Merge "Convert policy.json into policy-in-code"
commit
e4658a3480
|
@ -72,10 +72,6 @@ function neutron_fwaas_generate_config_files {
|
|||
function init_fwaas() {
|
||||
# Initialize and start the service.
|
||||
:
|
||||
if [ ! -d /etc/neutron/policy.d ]; then
|
||||
mkdir /etc/neutron/policy.d
|
||||
fi
|
||||
cp $DEST/neutron-fwaas/etc/neutron/policy.d/neutron-fwaas.json /etc/neutron/policy.d/neutron-fwaas.json
|
||||
# Using sudo to gain the root privilege to be able to copy file to rootwrap.d
|
||||
sudo cp $DEST/neutron-fwaas/etc/neutron/rootwrap.d/fwaas-privsep.filters /etc/neutron/rootwrap.d/fwaas-privsep.filters
|
||||
}
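Review bot: Dropping the copy into /etc/neutron/policy.d from init_fwaas does not remove a neutron-fwaas.json that an earlier run already placed there, and a file left in that directory would presumably still be loaded and override the new in-code defaults. Nothing on this page cleans it up or tells deployers to, so consider a one-off `rm -f /etc/neutron/policy.d/neutron-fwaas.json` in the plugin's cleanup path, or a release note asking operators to delete or review the stale file. Without that, an upgraded host can keep enforcing the old rules while the generated sample documents the new ones.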
|
||||
|
|
|
@ -1,52 +0,0 @@
|
|||
{
|
||||
"shared_firewalls": "field:firewalls:shared=True",
|
||||
"shared_firewall_policies": "field:firewall_policies:shared=True",
|
||||
"shared_firewall_rules": "field:firewall_rules:shared=True",
|
||||
|
||||
"create_firewall": "",
|
||||
"update_firewall": "rule:admin_or_owner",
|
||||
"delete_firewall": "rule:admin_or_owner",
|
||||
|
||||
"create_firewall:shared": "rule:admin_only",
|
||||
"update_firewall:shared": "rule:admin_only",
|
||||
"delete_firewall:shared": "rule:admin_only",
|
||||
|
||||
"get_firewall": "rule:admin_or_owner or rule:shared_firewalls",
|
||||
|
||||
"shared_firewall_groups": "field:firewall_groups:shared=True",
|
||||
"shared_firewall_policies": "field:firewall_policies:shared=True",
|
||||
"shared_firewall_rules": "field:firewall_rules:shared=True",
|
||||
|
||||
"create_firewall_group": "",
|
||||
"update_firewall_group": "rule:admin_or_owner",
|
||||
"delete_firewall_group": "rule:admin_or_owner",
|
||||
|
||||
"create_firewall_group:shared": "rule:admin_only",
|
||||
"update_firewall_group:shared": "rule:admin_only",
|
||||
"delete_firewall_group:shared": "rule:admin_only",
|
||||
|
||||
"get_firewall_group": "rule:admin_or_owner or rule:shared_firewall_groups",
|
||||
|
||||
"create_firewall_policy": "",
|
||||
"update_firewall_policy": "rule:admin_or_owner",
|
||||
"delete_firewall_policy": "rule:admin_or_owner",
|
||||
|
||||
"create_firewall_policy:shared": "rule:admin_only",
|
||||
"update_firewall_policy:shared": "rule:admin_only",
|
||||
"delete_firewall_policy:shared": "rule:admin_only",
|
||||
|
||||
"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
|
||||
|
||||
"insert_rule": "rule:admin_or_owner",
|
||||
"remove_rule": "rule:admin_or_owner",
|
||||
|
||||
"create_firewall_rule": "",
|
||||
"update_firewall_rule": "rule:admin_or_owner",
|
||||
"delete_firewall_rule": "rule:admin_or_owner",
|
||||
|
||||
"create_firewall_rule:shared": "rule:admin_only",
|
||||
"update_firewall_rule:shared": "rule:admin_only",
|
||||
"delete_firewall_rule:shared": "rule:admin_only",
|
||||
|
||||
"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewall_rules"
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
[DEFAULT]
|
||||
output_file = etc/policy.yaml.sample
|
||||
namespace = neutron-fwaas
|
|
@ -0,0 +1,27 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import itertools
|
||||
|
||||
from neutron_fwaas.policies import firewall
|
||||
from neutron_fwaas.policies import firewall_group
|
||||
from neutron_fwaas.policies import firewall_policy
|
||||
from neutron_fwaas.policies import firewall_rule
|
||||
|
||||
|
||||
def list_rules():
|
||||
return itertools.chain(
|
||||
firewall.list_rules(),
|
||||
firewall_group.list_rules(),
|
||||
firewall_policy.list_rules(),
|
||||
firewall_rule.list_rules(),
|
||||
)
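Review bot: `list_rules()` has no docstring although it is the single aggregation point for the in-code defaults; the setup.cfg section on this page registers it under both `oslo.policy.policies` and `neutron.policies`. A one-line docstring such as `"""Return all neutron-fwaas policy defaults for the oslo.policy and neutron entry points."""` would make clear that a new policy module has to be added to this chain before its rules are registered or appear in the generated sample.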
|
|
@ -0,0 +1,17 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
# TODO(amotoki): Define these in neutron or neutron-lib
|
||||
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
|
||||
RULE_ADMIN_ONLY = 'rule:admin_only'
|
||||
RULE_ANY = 'rule:regular_user'
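Review bot: `RULE_ANY = 'rule:regular_user'` is not equivalent on its own to the empty check string the deleted policy.json used for the create_* rules: it allows every user only if a rule named `regular_user` is registered elsewhere, and none of the three names referenced here is defined in the files shown. oslo.policy evaluates a reference to an undefined rule as a failed check, so a missing base rule would deny the create calls rather than open them, but the dependency deserves a comment next to the TODO, for example `# These names are resolved against neutron's base rules and must be registered before enforcement.` It is also worth confirming that the sample produced by `oslopolicy-sample-generator` with only the neutron-fwaas namespace is still meaningful without those definitions.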
|
|
@ -0,0 +1,113 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from neutron_fwaas.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'shared_firewalls',
|
||||
'field:firewalls:shared=True',
|
||||
'(FWaaS v1) Definition of shared firewalls'
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_firewall',
|
||||
base.RULE_ANY,
|
||||
'(FWaaS v1) Create a firewall',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/fw/firewalls',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_firewall',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'(FWaaS v1) Update a firewall',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/fw/firewalls/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_firewall',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'(FWaaS v1) Delete a firewall',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/fw/firewalls/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_firewall:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'(FWaaS v1) Create a shared firewall',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/fw/firewalls',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_firewall:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'(FWaaS v1) Update ``shared`` attribute of a firewall',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/fw/firewalls/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
# TODO(amotoki): Drop this rule as it has no effect.
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_firewall:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'(FWaaS v1) Delete a shared firewall',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/fw/firewalls/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_firewall',
|
||||
'rule:admin_or_owner or rule:shared_firewalls',
|
||||
'(FWaaS v1) Get firewalls',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/fw/firewalls',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/fw/firewalls/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
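Review bot: The `get_firewall` default spells out `'rule:admin_or_owner or rule:shared_firewalls'` as a literal while every other entry in the list uses the constants from `base`, so a later change to `RULE_ADMIN_OR_OWNER` would leave the read path on the old check without any error. Building it as `base.RULE_ADMIN_OR_OWNER + ' or rule:shared_firewalls'` keeps the two in step; the same applies to `get_firewall_group`, `get_firewall_policy` and `get_firewall_rule` in the three sections that follow. Separately, `delete_firewall:shared` is marked in a TODO as having no effect, and until it is dropped its description should say so, because the generated sample otherwise documents an admin-only restriction that this rule does not provide.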
|
|
@ -0,0 +1,113 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from neutron_fwaas.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'shared_firewall_groups',
|
||||
'field:firewall_groups:shared=True',
|
||||
'Definition of shared firewall groups'
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_firewall_group',
|
||||
base.RULE_ANY,
|
||||
'Create a firewall group',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/fwaas/firewall_groups',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_firewall_group',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Update a firewall group',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/fwaas/firewall_groups/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_firewall_group',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Delete a firewall group',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/fwaas/firewall_groups/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_firewall_group:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a shared firewall group',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/fwaas/firewall_groups',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_firewall_group:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update ``shared`` attribute of a firewall group',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/fwaas/firewall_groups/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
# TODO(amotoki): Drop this rule as it has no effect.
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_firewall_group:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete a shared firewall group',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/fwaas/firewall_groups/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_firewall_group',
|
||||
'rule:admin_or_owner or rule:shared_firewall_groups',
|
||||
'Get firewall groups',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/fwaas/firewall_groups',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/fwaas/firewall_groups/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,113 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from neutron_fwaas.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'shared_firewall_policies',
|
||||
'field:firewall_policies:shared=True',
|
||||
'Definition of shared firewall policies'
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_firewall_policy',
|
||||
base.RULE_ANY,
|
||||
'Create a firewall policy',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/fwaas/firewall_policies',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_firewall_policy',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Update a firewall policy',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/fwaas/firewall_policies/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_firewall_policy',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Delete a firewall policy',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/fwaas/firewall_policies/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_firewall_policy:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a shared firewall policy',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/fwaas/firewall_policies',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_firewall_policy:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update ``shared`` attribute of a firewall policy',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/fwaas/firewall_policies/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
# TODO(amotoki): Drop this rule as it has no effect.
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_firewall_policy:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete a shread firewall policy',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/fwaas/firewall_policies/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_firewall_policy',
|
||||
'rule:admin_or_owner or rule:shared_firewall_policies',
|
||||
'Get firewall policies',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/fwaas/firewall_policies',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/fwaas/firewall_policies/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
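Review bot: The description of `delete_firewall_policy:shared` reads `'Delete a shread firewall policy'`; it should be `'Delete a shared firewall policy'`, since this text is emitted into the generated policy sample that operators read. The same misspelling appears in `delete_firewall_rule:shared` in the next section (`'Delete a shread firewall rule'`).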
|
|
@ -0,0 +1,136 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from neutron_fwaas.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'shared_firewall_rules',
|
||||
'field:firewall_rules:shared=True',
|
||||
'Definition of shared firewall rules'
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_firewall_rule',
|
||||
base.RULE_ANY,
|
||||
'Create a firewall rule',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/fwaas/firewall_rules',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_firewall_rule',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Update a firewall rule',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/fwaas/firewall_rules/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_firewall_rule',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Delete a firewall rule',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/fwaas/firewall_rules/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_firewall_rule:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Create a shared firewall rule',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/fwaas/firewall_rules',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_firewall_rule:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Update ``shared`` attribute of a firewall rule',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/fwaas/firewall_rules/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
# TODO(amotoki): Drop this rule as it has no effect.
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_firewall_rule:shared',
|
||||
base.RULE_ADMIN_ONLY,
|
||||
'Delete a shread firewall rule',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/fwaas/firewall_rules/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_firewall_rule',
|
||||
'rule:admin_or_owner or rule:shared_firewall_rules',
|
||||
'Get firewall rules',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/fwaas/firewall_rules',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/fwaas/firewall_rules/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'insert_rule',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Insert rule into a firewall policy',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/fwaas/firewall_policies/{id}/insert_rule',
|
||||
},
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'remove_rule',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Remove rule from a firewall policy',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/fwaas/firewall_policies/{id}/remove_rule',
|
||||
},
|
||||
]
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
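Review bot: `insert_rule` and `remove_rule` are documented against `/fwaas/firewall_policies/{id}/...` but are registered in the list that otherwise holds the firewall rule policies, and their names carry no resource prefix. A short comment above them, for example `# Actions on a firewall policy; the check target is presumably the policy, not the rule being inserted`, would tell operators which object's ownership the `admin_or_owner` default protects. Whether the rule passed in the request body is also checked for ownership or the shared flag is not visible from this list and should be confirmed against the plugin before relying on this default.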
|
|
@ -14,31 +14,8 @@
|
|||
# under the License.
|
||||
#
|
||||
|
||||
import os
|
||||
|
||||
from neutron.common import test_lib
|
||||
from neutron.tests import base as n_base
|
||||
from neutron.tests.unit.db import test_db_base_plugin_v2 as test_db_plugin
|
||||
|
||||
|
||||
class BaseTestCase(n_base.BaseTestCase):
|
||||
pass
|
||||
|
||||
|
||||
class NeutronDbPluginV2TestCase(test_db_plugin.NeutronDbPluginV2TestCase):
|
||||
|
||||
def setup_config(self):
|
||||
# Copied from neutron's test_db_base_plugin_v2 because they
|
||||
# don't allow to specify args
|
||||
|
||||
# Create the default configurations
|
||||
args = ['--config-file', n_base.etcdir('neutron.conf')]
|
||||
# If test_config specifies some config-file, use it, as well
|
||||
for config_file in test_lib.test_config.get('config_files', []):
|
||||
args.extend(['--config-file', config_file])
|
||||
|
||||
# our own stuff
|
||||
dirpath = os.path.join(os.path.dirname(__file__),
|
||||
'etc/neutron/policy.d')
|
||||
args.extend(['--config-dir', dirpath])
|
||||
self.config_parse(args=args)
|
||||
|
|
|
@ -1,52 +0,0 @@
|
|||
{
|
||||
"shared_firewalls": "field:firewalls:shared=True",
|
||||
"shared_firewall_policies": "field:firewall_policies:shared=True",
|
||||
"shared_firewall_rules": "field:firewall_rules:shared=True",
|
||||
|
||||
"create_firewall": "",
|
||||
"update_firewall": "rule:admin_or_owner",
|
||||
"delete_firewall": "rule:admin_or_owner",
|
||||
|
||||
"create_firewall:shared": "rule:admin_only",
|
||||
"update_firewall:shared": "rule:admin_only",
|
||||
"delete_firewall:shared": "rule:admin_only",
|
||||
|
||||
"get_firewall": "rule:admin_or_owner or rule:shared_firewalls",
|
||||
|
||||
"shared_firewall_groups": "field:firewall_groups:shared=True",
|
||||
"shared_firewall_policies": "field:firewall_policies:shared=True",
|
||||
"shared_firewall_rules": "field:firewall_rules:shared=True",
|
||||
|
||||
"create_firewall_group": "",
|
||||
"update_firewall_group": "rule:admin_or_owner",
|
||||
"delete_firewall_group": "rule:admin_or_owner",
|
||||
|
||||
"create_firewall_group:shared": "rule:admin_only",
|
||||
"update_firewall_group:shared": "rule:admin_only",
|
||||
"delete_firewall_group:shared": "rule:admin_only",
|
||||
|
||||
"get_firewall_group": "rule:admin_or_owner or rule:shared_firewall_groups",
|
||||
|
||||
"create_firewall_policy": "",
|
||||
"update_firewall_policy": "rule:admin_or_owner",
|
||||
"delete_firewall_policy": "rule:admin_or_owner",
|
||||
|
||||
"create_firewall_policy:shared": "rule:admin_only",
|
||||
"update_firewall_policy:shared": "rule:admin_only",
|
||||
"delete_firewall_policy:shared": "rule:admin_only",
|
||||
|
||||
"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
|
||||
|
||||
"insert_rule": "rule:admin_or_owner",
|
||||
"remove_rule": "rule:admin_or_owner",
|
||||
|
||||
"create_firewall_rule": "",
|
||||
"update_firewall_rule": "rule:admin_or_owner",
|
||||
"delete_firewall_rule": "rule:admin_or_owner",
|
||||
|
||||
"create_firewall_rule:shared": "rule:admin_only",
|
||||
"update_firewall_rule:shared": "rule:admin_only",
|
||||
"delete_firewall_rule:shared": "rule:admin_only",
|
||||
|
||||
"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewall_rules"
|
||||
}
|
|
@ -18,6 +18,7 @@ import contextlib
|
|||
import mock
|
||||
from neutron.api import extensions as api_ext
|
||||
from neutron.common import config
|
||||
from neutron.tests.unit.db import test_db_base_plugin_v2 as test_db_plugin
|
||||
from neutron_lib.api.definitions import firewall
|
||||
from neutron_lib import constants as nl_constants
|
||||
from neutron_lib import context
|
||||
|
@ -33,7 +34,6 @@ import webob.exc
|
|||
from neutron_fwaas.db.firewall import firewall_db as fdb
|
||||
from neutron_fwaas import extensions
|
||||
from neutron_fwaas.services.firewall import fwaas_plugin
|
||||
from neutron_fwaas.tests import base
|
||||
|
||||
|
||||
DB_FW_PLUGIN_KLASS = (
|
||||
|
@ -73,7 +73,7 @@ class FakeAgentApi(fwaas_plugin.FirewallCallbacks):
|
|||
self.firewall_deleted(context, firewall['id'], **kwargs)
|
||||
|
||||
|
||||
class FirewallPluginDbTestCase(base.NeutronDbPluginV2TestCase):
|
||||
class FirewallPluginDbTestCase(test_db_plugin.NeutronDbPluginV2TestCase):
|
||||
resource_prefix_map = dict(
|
||||
(k, firewall.API_PREFIX)
|
||||
for k in firewall.RESOURCE_ATTRIBUTE_MAP.keys()
|
||||
|
|
|
@ -21,6 +21,7 @@ import webob.exc
|
|||
|
||||
from neutron.api import extensions as api_ext
|
||||
from neutron.db import servicetype_db as sdb
|
||||
from neutron.tests.unit.db import test_db_base_plugin_v2 as test_db_plugin
|
||||
from neutron_lib.api.definitions import firewall_v2
|
||||
from neutron_lib import constants as nl_constants
|
||||
from neutron_lib import context
|
||||
|
@ -33,7 +34,6 @@ from neutron_fwaas import extensions
|
|||
from neutron_fwaas.services.firewall import fwaas_plugin_v2
|
||||
from neutron_fwaas.services.firewall.service_drivers.driver_api import \
|
||||
FirewallDriverDB
|
||||
from neutron_fwaas.tests import base
|
||||
|
||||
|
||||
def http_client_error(req, res):
|
||||
|
@ -51,7 +51,7 @@ class DummyDriverDB(FirewallDriverDB):
|
|||
return True
|
||||
|
||||
|
||||
class FirewallPluginV2TestCase(base.NeutronDbPluginV2TestCase):
|
||||
class FirewallPluginV2TestCase(test_db_plugin.NeutronDbPluginV2TestCase):
|
||||
DESCRIPTION = 'default description'
|
||||
PROTOCOL = 'tcp'
|
||||
IP_VERSION = 4
|
||||
|
|
|
@ -49,6 +49,10 @@ tempest.test_plugins =
|
|||
oslo.config.opts =
|
||||
neutron.fwaas = neutron_fwaas.opts:list_opts
|
||||
firewall.agent = neutron_fwaas.opts:list_agent_opts
|
||||
oslo.policy.policies =
|
||||
neutron-fwaas = neutron_fwaas.policies:list_rules
|
||||
neutron.policies =
|
||||
neutron-fwaas = neutron_fwaas.policies:list_rules
|
||||
neutron.agent.l2.extensions =
|
||||
fwaas_v2 = neutron_fwaas.services.firewall.service_drivers.agents.l2.fwaas_v2:FWaaSV2AgentExtension
|
||||
neutron.agent.l2.firewall_drivers =
|
||||
|
|
4
tox.ini
4
tox.ini
|
@ -99,6 +99,7 @@ commands =
|
|||
{toxinidir}/tools/check_unit_test_structure.sh
|
||||
neutron-db-manage --subproject neutron-fwaas --database-connection sqlite:// check_migration
|
||||
{[testenv:genconfig]commands}
|
||||
{[testenv:genpolicy]commands}
|
||||
whitelist_externals = sh
|
||||
|
||||
[testenv:cover]
|
||||
|
@ -158,6 +159,9 @@ local-check-factory = neutron_lib.hacking.checks.factory
|
|||
[testenv:genconfig]
|
||||
commands = {toxinidir}/tools/generate_config_file_samples.sh
|
||||
|
||||
[testenv:genpolicy]
|
||||
commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
|
||||
|
||||
[testenv:lower-constraints]
|
||||
basepython = python3
|
||||
deps =
|
||||
|
|