Let Neutron enforce rule on create_subnet with segment_id [neutron-lib part]
Neutron ignores the rule in the policy file [0], with the result that non-admin users can create subnets with a segment_id. [0] https://github.com/openstack/neutron/blob/master/etc/policy.json#L19 Change-Id: I313aadc53f728663fd774957c1bd92247d1513ca Partial-Bug: 1784259
parent
61e2a98ed0
commit
d14b379d1c
@ -89,6 +89,7 @@ from neutron_lib.api.definitions import sorting
|
||||
from neutron_lib.api.definitions import standard_attr_segment
|
||||
from neutron_lib.api.definitions import subnet
|
||||
from neutron_lib.api.definitions import subnet_onboard
|
||||
from neutron_lib.api.definitions import subnet_segmentid_enforce
|
||||
from neutron_lib.api.definitions import subnet_segmentid_writable
|
||||
from neutron_lib.api.definitions import subnetpool
|
||||
from neutron_lib.api.definitions import trunk
|
||||
@ -180,6 +181,7 @@ _ALL_API_DEFINITIONS = {
|
||||
standard_attr_segment,
|
||||
subnet,
|
||||
subnet_onboard,
|
||||
subnet_segmentid_enforce,
|
||||
subnet_segmentid_writable,
|
||||
subnetpool,
|
||||
trunk,
|
||||
|
@ -129,6 +129,7 @@ KNOWN_EXTENSIONS = (
|
||||
'standard-attr-timestamp',
|
||||
'subnet_allocation',
|
||||
'subnet_onboard',
|
||||
'subnet-segmentid-enforce',
|
||||
'subnet-segmentid-writable',
|
||||
'tag',
|
||||
'trunk',
|
||||
|
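--- /dev/null
+++ b/neutron_lib/api/definitions/subnet_segmentid_enforce.py
@@ -0,0 +1,79 @@
+# Copyright 2018 AT&T Corporation.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import copy
+
+from neutron_lib.api.definitions import segment
+from neutron_lib.api.definitions import subnet
+from neutron_lib.api.definitions import subnet_segmentid_writable
+
+
+# The alias of the extension.
+ALIAS = 'subnet-segmentid-enforce'
+
+# Whether or not this extension is simply signaling behavior to the user
+# or it actively modifies the attribute map.
+IS_SHIM_EXTENSION = False
+
+# Whether the extension is marking the adoption of standardattr model for
+# legacy resources, or introducing new standardattr attributes. False or
+# None if the standardattr model is adopted since the introduction of
+# resource extension.
+# If this is True, the alias for the extension should be prefixed with
+# 'standard-attr-'.
+IS_STANDARD_ATTR_EXTENSION = False
+
+# The name of the extension.
+NAME = 'Subnet SegmentID (policy enforced)'
+
+# A prefix for API resources. An empty prefix means that the API is going
+# to be exposed at the v2/ level as any other core resource.
+API_PREFIX = ''
+
+# The description of the extension.
+DESCRIPTION = "Enforce segment_id policy rule."
+
+# A timestamp of when the extension was introduced.
+UPDATED_TIMESTAMP = "2018-09-04T00:00:00-00:00"
+
+segment_id_attr_info = copy.deepcopy(
+    subnet_segmentid_writable.RESOURCE_ATTRIBUTE_MAP[
+        subnet.COLLECTION_NAME][segment.SEGMENT_ID])
+segment_id_attr_info['enforce_policy'] = True
+
+RESOURCE_ATTRIBUTE_MAP = {
+    subnet.COLLECTION_NAME: {
+        segment.SEGMENT_ID: segment_id_attr_info
+    }
+}
+
+# The subresource attribute map for the extension. It adds child resources
+# to main extension's resource. The subresource map must have a parent and
+# a parameters entry. If an extension does not need such a map, None can
+# be specified (mandatory).
+SUB_RESOURCE_ATTRIBUTE_MAP = {}
+
+# The action map: it associates verbs with methods to be performed on
+# the API resource.
+ACTION_MAP = {}
+
+# The action status.
+ACTION_STATUS = {}
+
+# The list of required extensions.
+REQUIRED_EXTENSIONS = [subnet_segmentid_writable.ALIAS]
+
+# The list of optional extensions.
+OPTIONAL_EXTENSIONS = []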
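Review bot: The line `segment_id_attr_info['enforce_policy'] = True` is the whole point of this module, yet it carries no comment saying why the flag is flipped in a separate extension instead of in subnet_segmentid_writable, and anyone tracing the policy-bypass bug this fixes needs that context. I'd add above the deepcopy: `# Copy the writable definition and turn on enforce_policy so the policy engine evaluates the segment_id rules for requests that carry the attribute; kept as a separate extension so plugins opt in explicitly.` As far as the attribute map alone shows, a plugin that advertises only 'subnet-segmentid-writable' still gets the un-enforced copy, so the Neutron side must actually load this alias for the fix to take effect — worth stating in the module's DESCRIPTION or a header comment. The flag presumably also makes the engine evaluate the corresponding get_subnet rule when building responses, so the default policy file should grant non-admin readers what they need; please confirm that on the Neutron side rather than assuming it from this file.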
@ -0,0 +1,23 @@
|
||||
# Copyright 2018 AT&T Corporation.
|
||||
# All rights reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from neutron_lib.api.definitions import segment
|
||||
from neutron_lib.api.definitions import subnet_segmentid_enforce
|
||||
from neutron_lib.tests.unit.api.definitions import base
|
||||
|
||||
|
||||
class SubnetSegmentIDEnforceDefinitionTestCase(base.DefinitionBaseTestCase):
|
||||
extension_module = subnet_segmentid_enforce
|
||||
extension_attributes = (segment.SEGMENT_ID,)
|
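Review bot: SubnetSegmentIDEnforceDefinitionTestCase only declares `extension_attributes = (segment.SEGMENT_ID,)`, so the base test case verifies that segment_id is present in the attribute map but never that `enforce_policy` is True — the one property this extension exists to set and the one a later refactor could silently drop. I'd add a test that reads the entry back from `subnet_segmentid_enforce.RESOURCE_ATTRIBUTE_MAP` and asserts the flag, with `from neutron_lib.api.definitions import subnet` added next to the other definition imports. Whether DefinitionBaseTestCase already checks REQUIRED_EXTENSIONS is outside this hunk, so I have not duplicated that.
```python
    def test_segment_id_enforces_policy(self):
        attr_info = subnet_segmentid_enforce.RESOURCE_ATTRIBUTE_MAP[
            subnet.COLLECTION_NAME][segment.SEGMENT_ID]
        self.assertTrue(attr_info['enforce_policy'])
```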
@ -0,0 +1,7 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
Change API to enforce policy rules for subnet entities with specified
|
||||
segment_ids, to fix a broken implementation of that policy enforcement.
|
||||
Bug: `1784259 <https://bugs.launchpad.net/neutron/+bug/1784259>`_
|
||||
|