
Fix the policy check for BGP APIs

Only an admin can configure BGP; this patch adds a policy check
for the BGP APIs.

Change-Id: I5ce602202c52542792cc5b22e58e0ed074e09d7d
Closes-Bug: #1583958
changes/58/319558/6
Na 5 years ago
committed by Ryan Tidwell
parent
commit
62cb5c4184
  1. 2
      devstack/lib/dr
  2. 22
      etc/neutron/policy.d/dynamic_routing.conf
  3. 20
      neutron_dynamic_routing/services/bgp/bgp_plugin.py
  4. 3
      setup.cfg

2
devstack/lib/dr

@ -38,6 +38,8 @@ function configure_dr_agent_bgp_driver {
function dr_install {
setup_develop $NEUTRON_DYNAMIC_ROUTING_DIR
if is_service_enabled q-dr && is_service_enabled q-svc; then
mkdir -v -p $NEUTRON_CONF_DIR/policy.d
cp -v $NEUTRON_DYNAMIC_ROUTING_DIR/etc/neutron/policy.d/dynamic_routing.conf $NEUTRON_CONF_DIR/policy.d
if is_protocol_enabled BGP; then
_neutron_service_plugin_class_add $BGP_PLUGIN
fi

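--- a/etc/neutron/policy.d/dynamic_routing.conf
+++ b/etc/neutron/policy.d/dynamic_routing.conf
@@ -0,0 +1,22 @@
+{
+"get_bgp_speaker": "rule:admin_only",
+"create_bgp_speaker": "rule:admin_only",
+"update_bgp_speaker": "rule:admin_only",
+"delete_bgp_speaker": "rule:admin_only",
+"get_bgp_peer": "rule:admin_only",
+"create_bgp_peer": "rule:admin_only",
+"update_bgp_peer": "rule:admin_only",
+"delete_bgp_peer": "rule:admin_only",
+"add_bgp_peer": "rule:admin_only",
+"remove_bgp_peer": "rule:admin_only",
+"add_gateway_network": "rule:admin_only",
+"remove_gateway_network": "rule:admin_only",
+"get_advertised_routes":"rule:admin_only",
+"add_bgp_speaker_to_dragent": "rule:admin_only",
+"remove_bgp_speaker_from_dragent": "rule:admin_only",
+"list_bgp_speaker_on_dragent": "rule:admin_only",
+"list_dragent_hosting_bgp_speaker": "rule:admin_only"
+}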
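Review bot: The two collection methods the plugin exposes, `get_bgp_speakers` and `get_bgp_peers`, have no entry in this file, so listing is admin-only only if the API layer filters list results through the singular `get_bgp_speaker` / `get_bgp_peer` rules. That is my understanding of neutron's behaviour, but it is not visible on this page and deserves a test. `rule:admin_only` is likewise not defined here and has to come from the base policy. As a style point, `"get_advertised_routes":"rule:admin_only"` is the only entry without a space after the colon; write it as `"get_advertised_routes": "rule:admin_only",`.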

20
neutron_dynamic_routing/services/bgp/bgp_plugin.py

@ -24,7 +24,6 @@ from neutron.callbacks import registry
from neutron.callbacks import resources
from neutron.common import rpc as n_rpc
from neutron import context
from neutron import policy
from neutron.services import service_base
from neutron_dynamic_routing.api.rpc.agentnotifiers import bgp_dr_rpc_agent_api # noqa
@ -99,7 +98,6 @@ class BgpPlugin(service_base.ServicePluginBase,
def get_bgp_speakers(self, context, filters=None, fields=None,
sorts=None, limit=None, marker=None,
page_reverse=False):
policy.check_is_admin(context)
return super(BgpPlugin, self).get_bgp_speakers(
context,
filters=filters,
@ -110,25 +108,21 @@ class BgpPlugin(service_base.ServicePluginBase,
page_reverse=page_reverse)
def get_bgp_speaker(self, context, bgp_speaker_id, fields=None):
policy.check_is_admin(context)
return super(BgpPlugin, self).get_bgp_speaker(context,
bgp_speaker_id,
fields=fields)
def create_bgp_speaker(self, context, bgp_speaker):
policy.check_is_admin(context)
bgp_speaker = super(BgpPlugin, self).create_bgp_speaker(context,
bgp_speaker)
return bgp_speaker
def update_bgp_speaker(self, context, bgp_speaker_id, bgp_speaker):
policy.check_is_admin(context)
return super(BgpPlugin, self).update_bgp_speaker(context,
bgp_speaker_id,
bgp_speaker)
def delete_bgp_speaker(self, context, bgp_speaker_id):
policy.check_is_admin(context)
hosted_bgp_dragents = self.get_dragents_hosting_bgp_speakers(
context,
[bgp_speaker_id])
@ -140,7 +134,6 @@ class BgpPlugin(service_base.ServicePluginBase,
def get_bgp_peers(self, context, fields=None, filters=None, sorts=None,
limit=None, marker=None, page_reverse=False):
policy.check_is_admin(context)
return super(BgpPlugin, self).get_bgp_peers(
context, fields=fields,
filters=filters, sorts=sorts,
@ -148,27 +141,22 @@ class BgpPlugin(service_base.ServicePluginBase,
page_reverse=page_reverse)
def get_bgp_peer(self, context, bgp_peer_id, fields=None):
policy.check_is_admin(context)
return super(BgpPlugin, self).get_bgp_peer(context,
bgp_peer_id,
fields=fields)
def create_bgp_peer(self, context, bgp_peer):
policy.check_is_admin(context)
return super(BgpPlugin, self).create_bgp_peer(context, bgp_peer)
def update_bgp_peer(self, context, bgp_peer_id, bgp_peer):
policy.check_is_admin(context)
return super(BgpPlugin, self).update_bgp_peer(context,
bgp_peer_id,
bgp_peer)
def delete_bgp_peer(self, context, bgp_peer_id):
policy.check_is_admin(context)
super(BgpPlugin, self).delete_bgp_peer(context, bgp_peer_id)
def add_bgp_peer(self, context, bgp_speaker_id, bgp_peer_info):
policy.check_is_admin(context)
ret_value = super(BgpPlugin, self).add_bgp_peer(context,
bgp_speaker_id,
bgp_peer_info)
@ -182,7 +170,6 @@ class BgpPlugin(service_base.ServicePluginBase,
return ret_value
def remove_bgp_peer(self, context, bgp_speaker_id, bgp_peer_info):
policy.check_is_admin(context)
hosted_bgp_dragents = self.get_dragents_hosting_bgp_speakers(
context, [bgp_speaker_id])
@ -197,42 +184,35 @@ class BgpPlugin(service_base.ServicePluginBase,
agent.host)
def add_bgp_speaker_to_dragent(self, context, agent_id, speaker_id):
policy.check_is_admin(context)
super(BgpPlugin, self).add_bgp_speaker_to_dragent(context,
agent_id,
speaker_id)
def remove_bgp_speaker_from_dragent(self, context, agent_id, speaker_id):
policy.check_is_admin(context)
super(BgpPlugin, self).remove_bgp_speaker_from_dragent(context,
agent_id,
speaker_id)
def list_bgp_speaker_on_dragent(self, context, agent_id):
policy.check_is_admin(context)
return super(BgpPlugin, self).list_bgp_speaker_on_dragent(context,
agent_id)
def list_dragent_hosting_bgp_speaker(self, context, speaker_id):
policy.check_is_admin(context)
return super(BgpPlugin, self).list_dragent_hosting_bgp_speaker(
context,
speaker_id)
def add_gateway_network(self, context, bgp_speaker_id, network_info):
policy.check_is_admin(context)
return super(BgpPlugin, self).add_gateway_network(context,
bgp_speaker_id,
network_info)
def remove_gateway_network(self, context, bgp_speaker_id, network_info):
policy.check_is_admin(context)
return super(BgpPlugin, self).remove_gateway_network(context,
bgp_speaker_id,
network_info)
def get_advertised_routes(self, context, bgp_speaker_id):
policy.check_is_admin(context)
return super(BgpPlugin, self).get_advertised_routes(context,
bgp_speaker_id)
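Review bot: After this change none of the `BgpPlugin` methods in this section carries an authorization check of its own, so admin-only access rests entirely on the API layer applying `etc/neutron/policy.d/dynamic_routing.conf`, and the commit's four files include no test that a non-admin context is refused. Code that calls these methods in-process rather than through the API would presumably not be policy-checked at all. I would record that on the class with a comment such as `# Authorization is enforced at the API layer by policy.d/dynamic_routing.conf; these methods do no admin check themselves.`, and add an API-level test that a non-admin request to `create_bgp_speaker` is rejected. The class body starts and ends outside the visible hunks.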

3
setup.cfg

@ -19,6 +19,9 @@ classifier =
[files]
packages =
neutron_dynamic_routing
data_files =
etc/neutron/policy.d =
etc/neutron/policy.d/dynamic_routing.conf
[global]
setup-hooks =
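Review bot: The `data_files` entry uses a relative target, `etc/neutron/policy.d`, which setuptools resolves against the install prefix, so a plain package install is likely to place `dynamic_routing.conf` under that prefix (for example a virtualenv's `etc/`) rather than in the directory neutron-server reads policy from. Only the devstack path in this commit copies the file into `$NEUTRON_CONF_DIR/policy.d`; any other deployment has to do the same or the admin-only rules are not loaded. I would say so in a comment above `data_files =`, e.g. `# Installed relative to the prefix; copy into neutron's policy.d directory on deployment`, and repeat it in the install documentation.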
