Merge "[stable/2023.1] Allow cross network address pair" into stable/2023.1
diff --git a/images/neutron/Dockerfile b/images/neutron/Dockerfile
index d49ee59..d90107e 100644
--- a/images/neutron/Dockerfile
+++ b/images/neutron/Dockerfile
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: Apache-2.0
-# Atmosphere-Rebuild-Time: 2024-06-25T22:49:25Z
+# Atmosphere-Rebuild-Time: 2025-01-24T11:51:19Z
 
 ARG REGISTRY
 ARG RELEASE
@@ -14,7 +14,7 @@
 ARG NETWORKING_BAREMETAL_GIT_REF=bfcd09e4716be0dbf49ee88d18020084c60d0650
 ADD --keep-git-dir=true https://opendev.org/openstack/networking-baremetal.git#${NETWORKING_BAREMETAL_GIT_REF} /src/networking-baremetal
 RUN git -C /src/networking-baremetal fetch --unshallow
-ARG POLICY_SERVER_GIT_REF=85f47edbcf66aaf3a289dc3ae76191adce91018f
+ARG POLICY_SERVER_GIT_REF=d87012b56741cb2ad44fa4dec9c5f24001ad60fe
 ADD --keep-git-dir=true https://github.com/vexxhost/neutron-policy-server.git#${POLICY_SERVER_GIT_REF} /src/neutron-policy-server
 RUN git -C /src/neutron-policy-server fetch --unshallow
 ARG LOG_PASER_GIT_REF=9bc923c1294864ec709c538ba5c309065ef710d5
diff --git a/releasenotes/notes/add-neutron-policy-server-address-pair-193aa1434c376c10.yaml b/releasenotes/notes/add-neutron-policy-server-address-pair-193aa1434c376c10.yaml
new file mode 100644
index 0000000..e606b10
--- /dev/null
+++ b/releasenotes/notes/add-neutron-policy-server-address-pair-193aa1434c376c10.yaml
@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Add support for Neutron policy check when perform port update with
+    add address pairs. This will add a POST method ``/address-pair``.
+    It will check if both ports (to be paired) are created within same project.
+    With this check, we can give non-admin user to operate address pair binding
+    without risk on expose resource to other projects.
diff --git a/roles/neutron/vars/main.yml b/roles/neutron/vars/main.yml
index 9790b5f..33e3436 100644
--- a/roles/neutron/vars/main.yml
+++ b/roles/neutron/vars/main.yml
@@ -113,3 +113,6 @@
       delete_port: "(rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s or rule:network_owner) and http://neutron-server:9697/port-delete"
       update_port:mac_address: "(rule:admin_only or rule:context_is_advsvc) and http://neutron-server:9697/port-update"
       update_port:fixed_ips: "(rule:context_is_advsvc or rule:network_owner or rule:admin_only) and http://neutron-server:9697/port-update"
+      update_port:allowed_address_pairs: "(rule:admin_only or rule:network_owner) or (project_id:%(project_id)s and http://neutron-server:9697/address-pair )"
+      update_port:allowed_address_pairs:ip_address: "(rule:admin_only or rule:network_owner) or project_id:%(project_id)s"
+      update_port:allowed_address_pairs:mac_address: "(rule:admin_only or rule:network_owner) or project_id:%(project_id)s"
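Review bot: The project branch of the three new rules on lines 44–46 is satisfied by `project_id:%(project_id)s` alone, whereas the existing `delete_port` rule on line 41 requires `role:member and project_id:%(project_id)s`, so a project-scoped token without the member role (a reader, for instance) would pass these attribute checks unless the top-level `update_port` rule, which is outside this hunk, already rejects it. For least privilege and consistency with line 41 I would write the project branch as `role:member and project_id:%(project_id)s` in all three rules, e.g. `update_port:allowed_address_pairs: "(rule:admin_only or rule:network_owner) or (role:member and project_id:%(project_id)s and http://neutron-server:9697/address-pair)"`. That rewrite also drops the stray space before the closing parenthesis on line 44, which none of the neighbouring rules carry. A comment above line 44 stating that the `ip_address`/`mac_address` sub-rules intentionally omit the HTTP check because they are only ever evaluated together with the parent `update_port:allowed_address_pairs` rule would help the next reader, assuming that is the intended design.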