[stable/zed] [PS-292] fix: update neutron policy rules (#1808)
This is an automated cherry-pick of #1796
/assign ricolin
diff --git a/roles/neutron/vars/main.yml b/roles/neutron/vars/main.yml
index 83cc213..fa2c97e 100644
--- a/roles/neutron/vars/main.yml
+++ b/roles/neutron/vars/main.yml
@@ -109,6 +109,6 @@
__neutron_policy_server_helm_values:
conf:
policy:
- delete_port: "((rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s) and http://neutron-server:9697/port-delete"
- update_port:mac_address: "((rule:admin_only) or (rule:service_api)) and http://neutron-server:9697/port-update"
- update_port:fixed_ips: "((rule:admin_only) or (rule:service_api) or role:member and rule:network_owner) and http://neutron-server:9697/port-update"
+ delete_port: "(rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s or rule:network_owner) and http://neutron-server:9697/port-delete"
+ update_port:mac_address: "(rule:admin_only or rule:context_is_advsvc) and http://neutron-server:9697/port-update"
+ update_port:fixed_ips: "(rule:context_is_advsvc or rule:network_owner or rule:admin_only) and http://neutron-server:9697/port-update"
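Review bot: The `rule:network_owner` branch in the new `delete_port` and `update_port:fixed_ips` rules is no longer paired with `role:member`, which the removed lines required (`role:member and rule:network_owner`). If `network_owner` is a plain tenant match on the network (its definition is not in this hunk), a principal holding only a read-only role in the network-owning project would now pass the local check for deleting ports and changing fixed IPs on that network. If the wider grant is intended, for example to match upstream defaults, record that in a comment above these keys; otherwise keep the gate as `role:member and rule:network_owner`. The `delete_port` expression also appears to rely on `and` binding tighter than `or`, so writing `(role:member and project_id:%(project_id)s)` would make the grouping explicit for the next reader.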