Prevent non-admin user specifying port's provider-security-groups

This is controlled through the policy.json file, to which the relevant rules are added.

Change-Id: I79e14418909a4e03f87ab3f2ad02945160daa43d
Roey Chen 2017-03-28 02:16:58 -07:00 committed by garyk
parent 210eb89c4a
commit e14b697cab


@ -45,6 +45,7 @@
"create_port:binding:host_id": "rule:admin_only", "create_port:binding:host_id": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only", "create_port:binding:profile": "rule:admin_only",
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:provider_security_groups": "rule:admin_only",
"get_port": "rule:admin_or_owner or rule:context_is_advsvc", "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
"get_port:queue_id": "rule:admin_only", "get_port:queue_id": "rule:admin_only",
"get_port:binding:vif_type": "rule:admin_only", "get_port:binding:vif_type": "rule:admin_only",
@ -57,6 +58,7 @@
"update_port:binding:host_id": "rule:admin_only", "update_port:binding:host_id": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only", "update_port:binding:profile": "rule:admin_only",
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"update_port:provider_security_groups": "rule:admin_only",
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc", "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
"get_router:ha": "rule:admin_only", "get_router:ha": "rule:admin_only",