From 2cfe12c2ece452882b0646036fc01fd021cf727a Mon Sep 17 00:00:00 2001 From: Vadim Ponomarev Date: Wed, 9 Jun 2021 00:46:41 +0300 Subject: [PATCH] Introduce rbac-bgpvpn api extension This extension makes it possible to add bgpvpn to RBAC policies. Partial-Bug: #1931100 Change-Id: Ibee622ef47ca6d738ca53f6482cad88b2441503e --- api-ref/source/v2/parameters.yaml | 8 ++-- api-ref/source/v2/rbac-policy.inc | 3 ++ neutron_lib/api/definitions/__init__.py | 2 + neutron_lib/api/definitions/base.py | 1 + neutron_lib/api/definitions/bgpvpn.py | 2 +- neutron_lib/api/definitions/rbac_bgpvpn.py | 46 +++++++++++++++++++ .../unit/api/definitions/test_rbac_bgpvpn.py | 22 +++++++++ .../add-rbac-bgpvpn-cf6c9346822268f7.yaml | 5 ++ 8 files changed, 85 insertions(+), 4 deletions(-) create mode 100644 neutron_lib/api/definitions/rbac_bgpvpn.py create mode 100644 neutron_lib/tests/unit/api/definitions/test_rbac_bgpvpn.py create mode 100644 releasenotes/notes/add-rbac-bgpvpn-cf6c9346822268f7.yaml diff --git a/api-ref/source/v2/parameters.yaml b/api-ref/source/v2/parameters.yaml index 38398c3a1..c8bf76494 100644 --- a/api-ref/source/v2/parameters.yaml +++ b/api-ref/source/v2/parameters.yaml @@ -952,8 +952,9 @@ object_id-query: an ``object_type`` of ``qos-policy`` returns a QoS policy ID, an ``object_type`` of ``security-group`` returns a security group ID, an `object_type`` of ``address-scope`` returns a address scope ID, - an ``object_type`` of ``subnetpool`` returns a subnetpool ID and - an ``object_type`` of ``address-group`` returns an address group ID. + an ``object_type`` of ``subnetpool`` returns a subnetpool ID, + an ``object_type`` of ``address-group`` returns an address group ID and + an ``object_type`` of ``bgpvpn`` returns a bgpvpn ID. in: query required: false type: string 
@@ -961,7 +962,8 @@ object_type-query: description: | Filter the RBAC policy list result by the type of the object that the RBAC policy affects. Types include ``qos-policy``, ``network``, - ``security-group``, ``address-scope``, ``subnetpool`` or ``address-group``. + ``security-group``, ``address-scope``, ``subnetpool``, ``address-group`` or + ``bgpvpn``. in: query required: false type: string diff --git a/api-ref/source/v2/rbac-policy.inc b/api-ref/source/v2/rbac-policy.inc index 91150f0bb..1c7c3f0f8 100644 --- a/api-ref/source/v2/rbac-policy.inc +++ b/api-ref/source/v2/rbac-policy.inc @@ -18,6 +18,9 @@ API to support object types of ``subnetpool``. The presence of the ``rbac-address-group`` extension extends this API to support object types of ``address-group``. +The presence of the ``rbac-bgpvpn`` extension extends this +API to support object types of ``bgpvpn``. + Show RBAC policy details ======================== diff --git a/neutron_lib/api/definitions/__init__.py b/neutron_lib/api/definitions/__init__.py index 77468dc7e..9dcfe9550 100644 --- a/neutron_lib/api/definitions/__init__.py +++ b/neutron_lib/api/definitions/__init__.py @@ -98,6 +98,7 @@ from neutron_lib.api.definitions import qos_rule_type_details from neutron_lib.api.definitions import qos_rules_alias from neutron_lib.api.definitions import rbac_address_groups from neutron_lib.api.definitions import rbac_address_scope +from neutron_lib.api.definitions import rbac_bgpvpn from neutron_lib.api.definitions import rbac_security_groups from neutron_lib.api.definitions import rbac_subnetpool from neutron_lib.api.definitions import revisionifmatch @@ -223,6 +224,7 @@ _ALL_API_DEFINITIONS = { qos_rules_alias, rbac_address_groups, rbac_address_scope, + rbac_bgpvpn, rbac_security_groups, rbac_subnetpool, revisionifmatch, diff --git a/neutron_lib/api/definitions/base.py b/neutron_lib/api/definitions/base.py index bd74d73a7..2838e8517 100644 --- a/neutron_lib/api/definitions/base.py 
+++ b/neutron_lib/api/definitions/base.py @@ -132,6 +132,7 @@ KNOWN_EXTENSIONS = ( 'quotas', 'rbac-address-group', 'rbac-address-scope', + 'rbac-bgpvpn', 'rbac-policies', 'rbac-security-groups', 'rbac-subnetpool', diff --git a/neutron_lib/api/definitions/bgpvpn.py b/neutron_lib/api/definitions/bgpvpn.py index c6e68b940..fecd9234a 100644 --- a/neutron_lib/api/definitions/bgpvpn.py +++ b/neutron_lib/api/definitions/bgpvpn.py @@ -132,7 +132,7 @@ RESOURCE_ATTRIBUTE_MAP = { 'enforce_policy': True}, 'routers': {'allow_post': False, 'allow_put': False, 'is_visible': True, - 'enforce_policy': True} + 'enforce_policy': True}, }, } diff --git a/neutron_lib/api/definitions/rbac_bgpvpn.py b/neutron_lib/api/definitions/rbac_bgpvpn.py new file mode 100644 index 000000000..2834685bc --- /dev/null +++ b/neutron_lib/api/definitions/rbac_bgpvpn.py 
@@ -0,0 +1,46 @@
+# Copyright (c) 2021 Cloudification GmbH. All rights reserved.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from neutron_lib.api import converters
+from neutron_lib.api.definitions import bgpvpn
+from neutron_lib import constants
+
+
+ALIAS = 'rbac-bgpvpn'
+IS_SHIM_EXTENSION = False
+IS_STANDARD_ATTR_EXTENSION = False
+NAME = 'Add bgpvpn type to RBAC'
+DESCRIPTION = 'Add bgpvpn type to RBAC'
+UPDATED_TIMESTAMP = '2021-06-07T00:00:00-00:00'
+API_PREFIX = bgpvpn.API_PREFIX
+RESOURCE_NAME = bgpvpn.RESOURCE_NAME
+COLLECTION_NAME = bgpvpn.COLLECTION_NAME
+RESOURCE_ATTRIBUTE_MAP = {
+ COLLECTION_NAME: {
+ constants.SHARED: {
+ 'allow_post': False,
+ 'allow_put': False,
+ 'default': False,
+ 'convert_to': converters.convert_to_boolean,
+ 'is_visible': True,
+ 'is_filter': True,
+ 'is_sort_key': True,
+ 'enforce_policy': True
+ }
+ },
+}
+SUB_RESOURCE_ATTRIBUTE_MAP = {}
+ACTION_MAP = {}
+REQUIRED_EXTENSIONS = ['rbac-policies', bgpvpn.ALIAS]
+OPTIONAL_EXTENSIONS = []
+ACTION_STATUS = {}
diff --git a/neutron_lib/tests/unit/api/definitions/test_rbac_bgpvpn.py b/neutron_lib/tests/unit/api/definitions/test_rbac_bgpvpn.py
new file mode 100644
index 000000000..3c0ab27d4
--- /dev/null
+++ b/neutron_lib/tests/unit/api/definitions/test_rbac_bgpvpn.py
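Review bot: In neutron_lib/api/definitions/rbac_bgpvpn.py the `constants.SHARED` entry of `RESOURCE_ATTRIBUTE_MAP` has no comment saying the attribute is output-only, which is the property that keeps cross-tenant sharing behind the RBAC policy API. Both `allow_post` and `allow_put` are False, so a client cannot set `shared` on a bgpvpn directly; I would state that above the entry, e.g. `# Read-only: 'shared' cannot be set via POST/PUT on the bgpvpn; it is meant to reflect rbac-policies entries.` The release note in this commit says a shared bgpvpn lets the end-user manage router and network associations, so `DESCRIPTION` (currently identical to `NAME`) could spend a sentence on what sharing grants. As a style point, `'enforce_policy': True` lacks the trailing comma that this same commit adds to the `routers` entry in bgpvpn.py.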
@@ -0,0 +1,22 @@
+# Copyright (c) 2021 Cloudification GmbH. All rights reserved.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from neutron_lib.api.definitions import rbac_bgpvpn
+from neutron_lib import constants
+from neutron_lib.tests.unit.api.definitions import base
+
+
+class RbacBGPVPNDefinitionTestCase(base.DefinitionBaseTestCase):
+ extension_module = rbac_bgpvpn
+ extension_resources = (rbac_bgpvpn.COLLECTION_NAME,)
+ extension_attributes = (constants.SHARED,)
diff --git a/releasenotes/notes/add-rbac-bgpvpn-cf6c9346822268f7.yaml b/releasenotes/notes/add-rbac-bgpvpn-cf6c9346822268f7.yaml
new file mode 100644
index 000000000..61f633bbe
--- /dev/null
+++ b/releasenotes/notes/add-rbac-bgpvpn-cf6c9346822268f7.yaml
@@ -0,0 +1,5 @@
+features:
+ - |
+ Added API definition for ``rbac-bgpvpn`` extension, which allows
+ sharing bgpvpn objects between tenants via the RBAC mechanism. With shared
+ bgpvpn the end-user will be able to manage router and network associations.
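Review bot: `RbacBGPVPNDefinitionTestCase` in test_rbac_bgpvpn.py only declares the resource and attribute names, so nothing in this file pins `shared` as non-writable. A later edit that flips `allow_post` or `allow_put` to True would let a client set the flag outside the RBAC policy path, and this test would presumably still pass (the base class checks are not visible in this patch). I would add a small test, `def test_shared_is_read_only(self):`, with `attr = rbac_bgpvpn.RESOURCE_ATTRIBUTE_MAP[rbac_bgpvpn.COLLECTION_NAME][constants.SHARED]` and `self.assertFalse(attr['allow_post'] or attr['allow_put'])`.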