4 files changed, 52 insertions, 9 deletions

diff --git a/doc/source/cli/command-objects/network-rbac.rst b/doc/source/cli/command-objects/network-rbac.rst
index c49f29bb..45fd354d 100644
--- a/doc/source/cli/command-objects/network-rbac.rst
+++ b/doc/source/cli/command-objects/network-rbac.rst
@@ -19,7 +19,8 @@ Create network RBAC policy
     openstack network rbac create
         --type <type>
         --action <action>
-        --target-project <target-project> [--target-project-domain <target-project-domain>]
+        [--target-project <target-project> | --target-all-projects]
+        [--target-project-domain <target-project-domain>]
         [--project <project> [--project-domain <project-domain>]]
         <rbac-policy>
 
@@ -33,7 +34,11 @@ Create network RBAC policy
 
 .. option:: --target-project <target-project>
 
-    The project to which the RBAC policy will be enforced (name or ID) (required)
+    The project to which the RBAC policy will be enforced (name or ID)
+
+.. option:: --target-all-projects
+
+    Allow creating RBAC policy for all projects.
 
 .. option:: --target-project-domain <target-project-domain>
 
diff --git a/openstackclient/network/v2/network_rbac.py b/openstackclient/network/v2/network_rbac.py
index 90754737..6cf82559 100644
--- a/openstackclient/network/v2/network_rbac.py
+++ b/openstackclient/network/v2/network_rbac.py
@@ -51,11 +51,14 @@ def _get_attrs(client_manager, parsed_args):
     attrs['object_id'] = object_id
 
     identity_client = client_manager.identity
-    project_id = identity_common.find_project(
-        identity_client,
-        parsed_args.target_project,
-        parsed_args.target_project_domain,
-    ).id
+    if parsed_args.target_project is not None:
+        project_id = identity_common.find_project(
+            identity_client,
+            parsed_args.target_project,
+            parsed_args.target_project_domain,
+        ).id
+    elif parsed_args.target_all_projects:
+        project_id = '*'
     attrs['target_tenant'] = project_id
     if parsed_args.project is not None:
         project_id = identity_common.find_project(
@@ -96,13 +99,19 @@ class CreateNetworkRBAC(command.ShowOne):
             help=_('Action for the RBAC policy '
                    '("access_as_external" or "access_as_shared")')
         )
-        parser.add_argument(
+        target_project_group = parser.add_mutually_exclusive_group(
+            required=True)
+        target_project_group.add_argument(
             '--target-project',
-            required=True,
             metavar="<target-project>",
             help=_('The project to which the RBAC policy '
                    'will be enforced (name or ID)')
         )
+        target_project_group.add_argument(
+            '--target-all-projects',
+            action='store_true',
+            help=_('Allow creating RBAC policy for all projects.')
+        )
         parser.add_argument(
             '--target-project-domain',
             metavar='<target-project-domain>',
diff --git a/openstackclient/tests/unit/network/v2/test_network_rbac.py b/openstackclient/tests/unit/network/v2/test_network_rbac.py
index 935ce075..70c38528 100644
--- a/openstackclient/tests/unit/network/v2/test_network_rbac.py
+++ b/openstackclient/tests/unit/network/v2/test_network_rbac.py
@@ -163,6 +163,30 @@ class TestCreateNetworkRBAC(TestNetworkRBAC):
         self.assertEqual(self.columns, columns)
         self.assertEqual(self.data, list(data))
 
+    def test_network_rbac_create_with_target_all_projects(self):
+        arglist = [
+            '--type', self.rbac_policy.object_type,
+            '--action', self.rbac_policy.action,
+            '--target-all-projects',
+            self.rbac_policy.object_id,
+        ]
+        verifylist = [
+            ('type', self.rbac_policy.object_type),
+            ('action', self.rbac_policy.action),
+            ('target_all_projects', True),
+            ('rbac_object', self.rbac_policy.object_id),
+        ]
+        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
+
+        columns, data = self.cmd.take_action(parsed_args)
+
+        self.network.create_rbac_policy.assert_called_with(**{
+            'object_id': self.rbac_policy.object_id,
+            'object_type': self.rbac_policy.object_type,
+            'action': self.rbac_policy.action,
+            'target_tenant': '*',
+        })
+
     def test_network_rbac_create_all_options(self):
         arglist = [
             '--type', self.rbac_policy.object_type,
diff --git a/releasenotes/notes/bug-1728525-2c40f0c19adbd0e8.yaml b/releasenotes/notes/bug-1728525-2c40f0c19adbd0e8.yaml
new file mode 100644
index 00000000..67264af1
--- /dev/null
+++ b/releasenotes/notes/bug-1728525-2c40f0c19adbd0e8.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Add ``target-all-projects`` option in ``rbac create`` command.
+    [Bug `1728525 <https://bugs.launchpad.net/python-openstackclient/+bug/1728525>`_]