Define default policies in code
A new role ``neutron_interconnection_peer`` must be added for the neutron-interconnection-specific user that performs interconnection refresh and parameter exchange. This patch adds policies in code and the corresponding documentation. Partially Implements: blueprint neutron-policy-in-code Signed-off-by: Thomas Morin <thomas.morin@orange.com> Submitted on behalf of a third-party: Orange Change-Id: I235e79e2c165ba2d5d2d6b3c976f6fda16f19a68
parent
633108cdc2
commit
74e6ae9831
|
@ -23,7 +23,8 @@ sys.path.insert(0, os.path.abspath('../..'))
|
|||
extensions = [
|
||||
'sphinx.ext.autodoc',
|
||||
'openstackdocstheme',
|
||||
#'sphinx.ext.intersphinx',
|
||||
'oslo_policy.sphinxext',
|
||||
'oslo_policy.sphinxpolicygen',
|
||||
]
|
||||
|
||||
# autodoc generation is a bit aggressive and a nuisance when doing heavy
|
||||
|
@ -80,3 +81,8 @@ latex_documents = [
|
|||
|
||||
# Example configuration for intersphinx: refer to the Python standard library.
|
||||
#intersphinx_mapping = {'http://docs.python.org/': None}
|
||||
|
||||
# -- Options for oslo_policy.sphinxpolicygen ---------------------------------
|
||||
|
||||
policy_generator_config_file = '../../etc/oslo-policy-generator/policy.conf'
|
||||
sample_policy_basename = '_static/neutron-interconnection'
|
|
@ -1,5 +1,15 @@
|
|||
=============
|
||||
Configuration
|
||||
=============
|
||||
===================
|
||||
Configuration Guide
|
||||
===================
|
||||
|
||||
Configuration of neutron-interconnection.
|
||||
Policy
|
||||
------
|
||||
|
||||
Like most OpenStack projects, neutron-interconnection uses policies to restrict
|
||||
permissions on REST API actions.
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
Policy Reference <policy>
|
||||
Sample Policy File <policy-sample>
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
==========================================
|
||||
Neutron Interconnection Sample Policy File
|
||||
==========================================
|
||||
|
||||
The following is a neutron-interconnection sample policy file for adaptation
|
||||
and use.
|
||||
|
||||
This sample policy can also be viewed in :download:`file form
|
||||
</_static/neutron-interconnection.policy.yaml.sample>`.
|
||||
|
||||
.. important::
|
||||
|
||||
The sample policy file was auto-generated when neutron-interconnection
|
||||
documentation was build. You must ensure your neutron-interconnection
|
||||
version matches the version of this documentation.
|
||||
|
||||
.. literalinclude:: /_static/neutron-interconnection.policy.yaml.sample
|
|
@ -0,0 +1,10 @@
|
|||
================================
|
||||
Neutron Interconnection Policies
|
||||
================================
|
||||
|
||||
The following is an overview of all available policies in
|
||||
neutron-interconnection.
|
||||
Refer to :doc:`/configuration/policy-sample` for a sample configuration file.
|
||||
|
||||
.. show-policy::
|
||||
:config-file: etc/oslo-policy-generator/policy.conf
|
|
@ -0,0 +1,3 @@
|
|||
[DEFAULT]
|
||||
output_file = etc/policy.yaml.sample
|
||||
namespace = neutron-interconnection
|
|
@ -0,0 +1,24 @@
|
|||
# Copyright (c) 2018 Orange.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import itertools
|
||||
|
||||
from neutron_interconnection.policies import interconnection
|
||||
|
||||
|
||||
def list_rules():
|
||||
return itertools.chain(
|
||||
interconnection.list_rules(),
|
||||
)
|
|
@ -0,0 +1,23 @@
|
|||
# Copyright (c) 2018 Orange.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
# TODO(ythomas1): Define these in neutron or neutron-lib
|
||||
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
|
||||
RULE_ANY = 'rule:regular_user'
|
||||
|
||||
RULE_NEUTRON_INTERCONNECTION_PEER = 'role:neutron_interconnection_peer'
|
||||
RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER = (
|
||||
'rule:context_is_admin or role:neutron_interconnection_peer'
|
||||
)
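Review bot: `RULE_ADMIN_OR_OWNER`, `RULE_ANY` and the `rule:context_is_admin` part of `RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER` reference rules (`admin_or_owner`, `regular_user`, `context_is_admin`) that nothing in this commit registers, since `list_rules()` only chains the seven interconnection rules. They resolve only when neutron's base rules are loaded into the same enforcer; oslo.policy treats a reference to an undefined rule as a failed check, so a standalone load denies rather than allows, but the sample generated from the `neutron-interconnection` namespace alone will show checks whose targets are absent from the file. I would replace the TODO with a comment that states the dependency, e.g. `# NOTE: admin_or_owner, regular_user and context_is_admin are expected to come from neutron's base policies; they are not registered by this package.` `RULE_ANY` is also unused in this commit and its name reads broader than `rule:regular_user`, so either drop it or rename it to match.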
|
|
@ -0,0 +1,122 @@
|
|||
# Copyright (c) 2018 Orange.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from neutron_interconnection.policies import base
|
||||
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
'create_interconnection',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Create an interconnection',
|
||||
[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/inter/interconnections',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'update_interconnection',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Update an interconnection',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/inter/interconnections/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'delete_interconnection',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Delete an interconnection',
|
||||
[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/inter/interconnections/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_interconnection',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
'Get interconnections',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/inter/interconnections',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/inter/interconnections/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_interconnection:local_parameters',
|
||||
base.RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER,
|
||||
'Get ``local_parameters`` attributes of interconnections',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/inter/interconnections',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/inter/interconnections/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'get_interconnection:remote_parameters',
|
||||
base.RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER,
|
||||
'Get ``remote_parameters`` attributes of interconnections',
|
||||
[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/inter/interconnections',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/inter/interconnections/{id}',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
'refresh',
|
||||
base.RULE_NEUTRON_INTERCONNECTION_PEER,
|
||||
'Refresh an interconnection',
|
||||
[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/inter/interconnections/{id}/refresh',
|
||||
},
|
||||
]
|
||||
),
|
||||
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
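Review bot: The defaults for `refresh`, `get_interconnection:local_parameters` and `get_interconnection:remote_parameters` match on the bare role `neutron_interconnection_peer` with no project or owner condition, so as far as the policy goes any token carrying that role passes for every tenant's interconnections. If per-interconnection scoping is enforced elsewhere (not visible in this commit), the description strings should say so, e.g. `'Refresh an interconnection (peer service role; not restricted to the owning project)'`, so that operators assigning the role know its reach. Note also that `refresh` is PUT-able only by the peer role and not by admin, unlike the two parameter rules; if that asymmetry is intended, a short comment above the rule would prevent someone later "fixing" it. The rule name `refresh` is also generic for a list that setup.cfg in this commit registers under `neutron.policies` as well; confirm it cannot collide with another plugin's rule of the same name.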
|
|
@ -3,3 +3,4 @@
|
|||
# process, which may cause wedges in the gate later.
|
||||
|
||||
pbr>=2.0 # Apache-2.0
|
||||
oslo.policy>=1.30.0 # Apache-2.0
|
||||
|
|
|
@ -22,6 +22,12 @@ classifier =
|
|||
packages =
|
||||
neutron_interconnection
|
||||
|
||||
[entry_points]
|
||||
oslo.policy.policies =
|
||||
neutron-interconnection = neutron_interconnection.policies:list_rules
|
||||
neutron.policies =
|
||||
neutron-interconnection = neutron_interconnection.policies:list_rules
|
||||
|
||||
[compile_catalog]
|
||||
directory = neutron_interconnection/locale
|
||||
domain = neutron_interconnection
|
||||
|
|
12
tox.ini
12
tox.ini
|
@ -12,11 +12,16 @@ setenv =
|
|||
OS_STDOUT_CAPTURE=1
|
||||
OS_STDERR_CAPTURE=1
|
||||
OS_TEST_TIMEOUT=60
|
||||
deps = -r{toxinidir}/test-requirements.txt
|
||||
deps = -r{toxinidir}/requirements.txt
|
||||
-r{toxinidir}/test-requirements.txt
|
||||
commands = stestr run {posargs}
|
||||
|
||||
[testenv:pep8]
|
||||
commands = flake8 {posargs}
|
||||
deps =
|
||||
{[testenv]deps}
|
||||
commands =
|
||||
flake8 {posargs}
|
||||
{[testenv:genpolicy]commands}
|
||||
|
||||
[testenv:venv]
|
||||
commands = {posargs}
|
||||
|
@ -43,6 +48,9 @@ commands =
|
|||
[testenv:debug]
|
||||
commands = oslo_debug_helper {posargs}
|
||||
|
||||
[testenv:genpolicy]
|
||||
commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
|
||||
|
||||
[flake8]
|
||||
# E123, E125 skipped as they are invalid PEP-8.
|
||||
|
||||
|
|