From 1dfa07ccfd81d21e5e03fdfbd5cdf871f9a17d01 Mon Sep 17 00:00:00 2001
From: Igor Malinovskiy
Date: Wed, 12 Feb 2020 17:21:18 +0200
Subject: [PATCH] Introduce rbac-address-scope api extension

This extension makes it possible to add address scope to RBAC policies.

Change-Id: I9c77a53cf8d91d27ce1aaebfa12c31f2ae823006
Partial-Bug: #1862968
---
 api-ref/source/v2/parameters.yaml | 9 ++++---
 api-ref/source/v2/rbac-policy.inc | 3 +++
 neutron_lib/api/definitions/__init__.py | 2 ++
 neutron_lib/api/definitions/base.py | 1 +
 .../api/definitions/rbac_address_scope.py | 25 +++++++++++++++++++
 .../definitions/test_rbac_address_scope.py | 18 +++++++++++++
 ...d-rbac-address-scope-dc4683772b205632.yaml | 4 +++
 7 files changed, 58 insertions(+), 4 deletions(-)
 create mode 100644 neutron_lib/api/definitions/rbac_address_scope.py
 create mode 100644 neutron_lib/tests/unit/api/definitions/test_rbac_address_scope.py
 create mode 100644 releasenotes/notes/add-rbac-address-scope-dc4683772b205632.yaml

diff --git a/api-ref/source/v2/parameters.yaml b/api-ref/source/v2/parameters.yaml
index e7e0ceea4..bf858559b 100644
--- a/api-ref/source/v2/parameters.yaml
+++ b/api-ref/source/v2/parameters.yaml
@@ -878,16 +878,17 @@ object_id-query: description: | Filter the RBAC policy list result by the ID of the ``object_type`` resource. An ``object_type`` of ``network`` returns a network ID, - an ``object_type`` of ``qos-policy`` returns a QoS policy ID, and - an ``object_type`` of ``security-group`` returns a security group ID. + an ``object_type`` of ``qos-policy`` returns a QoS policy ID, + an ``object_type`` of ``security-group`` returns a security group ID + and an `object_type`` of ``address-scope`` returns a address scope ID. in: query required: false type: string object_type-query: description: | Filter the RBAC policy list result by the type of the object that the - RBAC policy affects. Types include ``qos-policy``, ``network``, or - ``security-group``. + RBAC policy affects. Types include ``qos-policy``, ``network``, + ``security-group`` or ``address-scope``. in: query required: false type: string diff --git a/api-ref/source/v2/rbac-policy.inc b/api-ref/source/v2/rbac-policy.inc index 73140061c..a33ab6075 100644 --- a/api-ref/source/v2/rbac-policy.inc +++ b/api-ref/source/v2/rbac-policy.inc @@ -9,6 +9,9 @@ Lists, shows details for, creates, updates, and deletes RBAC policies. The presence of the ``rbac-security-groups`` extension extends this API to support object types of ``security_group``. +The presence of the ``rbac-address-scope`` extension extends this +API to support object types of ``address-scope``. + Show RBAC policy details ======================== diff --git a/neutron_lib/api/definitions/__init__.py b/neutron_lib/api/definitions/__init__.py index e3fc15b56..8eb63aa5f 100644 --- a/neutron_lib/api/definitions/__init__.py +++ b/neutron_lib/api/definitions/__init__.py 
@@ -84,6 +84,7 @@ from neutron_lib.api.definitions import qos_gateway_ip
 from neutron_lib.api.definitions import qos_port_network_policy
 from neutron_lib.api.definitions import qos_rule_type_details
 from neutron_lib.api.definitions import qos_rules_alias
+from neutron_lib.api.definitions import rbac_address_scope
 from neutron_lib.api.definitions import rbac_security_groups
 from neutron_lib.api.definitions import revisionifmatch
 from neutron_lib.api.definitions import router_admin_state_down_before_update
@@ -192,6 +193,7 @@ _ALL_API_DEFINITIONS = {
 qos_port_network_policy,
 qos_rule_type_details,
 qos_rules_alias,
+ rbac_address_scope,
 rbac_security_groups,
 revisionifmatch,
 router_admin_state_down_before_update,
diff --git a/neutron_lib/api/definitions/base.py b/neutron_lib/api/definitions/base.py
index 932ec3c56..7a9cf1847 100644
--- a/neutron_lib/api/definitions/base.py
+++ b/neutron_lib/api/definitions/base.py
@@ -129,6 +129,7 @@ KNOWN_EXTENSIONS = (
 'qos-port-network-policy',
 'qos-rules-alias',
 'quotas',
+ 'rbac-address-scope',
 'rbac-policies',
 'rbac-security-groups',
 'router',
diff --git a/neutron_lib/api/definitions/rbac_address_scope.py b/neutron_lib/api/definitions/rbac_address_scope.py
new file mode 100644
index 000000000..af88ad408
--- /dev/null
+++ b/neutron_lib/api/definitions/rbac_address_scope.py
@@ -0,0 +1,25 @@
+# Copyright (c) 2020 Cloudification GmbH. All rights reserved.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+ALIAS = 'rbac-address-scope'
+IS_SHIM_EXTENSION = True
+IS_STANDARD_ATTR_EXTENSION = False
+NAME = 'Add address_scope type to RBAC'
+DESCRIPTION = 'Add address_scope type to RBAC'
+UPDATED_TIMESTAMP = '2020-02-12T00:00:00-00:00'
+RESOURCE_ATTRIBUTE_MAP = {}
+SUB_RESOURCE_ATTRIBUTE_MAP = {}
+ACTION_MAP = {}
+REQUIRED_EXTENSIONS = ['rbac-policies', 'address-scope']
+OPTIONAL_EXTENSIONS = []
+ACTION_STATUS = {}
diff --git a/neutron_lib/tests/unit/api/definitions/test_rbac_address_scope.py b/neutron_lib/tests/unit/api/definitions/test_rbac_address_scope.py
new file mode 100644
index 000000000..810ed6216
--- /dev/null
+++ b/neutron_lib/tests/unit/api/definitions/test_rbac_address_scope.py
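Review bot: The object type is spelled `address_scope` in `NAME` and `DESCRIPTION` of rbac_address_scope.py, while the api-ref text added by this same commit (parameters.yaml and rbac-policy.inc) documents the `object_type` value as ``address-scope``; which spelling the server accepts is not visible in this patch, so the two should be checked and aligned. An operator writing an RBAC policy needs the exact string, and a wrong one in the reference leads to sharing requests that fail in ways that are hard to diagnose. Since `RESOURCE_ATTRIBUTE_MAP` is empty and `IS_SHIM_EXTENSION = True`, this module validates nothing itself, so I would add a comment above `ALIAS` such as `# Shim extension: only advertises that RBAC policies accept address scopes; validation and access checks are expected to live in the server.` `DESCRIPTION` also duplicates `NAME` and could instead carry what the release note says, e.g. `DESCRIPTION = 'Allows sharing address scopes between projects via RBAC policies'`.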
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from neutron_lib.api.definitions import rbac_address_scope
+from neutron_lib.tests.unit.api.definitions import base
+
+
+class RbacAddressScopeDefinitionTestCase(base.DefinitionBaseTestCase):
+ extension_module = rbac_address_scope
diff --git a/releasenotes/notes/add-rbac-address-scope-dc4683772b205632.yaml b/releasenotes/notes/add-rbac-address-scope-dc4683772b205632.yaml
new file mode 100644
index 000000000..db65f7820
--- /dev/null
+++ b/releasenotes/notes/add-rbac-address-scope-dc4683772b205632.yaml
@@ -0,0 +1,4 @@
+features:
+ - |
+ Added API definition for ``rbac-address-scope`` extension, which allows
+ sharing address scope between tenants via the network RBAC mechanism.
\ No newline at end of file