Convert policy.json into policy-in-code
This commit converts the existing neutron-dynamic-routing policy.json into policy-in-code. Partially Implements: blueprint neutron-policy-in-code Change-Id: I4f99739ca8b979ddf69c52c3f1b36e320326db8d
parent
2b9bb078f5
commit
1241f9b603
@ -42,10 +42,6 @@ function configure_dr_agent_scheduler_driver {
|
|||||||
|
|
||||||
function dr_install {
|
function dr_install {
|
||||||
setup_develop $NEUTRON_DYNAMIC_ROUTING_DIR
|
setup_develop $NEUTRON_DYNAMIC_ROUTING_DIR
|
||||||
if is_service_enabled q-dr neutron-dr && is_service_enabled q-svc neutron-api; then
|
|
||||||
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d
|
|
||||||
cp -v $NEUTRON_DYNAMIC_ROUTING_DIR/etc/neutron/policy.d/dynamic_routing.conf $NEUTRON_CONF_DIR/policy.d
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#############################
|
#############################
|
||||||
|
@ -1,22 +0,0 @@
|
|||||||
{
|
|
||||||
"get_bgp_speaker": "rule:admin_only",
|
|
||||||
"create_bgp_speaker": "rule:admin_only",
|
|
||||||
"update_bgp_speaker": "rule:admin_only",
|
|
||||||
"delete_bgp_speaker": "rule:admin_only",
|
|
||||||
|
|
||||||
"get_bgp_peer": "rule:admin_only",
|
|
||||||
"create_bgp_peer": "rule:admin_only",
|
|
||||||
"update_bgp_peer": "rule:admin_only",
|
|
||||||
"delete_bgp_peer": "rule:admin_only",
|
|
||||||
"add_bgp_peer": "rule:admin_only",
|
|
||||||
"remove_bgp_peer": "rule:admin_only",
|
|
||||||
|
|
||||||
"add_gateway_network": "rule:admin_only",
|
|
||||||
"remove_gateway_network": "rule:admin_only",
|
|
||||||
"get_advertised_routes":"rule:admin_only",
|
|
||||||
|
|
||||||
"add_bgp_speaker_to_dragent": "rule:admin_only",
|
|
||||||
"remove_bgp_speaker_from_dragent": "rule:admin_only",
|
|
||||||
"list_bgp_speaker_on_dragent": "rule:admin_only",
|
|
||||||
"list_dragent_hosting_bgp_speaker": "rule:admin_only"
|
|
||||||
}
|
|
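--- a/etc/oslo-policy-generator/policy.conf
+++ b/etc/oslo-policy-generator/policy.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/policy.yaml.sample
+namespace = neutron-dynamic-routing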
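--- a/neutron_dynamic_routing/policies/__init__.py
+++ b/neutron_dynamic_routing/policies/__init__.py
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from neutron_dynamic_routing.policies import bgp_dragent
+from neutron_dynamic_routing.policies import bgp_peer
+from neutron_dynamic_routing.policies import bgp_speaker
+
+
+def list_rules():
+return itertools.chain(
+bgp_speaker.list_rules(),
+bgp_peer.list_rules(),
+bgp_dragent.list_rules(),
+)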
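Review bot: `list_rules()` has no docstring, and nothing on the page pins the set of rules it yields to the 17 keys of the removed policy file. setup.cfg in this commit registers the function under both `oslo.policy.policies` and `neutron.policies`, so a docstring such as `"""Return every policy rule default defined by neutron-dynamic-routing."""` would say what those entry points load. A unit test that collects `rule.name` and `rule.check_str` from the chain and checks that the old names are all present and still map to `rule:admin_only` would catch a rule that a later edit drops or loosens.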
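--- a/neutron_dynamic_routing/policies/base.py
+++ b/neutron_dynamic_routing/policies/base.py
@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# TODO(amotoki): Define these in neutron or neutron-lib
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_ONLY = 'rule:admin_only'
+RULE_ANY = 'rule:regular_user'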
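Review bot: The three constants are `rule:` references to `admin_or_owner`, `admin_only` and `regular_user`, none of which is registered in the files shown, so every default in this package depends on another project defining those rules; the TODO hints at that but does not state it. A comment above them, for example `# These names must match base rules registered by neutron; oslo.policy treats a reference to an unregistered rule as a failed check.`, would make the dependency and its fail-closed behaviour explicit. `RULE_ADMIN_OR_OWNER` and `RULE_ANY` are not used by the policy modules in this commit and could be left out until a rule needs them, so that a broader default is not picked up by accident.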
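--- a/neutron_dynamic_routing/policies/bgp_dragent.py
+++ b/neutron_dynamic_routing/policies/bgp_dragent.py
@@ -0,0 +1,67 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from neutron_dynamic_routing.policies import base
+
+
+rules = [
+policy.DocumentedRuleDefault(
+'add_bgp_speaker_to_dragent',
+base.RULE_ADMIN_ONLY,
+'Add a BGP speaker to a dynamic routing agent',
+[
+{
+'method': 'POST',
+'path': '/agents/{agent_id}/bgp-drinstances',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'remove_bgp_speaker_from_dragent',
+base.RULE_ADMIN_ONLY,
+'Remove a BGP speaker from a dynamic routing agent',
+[
+{
+'method': 'DELETE',
+'path': '/agents/{agent_id}/bgp-drinstances/{bgp_speaker_id}',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'list_bgp_speaker_on_dragent',
+base.RULE_ADMIN_ONLY,
+'List BGP speakers hosted by a dynamic routing agent',
+[
+{
+'method': 'GET',
+'path': '/agents/{agent_id}/bgp-drinstances',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'list_dragent_hosting_bgp_speaker',
+base.RULE_ADMIN_ONLY,
+'List dynamic routing agents hosting a BGP speaker',
+[
+{
+'method': 'GET',
+'path': '/bgp-speakers/{bgp_speaker_id}/bgp-dragents',
+},
+]
+),
+]
+
+
+def list_rules():
+return rules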
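--- a/neutron_dynamic_routing/policies/bgp_peer.py
+++ b/neutron_dynamic_routing/policies/bgp_peer.py
@@ -0,0 +1,71 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from neutron_dynamic_routing.policies import base
+
+
+rules = [
+policy.DocumentedRuleDefault(
+'create_bgp_peer',
+base.RULE_ADMIN_ONLY,
+'Create a BGP peer',
+[
+{
+'method': 'POST',
+'path': '/bgp-peers',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'update_bgp_peer',
+base.RULE_ADMIN_ONLY,
+'Update a BGP peer',
+[
+{
+'method': 'PUT',
+'path': '/bgp-peers/{id}',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'delete_bgp_peer',
+base.RULE_ADMIN_ONLY,
+'Delete a BGP peer',
+[
+{
+'method': 'DELETE',
+'path': '/bgp-peers/{id}',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'get_bgp_peer',
+base.RULE_ADMIN_ONLY,
+'Get BGP peers',
+[
+{
+'method': 'GET',
+'path': '/bgp-peers',
+},
+{
+'method': 'GET',
+'path': '/bgp-peers/{id}',
+},
+]
+),
+]
+
+
+def list_rules():
+return rules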
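--- a/neutron_dynamic_routing/policies/bgp_speaker.py
+++ b/neutron_dynamic_routing/policies/bgp_speaker.py
@@ -0,0 +1,127 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from neutron_dynamic_routing.policies import base
+
+
+rules = [
+policy.DocumentedRuleDefault(
+'create_bgp_speaker',
+base.RULE_ADMIN_ONLY,
+'Create a BGP speaker',
+[
+{
+'method': 'POST',
+'path': '/bgp-speakers',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'update_bgp_speaker',
+base.RULE_ADMIN_ONLY,
+'Update a BGP speaker',
+[
+{
+'method': 'PUT',
+'path': '/bgp-speakers/{id}',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'delete_bgp_speaker',
+base.RULE_ADMIN_ONLY,
+'Delete a BGP speaker',
+[
+{
+'method': 'DELETE',
+'path': '/bgp-speakers/{id}',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'get_bgp_speaker',
+base.RULE_ADMIN_ONLY,
+'Get BGP speakers',
+[
+{
+'method': 'GET',
+'path': '/bgp-speakers',
+},
+{
+'method': 'GET',
+'path': '/bgp-speakers/{id}',
+},
+]
+),
+
+policy.DocumentedRuleDefault(
+'add_bgp_peer',
+base.RULE_ADMIN_ONLY,
+'Add a BGP peer to a BGP speaker',
+[
+{
+'method': 'PUT',
+'path': '/bgp-speakers/{id}/add_bgp_peer',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'remove_bgp_peer',
+base.RULE_ADMIN_ONLY,
+'Remove a BGP peer from a BGP speaker',
+[
+{
+'method': 'PUT',
+'path': '/bgp-speakers/{id}/remove_bgp_peer',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'add_gateway_network',
+base.RULE_ADMIN_ONLY,
+'Add a gateway network to a BGP speaker',
+[
+{
+'method': 'PUT',
+'path': '/bgp-speakers/{id}/add_gateway_network',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'remove_gateway_network',
+base.RULE_ADMIN_ONLY,
+'Remove a gateway network from a BGP speaker',
+[
+{
+'method': 'PUT',
+'path': '/bgp-speakers/{id}/remove_gateway_network',
+},
+]
+),
+policy.DocumentedRuleDefault(
+'get_advertised_routes',
+base.RULE_ADMIN_ONLY,
+'Get advertised routes of a BGP speaker',
+[
+{
+'method': 'GET',
+'path': '/bgp-speakers/{id}/get_advertised_routes',
+},
+]
+),
+]
+
+
+def list_rules():
+return rules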
@ -21,9 +21,6 @@ classifier =
|
|||||||
[files]
|
[files]
|
||||||
packages =
|
packages =
|
||||||
neutron_dynamic_routing
|
neutron_dynamic_routing
|
||||||
data_files =
|
|
||||||
etc/neutron/policy.d =
|
|
||||||
etc/neutron/policy.d/dynamic_routing.conf
|
|
||||||
|
|
||||||
[global]
|
[global]
|
||||||
setup-hooks =
|
setup-hooks =
|
||||||
@ -36,6 +33,10 @@ neutron.db.alembic_migrations =
|
|||||||
neutron-dynamic-routing = neutron_dynamic_routing.db.migration:alembic_migrations
|
neutron-dynamic-routing = neutron_dynamic_routing.db.migration:alembic_migrations
|
||||||
oslo.config.opts =
|
oslo.config.opts =
|
||||||
bgp.agent = neutron_dynamic_routing.services.bgp.common.opts:list_bgp_agent_opts
|
bgp.agent = neutron_dynamic_routing.services.bgp.common.opts:list_bgp_agent_opts
|
||||||
|
oslo.policy.policies =
|
||||||
|
neutron-dynamic-routing = neutron_dynamic_routing.policies:list_rules
|
||||||
|
neutron.policies =
|
||||||
|
neutron-dynamic-routing = neutron_dynamic_routing.policies:list_rules
|
||||||
tempest.test_plugins =
|
tempest.test_plugins =
|
||||||
neutron_dynamic_routing = neutron_dynamic_routing.tests.tempest.plugin:NeutronDynamicRoutingTempestPlugin
|
neutron_dynamic_routing = neutron_dynamic_routing.tests.tempest.plugin:NeutronDynamicRoutingTempestPlugin
|
||||||
neutron.service_plugins =
|
neutron.service_plugins =
|
||||||
|
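Review bot: Dropping `etc/neutron/policy.d/dynamic_routing.conf` from `data_files` stops new installs from shipping the file, but nothing shown here removes a copy that an earlier install left in `policy.d`. If neutron still reads that directory, the stale file would keep overriding the in-code defaults registered through the new `oslo.policy.policies` and `neutron.policies` entry points, so a later change to a default would silently not apply on upgraded hosts. A release note with an upgrade section telling operators to delete the old file, or to keep only their intentional overrides, would close that gap; none is visible in this commit.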
4
tox.ini
4
tox.ini
@ -64,6 +64,7 @@ commands =
|
|||||||
flake8
|
flake8
|
||||||
neutron-db-manage --subproject neutron-dynamic-routing --database-connection sqlite:// check_migration
|
neutron-db-manage --subproject neutron-dynamic-routing --database-connection sqlite:// check_migration
|
||||||
{[testenv:genconfig]commands}
|
{[testenv:genconfig]commands}
|
||||||
|
{[testenv:genpolicy]commands}
|
||||||
|
|
||||||
[testenv:cover]
|
[testenv:cover]
|
||||||
basepython = python3
|
basepython = python3
|
||||||
@ -117,6 +118,9 @@ local-check-factory = neutron_lib.hacking.checks.factory
|
|||||||
[testenv:genconfig]
|
[testenv:genconfig]
|
||||||
commands = {toxinidir}/tools/generate_config_file_samples.sh
|
commands = {toxinidir}/tools/generate_config_file_samples.sh
|
||||||
|
|
||||||
|
[testenv:genpolicy]
|
||||||
|
commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
|
||||||
|
|
||||||
[testenv:lower-constraints]
|
[testenv:lower-constraints]
|
||||||
basepython = python3
|
basepython = python3
|
||||||
deps =
|
deps =
|
||||||
|