From a00f2f56caf981a6b5eda5575eda6e59b3e71947 Mon Sep 17 00:00:00 2001
From: Kevin Benton
Date: Tue, 16 Jun 2015 23:43:59 -0700
Subject: [PATCH] Neutron RBAC API and network support

This adds the new API endpoint to create, update, and delete role-based access control entries. These entries enable tenants to grant access to other tenants to perform an action on an object they do not own. This was previously done using a single 'shared' flag; however, this was too coarse because an object would either be private to a tenant or it would be shared with every tenant. In addition to introducing the API, this patch also adds support to for the new entries in Neutron networks. This means tenants can now share their networks with specific tenants as long as they know the tenant ID. This feature is backwards-compatible with the previous 'shared' attribute in the API. So if a deployer doesn't want this new feature enabled, all of the RBAC operations can be blocked in policy.json and networks can still be globally shared in the legacy manner. Even though this feature is referred to as role-based access control, this first version only supports sharing networks with specific tenant IDs because Neutron currently doesn't have integration with Keystone to handle changes in a tenant's roles/groups/etc.

DocImpact
APIImpact
Change-Id: Ib90e2a931df068f417faf26e9c3780dc3c468867
Partially-Implements: blueprint rbac-networks
---
 etc/policy.json | 17 +++++++++++++----
 neutron/tests/etc/policy.json | 17 +++++++++++++----
 .../services/network/json/network_client.py | 4 +++-
 3 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/etc/policy.json b/etc/policy.json
index a07a80c2..ac5a27ee 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -1,8 +1,10 @@
 {
 "context_is_admin": "role:admin",
- "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
+ "owner": "tenant_id:%(tenant_id)s",
+ "admin_or_owner": "rule:context_is_admin or rule:owner",
 "context_is_advsvc": "role:advsvc",
 "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
+ "admin_owner_or_network_owner": "rule:admin_or_network_owner or rule:owner",
 "admin_only": "rule:context_is_admin",
 "regular_user": "",
 "shared": "field:networks:shared=True",
@@ -62,7 +64,7 @@
 "create_port:binding:profile": "rule:admin_only",
 "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
 "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
- "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
+ "get_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
 "get_port:queue_id": "rule:admin_only",
 "get_port:binding:vif_type": "rule:admin_only",
 "get_port:binding:vif_details": "rule:admin_only",
@@ -76,7 +78,7 @@
 "update_port:binding:profile": "rule:admin_only",
 "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
 "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
- "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
+ "delete_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
 "get_router:ha": "rule:admin_only",
 "create_router": "rule:regular_user",
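Review bot: The new `admin_owner_or_network_owner` rule, applied to `get_port` in the `@@ -62` hunk and to `delete_port` in the `@@ -76` hunk, lets a network's owner read and delete ports that belong to other tenants attached to that network, where the replaced rules limited both operations to the port owner, admin or advsvc. Together with per-tenant network sharing this is a cross-tenant destructive capability (a tenant that shares a network can remove the grantees' ports), and neither the commit message nor the DocImpact mentions it. If that is intended, say so in the message and release note; if only visibility was meant, keep `"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",` and widen `get_port` alone. The same three hunks are repeated verbatim in neutron/tests/etc/policy.json further down, so whichever way this is settled applies there as well.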
@@ -183,6 +185,13 @@
 "get_policy_bandwidth_limit_rule": "rule:regular_user",
 "create_policy_bandwidth_limit_rule": "rule:admin_only",
 "delete_policy_bandwidth_limit_rule": "rule:admin_only",
- "update_policy_bandwidth_limit_rule": "rule:admin_only"
+ "update_policy_bandwidth_limit_rule": "rule:admin_only",
+ "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
+ "create_rbac_policy": "",
+ "create_rbac_policy:target_tenant": "rule:restrict_wildcard",
+ "update_rbac_policy": "rule:admin_or_owner",
+ "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
+ "get_rbac_policy": "rule:admin_or_owner",
+ "delete_rbac_policy": "rule:admin_or_owner"
 }
diff --git a/neutron/tests/etc/policy.json b/neutron/tests/etc/policy.json
index a07a80c2..ac5a27ee 100644
--- a/neutron/tests/etc/policy.json
+++ b/neutron/tests/etc/policy.json
@@ -1,8 +1,10 @@
 {
 "context_is_admin": "role:admin",
- "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
+ "owner": "tenant_id:%(tenant_id)s",
+ "admin_or_owner": "rule:context_is_admin or rule:owner",
 "context_is_advsvc": "role:advsvc",
 "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
+ "admin_owner_or_network_owner": "rule:admin_or_network_owner or rule:owner",
 "admin_only": "rule:context_is_admin",
 "regular_user": "",
 "shared": "field:networks:shared=True",
@@ -62,7 +64,7 @@
 "create_port:binding:profile": "rule:admin_only",
 "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
 "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
- "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
+ "get_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
 "get_port:queue_id": "rule:admin_only",
 "get_port:binding:vif_type": "rule:admin_only",
 "get_port:binding:vif_details": "rule:admin_only",
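Review bot: `"create_rbac_policy": ""` in the `@@ -183` hunk grants every authenticated tenant the right to create sharing entries, with `restrict_wildcard` as the only attribute-level guard, yet the opt-out the commit message promises ("all of the RBAC operations can be blocked in policy.json") is never spelled out; since policy.json cannot carry comments, the DocImpact/release note should state it, e.g. set `"create_rbac_policy": "rule:admin_only"` (and the update/delete rules likewise) to keep the legacy shared-only behaviour. Note also that `get_rbac_policy` is `rule:admin_or_owner`, so the tenant named in `target_tenant` cannot see an entry that grants it access; if grantees are meant to see their grants the rule would need a further clause such as `or tenant_id:%(target_tenant)s` — presumably deliberate, please confirm. Whether the caller actually owns the object it is sharing cannot be expressed in this file and has to be enforced (and tested) in the plugin. The same hunk is repeated in neutron/tests/etc/policy.json below.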
@@ -76,7 +78,7 @@
 "update_port:binding:profile": "rule:admin_only",
 "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
 "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
- "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
+ "delete_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
 "get_router:ha": "rule:admin_only",
 "create_router": "rule:regular_user",
@@ -183,6 +185,13 @@
 "get_policy_bandwidth_limit_rule": "rule:regular_user",
 "create_policy_bandwidth_limit_rule": "rule:admin_only",
 "delete_policy_bandwidth_limit_rule": "rule:admin_only",
- "update_policy_bandwidth_limit_rule": "rule:admin_only"
+ "update_policy_bandwidth_limit_rule": "rule:admin_only",
+ "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
+ "create_rbac_policy": "",
+ "create_rbac_policy:target_tenant": "rule:restrict_wildcard",
+ "update_rbac_policy": "rule:admin_or_owner",
+ "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
+ "get_rbac_policy": "rule:admin_or_owner",
+ "delete_rbac_policy": "rule:admin_or_owner"
 }
diff --git a/neutron/tests/tempest/services/network/json/network_client.py b/neutron/tests/tempest/services/network/json/network_client.py
index 3fb233e9..25400ca2 100644
--- a/neutron/tests/tempest/services/network/json/network_client.py
+++ b/neutron/tests/tempest/services/network/json/network_client.py
@@ -71,6 +71,7 @@ class NetworkClientJSON(service_client.ServiceClient):
 'policies': 'qos',
 'bandwidth_limit_rules': 'qos',
 'rule_types': 'qos',
+ 'rbac-policies': '',
 }
 service_prefix = service_resource_prefix_map.get(
 plural_name)
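Review bot: The new prefix-map key `'rbac-policies'` in the `@@ -71` hunk is spelled with a hyphen, while the `@@ -96` hunk that follows registers the plural as `'rbac_policy': 'rbac_policies'` with an underscore, and the neighbouring prefix-map keys (`'bandwidth_limit_rules'`, `'rule_types'`) use the underscore form that `resource_plural_map` produces. If `plural_name` is the value taken from `resource_plural_map`, the hyphenated key is never matched and `service_resource_prefix_map.get(plural_name)` falls back to `None`, which happens to behave like the intended `''` under a truthiness test, so the mismatch would be silent; `'rbac_policies': '',` is the spelling consistent with the other entries — confirm against how `plural_name` is derived. The enclosing method begins outside the hunk.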
@@ -96,7 +97,8 @@ class NetworkClientJSON(service_client.ServiceClient):
 'ipsec_site_connection': 'ipsec-site-connections',
 'quotas': 'quotas',
 'firewall_policy': 'firewall_policies',
- 'qos_policy': 'policies'
+ 'qos_policy': 'policies',
+ 'rbac_policy': 'rbac_policies',
 }
 return resource_plural_map.get(resource_name, resource_name + 's')