Define default policies in code
A new role ``neutron_interconnection_peer`` must be added for the neutron-interconnection-specific user that is used for interconnection refresh and parameter exchange. This patch adds policies in code and the corresponding documentation. Partially Implements: blueprint neutron-policy-in-code Signed-off-by: Thomas Morin <thomas.morin@orange.com> Submitted on behalf of a third-party: Orange Change-Id: I235e79e2c165ba2d5d2d6b3c976f6fda16f19a68
parent
633108cdc2
commit
74e6ae9831
|
@ -23,7 +23,8 @@ sys.path.insert(0, os.path.abspath('../..'))
|
||||||
extensions = [
|
extensions = [
|
||||||
'sphinx.ext.autodoc',
|
'sphinx.ext.autodoc',
|
||||||
'openstackdocstheme',
|
'openstackdocstheme',
|
||||||
#'sphinx.ext.intersphinx',
|
'oslo_policy.sphinxext',
|
||||||
|
'oslo_policy.sphinxpolicygen',
|
||||||
]
|
]
|
||||||
|
|
||||||
# autodoc generation is a bit aggressive and a nuisance when doing heavy
|
# autodoc generation is a bit aggressive and a nuisance when doing heavy
|
||||||
|
@ -80,3 +81,8 @@ latex_documents = [
|
||||||
|
|
||||||
# Example configuration for intersphinx: refer to the Python standard library.
|
# Example configuration for intersphinx: refer to the Python standard library.
|
||||||
#intersphinx_mapping = {'http://docs.python.org/': None}
|
#intersphinx_mapping = {'http://docs.python.org/': None}
|
||||||
|
|
||||||
|
# -- Options for oslo_policy.sphinxpolicygen ---------------------------------
|
||||||
|
|
||||||
|
policy_generator_config_file = '../../etc/oslo-policy-generator/policy.conf'
|
||||||
|
sample_policy_basename = '_static/neutron-interconnection'
|
|
@ -1,5 +1,15 @@
|
||||||
=============
|
===================
|
||||||
Configuration
|
Configuration Guide
|
||||||
=============
|
===================
|
||||||
|
|
||||||
Configuration of neutron-interconnection.
|
Policy
|
||||||
|
------
|
||||||
|
|
||||||
|
Like most OpenStack projects, neutron-interconnection uses policies to restrict
|
||||||
|
permissions on REST API actions.
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 1
|
||||||
|
|
||||||
|
Policy Reference <policy>
|
||||||
|
Sample Policy File <policy-sample>
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
==========================================
|
||||||
|
Neutron Interconnection Sample Policy File
|
||||||
|
==========================================
|
||||||
|
|
||||||
|
The following is a neutron-interconnection sample policy file for adaptation
|
||||||
|
and use.
|
||||||
|
|
||||||
|
This sample policy can also be viewed in :download:`file form
|
||||||
|
</_static/neutron-interconnection.policy.yaml.sample>`.
|
||||||
|
|
||||||
|
.. important::
|
||||||
|
|
||||||
|
The sample policy file was auto-generated when neutron-interconnection
|
||||||
|
documentation was build. You must ensure your neutron-interconnection
|
||||||
|
version matches the version of this documentation.
|
||||||
|
|
||||||
|
.. literalinclude:: /_static/neutron-interconnection.policy.yaml.sample
|
|
@ -0,0 +1,10 @@
|
||||||
|
================================
|
||||||
|
Neutron Interconnection Policies
|
||||||
|
================================
|
||||||
|
|
||||||
|
The following is an overview of all available policies in
|
||||||
|
neutron-interconnection.
|
||||||
|
Refer to :doc:`/configuration/policy-sample` for a sample configuration file.
|
||||||
|
|
||||||
|
.. show-policy::
|
||||||
|
:config-file: etc/oslo-policy-generator/policy.conf
|
|
@ -0,0 +1,3 @@
|
||||||
|
[DEFAULT]
|
||||||
|
output_file = etc/policy.yaml.sample
|
||||||
|
namespace = neutron-interconnection
|
|
@ -0,0 +1,24 @@
|
||||||
|
# Copyright (c) 2018 Orange.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
import itertools
|
||||||
|
|
||||||
|
from neutron_interconnection.policies import interconnection
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return itertools.chain(
|
||||||
|
interconnection.list_rules(),
|
||||||
|
)
|
|
@ -0,0 +1,23 @@
|
||||||
|
# Copyright (c) 2018 Orange.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
# TODO(ythomas1): Define these in neutron or neutron-lib
|
||||||
|
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
|
||||||
|
RULE_ANY = 'rule:regular_user'
|
||||||
|
|
||||||
|
RULE_NEUTRON_INTERCONNECTION_PEER = 'role:neutron_interconnection_peer'
|
||||||
|
RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER = (
|
||||||
|
'rule:context_is_admin or role:neutron_interconnection_peer'
|
||||||
|
)
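Review bot: The check strings in this new module reference `rule:admin_or_owner`, `rule:regular_user` and `rule:context_is_admin`, none of which is registered by the files shown in this commit, so the defaults only work when neutron's own base rules are loaded into the same enforcer. As far as I know oslo.policy treats a reference to an unregistered rule as a denial, so this fails closed, but a sample generated from the `neutron-interconnection` namespace alone would presumably name rules it never defines. I would extend the TODO with a comment such as `# These aliases resolve only when neutron's base rules are registered in the same enforcer.` `RULE_ANY` is not used by any rule in the `interconnection` module as shown and could be left out until something needs it. Note also that `role:neutron_interconnection_peer` is a plain role match with no project or owner condition, so the deployment documentation should state that the role is granted only to the dedicated peer service user.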
|
|
@ -0,0 +1,122 @@
|
||||||
|
# Copyright (c) 2018 Orange.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from neutron_interconnection.policies import base
|
||||||
|
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
'create_interconnection',
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
'Create an interconnection',
|
||||||
|
[
|
||||||
|
{
|
||||||
|
'method': 'POST',
|
||||||
|
'path': '/inter/interconnections',
|
||||||
|
},
|
||||||
|
]
|
||||||
|
),
|
||||||
|
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
'update_interconnection',
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
'Update an interconnection',
|
||||||
|
[
|
||||||
|
{
|
||||||
|
'method': 'PUT',
|
||||||
|
'path': '/inter/interconnections/{id}',
|
||||||
|
},
|
||||||
|
]
|
||||||
|
),
|
||||||
|
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
'delete_interconnection',
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
'Delete an interconnection',
|
||||||
|
[
|
||||||
|
{
|
||||||
|
'method': 'DELETE',
|
||||||
|
'path': '/inter/interconnections/{id}',
|
||||||
|
},
|
||||||
|
]
|
||||||
|
),
|
||||||
|
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
'get_interconnection',
|
||||||
|
base.RULE_ADMIN_OR_OWNER,
|
||||||
|
'Get interconnections',
|
||||||
|
[
|
||||||
|
{
|
||||||
|
'method': 'GET',
|
||||||
|
'path': '/inter/interconnections',
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'method': 'GET',
|
||||||
|
'path': '/inter/interconnections/{id}',
|
||||||
|
},
|
||||||
|
]
|
||||||
|
),
|
||||||
|
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
'get_interconnection:local_parameters',
|
||||||
|
base.RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER,
|
||||||
|
'Get ``local_parameters`` attributes of interconnections',
|
||||||
|
[
|
||||||
|
{
|
||||||
|
'method': 'GET',
|
||||||
|
'path': '/inter/interconnections',
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'method': 'GET',
|
||||||
|
'path': '/inter/interconnections/{id}',
|
||||||
|
},
|
||||||
|
]
|
||||||
|
),
|
||||||
|
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
'get_interconnection:remote_parameters',
|
||||||
|
base.RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER,
|
||||||
|
'Get ``remote_parameters`` attributes of interconnections',
|
||||||
|
[
|
||||||
|
{
|
||||||
|
'method': 'GET',
|
||||||
|
'path': '/inter/interconnections',
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'method': 'GET',
|
||||||
|
'path': '/inter/interconnections/{id}',
|
||||||
|
},
|
||||||
|
]
|
||||||
|
),
|
||||||
|
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
'refresh',
|
||||||
|
base.RULE_NEUTRON_INTERCONNECTION_PEER,
|
||||||
|
'Refresh an interconnection',
|
||||||
|
[
|
||||||
|
{
|
||||||
|
'method': 'PUT',
|
||||||
|
'path': '/inter/interconnections/{id}/refresh',
|
||||||
|
},
|
||||||
|
]
|
||||||
|
),
|
||||||
|
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return rules
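Review bot: The `refresh` default is `base.RULE_NEUTRON_INTERCONNECTION_PEER` alone, so an admin without the peer role is denied, whereas the two `get_interconnection:*_parameters` rules use the admin-or-peer form. If the asymmetry is intended, a comment above the rule should say so; otherwise use `base.RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER`. Separately, `get_interconnection` is admin-or-owner, so a peer-role user who is neither admin nor owner would presumably be refused the resource before the attribute-level rules are consulted. A test showing that the peer user can actually read `local_parameters` and `remote_parameters` would settle it. The name `refresh` is also unqualified although the same list is registered under the `neutron.policies` entry point later in this commit, so `'refresh_interconnection'` would be less likely to clash, if the API action name can follow.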
|
|
@ -3,3 +3,4 @@
|
||||||
# process, which may cause wedges in the gate later.
|
# process, which may cause wedges in the gate later.
|
||||||
|
|
||||||
pbr>=2.0 # Apache-2.0
|
pbr>=2.0 # Apache-2.0
|
||||||
|
oslo.policy>=1.30.0 # Apache-2.0
|
||||||
|
|
|
@ -22,6 +22,12 @@ classifier =
|
||||||
packages =
|
packages =
|
||||||
neutron_interconnection
|
neutron_interconnection
|
||||||
|
|
||||||
|
[entry_points]
|
||||||
|
oslo.policy.policies =
|
||||||
|
neutron-interconnection = neutron_interconnection.policies:list_rules
|
||||||
|
neutron.policies =
|
||||||
|
neutron-interconnection = neutron_interconnection.policies:list_rules
|
||||||
|
|
||||||
[compile_catalog]
|
[compile_catalog]
|
||||||
directory = neutron_interconnection/locale
|
directory = neutron_interconnection/locale
|
||||||
domain = neutron_interconnection
|
domain = neutron_interconnection
|
||||||
|
|
12
tox.ini
12
tox.ini
|
@ -12,11 +12,16 @@ setenv =
|
||||||
OS_STDOUT_CAPTURE=1
|
OS_STDOUT_CAPTURE=1
|
||||||
OS_STDERR_CAPTURE=1
|
OS_STDERR_CAPTURE=1
|
||||||
OS_TEST_TIMEOUT=60
|
OS_TEST_TIMEOUT=60
|
||||||
deps = -r{toxinidir}/test-requirements.txt
|
deps = -r{toxinidir}/requirements.txt
|
||||||
|
-r{toxinidir}/test-requirements.txt
|
||||||
commands = stestr run {posargs}
|
commands = stestr run {posargs}
|
||||||
|
|
||||||
[testenv:pep8]
|
[testenv:pep8]
|
||||||
commands = flake8 {posargs}
|
deps =
|
||||||
|
{[testenv]deps}
|
||||||
|
commands =
|
||||||
|
flake8 {posargs}
|
||||||
|
{[testenv:genpolicy]commands}
|
||||||
|
|
||||||
[testenv:venv]
|
[testenv:venv]
|
||||||
commands = {posargs}
|
commands = {posargs}
|
||||||
|
@ -43,6 +48,9 @@ commands =
|
||||||
[testenv:debug]
|
[testenv:debug]
|
||||||
commands = oslo_debug_helper {posargs}
|
commands = oslo_debug_helper {posargs}
|
||||||
|
|
||||||
|
[testenv:genpolicy]
|
||||||
|
commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
|
||||||
|
|
||||||
[flake8]
|
[flake8]
|
||||||
# E123, E125 skipped as they are invalid PEP-8.
|
# E123, E125 skipped as they are invalid PEP-8.
|
||||||
|
|
||||||
|
|