Introduce rbac-address-group api extension

This extension makes it possible to add address groups to RBAC policies.

Change-Id: I530dc3068197d24c9a581a3cd07020ec23132a52

api-ref/source/v2/parameters.yaml

@@ -925,8 +925,9 @@ object_id-query:
     resource. An ``object_type`` of ``network`` returns a network ID,
     an ``object_type`` of ``qos-policy`` returns a QoS policy ID,
     an ``object_type`` of ``security-group`` returns a security group ID,
-    an `object_type`` of ``address-scope`` returns a address scope ID
+    an `object_type`` of ``address-scope`` returns a address scope ID,
-    and an ``object_type`` of ``subnetpool`` returns a subnetpool ID.
+    an ``object_type`` of ``subnetpool`` returns a subnetpool ID and
+    an ``object_type`` of ``address-group`` returns an address group ID.
   in: query
   required: false
   type: string
@@ -934,7 +935,7 @@ object_type-query:
   description: |
     Filter the RBAC policy list result by the type of the object that the
     RBAC policy affects. Types include ``qos-policy``, ``network``,
-    ``security-group``, ``address-scope`` or ``subnetpool``.
+    ``security-group``, ``address-scope``, ``subnetpool`` or ``address-group``.
   in: query
   required: false
   type: string
@@ -4214,15 +4215,19 @@ numa_affinity_policy-request:
 object_id:
   description: |
     The ID of the ``object_type`` resource. An ``object_type`` of ``network``
-    returns a network ID and an ``object_type`` of ``qos-policy`` returns
+    returns a network ID, an ``object_type`` of ``qos-policy`` returns a QoS
-    a QoS ID.
+    policy ID, an ``object_type`` of ``security-group`` returns a security
+    group ID, an ``object_type`` of ``address-scope`` returns a address scope
+    ID, an ``object_type`` of ``subnetpool`` returns a subnetpool ID and
+    an ``object_type`` of ``address-group`` returns an address group ID.
   in: body
   required: true
   type: string
 object_type:
   description: |
     The type of the object that the RBAC policy affects. Types include
-    ``qos-policy`` or ``network``.
+    ``qos-policy``, ``network``, ``security-group``, ``address-scope``,
+    ``subnetpool`` or ``address-group``.
   in: body
   required: true
   type: string

api-ref/source/v2/rbac-policy.inc

@@ -15,6 +15,9 @@ API to support object types of ``address-scope``.
 The presence of the ``rbac-subnetpool`` extension extends this
 API to support object types of ``subnetpool``.
 
+The presence of the ``rbac-address-group`` extension extends this
+API to support object types of ``address-group``.
+
 Show RBAC policy details
 ========================
 

neutron_lib/api/definitions/__init__.py

@@ -90,6 +90,7 @@ from neutron_lib.api.definitions import qos_gateway_ip
 from neutron_lib.api.definitions import qos_port_network_policy
 from neutron_lib.api.definitions import qos_rule_type_details
 from neutron_lib.api.definitions import qos_rules_alias
+from neutron_lib.api.definitions import rbac_address_groups
 from neutron_lib.api.definitions import rbac_address_scope
 from neutron_lib.api.definitions import rbac_security_groups
 from neutron_lib.api.definitions import rbac_subnetpool
@@ -208,6 +209,7 @@ _ALL_API_DEFINITIONS = {
     qos_port_network_policy,
     qos_rule_type_details,
     qos_rules_alias,
+    rbac_address_groups,
     rbac_address_scope,
     rbac_security_groups,
     rbac_subnetpool,

neutron_lib/api/definitions/base.py

@@ -130,6 +130,7 @@ KNOWN_EXTENSIONS = (
     'qos-port-network-policy',
     'qos-rules-alias',
     'quotas',
+    'rbac-address-group',
     'rbac-address-scope',
     'rbac-policies',
     'rbac-security-groups',

neutron_lib/api/definitions/rbac_address_groups.py

@@ -0,0 +1,24 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+ALIAS = 'rbac-address-group'
+IS_SHIM_EXTENSION = True
+IS_STANDARD_ATTR_EXTENSION = False
+NAME = 'Add address_group type to RBAC'
+DESCRIPTION = 'Add address_group type to network RBAC'
+UPDATED_TIMESTAMP = '2021-01-20T00:00:00-00:00'
+RESOURCE_ATTRIBUTE_MAP = {}
+SUB_RESOURCE_ATTRIBUTE_MAP = {}
+ACTION_MAP = {}
+REQUIRED_EXTENSIONS = ['rbac-policies', 'security-group']
+OPTIONAL_EXTENSIONS = []
+ACTION_STATUS = {}

neutron_lib/tests/unit/api/definitions/test_rbac_address_groups.py

@@ -0,0 +1,18 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from neutron_lib.api.definitions import rbac_address_groups
+from neutron_lib.tests.unit.api.definitions import base
+
+
+class RbacSecurityGroupsDefinitionTestCase(base.DefinitionBaseTestCase):
+    extension_module = rbac_address_groups

releasenotes/notes/add-rbac-address-group-39c22aeb30241b11.yaml

@@ -0,0 +1,4 @@
+features:
+  - |
+    Added API definition for ``rbac-address-group`` extension, which allows
+    sharing address groups between tenants via the network RBAC mechanism.