[stable/zed] Allow cross network address pair
Change-Id: I72f6f4380fe191aba0c5a1d14ae1f103d1341edb
diff --git a/images/neutron/Dockerfile b/images/neutron/Dockerfile
index 3b160de..2b4ad70 100644
--- a/images/neutron/Dockerfile
+++ b/images/neutron/Dockerfile
@@ -1,5 +1,5 @@
# SPDX-License-Identifier: Apache-2.0
-# Atmosphere-Rebuild-Time: 2024-06-28T12:14:26Z
+# Atmosphere-Rebuild-Time: 2025-01-24T11:51:19Z
ARG REGISTRY
ARG RELEASE
@@ -14,7 +14,7 @@
ARG NETWORKING_BAREMETAL_GIT_REF=fc8ddc5f68eba645239e5faa3c370dab5cc94bc9
ADD --keep-git-dir=true https://opendev.org/openstack/networking-baremetal.git#${NETWORKING_BAREMETAL_GIT_REF} /src/networking-baremetal
RUN git -C /src/networking-baremetal fetch --unshallow
-ARG POLICY_SERVER_GIT_REF=85f47edbcf66aaf3a289dc3ae76191adce91018f
+ARG POLICY_SERVER_GIT_REF=d87012b56741cb2ad44fa4dec9c5f24001ad60fe
ADD --keep-git-dir=true https://github.com/vexxhost/neutron-policy-server.git#${POLICY_SERVER_GIT_REF} /src/neutron-policy-server
RUN git -C /src/neutron-policy-server fetch --unshallow
ARG LOG_PASER_GIT_REF=9bc923c1294864ec709c538ba5c309065ef710d5
diff --git a/releasenotes/notes/add-neutron-policy-server-address-pair-193aa1434c376c10.yaml b/releasenotes/notes/add-neutron-policy-server-address-pair-193aa1434c376c10.yaml
new file mode 100644
index 0000000..e606b10
--- /dev/null
+++ b/releasenotes/notes/add-neutron-policy-server-address-pair-193aa1434c376c10.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Add support for Neutron policy check when perform port update with
+ add address pairs. This will add a POST method ``/address-pair``.
+ It will check if both ports (to be paired) are created within same project.
+ With this check, we can give non-admin user to operate address pair binding
+ without risk on expose resource to other projects.
diff --git a/roles/neutron/vars/main.yml b/roles/neutron/vars/main.yml
index 9790b5f..33e3436 100644
--- a/roles/neutron/vars/main.yml
+++ b/roles/neutron/vars/main.yml
@@ -113,3 +113,6 @@
delete_port: "(rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s or rule:network_owner) and http://neutron-server:9697/port-delete"
update_port:mac_address: "(rule:admin_only or rule:context_is_advsvc) and http://neutron-server:9697/port-update"
update_port:fixed_ips: "(rule:context_is_advsvc or rule:network_owner or rule:admin_only) and http://neutron-server:9697/port-update"
+ update_port:allowed_address_pairs: "(rule:admin_only or rule:network_owner) or (project_id:%(project_id)s and http://neutron-server:9697/address-pair )"
+ update_port:allowed_address_pairs:ip_address: "(rule:admin_only or rule:network_owner) or project_id:%(project_id)s"
+ update_port:allowed_address_pairs:mac_address: "(rule:admin_only or rule:network_owner) or project_id:%(project_id)s"
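Review bot: The new `update_port:allowed_address_pairs:mac_address` rule on the last added line lets any project member choose an arbitrary MAC for an address pair, while the external `/address-pair` check is attached only to the parent `update_port:allowed_address_pairs` rule and, per the release note, validates that the paired ports belong to the same project rather than the MAC itself. Upstream neutron's default for this sub-attribute stays admin-or-network-owner because a caller-chosen MAC loosens the port's anti-spoofing filtering; unless the policy server also vets the MAC, consider keeping it restrictive, `update_port:allowed_address_pairs:mac_address: "rule:admin_only or rule:network_owner"`, which still lets members add IP-only pairs. Separately, the first added line has a stray space before the closing parenthesis in `.../address-pair )`, which the other external-check rules in this file do not have. The added lines also appear indented one space deeper than the context lines, which may be a rendering artifact of the diff; verify the YAML indentation matches the enclosing mapping.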