Merge "Allow service role more RBAC access for Octavia" into stable/2025.1

Zuul · openstack-gerrit · commit d2b4404bc4fb · 2026-06-05T18:35:44.000Z
diff --git a/neutron/conf/policies/network_ip_availability.py b/neutron/conf/policies/network_ip_availability.py
@@ -24,7 +24,7 @@
 rules = [
     policy.DocumentedRuleDefault(
         name='get_network_ip_availability',
-        check_str=base.ADMIN,
+        check_str=base.ADMIN_OR_SERVICE,
         scope_types=['project'],
         description='Get network IP availability',
         operations=[
diff --git a/neutron/conf/policies/port.py b/neutron/conf/policies/port.py
@@ -258,7 +258,8 @@
         name='create_port:allowed_address_pairs',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Specify ``allowed_address_pairs`` '
@@ -275,7 +276,8 @@
         name='create_port:allowed_address_pairs:mac_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Specify ``mac_address` of `allowed_address_pairs`` '
@@ -292,7 +294,8 @@
         name='create_port:allowed_address_pairs:ip_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Specify ``ip_address`` of ``allowed_address_pairs`` '
@@ -650,7 +653,8 @@
         name='update_port:allowed_address_pairs',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description='Update ``allowed_address_pairs`` attribute of a port',
         operations=ACTION_PUT,
@@ -664,7 +668,8 @@
         name='update_port:allowed_address_pairs:mac_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Update ``mac_address`` of ``allowed_address_pairs`` '
@@ -681,7 +686,8 @@
         name='update_port:allowed_address_pairs:ip_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Update ``ip_address`` of ``allowed_address_pairs`` '
diff --git a/neutron/conf/policies/subnet.py b/neutron/conf/policies/subnet.py
@@ -126,6 +126,7 @@
             'rule:shared',
             'rule:external_network',
             base.ADMIN_OR_NET_OWNER_READER,
+            base.SERVICE,
         ),
         scope_types=['project'],
         description='Get a subnet',
diff --git a/neutron/tests/unit/conf/policies/test_network_ip_availability.py b/neutron/tests/unit/conf/policies/test_network_ip_availability.py
@@ -99,7 +99,7 @@ def setUp(self):
         self.context = self.service_ctx
 
     def test_get_network_ip_availability(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'get_network_ip_availability', self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'get_network_ip_availability',
+                self.target))
diff --git a/neutron/tests/unit/conf/policies/test_port.py b/neutron/tests/unit/conf/policies/test_port.py
@@ -1811,25 +1811,22 @@ def test_create_port_with_binding_vnic_type(self):
                            'create_port:binding:vnic_type', self.target))
 
     def test_create_port_with_allowed_address_pairs(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'create_port:allowed_address_pairs',
-            self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'create_port:allowed_address_pairs',
+                self.target))
 
     def test_create_port_with_allowed_address_pairs_and_mac_address(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'create_port:allowed_address_pairs:mac_address',
-            self.alt_target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'create_port:allowed_address_pairs:mac_address',
+                self.alt_target))
 
     def test_create_port_with_allowed_address_pairs_and_ip_address(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'create_port:allowed_address_pairs:ip_address',
-            self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'create_port:allowed_address_pairs:ip_address',
+                self.target))
 
     def test_create_port_tags(self):
         self.assertRaises(
@@ -1927,25 +1924,22 @@ def test_update_port_with_binding_vnic_type(self):
                 self.context, 'update_port:binding:vnic_type', self.target))
 
     def test_update_port_with_allowed_address_pairs(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'update_port:allowed_address_pairs',
-            self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'update_port:allowed_address_pairs',
+                self.target))
 
     def test_update_port_with_allowed_address_pairs_and_mac_address(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'update_port:allowed_address_pairs:mac_address',
-            self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'update_port:allowed_address_pairs:mac_address',
+                self.target))
 
     def test_update_port_with_allowed_address_pairs_and_ip_address(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'update_port:allowed_address_pairs:ip_address',
-            self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'update_port:allowed_address_pairs:ip_address',
+                self.target))
 
     def test_update_port_data_plane_status(self):
         self.assertRaises(
diff --git a/neutron/tests/unit/conf/policies/test_subnet.py b/neutron/tests/unit/conf/policies/test_subnet.py
@@ -927,10 +927,8 @@ def test_create_subnet_tags(self):
             self.context, 'create_subnet:tags', self.target)
 
     def test_get_subnet(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'get_subnet', self.target)
+        self.assertTrue(
+            policy.enforce(self.context, 'get_subnet', self.target))
 
     def test_get_subnet_segment_id(self):
         self.assertRaises(
diff --git a/releasenotes/notes/octavia-service-role-b8ee74e5cb52ea30.yaml b/releasenotes/notes/octavia-service-role-b8ee74e5cb52ea30.yaml
@@ -0,0 +1,33 @@
+---
+features:
+  - |
+    Updated RBAC rules so that they allow the ``service`` role to pass the
+    following policies by default:
+
+    - ``get_subnet``
+
+    - ``get_network_ip_availability``
+
+    - ``create_port:allowed_address_pairs``
+
+    - ``create_port:allowed_address_pairs:mac_address``
+
+    - ``create_port:allowed_address_pairs:ip_address``
+
+    - ``update_port:allowed_address_pairs``
+
+    - ``update_port:allowed_address_pairs:mac_address``
+
+    - ``update_port:allowed_address_pairs:ip_address``
+
+    This allows for integration with the Octavia project using the
+    ``service`` role instead of the ``admin`` role for integration
+    with Neutron.
+upgrade:
+  - |
+    Default RBAC policies for ``get_subnet``, ``get_network_ip_availability``,
+    ``create_port:allowed_address_pairs``, ``create_port:allowed_address_pairs:mac_address``,
+    ``create_port:allowed_address_pairs:ip_address``, ``update_port:allowed_address_pairs``,
+    ``update_port:allowed_address_pairs:mac_address`` and
+    ``update_port:allowed_address_pairs:ip_address`` have been updated to allow the
+    ``service`` role.
