Update policy for RBAC

Change-Id: I04a0260c6858ad365ab739d6c2b0bd51c5e2c63e
diff --git a/releasenotes/notes/update-2023.2-neutron-policy-to-fix-rbac-3fc26b2adbcbd588.yaml b/releasenotes/notes/update-2023.2-neutron-policy-to-fix-rbac-3fc26b2adbcbd588.yaml
new file mode 100644
index 0000000..98a5263
--- /dev/null
+++ b/releasenotes/notes/update-2023.2-neutron-policy-to-fix-rbac-3fc26b2adbcbd588.yaml
@@ -0,0 +1,8 @@
+---
+security:
+  - |
+    Update `update_port:fixed_ips` policy for neutron policy server
+    check to stay with RBAC rule.
+    This issue is not affect much on service security as policy `update_port:fixed_ips`
+    always comes next to `update_port`, but still we should honor
+    SRABC design to add role member check on.
diff --git a/roles/neutron/vars/main.yml b/roles/neutron/vars/main.yml
index 1d59c24..fe2cb56 100644
--- a/roles/neutron/vars/main.yml
+++ b/roles/neutron/vars/main.yml
@@ -112,4 +112,4 @@
     policy:
       delete_port: "(rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)) and http://neutron-server:9697/port-delete"
       update_port:mac_address: "(rule:admin_only or rule:context_is_advsvc) and http://neutron-server:9697/port-update"
-      update_port:fixed_ips: "(rule:context_is_advsvc or rule:network_owner or rule:admin_only) and http://neutron-server:9697/port-update"
+      update_port:fixed_ips: "(rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)) and http://neutron-server:9697/port-update"
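Review bot: The tightened `update_port:fixed_ips` rule on the last line of this hunk is only as strong as the overrides around it, which the hunk does not show. The release note relies on `update_port` always being evaluated first, so it is worth confirming that `update_port` itself carries the `role:member` check. Any other overridden rule in this file that still uses a bare `rule:network_owner` would presumably keep accepting a network-owner token that lacks the member role. I would also record the intent next to the key, for example `# SRBAC: network_owner must be paired with role:member; role checks run before the http:// policy-server check`. The `policy:` mapping starts and continues outside this hunk.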