Merge "[ATMOSPHERE-640] Allow cross network address pair" into main
diff --git a/images/neutron/Dockerfile b/images/neutron/Dockerfile
index 4d2a0cf..53bb7fb 100644
--- a/images/neutron/Dockerfile
+++ b/images/neutron/Dockerfile
@@ -1,5 +1,5 @@
# SPDX-License-Identifier: Apache-2.0
-# Atmosphere-Rebuild-Time: 2024-06-25T22:49:25Z
+# Atmosphere-Rebuild-Time: 2025-01-24T11:51:19Z
ARG REGISTRY
ARG RELEASE
@@ -14,7 +14,7 @@
ARG NETWORKING_BAREMETAL_GIT_REF=8b92ad81c0bdbfde60a6f0c47ff0133c08bb617e
ADD --keep-git-dir=true https://opendev.org/openstack/networking-baremetal.git#${NETWORKING_BAREMETAL_GIT_REF} /src/networking-baremetal
RUN git -C /src/networking-baremetal fetch --unshallow
-ARG POLICY_SERVER_GIT_REF=85f47edbcf66aaf3a289dc3ae76191adce91018f
+ARG POLICY_SERVER_GIT_REF=d87012b56741cb2ad44fa4dec9c5f24001ad60fe
ADD --keep-git-dir=true https://github.com/vexxhost/neutron-policy-server.git#${POLICY_SERVER_GIT_REF} /src/neutron-policy-server
RUN git -C /src/neutron-policy-server fetch --unshallow
ARG LOG_PASER_GIT_REF=9bc923c1294864ec709c538ba5c309065ef710d5
diff --git a/releasenotes/notes/add-neutron-policy-server-address-pair-193aa1434c376c10.yaml b/releasenotes/notes/add-neutron-policy-server-address-pair-193aa1434c376c10.yaml
new file mode 100644
index 0000000..e606b10
--- /dev/null
+++ b/releasenotes/notes/add-neutron-policy-server-address-pair-193aa1434c376c10.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Add support for Neutron policy check when perform port update with
+ add address pairs. This will add a POST method ``/address-pair``.
+ It will check if both ports (to be paired) are created within same project.
+ With this check, we can give non-admin user to operate address pair binding
+ without risk on expose resource to other projects.
diff --git a/roles/neutron/vars/main.yml b/roles/neutron/vars/main.yml
index c5dd507..4388610 100644
--- a/roles/neutron/vars/main.yml
+++ b/roles/neutron/vars/main.yml
@@ -125,3 +125,6 @@
delete_port: "((rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s) and http://neutron-server:9697/port-delete"
update_port:mac_address: "((rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s) and http://neutron-server:9697/port-update"
update_port:fixed_ips: "((rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner) and http://neutron-server:9697/port-update"
+ update_port:allowed_address_pairs: "((rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s) or (role:member and project_id:%(project_id)s and http://neutron-server:9697/address-pair )"
+ update_port:allowed_address_pairs:ip_address: "((rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s) or (role:member and project_id:%(project_id)s)"
+ update_port:allowed_address_pairs:mac_address: "((rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s) or (role:member and project_id:%(project_id)s)"
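Review bot: The three new `update_port:allowed_address_pairs*` rules drop the `(rule:service_api)` alternative that every sibling rule in the surrounding context (`delete_port`, `update_port:mac_address`, `update_port:fixed_ips`) carries, so a service user calling as itself rather than as a project member would be denied where the neighbouring port operations admit it; if that is intentional it deserves a comment, otherwise the first alternative group should read `((rule:admin_only) or (rule:service_api) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s)`. The `role:member and rule:network_owner` and `role:manager` branches are grouped before the `or` that introduces the `http://neutron-server:9697/address-pair` check, so only the plain-member path is subject to the policy server's same-project verification described in the release note; this looks deliberate since it mirrors the upstream network-owner exemption, but the note should state that the cross-project check applies to members who are not network owners. The first rule also has a stray space before the closing parenthesis, `/address-pair )`, which oslo.policy tolerates because it tokenizes on whitespace but which differs from the `port-update"` style on the adjacent lines; `/address-pair)"` keeps the file uniform.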