Commit
[S-RBAC] Fix policies for CUD subnets APIs
In the new, secure RBAC policies for create subnet, the rule "ADMIN_OR_PROJECT_MEMBER" was used, and that was wrong, as this rule basically allows any member (PROJECT_MEMBER) to create a subnet in networks visible to them; the project does not necessarily need to be the owner of that network. So it allowed users to create new subnets in the shared or provider networks as well. Now the policy for create subnet is ADMIN OR NET_OWNER_MEMBER to avoid that.

Additionally, this patch also fixes the policies for the update and delete subnet APIs, where the rule NET_OWNER was used, and that effectively allowed a network owner who has the READER role only to update or delete a subnet. Now this is also fixed by using the NET_OWNER_MEMBER rule instead.

Conflicts: neutron/conf/policies/subnet.py

Closes-Bug: #2023679
Change-Id: Ia494872b58f368581fb29fa40b7da17e1071db22
(cherry picked from commit 6e35251)
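The difference between the old and new rules described in the commit message can be checked with a small decision matrix. This is an added example, not Neutron or oslo.policy code: the predicate definitions, project names and request dictionaries are assumptions constructed for illustration.

```python
# Simplified model of the rules named in the commit message (assumed semantics).

def is_member(creds):
    return "member" in creds["roles"]

def owns_network(creds, target):
    # The caller's project owns the parent network of the subnet.
    return creds["project_id"] == target["network_project_id"]

RULES = {
    # Old create rule: scoped to the subnet's own project, which on create is
    # the caller's project, so ownership of the network is never consulted.
    "ADMIN_OR_PROJECT_MEMBER": lambda c, t: "admin" in c["roles"]
        or (is_member(c) and c["project_id"] == t["project_id"]),
    # New create rule.
    "ADMIN OR NET_OWNER_MEMBER": lambda c, t: "admin" in c["roles"]
        or (is_member(c) and owns_network(c, t)),
    # Old update/delete rule: ownership alone, no role requirement.
    "NET_OWNER": owns_network,
    # New update/delete rule.
    "NET_OWNER_MEMBER": lambda c, t: is_member(c) and owns_network(c, t),
}

def allowed(rule, creds, target):
    return bool(RULES[rule](creds, target))

# Constructed callers (a member role implies reader, as in Keystone defaults).
OTHER_MEMBER = {"project_id": "tenant-b", "roles": ["member", "reader"]}
OWNER_READER = {"project_id": "tenant-a", "roles": ["reader"]}
OWNER_MEMBER = {"project_id": "tenant-a", "roles": ["member", "reader"]}

# Constructed targets: the network is owned by tenant-a in both cases.
SUBNET_ON_SHARED_NET = {"project_id": "tenant-b", "network_project_id": "tenant-a"}
SUBNET_ON_OWN_NET = {"project_id": "tenant-a", "network_project_id": "tenant-a"}

def matrix():
    """Return {(rule, case): decision} for the cases from the commit message."""
    cases = {
        "member creates on shared net": (OTHER_MEMBER, SUBNET_ON_SHARED_NET),
        "reader owner updates/deletes": (OWNER_READER, SUBNET_ON_OWN_NET),
        "member owner on own net": (OWNER_MEMBER, SUBNET_ON_OWN_NET),
    }
    return {(rule, name): allowed(rule, creds, target)
            for rule in RULES for name, (creds, target) in cases.items()}

if __name__ == "__main__":
    for (rule, name), decision in matrix().items():
        print(f"{rule:28} {name:30} {'ALLOW' if decision else 'DENY'}")
```

The same three cases make useful regression tests against a deployed policy file after applying the fix.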
Showing 2 changed files with 26 additions and 7 deletions.