Convert policy.json into policy-in-code

This commit converts the existing neutron-dynamic-routing policy.json
into policy-in-code.

Partially Implements: blueprint neutron-policy-in-code

Change-Id: I4f99739ca8b979ddf69c52c3f1b36e320326db8d
This commit is contained in:
Akihiro Motoki 2018-12-16 21:32:14 +09:00
parent 2b9bb078f5
commit 1241f9b603
10 changed files with 318 additions and 29 deletions
devstack/lib
etc
neutron/policy.d
oslo-policy-generator
neutron_dynamic_routing/policies
setup.cfgtox.ini


@ -42,10 +42,6 @@ function configure_dr_agent_scheduler_driver {
function dr_install {
setup_develop $NEUTRON_DYNAMIC_ROUTING_DIR
if is_service_enabled q-dr neutron-dr && is_service_enabled q-svc neutron-api; then
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d
cp -v $NEUTRON_DYNAMIC_ROUTING_DIR/etc/neutron/policy.d/dynamic_routing.conf $NEUTRON_CONF_DIR/policy.d
fi
}
#############################


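--- a/etc/neutron/policy.d/dynamic_routing.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-{
-"get_bgp_speaker": "rule:admin_only",
-"create_bgp_speaker": "rule:admin_only",
-"update_bgp_speaker": "rule:admin_only",
-"delete_bgp_speaker": "rule:admin_only",
-"get_bgp_peer": "rule:admin_only",
-"create_bgp_peer": "rule:admin_only",
-"update_bgp_peer": "rule:admin_only",
-"delete_bgp_peer": "rule:admin_only",
-"add_bgp_peer": "rule:admin_only",
-"remove_bgp_peer": "rule:admin_only",
-"add_gateway_network": "rule:admin_only",
-"remove_gateway_network": "rule:admin_only",
-"get_advertised_routes":"rule:admin_only",
-"add_bgp_speaker_to_dragent": "rule:admin_only",
-"remove_bgp_speaker_from_dragent": "rule:admin_only",
-"list_bgp_speaker_on_dragent": "rule:admin_only",
-"list_dragent_hosting_bgp_speaker": "rule:admin_only"
-}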


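--- /dev/null
+++ b/etc/oslo-policy-generator/policy.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/policy.yaml.sample
+namespace = neutron-dynamic-routing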


@ -0,0 +1,25 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import itertools
from neutron_dynamic_routing.policies import bgp_dragent
from neutron_dynamic_routing.policies import bgp_peer
from neutron_dynamic_routing.policies import bgp_speaker
def list_rules():
return itertools.chain(
bgp_speaker.list_rules(),
bgp_peer.list_rules(),
bgp_dragent.list_rules(),
)


@ -0,0 +1,17 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# TODO(amotoki): Define these in neutron or neutron-lib
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_ONLY = 'rule:admin_only'
RULE_ANY = 'rule:regular_user'
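Review bot: `RULE_ANY` is bound to `'rule:regular_user'`, which is not "any" caller, and nothing in the three new policy modules uses it since every rule here is `RULE_ADMIN_ONLY`; a later reader could take the name to mean unauthenticated access is acceptable. Either drop it or name it after its value, e.g. `RULE_REGULAR_USER = 'rule:regular_user'`. It is also worth a comment that all three strings are references to rules defined by neutron's base policies, not by this package: the generated etc/policy.yaml.sample will not contain their definitions, and if I recall oslo.policy correctly an undefined rule reference evaluates as a failed check, so an upstream rename would fail closed rather than open.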


@ -0,0 +1,67 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron_dynamic_routing.policies import base
rules = [
policy.DocumentedRuleDefault(
'add_bgp_speaker_to_dragent',
base.RULE_ADMIN_ONLY,
'Add a BGP speaker to a dynamic routing agent',
[
{
'method': 'POST',
'path': '/agents/{agent_id}/bgp-drinstances',
},
]
),
policy.DocumentedRuleDefault(
'remove_bgp_speaker_from_dragent',
base.RULE_ADMIN_ONLY,
'Remove a BGP speaker from a dynamic routing agent',
[
{
'method': 'DELETE',
'path': '/agents/{agent_id}/bgp-drinstances/{bgp_speaker_id}',
},
]
),
policy.DocumentedRuleDefault(
'list_bgp_speaker_on_dragent',
base.RULE_ADMIN_ONLY,
'List BGP speakers hosted by a dynamic routing agent',
[
{
'method': 'GET',
'path': '/agents/{agent_id}/bgp-drinstances',
},
]
),
policy.DocumentedRuleDefault(
'list_dragent_hosting_bgp_speaker',
base.RULE_ADMIN_ONLY,
'List dynamic routing agents hosting a BGP speaker',
[
{
'method': 'GET',
'path': '/bgp-speakers/{bgp_speaker_id}/bgp-dragents',
},
]
),
]
def list_rules():
return rules


@ -0,0 +1,71 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron_dynamic_routing.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_bgp_peer',
base.RULE_ADMIN_ONLY,
'Create a BGP peer',
[
{
'method': 'POST',
'path': '/bgp-peers',
},
]
),
policy.DocumentedRuleDefault(
'update_bgp_peer',
base.RULE_ADMIN_ONLY,
'Update a BGP peer',
[
{
'method': 'PUT',
'path': '/bgp-peers/{id}',
},
]
),
policy.DocumentedRuleDefault(
'delete_bgp_peer',
base.RULE_ADMIN_ONLY,
'Delete a BGP peer',
[
{
'method': 'DELETE',
'path': '/bgp-peers/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_bgp_peer',
base.RULE_ADMIN_ONLY,
'Get BGP peers',
[
{
'method': 'GET',
'path': '/bgp-peers',
},
{
'method': 'GET',
'path': '/bgp-peers/{id}',
},
]
),
]
def list_rules():
return rules


@ -0,0 +1,127 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron_dynamic_routing.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_bgp_speaker',
base.RULE_ADMIN_ONLY,
'Create a BGP speaker',
[
{
'method': 'POST',
'path': '/bgp-speakers',
},
]
),
policy.DocumentedRuleDefault(
'update_bgp_speaker',
base.RULE_ADMIN_ONLY,
'Update a BGP speaker',
[
{
'method': 'PUT',
'path': '/bgp-speakers/{id}',
},
]
),
policy.DocumentedRuleDefault(
'delete_bgp_speaker',
base.RULE_ADMIN_ONLY,
'Delete a BGP speaker',
[
{
'method': 'DELETE',
'path': '/bgp-speakers/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_bgp_speaker',
base.RULE_ADMIN_ONLY,
'Get BGP speakers',
[
{
'method': 'GET',
'path': '/bgp-speakers',
},
{
'method': 'GET',
'path': '/bgp-speakers/{id}',
},
]
),
policy.DocumentedRuleDefault(
'add_bgp_peer',
base.RULE_ADMIN_ONLY,
'Add a BGP peer to a BGP speaker',
[
{
'method': 'PUT',
'path': '/bgp-speakers/{id}/add_bgp_peer',
},
]
),
policy.DocumentedRuleDefault(
'remove_bgp_peer',
base.RULE_ADMIN_ONLY,
'Remove a BGP peer from a BGP speaker',
[
{
'method': 'PUT',
'path': '/bgp-speakers/{id}/remove_bgp_peer',
},
]
),
policy.DocumentedRuleDefault(
'add_gateway_network',
base.RULE_ADMIN_ONLY,
'Add a gateway network to a BGP speaker',
[
{
'method': 'PUT',
'path': '/bgp-speakers/{id}/add_gateway_network',
},
]
),
policy.DocumentedRuleDefault(
'remove_gateway_network',
base.RULE_ADMIN_ONLY,
'Remove a gateway network from a BGP speaker',
[
{
'method': 'PUT',
'path': '/bgp-speakers/{id}/remove_gateway_network',
},
]
),
policy.DocumentedRuleDefault(
'get_advertised_routes',
base.RULE_ADMIN_ONLY,
'Get advertised routes of a BGP speaker',
[
{
'method': 'GET',
'path': '/bgp-speakers/{id}/get_advertised_routes',
},
]
),
]
def list_rules():
return rules


@ -21,9 +21,6 @@ classifier =
[files]
packages =
neutron_dynamic_routing
data_files =
etc/neutron/policy.d =
etc/neutron/policy.d/dynamic_routing.conf
[global]
setup-hooks =
@ -36,6 +33,10 @@ neutron.db.alembic_migrations =
neutron-dynamic-routing = neutron_dynamic_routing.db.migration:alembic_migrations
oslo.config.opts =
bgp.agent = neutron_dynamic_routing.services.bgp.common.opts:list_bgp_agent_opts
oslo.policy.policies =
neutron-dynamic-routing = neutron_dynamic_routing.policies:list_rules
neutron.policies =
neutron-dynamic-routing = neutron_dynamic_routing.policies:list_rules
tempest.test_plugins =
neutron_dynamic_routing = neutron_dynamic_routing.tests.tempest.plugin:NeutronDynamicRoutingTempestPlugin
neutron.service_plugins =
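Review bot: Dropping the `data_files` entry stops installing `etc/neutron/policy.d/dynamic_routing.conf`, but an upgraded deployment still has the old copy on disk, and as I understand neutron's loader a file in policy.d overrides the in-code defaults. Its content is identical to the new defaults, so this is harmless today; it would only mask a future tightening of the in-code rules. A release note or upgrade-doc line asking operators to delete the stale file would close that gap. Registering the same `list_rules` callable under both `oslo.policy.policies` and `neutron.policies` looks intended, one for the sample generator and one for neutron's runtime loading.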


@ -64,6 +64,7 @@ commands =
flake8
neutron-db-manage --subproject neutron-dynamic-routing --database-connection sqlite:// check_migration
{[testenv:genconfig]commands}
{[testenv:genpolicy]commands}
[testenv:cover]
basepython = python3
@ -117,6 +118,9 @@ local-check-factory = neutron_lib.hacking.checks.factory
[testenv:genconfig]
commands = {toxinidir}/tools/generate_config_file_samples.sh
[testenv:genpolicy]
commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
[testenv:lower-constraints]
basepython = python3
deps =