Introduce rbac-address-scope api extension

This extension makes it possible to add address scope to RBAC policies. Change-Id: I9c77a53cf8d91d27ce1aaebfa12c31f2ae823006 Partial-Bug: #1862968
2020-02-12 17:21:18 +02:00 · 2020-02-12 17:21:18 +02:00 · 1dfa07ccfd
commit 1dfa07ccfd
parent 52f8e49297
7 changed files with 58 additions and 4 deletions
--- a/api-ref/source/v2/parameters.yaml
+++ b/api-ref/source/v2/parameters.yaml
@ -878,16 +878,17 @@ object_id-query:
  description: |
    Filter the RBAC policy list result by the ID of the ``object_type``
    resource. An ``object_type`` of ``network`` returns a network ID,
-    an ``object_type`` of ``qos-policy`` returns a QoS policy ID, and
-    an ``object_type`` of ``security-group`` returns a security group ID.
+    an ``object_type`` of ``qos-policy`` returns a QoS policy ID,
+    an ``object_type`` of ``security-group`` returns a security group ID
+    and an `object_type`` of ``address-scope`` returns a address scope ID.
  in: query
  required: false
  type: string
 object_type-query:
  description: |
    Filter the RBAC policy list result by the type of the object that the
-    RBAC policy affects. Types include ``qos-policy``, ``network``, or
-    ``security-group``.
+    RBAC policy affects. Types include ``qos-policy``, ``network``,
+    ``security-group`` or ``address-scope``.
  in: query
  required: false
  type: string
--- a/api-ref/source/v2/rbac-policy.inc
+++ b/api-ref/source/v2/rbac-policy.inc
@ -9,6 +9,9 @@ Lists, shows details for, creates, updates, and deletes RBAC policies.
 The presence of the ``rbac-security-groups`` extension extends this
 API to support object types of ``security_group``.

+The presence of the ``rbac-address-scope`` extension extends this
+API to support object types of ``address-scope``.
+
 Show RBAC policy details
 ========================

--- a/neutron_lib/api/definitions/init.py
+++ b/neutron_lib/api/definitions/init.py
@ -84,6 +84,7 @@ from neutron_lib.api.definitions import qos_gateway_ip
 from neutron_lib.api.definitions import qos_port_network_policy
 from neutron_lib.api.definitions import qos_rule_type_details
 from neutron_lib.api.definitions import qos_rules_alias
+from neutron_lib.api.definitions import rbac_address_scope
 from neutron_lib.api.definitions import rbac_security_groups
 from neutron_lib.api.definitions import revisionifmatch
 from neutron_lib.api.definitions import router_admin_state_down_before_update
@ -192,6 +193,7 @@ _ALL_API_DEFINITIONS = {
    qos_port_network_policy,
    qos_rule_type_details,
    qos_rules_alias,
+    rbac_address_scope,
    rbac_security_groups,
    revisionifmatch,
    router_admin_state_down_before_update,
--- a/neutron_lib/api/definitions/base.py
+++ b/neutron_lib/api/definitions/base.py
@ -129,6 +129,7 @@ KNOWN_EXTENSIONS = (
    'qos-port-network-policy',
    'qos-rules-alias',
    'quotas',
+    'rbac-address-scope',
    'rbac-policies',
    'rbac-security-groups',
    'router',
--- a/neutron_lib/api/definitions/rbac_address_scope.py
+++ b/neutron_lib/api/definitions/rbac_address_scope.py
@ -0,0 +1,25 @@
+#    Copyright (c) 2020 Cloudification GmbH.  All rights reserved.
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+ALIAS = 'rbac-address-scope'
+IS_SHIM_EXTENSION = True
+IS_STANDARD_ATTR_EXTENSION = False
+NAME = 'Add address_scope type to RBAC'
+DESCRIPTION = 'Add address_scope type to RBAC'
+UPDATED_TIMESTAMP = '2020-02-12T00:00:00-00:00'
+RESOURCE_ATTRIBUTE_MAP = {}
+SUB_RESOURCE_ATTRIBUTE_MAP = {}
+ACTION_MAP = {}
+REQUIRED_EXTENSIONS = ['rbac-policies', 'address-scope']
+OPTIONAL_EXTENSIONS = []
+ACTION_STATUS = {}
--- a/neutron_lib/tests/unit/api/definitions/test_rbac_address_scope.py
+++ b/neutron_lib/tests/unit/api/definitions/test_rbac_address_scope.py
@ -0,0 +1,18 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from neutron_lib.api.definitions import rbac_address_scope
+from neutron_lib.tests.unit.api.definitions import base
+
+
+class RbacAddressScopeDefinitionTestCase(base.DefinitionBaseTestCase):
+    extension_module = rbac_address_scope
--- a/releasenotes/notes/add-rbac-address-scope-dc4683772b205632.yaml
+++ b/releasenotes/notes/add-rbac-address-scope-dc4683772b205632.yaml
@ -0,0 +1,4 @@
+features:
+  - |
+    Added API definition for ``rbac-address-scope`` extension, which allows
+    sharing address scope between tenants via the network RBAC mechanism.