From 1241f9b60337c46f9fa5890285ab315c20bf6b48 Mon Sep 17 00:00:00 2001 From: Akihiro Motoki Date: Sun, 16 Dec 2018 21:32:14 +0900 Subject: [PATCH] Convert policy.json into policy-in-code This commit converts the existing neutron-dynamic-routing policy.json into policy-in-code. Partially Implements: blueprint neutron-policy-in-code Change-Id: I4f99739ca8b979ddf69c52c3f1b36e320326db8d --- devstack/lib/dr | 4 - etc/neutron/policy.d/dynamic_routing.conf | 22 --- etc/oslo-policy-generator/policy.conf | 3 + neutron_dynamic_routing/policies/__init__.py | 25 ++++ neutron_dynamic_routing/policies/base.py | 17 +++ .../policies/bgp_dragent.py | 67 +++++++++ neutron_dynamic_routing/policies/bgp_peer.py | 71 ++++++++++ .../policies/bgp_speaker.py | 127 ++++++++++++++++++ setup.cfg | 7 +- tox.ini | 4 + 10 files changed, 318 insertions(+), 29 deletions(-) delete mode 100644 etc/neutron/policy.d/dynamic_routing.conf create mode 100644 etc/oslo-policy-generator/policy.conf create mode 100644 neutron_dynamic_routing/policies/__init__.py create mode 100644 neutron_dynamic_routing/policies/base.py create mode 100644 neutron_dynamic_routing/policies/bgp_dragent.py create mode 100644 neutron_dynamic_routing/policies/bgp_peer.py create mode 100644 neutron_dynamic_routing/policies/bgp_speaker.py diff --git a/devstack/lib/dr b/devstack/lib/dr index 1f1dcac2..7edb87b4 100644 --- a/devstack/lib/dr +++ b/devstack/lib/dr @@ -42,10 +42,6 @@ function configure_dr_agent_scheduler_driver { function dr_install { setup_develop $NEUTRON_DYNAMIC_ROUTING_DIR - if is_service_enabled q-dr neutron-dr && is_service_enabled q-svc neutron-api; then - sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d - cp -v $NEUTRON_DYNAMIC_ROUTING_DIR/etc/neutron/policy.d/dynamic_routing.conf $NEUTRON_CONF_DIR/policy.d - fi } ############################# diff --git a/etc/neutron/policy.d/dynamic_routing.conf b/etc/neutron/policy.d/dynamic_routing.conf deleted file mode 100644 index 812beb2c..00000000 
--- a/etc/neutron/policy.d/dynamic_routing.conf +++ /dev/null @@ -1,22 +0,0 @@ -{ - "get_bgp_speaker": "rule:admin_only", - "create_bgp_speaker": "rule:admin_only", - "update_bgp_speaker": "rule:admin_only", - "delete_bgp_speaker": "rule:admin_only", - - "get_bgp_peer": "rule:admin_only", - "create_bgp_peer": "rule:admin_only", - "update_bgp_peer": "rule:admin_only", - "delete_bgp_peer": "rule:admin_only", - "add_bgp_peer": "rule:admin_only", - "remove_bgp_peer": "rule:admin_only", - - "add_gateway_network": "rule:admin_only", - "remove_gateway_network": "rule:admin_only", - "get_advertised_routes":"rule:admin_only", - - "add_bgp_speaker_to_dragent": "rule:admin_only", - "remove_bgp_speaker_from_dragent": "rule:admin_only", - "list_bgp_speaker_on_dragent": "rule:admin_only", - "list_dragent_hosting_bgp_speaker": "rule:admin_only" -} diff --git a/etc/oslo-policy-generator/policy.conf b/etc/oslo-policy-generator/policy.conf new file mode 100644 index 00000000..59cbe6d5 --- /dev/null +++ b/etc/oslo-policy-generator/policy.conf @@ -0,0 +1,3 @@ +[DEFAULT] +output_file = etc/policy.yaml.sample +namespace = neutron-dynamic-routing diff --git a/neutron_dynamic_routing/policies/__init__.py b/neutron_dynamic_routing/policies/__init__.py new file mode 100644 index 00000000..4a92b75e --- /dev/null +++ b/neutron_dynamic_routing/policies/__init__.py 
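Review bot: The generator config lists only the `neutron-dynamic-routing` namespace, so the sample written to `etc/policy.yaml.sample` will say `"add_bgp_peer": "rule:admin_only"` and so on without ever defining `admin_only`; that rule is registered by neutron's own base policies, which nothing in this file pulls in. An operator who copies the sample into a standalone policy.yaml gets a reference to an unregistered rule, which oslo.policy, as far as I recall, evaluates as a deny — fail-closed, but confusing to debug. A comment such as `# admin_only/admin_or_owner/regular_user are defined by neutron's base policy; this sample covers only this plugin's rules and must be merged with neutron's` would make that explicit, or, if the generator accepts repeated `namespace` options, a second `namespace = neutron` line would make the sample self-contained.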
@@ -0,0 +1,25 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import itertools + +from neutron_dynamic_routing.policies import bgp_dragent +from neutron_dynamic_routing.policies import bgp_peer +from neutron_dynamic_routing.policies import bgp_speaker + + +def list_rules(): + return itertools.chain( + bgp_speaker.list_rules(), + bgp_peer.list_rules(), + bgp_dragent.list_rules(), + ) diff --git a/neutron_dynamic_routing/policies/base.py b/neutron_dynamic_routing/policies/base.py new file mode 100644 index 00000000..463ec829 --- /dev/null +++ b/neutron_dynamic_routing/policies/base.py @@ -0,0 +1,17 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +# TODO(amotoki): Define these in neutron or neutron-lib +RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' +RULE_ADMIN_ONLY = 'rule:admin_only' +RULE_ANY = 'rule:regular_user' diff --git a/neutron_dynamic_routing/policies/bgp_dragent.py b/neutron_dynamic_routing/policies/bgp_dragent.py new file mode 100644 index 00000000..06217e62 
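Review bot: `RULE_ADMIN_OR_OWNER` and `RULE_ANY` are defined in base.py but no rule in this patch references them, and all three strings name rules (`admin_only`, `admin_or_owner`, `regular_user`) that this package never registers — they resolve only because neutron's base policies are loaded alongside at enforcement time. A one-line comment above the constants would save the next reader a lookup: `# Aliases for rules registered by neutron's base policy; oslo.policy treats a reference to an unregistered rule as a deny.` The name `RULE_ANY` for `rule:regular_user` follows neutron's convention but reads as "no check" to someone outside that convention, so a word on that in the same comment would help.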
--- /dev/null +++ b/neutron_dynamic_routing/policies/bgp_dragent.py @@ -0,0 +1,67 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from neutron_dynamic_routing.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'add_bgp_speaker_to_dragent', + base.RULE_ADMIN_ONLY, + 'Add a BGP speaker to a dynamic routing agent', + [ + { + 'method': 'POST', + 'path': '/agents/{agent_id}/bgp-drinstances', + }, + ] + ), + policy.DocumentedRuleDefault( + 'remove_bgp_speaker_from_dragent', + base.RULE_ADMIN_ONLY, + 'Remove a BGP speaker from a dynamic routing agent', + [ + { + 'method': 'DELETE', + 'path': '/agents/{agent_id}/bgp-drinstances/{bgp_speaker_id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'list_bgp_speaker_on_dragent', + base.RULE_ADMIN_ONLY, + 'List BGP speakers hosted by a dynamic routing agent', + [ + { + 'method': 'GET', + 'path': '/agents/{agent_id}/bgp-drinstances', + }, + ] + ), + policy.DocumentedRuleDefault( + 'list_dragent_hosting_bgp_speaker', + base.RULE_ADMIN_ONLY, + 'List dynamic routing agents hosting a BGP speaker', + [ + { + 'method': 'GET', + 'path': '/bgp-speakers/{bgp_speaker_id}/bgp-dragents', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/neutron_dynamic_routing/policies/bgp_peer.py b/neutron_dynamic_routing/policies/bgp_peer.py new file mode 100644 index 00000000..51dad29f --- /dev/null +++ b/neutron_dynamic_routing/policies/bgp_peer.py 
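Review bot: The module records each rule's HTTP mapping but says nothing about where these defaults come from or how they are meant to be changed; since the commit deletes `etc/neutron/policy.d/dynamic_routing.conf`, these `DocumentedRuleDefault` objects are now the only place the admin-only defaults live. A module docstring such as `"""Default policies for BGP speaker / dynamic-routing-agent scheduling. All four operations default to admin-only, matching the former policy.d file; operators override them through policy.yaml rather than by editing this module."""` would make that explicit. The same applies to bgp_peer.py and bgp_speaker.py, which share the structure.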
@@ -0,0 +1,71 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from neutron_dynamic_routing.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'create_bgp_peer', + base.RULE_ADMIN_ONLY, + 'Create a BGP peer', + [ + { + 'method': 'POST', + 'path': '/bgp-peers', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_bgp_peer', + base.RULE_ADMIN_ONLY, + 'Update a BGP peer', + [ + { + 'method': 'PUT', + 'path': '/bgp-peers/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'delete_bgp_peer', + base.RULE_ADMIN_ONLY, + 'Delete a BGP peer', + [ + { + 'method': 'DELETE', + 'path': '/bgp-peers/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'get_bgp_peer', + base.RULE_ADMIN_ONLY, + 'Get BGP peers', + [ + { + 'method': 'GET', + 'path': '/bgp-peers', + }, + { + 'method': 'GET', + 'path': '/bgp-peers/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/neutron_dynamic_routing/policies/bgp_speaker.py b/neutron_dynamic_routing/policies/bgp_speaker.py new file mode 100644 index 00000000..cc72468e --- /dev/null +++ b/neutron_dynamic_routing/policies/bgp_speaker.py 
@@ -0,0 +1,127 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from neutron_dynamic_routing.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'create_bgp_speaker', + base.RULE_ADMIN_ONLY, + 'Create a BGP speaker', + [ + { + 'method': 'POST', + 'path': '/bgp-speakers', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_bgp_speaker', + base.RULE_ADMIN_ONLY, + 'Update a BGP speaker', + [ + { + 'method': 'PUT', + 'path': '/bgp-speakers/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'delete_bgp_speaker', + base.RULE_ADMIN_ONLY, + 'Delete a BGP speaker', + [ + { + 'method': 'DELETE', + 'path': '/bgp-speakers/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'get_bgp_speaker', + base.RULE_ADMIN_ONLY, + 'Get BGP speakers', + [ + { + 'method': 'GET', + 'path': '/bgp-speakers', + }, + { + 'method': 'GET', + 'path': '/bgp-speakers/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'add_bgp_peer', + base.RULE_ADMIN_ONLY, + 'Add a BGP peer to a BGP speaker', + [ + { + 'method': 'PUT', + 'path': '/bgp-speakers/{id}/add_bgp_peer', + }, + ] + ), + policy.DocumentedRuleDefault( + 'remove_bgp_peer', + base.RULE_ADMIN_ONLY, + 'Remove a BGP peer from a BGP speaker', + [ + { + 'method': 'PUT', + 'path': '/bgp-speakers/{id}/remove_bgp_peer', + }, + ] + ), + policy.DocumentedRuleDefault( + 'add_gateway_network', + base.RULE_ADMIN_ONLY, + 'Add a gateway network to a BGP speaker', + [ + { + 'method': 'PUT', + 
'path': '/bgp-speakers/{id}/add_gateway_network', + }, + ] + ), + policy.DocumentedRuleDefault( + 'remove_gateway_network', + base.RULE_ADMIN_ONLY, + 'Remove a gateway network from a BGP speaker', + [ + { + 'method': 'PUT', + 'path': '/bgp-speakers/{id}/remove_gateway_network', + }, + ] + ), + policy.DocumentedRuleDefault( + 'get_advertised_routes', + base.RULE_ADMIN_ONLY, + 'Get advertised routes of a BGP speaker', + [ + { + 'method': 'GET', + 'path': '/bgp-speakers/{id}/get_advertised_routes', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/setup.cfg b/setup.cfg index 083bcdbc..52d1ef4b 100644 --- a/setup.cfg +++ b/setup.cfg @@ -21,9 +21,6 @@ classifier = [files] packages = neutron_dynamic_routing -data_files = - etc/neutron/policy.d = - etc/neutron/policy.d/dynamic_routing.conf [global] setup-hooks = @@ -36,6 +33,10 @@ neutron.db.alembic_migrations = neutron-dynamic-routing = neutron_dynamic_routing.db.migration:alembic_migrations oslo.config.opts = bgp.agent = neutron_dynamic_routing.services.bgp.common.opts:list_bgp_agent_opts +oslo.policy.policies = + neutron-dynamic-routing = neutron_dynamic_routing.policies:list_rules +neutron.policies = + neutron-dynamic-routing = neutron_dynamic_routing.policies:list_rules tempest.test_plugins = neutron_dynamic_routing = neutron_dynamic_routing.tests.tempest.plugin:NeutronDynamicRoutingTempestPlugin neutron.service_plugins = diff --git a/tox.ini b/tox.ini index 91c2e8f8..e79f3e62 100644 --- a/tox.ini +++ b/tox.ini @@ -64,6 +64,7 @@ commands = flake8 neutron-db-manage --subproject neutron-dynamic-routing --database-connection sqlite:// check_migration {[testenv:genconfig]commands} + {[testenv:genpolicy]commands} [testenv:cover] basepython = python3 
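Review bot: Dropping the `data_files` entry stops new installs from shipping `policy.d/dynamic_routing.conf`, but it does not remove the copy an earlier package version already placed under the neutron config directory on an upgraded host, and neutron's default `policy_dirs` setting, to my knowledge, still picks that file up. If I read the new defaults correctly the stale file is identical (every rule admin_only), so enforcement does not change today, but any future relaxation of an in-code default would be silently masked by it. A release note telling operators to delete the old file, plus a comment here along the lines of `# policy defaults are now registered in code (neutron_dynamic_routing.policies); no policy.d file is installed`, would close that gap.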
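Review bot: `list_rules` is registered under both `oslo.policy.policies` and `neutron.policies`, and nothing in the file says why both are needed. As far as I can tell the former is what `oslopolicy-sample-generator` (the new `genpolicy` tox env) enumerates and the latter is what neutron-server loads for enforcement, so removing either one breaks a different consumer without any test in this repo failing. A short comment above the two entries, e.g. `# oslo.policy.policies: sample generation; neutron.policies: loaded by neutron-server at startup`, would stop a later cleanup from collapsing them into one.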
@@ -117,6 +118,9 @@ local-check-factory = neutron_lib.hacking.checks.factory [testenv:genconfig] commands = {toxinidir}/tools/generate_config_file_samples.sh +[testenv:genpolicy] +commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf + [testenv:lower-constraints] basepython = python3 deps =