Fix the policy check for BGP APIs

Only admin can configure BGP; this patch adds a policy check
for BGP APIs.

Change-Id: I5ce602202c52542792cc5b22e58e0ed074e09d7d
Closes-Bug: #1583958
Na 2016-05-21 05:49:50 -07:00 committed by Ryan Tidwell
parent d706bb0bfc
commit 62cb5c4184
4 changed files with 27 additions and 20 deletions


@ -38,6 +38,8 @@ function configure_dr_agent_bgp_driver {
function dr_install { function dr_install {
setup_develop $NEUTRON_DYNAMIC_ROUTING_DIR setup_develop $NEUTRON_DYNAMIC_ROUTING_DIR
if is_service_enabled q-dr && is_service_enabled q-svc; then if is_service_enabled q-dr && is_service_enabled q-svc; then
mkdir -v -p $NEUTRON_CONF_DIR/policy.d
cp -v $NEUTRON_DYNAMIC_ROUTING_DIR/etc/neutron/policy.d/dynamic_routing.conf $NEUTRON_CONF_DIR/policy.d
if is_protocol_enabled BGP; then if is_protocol_enabled BGP; then
_neutron_service_plugin_class_add $BGP_PLUGIN _neutron_service_plugin_class_add $BGP_PLUGIN
fi fi


@ -0,0 +1,22 @@
{
"get_bgp_speaker": "rule:admin_only",
"create_bgp_speaker": "rule:admin_only",
"update_bgp_speaker": "rule:admin_only",
"delete_bgp_speaker": "rule:admin_only",
"get_bgp_peer": "rule:admin_only",
"create_bgp_peer": "rule:admin_only",
"update_bgp_peer": "rule:admin_only",
"delete_bgp_peer": "rule:admin_only",
"add_bgp_peer": "rule:admin_only",
"remove_bgp_peer": "rule:admin_only",
"add_gateway_network": "rule:admin_only",
"remove_gateway_network": "rule:admin_only",
"get_advertised_routes":"rule:admin_only",
"add_bgp_speaker_to_dragent": "rule:admin_only",
"remove_bgp_speaker_from_dragent": "rule:admin_only",
"list_bgp_speaker_on_dragent": "rule:admin_only",
"list_dragent_hosting_bgp_speaker": "rule:admin_only"
}
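Review bot: The rule keys in this file only restrict anything if they match, character for character, the action names the API layer passes to the policy engine, and nothing in this commit verifies that. The plugin section of the same commit also drops the inline call from `get_bgp_speakers` and `get_bgp_peers`, which have no plural entry here, and from the four dragent scheduling methods, whose enforcement point is not visible on this page; an action with no matching key is normally evaluated against the `default` rule rather than `rule:admin_only`. `rule:admin_only` is not defined in this file either, so it presumably relies on the base Neutron policy. I would add an API-level test that issues each of these seventeen actions plus the two list calls with a non-admin context and expects a denial.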


@ -24,7 +24,6 @@ from neutron.callbacks import registry
from neutron.callbacks import resources from neutron.callbacks import resources
from neutron.common import rpc as n_rpc from neutron.common import rpc as n_rpc
from neutron import context from neutron import context
from neutron import policy
from neutron.services import service_base from neutron.services import service_base
from neutron_dynamic_routing.api.rpc.agentnotifiers import bgp_dr_rpc_agent_api # noqa from neutron_dynamic_routing.api.rpc.agentnotifiers import bgp_dr_rpc_agent_api # noqa
@ -99,7 +98,6 @@ class BgpPlugin(service_base.ServicePluginBase,
def get_bgp_speakers(self, context, filters=None, fields=None, def get_bgp_speakers(self, context, filters=None, fields=None,
sorts=None, limit=None, marker=None, sorts=None, limit=None, marker=None,
page_reverse=False): page_reverse=False):
policy.check_is_admin(context)
return super(BgpPlugin, self).get_bgp_speakers( return super(BgpPlugin, self).get_bgp_speakers(
context, context,
filters=filters, filters=filters,
@ -110,25 +108,21 @@ class BgpPlugin(service_base.ServicePluginBase,
page_reverse=page_reverse) page_reverse=page_reverse)
def get_bgp_speaker(self, context, bgp_speaker_id, fields=None): def get_bgp_speaker(self, context, bgp_speaker_id, fields=None):
policy.check_is_admin(context)
return super(BgpPlugin, self).get_bgp_speaker(context, return super(BgpPlugin, self).get_bgp_speaker(context,
bgp_speaker_id, bgp_speaker_id,
fields=fields) fields=fields)
def create_bgp_speaker(self, context, bgp_speaker): def create_bgp_speaker(self, context, bgp_speaker):
policy.check_is_admin(context)
bgp_speaker = super(BgpPlugin, self).create_bgp_speaker(context, bgp_speaker = super(BgpPlugin, self).create_bgp_speaker(context,
bgp_speaker) bgp_speaker)
return bgp_speaker return bgp_speaker
def update_bgp_speaker(self, context, bgp_speaker_id, bgp_speaker): def update_bgp_speaker(self, context, bgp_speaker_id, bgp_speaker):
policy.check_is_admin(context)
return super(BgpPlugin, self).update_bgp_speaker(context, return super(BgpPlugin, self).update_bgp_speaker(context,
bgp_speaker_id, bgp_speaker_id,
bgp_speaker) bgp_speaker)
def delete_bgp_speaker(self, context, bgp_speaker_id): def delete_bgp_speaker(self, context, bgp_speaker_id):
policy.check_is_admin(context)
hosted_bgp_dragents = self.get_dragents_hosting_bgp_speakers( hosted_bgp_dragents = self.get_dragents_hosting_bgp_speakers(
context, context,
[bgp_speaker_id]) [bgp_speaker_id])
@ -140,7 +134,6 @@ class BgpPlugin(service_base.ServicePluginBase,
def get_bgp_peers(self, context, fields=None, filters=None, sorts=None, def get_bgp_peers(self, context, fields=None, filters=None, sorts=None,
limit=None, marker=None, page_reverse=False): limit=None, marker=None, page_reverse=False):
policy.check_is_admin(context)
return super(BgpPlugin, self).get_bgp_peers( return super(BgpPlugin, self).get_bgp_peers(
context, fields=fields, context, fields=fields,
filters=filters, sorts=sorts, filters=filters, sorts=sorts,
@ -148,27 +141,22 @@ class BgpPlugin(service_base.ServicePluginBase,
page_reverse=page_reverse) page_reverse=page_reverse)
def get_bgp_peer(self, context, bgp_peer_id, fields=None): def get_bgp_peer(self, context, bgp_peer_id, fields=None):
policy.check_is_admin(context)
return super(BgpPlugin, self).get_bgp_peer(context, return super(BgpPlugin, self).get_bgp_peer(context,
bgp_peer_id, bgp_peer_id,
fields=fields) fields=fields)
def create_bgp_peer(self, context, bgp_peer): def create_bgp_peer(self, context, bgp_peer):
policy.check_is_admin(context)
return super(BgpPlugin, self).create_bgp_peer(context, bgp_peer) return super(BgpPlugin, self).create_bgp_peer(context, bgp_peer)
def update_bgp_peer(self, context, bgp_peer_id, bgp_peer): def update_bgp_peer(self, context, bgp_peer_id, bgp_peer):
policy.check_is_admin(context)
return super(BgpPlugin, self).update_bgp_peer(context, return super(BgpPlugin, self).update_bgp_peer(context,
bgp_peer_id, bgp_peer_id,
bgp_peer) bgp_peer)
def delete_bgp_peer(self, context, bgp_peer_id): def delete_bgp_peer(self, context, bgp_peer_id):
policy.check_is_admin(context)
super(BgpPlugin, self).delete_bgp_peer(context, bgp_peer_id) super(BgpPlugin, self).delete_bgp_peer(context, bgp_peer_id)
def add_bgp_peer(self, context, bgp_speaker_id, bgp_peer_info): def add_bgp_peer(self, context, bgp_speaker_id, bgp_peer_info):
policy.check_is_admin(context)
ret_value = super(BgpPlugin, self).add_bgp_peer(context, ret_value = super(BgpPlugin, self).add_bgp_peer(context,
bgp_speaker_id, bgp_speaker_id,
bgp_peer_info) bgp_peer_info)
@ -182,7 +170,6 @@ class BgpPlugin(service_base.ServicePluginBase,
return ret_value return ret_value
def remove_bgp_peer(self, context, bgp_speaker_id, bgp_peer_info): def remove_bgp_peer(self, context, bgp_speaker_id, bgp_peer_info):
policy.check_is_admin(context)
hosted_bgp_dragents = self.get_dragents_hosting_bgp_speakers( hosted_bgp_dragents = self.get_dragents_hosting_bgp_speakers(
context, [bgp_speaker_id]) context, [bgp_speaker_id])
@ -197,42 +184,35 @@ class BgpPlugin(service_base.ServicePluginBase,
agent.host) agent.host)
def add_bgp_speaker_to_dragent(self, context, agent_id, speaker_id): def add_bgp_speaker_to_dragent(self, context, agent_id, speaker_id):
policy.check_is_admin(context)
super(BgpPlugin, self).add_bgp_speaker_to_dragent(context, super(BgpPlugin, self).add_bgp_speaker_to_dragent(context,
agent_id, agent_id,
speaker_id) speaker_id)
def remove_bgp_speaker_from_dragent(self, context, agent_id, speaker_id): def remove_bgp_speaker_from_dragent(self, context, agent_id, speaker_id):
policy.check_is_admin(context)
super(BgpPlugin, self).remove_bgp_speaker_from_dragent(context, super(BgpPlugin, self).remove_bgp_speaker_from_dragent(context,
agent_id, agent_id,
speaker_id) speaker_id)
def list_bgp_speaker_on_dragent(self, context, agent_id): def list_bgp_speaker_on_dragent(self, context, agent_id):
policy.check_is_admin(context)
return super(BgpPlugin, self).list_bgp_speaker_on_dragent(context, return super(BgpPlugin, self).list_bgp_speaker_on_dragent(context,
agent_id) agent_id)
def list_dragent_hosting_bgp_speaker(self, context, speaker_id): def list_dragent_hosting_bgp_speaker(self, context, speaker_id):
policy.check_is_admin(context)
return super(BgpPlugin, self).list_dragent_hosting_bgp_speaker( return super(BgpPlugin, self).list_dragent_hosting_bgp_speaker(
context, context,
speaker_id) speaker_id)
def add_gateway_network(self, context, bgp_speaker_id, network_info): def add_gateway_network(self, context, bgp_speaker_id, network_info):
policy.check_is_admin(context)
return super(BgpPlugin, self).add_gateway_network(context, return super(BgpPlugin, self).add_gateway_network(context,
bgp_speaker_id, bgp_speaker_id,
network_info) network_info)
def remove_gateway_network(self, context, bgp_speaker_id, network_info): def remove_gateway_network(self, context, bgp_speaker_id, network_info):
policy.check_is_admin(context)
return super(BgpPlugin, self).remove_gateway_network(context, return super(BgpPlugin, self).remove_gateway_network(context,
bgp_speaker_id, bgp_speaker_id,
network_info) network_info)
def get_advertised_routes(self, context, bgp_speaker_id): def get_advertised_routes(self, context, bgp_speaker_id):
policy.check_is_admin(context)
return super(BgpPlugin, self).get_advertised_routes(context, return super(BgpPlugin, self).get_advertised_routes(context,
bgp_speaker_id) bgp_speaker_id)
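Review bot: After these hunks BgpPlugin contains no authorization logic at all, so access to every BGP method depends on `policy.d/dynamic_routing.conf` being installed and loaded by the server, and nothing in this file says so. The removed `policy.check_is_admin(context)` lines were bare statements whose result was discarded, so if that helper returns a boolean rather than raising they likely never blocked a caller; moving to policy rules is reasonable, but a deployment that upgrades the code without the new file is left with whatever the default rule allows. I would add a comment above the class, for example `# Authorization is enforced by the API layer from policy.d/dynamic_routing.conf; callers that invoke these methods directly are not checked here.`, and a unit test asserting that a non-admin context is rejected for each action. The class body starts outside these hunks.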


@ -19,6 +19,9 @@ classifier =
[files] [files]
packages = packages =
neutron_dynamic_routing neutron_dynamic_routing
data_files =
etc/neutron/policy.d =
etc/neutron/policy.d/dynamic_routing.conf
[global] [global]
setup-hooks = setup-hooks =
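Review bot: The `data_files` target `etc/neutron/policy.d` is a relative path, and pbr/setuptools normally install relative targets under the installation prefix (for example a virtualenv's `etc/` directory), which is unlikely to be the directory neutron-server reads its policy from. Since the plugin no longer performs any admin check itself in this commit, a pip-installed deployment could run without the admin-only rules while appearing correctly installed. The devstack change in this commit copies the file into `$NEUTRON_CONF_DIR/policy.d` explicitly, which covers devstack only; other installs need a documented step, for example a release note stating that `dynamic_routing.conf` must be placed in the server's policy directory.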