Merge "Allow port create/update by shared nw owners"

etc/policy.json

@@ -73,7 +73,8 @@
     "create_port": "",
     "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
     "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
     "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "create_port:binding:host_id": "rule:admin_only",
     "create_port:binding:profile": "rule:admin_only",
@@ -88,7 +89,8 @@
     "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
     "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
     "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
-    "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
     "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "update_port:binding:host_id": "rule:admin_only",
     "update_port:binding:profile": "rule:admin_only",

neutron/tests/etc/policy.json

@@ -73,7 +73,8 @@
     "create_port": "",
     "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
     "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
-    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
     "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "create_port:binding:host_id": "rule:admin_only",
     "create_port:binding:profile": "rule:admin_only",
@@ -88,7 +89,8 @@
     "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
     "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
     "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
-    "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
     "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "update_port:binding:host_id": "rule:admin_only",
     "update_port:binding:profile": "rule:admin_only",

releasenotes/notes/allow_port_create_update_shared_owners-2a57b1c72d91ace2.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Tenants who can access shared networks, can now create/update
+    ports on a specified subnet instead of the default subnet.
+    This is now the default behavior and can be changed by modifying
+    policy.json file.