From ae5eb24c78bddb0b7be89b47b6ca49965f20ff73 Mon Sep 17 00:00:00 2001 From: Igor Malinovskiy Date: Wed, 5 Feb 2020 17:50:47 +0200 Subject: [PATCH] Introduce rbac-subnetpool api extension This extension makes it possible to add subnetpools to RBAC policies. Change-Id: I1238430c40fe7132bad4eea573a638c0c47a5e78 Depends-On: https://review.openstack.org/707407 Partial-Bug: #1862032 --- api-ref/source/v2/parameters.yaml | 7 +++--- api-ref/source/v2/rbac-policy.inc | 3 +++ neutron_lib/api/definitions/__init__.py | 2 ++ neutron_lib/api/definitions/base.py | 1 + .../api/definitions/rbac_subnetpool.py | 25 +++++++++++++++++++ .../api/definitions/test_rbac_subnetpool.py | 18 +++++++++++++ .../add-rbac-subnetpool-bb63d4cef1d06e73.yaml | 4 +++ 7 files changed, 57 insertions(+), 3 deletions(-) create mode 100644 neutron_lib/api/definitions/rbac_subnetpool.py create mode 100644 neutron_lib/tests/unit/api/definitions/test_rbac_subnetpool.py create mode 100644 releasenotes/notes/add-rbac-subnetpool-bb63d4cef1d06e73.yaml diff --git a/api-ref/source/v2/parameters.yaml b/api-ref/source/v2/parameters.yaml index bf858559b..8a327a95a 100644 --- a/api-ref/source/v2/parameters.yaml +++ b/api-ref/source/v2/parameters.yaml @@ -879,8 +879,9 @@ object_id-query: Filter the RBAC policy list result by the ID of the ``object_type`` resource. An ``object_type`` of ``network`` returns a network ID, an ``object_type`` of ``qos-policy`` returns a QoS policy ID, - an ``object_type`` of ``security-group`` returns a security group ID - and an `object_type`` of ``address-scope`` returns a address scope ID. + an ``object_type`` of ``security-group`` returns a security group ID, + an `object_type`` of ``address-scope`` returns a address scope ID + and an ``object_type`` of ``subnetpool`` returns a subnetpool ID. in: query required: false type: string 
@@ -888,7 +889,7 @@ object_type-query: description: | Filter the RBAC policy list result by the type of the object that the RBAC policy affects. Types include ``qos-policy``, ``network``, - ``security-group`` or ``address-scope``. + ``security-group``, ``address-scope`` or ``subnetpool``. in: query required: false type: string diff --git a/api-ref/source/v2/rbac-policy.inc b/api-ref/source/v2/rbac-policy.inc index a33ab6075..a4317966c 100644 --- a/api-ref/source/v2/rbac-policy.inc +++ b/api-ref/source/v2/rbac-policy.inc @@ -12,6 +12,9 @@ API to support object types of ``security_group``. The presence of the ``rbac-address-scope`` extension extends this API to support object types of ``address-scope``. +The presence of the ``rbac-subnetpool`` extension extends this +API to support object types of ``subnetpool``. + Show RBAC policy details ======================== diff --git a/neutron_lib/api/definitions/__init__.py b/neutron_lib/api/definitions/__init__.py index 8eb63aa5f..ff37b453c 100644 --- a/neutron_lib/api/definitions/__init__.py +++ b/neutron_lib/api/definitions/__init__.py @@ -86,6 +86,7 @@ from neutron_lib.api.definitions import qos_rule_type_details from neutron_lib.api.definitions import qos_rules_alias from neutron_lib.api.definitions import rbac_address_scope from neutron_lib.api.definitions import rbac_security_groups +from neutron_lib.api.definitions import rbac_subnetpool from neutron_lib.api.definitions import revisionifmatch from neutron_lib.api.definitions import router_admin_state_down_before_update from neutron_lib.api.definitions import router_availability_zone @@ -195,6 +196,7 @@ _ALL_API_DEFINITIONS = { qos_rules_alias, rbac_address_scope, rbac_security_groups, + rbac_subnetpool, revisionifmatch, router_admin_state_down_before_update, router_availability_zone, diff --git a/neutron_lib/api/definitions/base.py b/neutron_lib/api/definitions/base.py index 7a9cf1847..4de08e0d0 100644 --- a/neutron_lib/api/definitions/base.py 
+++ b/neutron_lib/api/definitions/base.py
@@ -132,6 +132,7 @@ KNOWN_EXTENSIONS = (
 'rbac-address-scope',
 'rbac-policies',
 'rbac-security-groups',
+ 'rbac-subnetpool',
 'router',
 'router_availability_zone',
 'security-group',
diff --git a/neutron_lib/api/definitions/rbac_subnetpool.py b/neutron_lib/api/definitions/rbac_subnetpool.py
new file mode 100644
index 000000000..6b36288c0
--- /dev/null
+++ b/neutron_lib/api/definitions/rbac_subnetpool.py
@@ -0,0 +1,25 @@
+# Copyright (c) 2020 Cloudification GmbH. All rights reserved.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+ALIAS = 'rbac-subnetpool'
+IS_SHIM_EXTENSION = True
+IS_STANDARD_ATTR_EXTENSION = False
+NAME = 'Add subnetpool type to RBAC'
+DESCRIPTION = 'Add subnetpool type to RBAC'
+UPDATED_TIMESTAMP = '2020-02-05T00:00:00-00:00'
+RESOURCE_ATTRIBUTE_MAP = {}
+SUB_RESOURCE_ATTRIBUTE_MAP = {}
+ACTION_MAP = {}
+REQUIRED_EXTENSIONS = ['rbac-policies', 'rbac-address-scope']
+OPTIONAL_EXTENSIONS = []
+ACTION_STATUS = {}
diff --git a/neutron_lib/tests/unit/api/definitions/test_rbac_subnetpool.py b/neutron_lib/tests/unit/api/definitions/test_rbac_subnetpool.py
new file mode 100644
index 000000000..59841c620
--- /dev/null
+++ b/neutron_lib/tests/unit/api/definitions/test_rbac_subnetpool.py
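Review bot: In neutron_lib/api/definitions/rbac_subnetpool.py, `REQUIRED_EXTENSIONS = ['rbac-policies', 'rbac-address-scope']` ties subnetpool sharing to the address-scope RBAC extension, but nothing in the new module says why or what the shim enables. Because the release note describes this as sharing a subnetpool between tenants, a comment above the constants would let operators see the cross-tenant effect and the dependency at a glance, for example `# Shim extension: lets RBAC policies use object_type 'subnetpool'; depends on rbac-address-scope (presumably because a shared pool can sit in an address scope the target project must also see - confirm).` The dependency string could also be written as `rbac_address_scope.ALIAS`, assuming that module defines ALIAS the way this one does, so the two definitions cannot drift apart.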
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from neutron_lib.api.definitions import rbac_subnetpool
+from neutron_lib.tests.unit.api.definitions import base
+
+
+class RbacSubnetPoolDefinitionTestCase(base.DefinitionBaseTestCase):
+ extension_module = rbac_subnetpool
diff --git a/releasenotes/notes/add-rbac-subnetpool-bb63d4cef1d06e73.yaml b/releasenotes/notes/add-rbac-subnetpool-bb63d4cef1d06e73.yaml
new file mode 100644
index 000000000..6699b2854
--- /dev/null
+++ b/releasenotes/notes/add-rbac-subnetpool-bb63d4cef1d06e73.yaml
@@ -0,0 +1,4 @@
+features:
+ - |
+ Added API definition for ``rbac-subnetpool`` extension, which allows
+ sharing subnetpool between tenants via the network RBAC mechanism.