used for the "machine-machine communication for compute
services like Nova, Ironic or Zun to pass information to a Neutron
back-end." so it should be by allowed only for the users with the
SERVICE role granted, not even for ADMIN.
This patch updates that policies to be available only for SERVICE role
when new, secure RBAC policies are enabled.
Additionally this patch updates some policies for create, update and get
port APIs to make them all work in the same way and allow them for the
SERVICE users too.
Finally this new policy for create/update_port:binding:profile have to
be overwritten in the fullstack tests to be allowed also for admin user.
It is done by adding custom policy file for the fullstack tests only.
Reviewed: https:/ /review. opendev. org/c/openstack /neutron/ +/909075 /opendev. org/openstack/ neutron/ commit/ a644b3c62bab1ad 3f1abb892811c00 cf385415f9
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit a644b3c62bab1ad 3f1abb892811c00 cf385415f9
Author: Slawek Kaplonski <email address hidden>
Date: Thu Feb 15 09:50:27 2024 +0100
[S-RBAC] Change policies for port's binding:profile field
According to the neutron API-REF [1] port's "binding:profile" field is
intended to be used for the "machine-machine communication for compute
services like Nova, Ironic or Zun to pass information to a Neutron
back-end." so it should be by allowed only for the users with the
SERVICE role granted, not even for ADMIN.
This patch updates that policies to be available only for SERVICE role
when new, secure RBAC policies are enabled.
Additionally this patch updates some policies for create, update and get
port APIs to make them all work in the same way and allow them for the
SERVICE users too.
Finally this new policy for create/ update_ port:binding: profile have to
be overwritten in the fullstack tests to be allowed also for admin user.
It is done by adding custom policy file for the fullstack tests only.
[1] https:/ /docs.openstack .org/api- ref/network/ v2/index. html#create- port
Closes-Bug: #2052937 e8977cfc623789a 09067e6a895
Change-Id: I5c0094ff21439f