From 515005c324872622eefec0e2e2adadd3ee4550ca Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Oct 18 2018 22:48:48 +0000
Subject: use is_admin_project
---
diff --git a/common/common.yaml b/common/common.yaml
index b3529ce..9a38aa8 100644
--- a/common/common.yaml
+++ b/common/common.yaml
@@ -1,14 +1,14 @@
 # COMMON
 # A global reader role, that is able to read things that don't have a project_id associated
-global_reader: "(role:global_reader)"
+global_reader: "(role:global_reader and is_admin_project:True)"
 # The specification for readers, who should only be able to read, never modify, data.
 # This rule incorporates other less strict reader specifications, so any reader
 reader: "((role:reader and project_id:%(project_id)s) or rule:global_reader)"
 # This is the default admin specification, able to control every part of the cloud without issue
-admin: "(is_admin:True or role:admin)"
+admin: "(is_admin:True or role:admin and (is_admin_project:True or project_id:%(project_id)s))"
 # This is a helper role specification for members, since some deployers use "member", and some use "_member_"
 _member_role: "(role:Member or role:member or role:_member_)"
@@ -29,7 +29,7 @@ owner: "(rule:_member_role and user_id:%(user_id)s)"
 # Decides what is required for the 'is_admin:True' check to succeed.
-"context_is_admin": "role:admin"
+"context_is_admin": "role:admin and (is_admin_project:True or project_id:%(project_id)s)"
 # END COMMON
diff --git a/services/neutron/policy.json b/services/neutron/policy.json
index e867e5a..b0b5601 100644
--- a/services/neutron/policy.json
+++ b/services/neutron/policy.json
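Review bot: The new `admin` rule relies on oslo.policy's precedence (`and` binds tighter than `or`) to read as `is_admin:True or (role:admin and (...))`; that grouping is invisible to a reader, and the neutron copy of the same rule in this commit already differs from it textually. Writing it as `admin: "(is_admin:True or (role:admin and (is_admin_project:True or project_id:%(project_id)s)))"` makes the intent explicit — project-scoped admin, plus cloud-wide admin only through the admin project — and keeps the two files easy to compare. The comment above `global_reader` still describes a plain role check; a short addition such as `# only honoured for tokens scoped to the admin project` would keep it accurate.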
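Review bot: `context_is_admin` now contains `project_id:%(project_id)s`, which compares the target's `project_id` with the caller's; this rule is evaluated by each service to set `is_admin` on the request context, and where a service passes the caller's own credentials as the target (neutron's admin-context check does this, as far as I recall — please confirm), the comparison is trivially true and the rule collapses to `role:admin`. Because `admin` in the first hunk accepts `is_admin:True` unconditionally, that would make any project-scoped admin cloud-wide admin and undo the scoping this commit introduces. If the intent is that only admin-project tokens get `is_admin`, the rule should be `"context_is_admin": "role:admin and is_admin_project:True"`, leaving project-scoped admin to the `project_id` branch of `admin`. At minimum the comment above it should state which target keys the rule assumes.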
@@ -1,9 +1,9 @@
 {
- "global_reader": "(role:global_reader)",
+ "global_reader": "(role:global_reader and is_admin_project:True )",
  "reader": "((role:reader and project_id:%(project_id)s) or rule:global_reader)",
- "_member_role": "(role:Member or role:member or role:_member_)",
+ "_member_role": "(role:Member or role:member or role:_member_ and project_id:%(project_id)s)",
  "member": "(rule:_member_role and project_id:%(project_id)s)",
- "admin": "(is_admin:True or role:admin)",
+ "admin": "(is_admin:True or role:admin and (is_admin_project:True or project_id:%(project_id)s)",
  "owner": "(rule:_member_role and user_id:%(user_id)s)",
  "context_is_advsvc": "role:advsvc",
  "network_owner": "(rule:_member_role and tenant_id:%(network:tenant_id)s)",
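Review bot: The new `admin` value is missing a closing parenthesis — it opens two groups and closes one (the `%(project_id)s` parentheses balance themselves), whereas the common.yaml version in this commit ends with `))`; it should read `"admin": "(is_admin:True or role:admin and (is_admin_project:True or project_id:%(project_id)s))",`. As far as I recall, oslo.policy logs a parse failure for such a string and substitutes a rule that never matches, so every `rule:admin` check in neutron would be denied rather than opened up, but the file should not ship either way. Separately, in `_member_role` the appended `and project_id:%(project_id)s` binds only to `role:_member_` because `and` has higher precedence than `or`, so `role:Member` and `role:member` are left unconstrained while `role:_member_` is not; common.yaml leaves `_member_role` unchanged in this commit, so this looks unintended and the clause should either be dropped or the grouping made explicit. The stray space in `is_admin_project:True )` in `global_reader` is harmless but inconsistent with the yaml version.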