Convert policy.json into policy-in-code

This commit defines the default policies in code. VPNaaS has
no policy.json so far, so all policy definitions are newly created.

Partially Implements: blueprint neutron-policy-in-code

Change-Id: Ic0bf99b69a792197399e38ace6d23ea18874892a
Akihiro Motoki 2018-12-16 20:18:39 +09:00
parent 824f4858c0
commit b0c4a6aefb
10 changed files with 412 additions and 0 deletions


@ -0,0 +1,3 @@
[DEFAULT]
output_file = etc/policy.yaml.sample
namespace = neutron-vpnaas
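Review bot: The generator namespace on the last line lists only `neutron-vpnaas`, so the generated etc/policy.yaml.sample will reference `rule:admin_or_owner`, `rule:admin_only` and `rule:regular_user` without ever defining them, because this commit takes those rules from neutron (see the TODO in the policies base module). Anyone who copies the sample into a deployment without neutron's own policy file gets, as far as I recall of oslo.policy, every reference to an undefined rule evaluated as a failed check — fail-closed, but hard to debug. I would add a comment above the namespace line, e.g. `# admin_or_owner/admin_only/regular_user are defined by neutron, not in this sample`, and consider listing the neutron namespace as well once neutron's policies are in code.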


@ -0,0 +1,29 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import itertools
from neutron_vpnaas.policies import endpoint_group
from neutron_vpnaas.policies import ike_policy
from neutron_vpnaas.policies import ipsec_policy
from neutron_vpnaas.policies import ipsec_site_connection
from neutron_vpnaas.policies import vpnservice
def list_rules():
return itertools.chain(
endpoint_group.list_rules(),
ike_policy.list_rules(),
ipsec_policy.list_rules(),
ipsec_site_connection.list_rules(),
vpnservice.list_rules(),
)
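Review bot: `list_rules` has no docstring, and nothing in the module says it is the callable registered under the `oslo.policy.policies` and `neutron.policies` entry points, so a maintainer adding a sixth policy module has no cue that it must be chained here. I would add a docstring such as `"""Return every VPNaaS policy rule; entry point for oslo.policy and neutron policy loading."""` and a comment above the chain, `# Every policies/*.py module must be listed here or its rules are never registered.` It is also worth stating that the returned rules reference `admin_or_owner`, `admin_only` and `regular_user`, which this package does not define.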


@ -0,0 +1,17 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# TODO(amotoki): Define these in neutron or neutron-lib
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_ONLY = 'rule:admin_only'
RULE_ANY = 'rule:regular_user'
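Review bot: The three constants reference rules (`admin_or_owner`, `admin_only`, `regular_user`) that this commit does not register anywhere, and the TODO only says they should move to neutron or neutron-lib; a reader cannot tell from this file whether VPNaaS relies on neutron's policy.json to supply them at runtime. I would make that dependency explicit, e.g. `# These rule names are defined by neutron's policy, not here; in oslo.policy a reference to an undefined rule fails closed (I believe), so nothing is granted by accident.` The name `RULE_ANY` for `rule:regular_user` also deserves a one-line note, since whether that rule really admits any authenticated user depends on neutron's definition rather than on anything visible in this module.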


@ -0,0 +1,71 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron_vpnaas.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_endpoint_group',
base.RULE_ANY,
'Create a VPN endpoint group',
[
{
'method': 'POST',
'path': '/vpn/endpoint-groups',
},
]
),
policy.DocumentedRuleDefault(
'update_endpoint_group',
base.RULE_ADMIN_OR_OWNER,
'Update a VPN endpoint group',
[
{
'method': 'PUT',
'path': '/vpn/endpoint-groups/{id}',
},
]
),
policy.DocumentedRuleDefault(
'delete_endpoint_group',
base.RULE_ADMIN_OR_OWNER,
'Delete a VPN endpoint group',
[
{
'method': 'DELETE',
'path': '/vpn/endpoint-groups/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_endpoint_group',
base.RULE_ADMIN_OR_OWNER,
'Get VPN endpoint groups',
[
{
'method': 'GET',
'path': '/vpn/endpoint-groups',
},
{
'method': 'GET',
'path': '/vpn/endpoint-groups/{id}',
},
]
),
]
def list_rules():
return rules
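Review bot: This module and the three sibling modules in the commit differ only in the rule-name suffix, the URL path and the description strings, which makes it easy for one of the four to drift (the IKE module's GET description already has a typo). A small builder in base.py, e.g. `def crud_rules(resource, path, singular, plural)` returning the four DocumentedRuleDefault objects, would reduce each module to a single call; this is a style suggestion rather than a defect. If the per-resource modules are kept, each could at least carry a module docstring naming the resource and the `/vpn/endpoint-groups` API prefix it covers.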


@ -0,0 +1,71 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron_vpnaas.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_ikepolicy',
base.RULE_ANY,
'Create an IKE policy',
[
{
'method': 'POST',
'path': '/vpn/ikepolicies',
},
]
),
policy.DocumentedRuleDefault(
'update_ikepolicy',
base.RULE_ADMIN_OR_OWNER,
'Update an IKE policy',
[
{
'method': 'PUT',
'path': '/vpn/ikepolicies/{id}',
},
]
),
policy.DocumentedRuleDefault(
'delete_ikepolicy',
base.RULE_ADMIN_OR_OWNER,
'Delete an IKE policy',
[
{
'method': 'DELETE',
'path': '/vpn/ikepolicies/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_ikepolicy',
base.RULE_ADMIN_OR_OWNER,
'Get IKE policyies',
[
{
'method': 'GET',
'path': '/vpn/ikepolicies',
},
{
'method': 'GET',
'path': '/vpn/ikepolicies/{id}',
},
]
),
]
def list_rules():
return rules
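Review bot: The description of `get_ikepolicy` reads `'Get IKE policyies'`; that string is emitted into the generated policy.yaml.sample and the policy documentation, so it should be `'Get IKE policies'`. The rest of the module matches the endpoint-group and IPsec-policy modules: create open to `RULE_ANY`, update/delete/get restricted to `RULE_ADMIN_OR_OWNER`.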


@ -0,0 +1,71 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron_vpnaas.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_ipsecpolicy',
base.RULE_ANY,
'Create an IPsec policy',
[
{
'method': 'POST',
'path': '/vpn/ipsecpolicies',
},
]
),
policy.DocumentedRuleDefault(
'update_ipsecpolicy',
base.RULE_ADMIN_OR_OWNER,
'Update an IPsec policy',
[
{
'method': 'PUT',
'path': '/vpn/ipsecpolicies/{id}',
},
]
),
policy.DocumentedRuleDefault(
'delete_ipsecpolicy',
base.RULE_ADMIN_OR_OWNER,
'Delete an IPsec policy',
[
{
'method': 'DELETE',
'path': '/vpn/ipsecpolicies/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_ipsecpolicy',
base.RULE_ADMIN_OR_OWNER,
'Get IPsec policies',
[
{
'method': 'GET',
'path': '/vpn/ipsecpolicies',
},
{
'method': 'GET',
'path': '/vpn/ipsecpolicies/{id}',
},
]
),
]
def list_rules():
return rules


@ -0,0 +1,71 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron_vpnaas.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_ipsec_site_connection',
base.RULE_ANY,
'Create an IPsec site connection',
[
{
'method': 'POST',
'path': '/vpn/ipsec-site-connections',
},
]
),
policy.DocumentedRuleDefault(
'update_ipsec_site_connection',
base.RULE_ADMIN_OR_OWNER,
'Update an IPsec site connection',
[
{
'method': 'PUT',
'path': '/vpn/ipsec-site-connections/{id}',
},
]
),
policy.DocumentedRuleDefault(
'delete_ipsec_site_connection',
base.RULE_ADMIN_OR_OWNER,
'Delete an IPsec site connection',
[
{
'method': 'DELETE',
'path': '/vpn/ipsec-site-connections/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_ipsec_site_connection',
base.RULE_ADMIN_OR_OWNER,
'Get IPsec site connections',
[
{
'method': 'GET',
'path': '/vpn/ipsec-site-connections',
},
{
'method': 'GET',
'path': '/vpn/ipsec-site-connections/{id}',
},
]
),
]
def list_rules():
return rules
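Review bot: `get_ipsec_site_connection` grants any owner the whole resource representation and the module defines no attribute-level rule; if the site-connection response carries the pre-shared key (the VPNaaS API has a `psk` attribute, as far as I remember), that is readable by every owner of the connection and nothing here records that this is intended. This is not a regression, since there was no policy.json before, but a comment above the rules list such as `# NOTE: no attribute-level rules; what the response exposes (incl. any PSK) is decided by the API layer, not by policy.` would spare the next reviewer the same question.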


@ -0,0 +1,71 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from neutron_vpnaas.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_vpnservice',
base.RULE_ANY,
'Create a VPN service',
[
{
'method': 'POST',
'path': '/vpn/vpnservices',
},
]
),
policy.DocumentedRuleDefault(
'update_vpnservice',
base.RULE_ADMIN_OR_OWNER,
'Update a VPN service',
[
{
'method': 'PUT',
'path': '/vpn/vpnservices/{id}',
},
]
),
policy.DocumentedRuleDefault(
'delete_vpnservice',
base.RULE_ADMIN_OR_OWNER,
'Delete a VPN service',
[
{
'method': 'DELETE',
'path': '/vpn/vpnservices/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_vpnservice',
base.RULE_ADMIN_OR_OWNER,
'Get VPN services',
[
{
'method': 'GET',
'path': '/vpn/vpnservices',
},
{
'method': 'GET',
'path': '/vpn/vpnservices/{id}',
},
]
),
]
def list_rules():
return rules


@ -44,6 +44,10 @@ neutron.service_plugins =
oslo.config.opts = oslo.config.opts =
neutron.vpnaas = neutron_vpnaas.opts:list_opts neutron.vpnaas = neutron_vpnaas.opts:list_opts
neutron.vpnaas.agent = neutron_vpnaas.opts:list_agent_opts neutron.vpnaas.agent = neutron_vpnaas.opts:list_agent_opts
oslo.policy.policies =
neutron-vpnaas = neutron_vpnaas.policies:list_rules
neutron.policies =
neutron-vpnaas = neutron_vpnaas.policies:list_rules
tempest.test_plugins = tempest.test_plugins =
neutron_vpnaas_tests = neutron_vpnaas.tests.tempest.plugin:VPNTempestPlugin neutron_vpnaas_tests = neutron_vpnaas.tests.tempest.plugin:VPNTempestPlugin
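Review bot: The same callable is registered twice, under `oslo.policy.policies` and `neutron.policies`, and nothing explains why both are needed; I take it the first serves `oslopolicy-sample-generator` and the second whatever neutron uses to load subproject policies, but the file does not say. A comment above the two groups, e.g. `# oslo.policy.policies: sample generator; neutron.policies: loaded by neutron-server (per the policy-in-code blueprint)`, would keep one of them from being dropped later as redundant.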


@ -83,6 +83,7 @@ commands =
{toxinidir}/tools/check_unit_test_structure.sh {toxinidir}/tools/check_unit_test_structure.sh
neutron-db-manage --subproject neutron-vpnaas --database-connection sqlite:// check_migration neutron-db-manage --subproject neutron-vpnaas --database-connection sqlite:// check_migration
{[testenv:genconfig]commands} {[testenv:genconfig]commands}
{[testenv:genpolicy]commands}
whitelist_externals = sh whitelist_externals = sh
[testenv:pep8-dev] [testenv:pep8-dev]
@ -143,6 +144,9 @@ local-check-factory = neutron_lib.hacking.checks.factory
[testenv:genconfig] [testenv:genconfig]
commands = {toxinidir}/tools/generate_config_file_samples.sh commands = {toxinidir}/tools/generate_config_file_samples.sh
[testenv:genpolicy]
commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
[testenv:lower-constraints] [testenv:lower-constraints]
basepython = python3 basepython = python3
deps = deps =