Merge "Allow service role to create/update port device_id" into stable/2025.1

Zuul · openstack-gerrit · commit 827124df9b50 · 2026-06-05T10:20:42.000Z
diff --git a/neutron/conf/policies/port.py b/neutron/conf/policies/port.py
@@ -81,6 +81,20 @@
             deprecated_reason=DEPRECATED_REASON,
             deprecated_since=versionutils.deprecated.WALLABY)
     ),
+    policy.DocumentedRuleDefault(
+        name='create_port:device_id',
+        check_str=neutron_policy.policy_or(
+            base.ADMIN_OR_PROJECT_MEMBER,
+            base.SERVICE),
+        scope_types=['project'],
+        description='Specify ``device_id`` attribute when creating a port',
+        operations=ACTION_POST,
+        deprecated_rule=policy.DeprecatedRule(
+            name='create_port:device_id',
+            check_str=neutron_policy.RULE_ANY,
+            deprecated_reason=DEPRECATED_REASON,
+            deprecated_since=versionutils.deprecated.WALLABY)
+    ),
     policy.DocumentedRuleDefault(
         name='create_port:device_owner',
         check_str=neutron_policy.policy_or(
@@ -460,6 +474,20 @@
             deprecated_reason=DEPRECATED_REASON,
             deprecated_since=versionutils.deprecated.WALLABY)
     ),
+    policy.DocumentedRuleDefault(
+        name='update_port:device_id',
+        check_str=neutron_policy.policy_or(
+            base.ADMIN_OR_PROJECT_MEMBER,
+            base.SERVICE),
+        scope_types=['project'],
+        description='Update ``device_id`` attribute of a port',
+        operations=ACTION_PUT,
+        deprecated_rule=policy.DeprecatedRule(
+            name='update_port:device_id',
+            check_str=neutron_policy.RULE_ANY,
+            deprecated_reason=DEPRECATED_REASON,
+            deprecated_since=versionutils.deprecated.WALLABY)
+    ),
     policy.DocumentedRuleDefault(
         name='update_port:device_owner',
         check_str=neutron_policy.policy_or(
diff --git a/neutron/tests/unit/conf/policies/test_port.py b/neutron/tests/unit/conf/policies/test_port.py
@@ -75,6 +75,16 @@ def test_create_port(self):
             base_policy.InvalidScope,
             policy.enforce, self.context, 'create_port', self.alt_target)
 
+    def test_create_port_with_device_id(self):
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce, self.context, 'create_port:device_id',
+            self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce, self.context, 'create_port:device_id',
+            self.alt_target)
+
     def test_create_port_with_device_owner(self):
         self.assertRaises(
             base_policy.InvalidScope,
@@ -283,6 +293,16 @@ def test_update_port(self):
             base_policy.InvalidScope,
             policy.enforce, self.context, 'update_port', self.alt_target)
 
+    def test_update_port_with_device_id(self):
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce, self.context, 'update_port:device_id',
+            self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce, self.context, 'update_port:device_id',
+            self.alt_target)
+
     def test_update_port_with_device_owner(self):
         self.assertRaises(
             base_policy.InvalidScope,
@@ -454,6 +474,14 @@ def test_create_port(self):
         self.assertTrue(
             policy.enforce(self.context, 'create_port', self.alt_target))
 
+    def test_create_port_with_device_id(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'create_port:device_id',
+                           self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'create_port:device_id',
+                           self.alt_target))
+
     def test_create_port_with_device_owner(self):
         target = self.target.copy()
         target['device_owner'] = 'network:test'
@@ -663,6 +691,14 @@ def test_update_port(self):
         self.assertTrue(
             policy.enforce(self.context, 'update_port', self.alt_target))
 
+    def test_update_port_with_device_id(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'update_port:device_id',
+                           self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'update_port:device_id',
+                           self.alt_target))
+
     def test_update_port_with_device_owner(self):
         target = self.target.copy()
         target['device_owner'] = 'network:test'
@@ -822,6 +858,15 @@ def test_create_port(self):
             base_policy.PolicyNotAuthorized,
             policy.enforce, self.context, 'create_port', self.alt_target)
 
+    def test_create_port_with_device_id(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'create_port:device_id',
+                           self.target))
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'create_port:device_id',
+            self.alt_target)
+
     def test_create_port_with_device_owner(self):
         target = self.target.copy()
         target['device_owner'] = 'network:test'
@@ -1062,6 +1107,14 @@ def test_update_port(self):
             base_policy.PolicyNotAuthorized,
             policy.enforce, self.context, 'update_port', self.alt_target)
 
+    def test_update_port_with_device_id(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'update_port:device_id', self.target))
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'update_port:device_id',
+            self.alt_target)
+
     def test_update_port_with_device_owner(self):
         target = self.target.copy()
         target['device_owner'] = 'network:test'
@@ -1438,6 +1491,16 @@ def test_create_port_with_device_owner(self):
             policy.enforce, self.context, 'create_port:device_owner',
             alt_target)
 
+    def test_create_port_with_device_id(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'create_port:device_id',
+            self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'create_port:device_id',
+            self.alt_target)
+
     def test_create_port_with_mac_address(self):
         self.assertRaises(
             base_policy.PolicyNotAuthorized,
@@ -1646,6 +1709,16 @@ def test_update_port_with_fixed_ips_and_subnet_id(self):
             self.context, 'update_port:fixed_ips:subnet_id',
             self.alt_target)
 
+    def test_update_port_with_device_id(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'update_port:device_id',
+            self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'update_port:device_id',
+            self.alt_target)
+
     def test_update_port_with_binding_vnic_type(self):
         self.assertRaises(
             base_policy.PolicyNotAuthorized,
@@ -1683,6 +1756,14 @@ def test_create_port(self):
         self.assertTrue(
             policy.enforce(self.context, 'create_port', self.target))
 
+    def test_create_port_with_device_id(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'create_port:device_id',
+                           self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'create_port:device_id',
+                           self.alt_target))
+
     def test_create_port_with_device_owner(self):
         self.assertTrue(
             policy.enforce(
@@ -1791,6 +1872,14 @@ def test_update_port(self):
         self.assertTrue(
             policy.enforce(self.context, 'update_port', self.target))
 
+    def test_update_port_with_device_id(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'update_port:device_id',
+                           self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'update_port:device_id',
+                           self.alt_target))
+
     def test_update_port_with_device_owner(self):
         self.assertTrue(
             policy.enforce(
diff --git a/releasenotes/notes/service-role-port-device-id-61eb7b781b3b01ca.yaml b/releasenotes/notes/service-role-port-device-id-61eb7b781b3b01ca.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Added ``service`` role to the ``create_port:device_id`` and
+    ``update_port:device_id`` policies to allow service users
+    for other OpenStack projects to complete Secure RBAC.
