From e14b697cabfbec542570c465f9b8030405aa1e48 Mon Sep 17 00:00:00 2001
From: Roey Chen
Date: Tue, 28 Mar 2017 02:16:58 -0700
Subject: [PATCH] Prevent non-admin user specifying port's provider-security-groups

This is controlled via policy.json file, adding the relevant rules.

Change-Id: I79e14418909a4e03f87ab3f2ad02945160daa43d
---
 etc/policy.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/etc/policy.json b/etc/policy.json
index f5f9dc3a63..b50ff30ad7 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -45,6 +45,7 @@
 "create_port:binding:host_id": "rule:admin_only",
 "create_port:binding:profile": "rule:admin_only",
 "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "create_port:provider_security_groups": "rule:admin_only",
 "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
 "get_port:queue_id": "rule:admin_only",
 "get_port:binding:vif_type": "rule:admin_only",
@@ -57,6 +58,7 @@
 "update_port:binding:host_id": "rule:admin_only",
 "update_port:binding:profile": "rule:admin_only",
 "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "update_port:provider_security_groups": "rule:admin_only",
 "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
 "get_router:ha": "rule:admin_only",
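Review bot: Both added rules (`"create_port:provider_security_groups": "rule:admin_only"` in the first hunk and `"update_port:provider_security_groups": "rule:admin_only"` in the second) take effect only where the deployed policy.json actually contains them. The diffstat shows no other file changed, so an installation upgraded with an older or customised policy file would presumably still accept the attribute from non-admin users. Consider backing the restriction with a check in the code path that handles the attribute, or at least an upgrade note telling operators to merge these two lines, so the control does not fail open. A test asserting that a non-admin create or update request setting `provider_security_groups` is rejected would pin the behaviour; none is part of this change. As far as the hunks show, read access to the attribute stays at the `get_port` default, so it is worth deciding explicitly whether a matching `get_port:provider_security_groups` rule is wanted.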