Convert policy.json into policy-in-code

This commit defines the default policies in code. VPNaaS has no policy.json so far, so all policy definitions are newly created. Partially Implements: blueprint neutron-policy-in-code Change-Id: Ic0bf99b69a792197399e38ace6d23ea18874892a
2018-12-16 20:18:39 +09:00 · 2018-12-16 20:18:39 +09:00 · b0c4a6aefb
parent 824f4858c0
commit b0c4a6aefb
10 changed files with 412 additions and 0 deletions
--- a/etc/oslo-policy-generator/policy.conf
+++ b/etc/oslo-policy-generator/policy.conf
@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/policy.yaml.sample
+namespace = neutron-vpnaas
--- a/neutron_vpnaas/policies/init.py
+++ b/neutron_vpnaas/policies/init.py
@ -0,0 +1,29 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import itertools
+
+from neutron_vpnaas.policies import endpoint_group
+from neutron_vpnaas.policies import ike_policy
+from neutron_vpnaas.policies import ipsec_policy
+from neutron_vpnaas.policies import ipsec_site_connection
+from neutron_vpnaas.policies import vpnservice
+
+
+def list_rules():
+    return itertools.chain(
+        endpoint_group.list_rules(),
+        ike_policy.list_rules(),
+        ipsec_policy.list_rules(),
+        ipsec_site_connection.list_rules(),
+        vpnservice.list_rules(),
+    )
--- a/neutron_vpnaas/policies/base.py
+++ b/neutron_vpnaas/policies/base.py
@ -0,0 +1,17 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+
+# TODO(amotoki): Define these in neutron or neutron-lib
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_ONLY = 'rule:admin_only'
+RULE_ANY = 'rule:regular_user'
--- a/neutron_vpnaas/policies/endpoint_group.py
+++ b/neutron_vpnaas/policies/endpoint_group.py
@ -0,0 +1,71 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+from neutron_vpnaas.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        'create_endpoint_group',
+        base.RULE_ANY,
+        'Create a VPN endpoint group',
+        [
+            {
+                'method': 'POST',
+                'path': '/vpn/endpoint-groups',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_endpoint_group',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update a VPN endpoint group',
+        [
+            {
+                'method': 'PUT',
+                'path': '/vpn/endpoint-groups/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_endpoint_group',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete a VPN endpoint group',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/vpn/endpoint-groups/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_endpoint_group',
+        base.RULE_ADMIN_OR_OWNER,
+        'Get VPN endpoint groups',
+        [
+            {
+                'method': 'GET',
+                'path': '/vpn/endpoint-groups',
+            },
+            {
+                'method': 'GET',
+                'path': '/vpn/endpoint-groups/{id}',
+            },
+        ]
+    ),
+]
+
+
+def list_rules():
+    return rules
--- a/neutron_vpnaas/policies/ike_policy.py
+++ b/neutron_vpnaas/policies/ike_policy.py
@ -0,0 +1,71 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+from neutron_vpnaas.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        'create_ikepolicy',
+        base.RULE_ANY,
+        'Create an IKE policy',
+        [
+            {
+                'method': 'POST',
+                'path': '/vpn/ikepolicies',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_ikepolicy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update an IKE policy',
+        [
+            {
+                'method': 'PUT',
+                'path': '/vpn/ikepolicies/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_ikepolicy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete an IKE policy',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/vpn/ikepolicies/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_ikepolicy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Get IKE policyies',
+        [
+            {
+                'method': 'GET',
+                'path': '/vpn/ikepolicies',
+            },
+            {
+                'method': 'GET',
+                'path': '/vpn/ikepolicies/{id}',
+            },
+        ]
+    ),
+]
+
+
+def list_rules():
+    return rules
--- a/neutron_vpnaas/policies/ipsec_policy.py
+++ b/neutron_vpnaas/policies/ipsec_policy.py
@ -0,0 +1,71 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+from neutron_vpnaas.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        'create_ipsecpolicy',
+        base.RULE_ANY,
+        'Create an IPsec policy',
+        [
+            {
+                'method': 'POST',
+                'path': '/vpn/ipsecpolicies',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_ipsecpolicy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update an IPsec policy',
+        [
+            {
+                'method': 'PUT',
+                'path': '/vpn/ipsecpolicies/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_ipsecpolicy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete an IPsec policy',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/vpn/ipsecpolicies/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_ipsecpolicy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Get IPsec policies',
+        [
+            {
+                'method': 'GET',
+                'path': '/vpn/ipsecpolicies',
+            },
+            {
+                'method': 'GET',
+                'path': '/vpn/ipsecpolicies/{id}',
+            },
+        ]
+    ),
+]
+
+
+def list_rules():
+    return rules
--- a/neutron_vpnaas/policies/ipsec_site_connection.py
+++ b/neutron_vpnaas/policies/ipsec_site_connection.py
@ -0,0 +1,71 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+from neutron_vpnaas.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        'create_ipsec_site_connection',
+        base.RULE_ANY,
+        'Create an IPsec site connection',
+        [
+            {
+                'method': 'POST',
+                'path': '/vpn/ipsec-site-connections',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_ipsec_site_connection',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update an IPsec site connection',
+        [
+            {
+                'method': 'PUT',
+                'path': '/vpn/ipsec-site-connections/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_ipsec_site_connection',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete an IPsec site connection',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/vpn/ipsec-site-connections/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_ipsec_site_connection',
+        base.RULE_ADMIN_OR_OWNER,
+        'Get IPsec site connections',
+        [
+            {
+                'method': 'GET',
+                'path': '/vpn/ipsec-site-connections',
+            },
+            {
+                'method': 'GET',
+                'path': '/vpn/ipsec-site-connections/{id}',
+            },
+        ]
+    ),
+]
+
+
+def list_rules():
+    return rules
--- a/neutron_vpnaas/policies/vpnservice.py
+++ b/neutron_vpnaas/policies/vpnservice.py
@ -0,0 +1,71 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+from neutron_vpnaas.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        'create_vpnservice',
+        base.RULE_ANY,
+        'Create a VPN service',
+        [
+            {
+                'method': 'POST',
+                'path': '/vpn/vpnservices',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_vpnservice',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update a VPN service',
+        [
+            {
+                'method': 'PUT',
+                'path': '/vpn/vpnservices/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_vpnservice',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete a VPN service',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/vpn/vpnservices/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_vpnservice',
+        base.RULE_ADMIN_OR_OWNER,
+        'Get VPN services',
+        [
+            {
+                'method': 'GET',
+                'path': '/vpn/vpnservices',
+            },
+            {
+                'method': 'GET',
+                'path': '/vpn/vpnservices/{id}',
+            },
+        ]
+    ),
+]
+
+
+def list_rules():
+    return rules
--- a/setup.cfg
+++ b/setup.cfg
@ -44,6 +44,10 @@ neutron.service_plugins =
 oslo.config.opts =
    neutron.vpnaas = neutron_vpnaas.opts:list_opts
    neutron.vpnaas.agent = neutron_vpnaas.opts:list_agent_opts
+oslo.policy.policies =
+    neutron-vpnaas = neutron_vpnaas.policies:list_rules
+neutron.policies =
+    neutron-vpnaas = neutron_vpnaas.policies:list_rules
 tempest.test_plugins =
    neutron_vpnaas_tests = neutron_vpnaas.tests.tempest.plugin:VPNTempestPlugin

--- a/tox.ini
+++ b/tox.ini
@ -83,6 +83,7 @@ commands =
  {toxinidir}/tools/check_unit_test_structure.sh
  neutron-db-manage --subproject neutron-vpnaas --database-connection sqlite:// check_migration
  {[testenv:genconfig]commands}
+  {[testenv:genpolicy]commands}
 whitelist_externals = sh

 [testenv:pep8-dev]
@ -143,6 +144,9 @@ local-check-factory = neutron_lib.hacking.checks.factory
 [testenv:genconfig]
 commands = {toxinidir}/tools/generate_config_file_samples.sh

+[testenv:genpolicy]
+commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
+
 [testenv:lower-constraints]
 basepython = python3
 deps =