Convert policy.json into policy-in-code
This commit converts the existing neutron-dynamic-routing policy.json into policy-in-code. Partially Implements: blueprint neutron-policy-in-code Change-Id: I4f99739ca8b979ddf69c52c3f1b36e320326db8d
This commit is contained in:
parent
2b9bb078f5
commit
1241f9b603
@ -42,10 +42,6 @@ function configure_dr_agent_scheduler_driver {
|
||||
|
||||
function dr_install {
|
||||
setup_develop $NEUTRON_DYNAMIC_ROUTING_DIR
|
||||
if is_service_enabled q-dr neutron-dr && is_service_enabled q-svc neutron-api; then
|
||||
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d
|
||||
cp -v $NEUTRON_DYNAMIC_ROUTING_DIR/etc/neutron/policy.d/dynamic_routing.conf $NEUTRON_CONF_DIR/policy.d
|
||||
fi
|
||||
}
|
||||
|
||||
#############################
|
||||
|
@ -1,22 +0,0 @@
|
||||
{
|
||||
"get_bgp_speaker": "rule:admin_only",
|
||||
"create_bgp_speaker": "rule:admin_only",
|
||||
"update_bgp_speaker": "rule:admin_only",
|
||||
"delete_bgp_speaker": "rule:admin_only",
|
||||
|
||||
"get_bgp_peer": "rule:admin_only",
|
||||
"create_bgp_peer": "rule:admin_only",
|
||||
"update_bgp_peer": "rule:admin_only",
|
||||
"delete_bgp_peer": "rule:admin_only",
|
||||
"add_bgp_peer": "rule:admin_only",
|
||||
"remove_bgp_peer": "rule:admin_only",
|
||||
|
||||
"add_gateway_network": "rule:admin_only",
|
||||
"remove_gateway_network": "rule:admin_only",
|
||||
"get_advertised_routes":"rule:admin_only",
|
||||
|
||||
"add_bgp_speaker_to_dragent": "rule:admin_only",
|
||||
"remove_bgp_speaker_from_dragent": "rule:admin_only",
|
||||
"list_bgp_speaker_on_dragent": "rule:admin_only",
|
||||
"list_dragent_hosting_bgp_speaker": "rule:admin_only"
|
||||
}
|
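--- a/etc/oslo-policy-generator/policy.conf
+++ b/etc/oslo-policy-generator/policy.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/policy.yaml.sample
+namespace = neutron-dynamic-routing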
25
neutron_dynamic_routing/policies/__init__.py
Normal file
25
neutron_dynamic_routing/policies/__init__.py
Normal file
@ -0,0 +1,25 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import itertools
|
||||
|
||||
from neutron_dynamic_routing.policies import bgp_dragent
|
||||
from neutron_dynamic_routing.policies import bgp_peer
|
||||
from neutron_dynamic_routing.policies import bgp_speaker
|
||||
|
||||
|
||||
def list_rules():
|
||||
return itertools.chain(
|
||||
bgp_speaker.list_rules(),
|
||||
bgp_peer.list_rules(),
|
||||
bgp_dragent.list_rules(),
|
||||
)
|
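Review bot: `list_rules` at the end of the hunk returns the `itertools.chain` object itself, which is a single-use iterator: a caller that walks it twice (for example once to build the sample file and once to register defaults) gets nothing on the second pass. Neutron's own `list_rules` presumably hands back the same kind of object, so the consumers registered in setup.cfg are likely fine with it, but the contract should be written down: `"""Return an iterable over all policy rules of this plugin; the result is a one-shot iterator."""`. If double iteration ever becomes a need, `return list(itertools.chain(...))` costs nothing for this handful of rules.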
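--- a/neutron_dynamic_routing/policies/base.py
+++ b/neutron_dynamic_routing/policies/base.py
@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# TODO(amotoki): Define these in neutron or neutron-lib
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_ONLY = 'rule:admin_only'
+RULE_ANY = 'rule:regular_user'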
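Review bot: The three constants are string references to rules (`admin_or_owner`, `admin_only`, `regular_user`) that this package never defines; they resolve only when neutron's base policies are loaded into the same enforcer, and oslo.policy treats a reference to an undefined rule as a failed check, so a consumer loading only the `neutron-dynamic-routing` namespace should see every check deny rather than grant. The TODO on the preceding line hints at this, but a comment should say it outright: `# References to rules defined by neutron's base policies; nothing here defines them.`. Only `RULE_ADMIN_ONLY` is used by the three rule modules in this commit, so `RULE_ADMIN_OR_OWNER` and `RULE_ANY` are dead constants for now, and the name `RULE_ANY` for `regular_user` mirrors neutron's naming but reads broader than what it grants.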
67
neutron_dynamic_routing/policies/bgp_dragent.py
Normal file
67
neutron_dynamic_routing/policies/bgp_dragent.py
Normal file
@ -0,0 +1,67 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from neutron_dynamic_routing.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
'add_bgp_speaker_to_dragent',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Add a BGP speaker to a dynamic routing agent',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/agents/{agent_id}/bgp-drinstances',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'remove_bgp_speaker_from_dragent',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Remove a BGP speaker from a dynamic routing agent',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/agents/{agent_id}/bgp-drinstances/{bgp_speaker_id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'list_bgp_speaker_on_dragent',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'List BGP speakers hosted by a dynamic routing agent',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/agents/{agent_id}/bgp-drinstances',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'list_dragent_hosting_bgp_speaker',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'List dynamic routing agents hosting a BGP speaker',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/bgp-speakers/{bgp_speaker_id}/bgp-dragents',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
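Review bot: `list_rules` at the end of the hunk returns the module-level `rules` list itself rather than a copy, so a caller that appends to or filters the returned value in place changes what every later caller receives; bgp_peer.py and bgp_speaker.py in this commit have the same shape. Returning a tuple, or at least a docstring fixing the contract, would pin it down: `"""Return the policy rules for BGP dynamic-routing agent operations (do not modify)."""`. A one-line comment above `rules` noting that every entry defaults to admin-only would also save the next reader from scanning all four definitions to confirm it.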
71
neutron_dynamic_routing/policies/bgp_peer.py
Normal file
71
neutron_dynamic_routing/policies/bgp_peer.py
Normal file
@ -0,0 +1,71 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from neutron_dynamic_routing.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_bgp_peer',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a BGP peer',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/bgp-peers',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_bgp_peer',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update a BGP peer',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/bgp-peers/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_bgp_peer',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete a BGP peer',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/bgp-peers/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_bgp_peer',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Get BGP peers',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/bgp-peers',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/bgp-peers/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
127
neutron_dynamic_routing/policies/bgp_speaker.py
Normal file
127
neutron_dynamic_routing/policies/bgp_speaker.py
Normal file
@ -0,0 +1,127 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from neutron_dynamic_routing.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_bgp_speaker',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a BGP speaker',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/bgp-speakers',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_bgp_speaker',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update a BGP speaker',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/bgp-speakers/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_bgp_speaker',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete a BGP speaker',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/bgp-speakers/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_bgp_speaker',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Get BGP speakers',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/bgp-speakers',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/bgp-speakers/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'add_bgp_peer',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Add a BGP peer to a BGP speaker',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/bgp-speakers/{id}/add_bgp_peer',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'remove_bgp_peer',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Remove a BGP peer from a BGP speaker',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/bgp-speakers/{id}/remove_bgp_peer',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'add_gateway_network',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Add a gateway network to a BGP speaker',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/bgp-speakers/{id}/add_gateway_network',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'remove_gateway_network',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Remove a gateway network from a BGP speaker',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/bgp-speakers/{id}/remove_gateway_network',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_advertised_routes',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Get advertised routes of a BGP speaker',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/bgp-speakers/{id}/get_advertised_routes',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
@ -21,9 +21,6 @@ classifier =
|
||||
[files]
|
||||
packages =
|
||||
neutron_dynamic_routing
|
||||
data_files =
|
||||
etc/neutron/policy.d =
|
||||
etc/neutron/policy.d/dynamic_routing.conf
|
||||
|
||||
[global]
|
||||
setup-hooks =
|
||||
@ -36,6 +33,10 @@ neutron.db.alembic_migrations =
|
||||
neutron-dynamic-routing = neutron_dynamic_routing.db.migration:alembic_migrations
|
||||
oslo.config.opts =
|
||||
bgp.agent = neutron_dynamic_routing.services.bgp.common.opts:list_bgp_agent_opts
|
||||
oslo.policy.policies =
|
||||
neutron-dynamic-routing = neutron_dynamic_routing.policies:list_rules
|
||||
neutron.policies =
|
||||
neutron-dynamic-routing = neutron_dynamic_routing.policies:list_rules
|
||||
tempest.test_plugins =
|
||||
neutron_dynamic_routing = neutron_dynamic_routing.tests.tempest.plugin:NeutronDynamicRoutingTempestPlugin
|
||||
neutron.service_plugins =
|
||||
|
4
tox.ini
4
tox.ini
@ -64,6 +64,7 @@ commands =
|
||||
flake8
|
||||
neutron-db-manage --subproject neutron-dynamic-routing --database-connection sqlite:// check_migration
|
||||
{[testenv:genconfig]commands}
|
||||
{[testenv:genpolicy]commands}
|
||||
|
||||
[testenv:cover]
|
||||
basepython = python3
|
||||
@ -117,6 +118,9 @@ local-check-factory = neutron_lib.hacking.checks.factory
|
||||
[testenv:genconfig]
|
||||
commands = {toxinidir}/tools/generate_config_file_samples.sh
|
||||
|
||||
[testenv:genpolicy]
|
||||
commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
|
||||
|
||||
[testenv:lower-constraints]
|
||||
basepython = python3
|
||||
deps =
|
||||
|