From 6ad0c2908e0422238844110673c44328abc318e7 Mon Sep 17 00:00:00 2001
From: Akihiro Motoki
Date: Wed, 19 Dec 2018 04:08:27 +0900
Subject: [PATCH] Define popular policy rules by constants (part 2)
This commit defines complex policy rules with constants. Convenient functions policy_or and policy_and are introduced so that complex policy rules can be defined easily.
Partially Implements: blueprint neutron-policy-in-code
Change-Id: Id56c787733f5bd016dab7adaf956d676dd358b82
---
 neutron/conf/policies/address_scope.py | 3 +-
 neutron/conf/policies/base.py | 26 +++++++++---
 neutron/conf/policies/network.py | 6 ++-
 neutron/conf/policies/port.py | 59 ++++++++++++++++----------
 neutron/conf/policies/rbac.py | 6 ++-
 neutron/conf/policies/subnet.py | 3 +-
 neutron/conf/policies/subnetpool.py | 3 +-
 7 files changed, 69 insertions(+), 37 deletions(-)
diff --git a/neutron/conf/policies/address_scope.py b/neutron/conf/policies/address_scope.py
index bfd7f31c071..78b4fe164df 100644
--- a/neutron/conf/policies/address_scope.py
+++ b/neutron/conf/policies/address_scope.py
@@ -27,7 +27,8 @@ rules = [
 description=('Access rule for creating '
 'shared address scope')),
 policy.RuleDefault('get_address_scope',
- 'rule:admin_or_owner or rule:shared_address_scopes',
+ base.policy_or(base.RULE_ADMIN_OR_OWNER,
+ 'rule:shared_address_scopes'),
 description='Access rule for getting address scope'),
 policy.RuleDefault('update_address_scope',
 base.RULE_ADMIN_OR_OWNER,
diff --git a/neutron/conf/policies/base.py b/neutron/conf/policies/base.py
index 5a07d6ebb4e..cc2e21aa8d8 100644
--- a/neutron/conf/policies/base.py
+++ b/neutron/conf/policies/base.py
@@ -13,6 +13,14 @@
 from oslo_policy import policy
+def policy_and(*args):
+ return ' and '.join(args)
+
+
+def policy_or(*args):
+ return ' or '.join(args)
+
+
 # TODO(amotoki): Define these in neutron-lib once what constants are required
 # from stadium and 3rd party projects.
 # As of now, the following are candidates.
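Review bot: `policy_and` and `policy_or` in the base.py hunk join their operands verbatim, so a rule built by nesting them (for example `policy_and(policy_or(a, b), c)`) produces `a or b and c`, which, if oslo.policy binds `and` tighter than `or` as I believe it does, evaluates as `a or (b and c)` instead of the intended `(a or b) and c`; no call site in this commit nests the helpers (the rbac hunk is the only `policy_and` use, and its operands are plain rule references), but a future caller could silently widen a rule. Either parenthesize each operand, `return ' and '.join('(%s)' % a for a in args)`, or record the limitation in a docstring such as `"""Join rule strings with ' and '. Operands are inserted as-is, so an operand that itself contains ' or ' must already be parenthesized."""`, and the same for `policy_or`. Both helpers also accept zero arguments and then return `''`, which oslo.policy, as far as I recall, parses as an always-true check, so an accidental empty call would become an allow-all rule at startup rather than an error; a guard like `if not args: raise ValueError('at least one rule is required')` at the top of each function would fail fast instead. Neither new function has a docstring.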
@@ -21,8 +29,8 @@ RULE_ADMIN_ONLY = 'rule:admin_only'
 RULE_ANY = 'rule:regular_user'
 RULE_ADVSVC = 'rule:context_is_advsvc'
 RULE_ADMIN_OR_NET_OWNER = 'rule:admin_or_network_owner'
-RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC = ' or '.join([RULE_ADMIN_OR_NET_OWNER,
- RULE_ADVSVC])
+RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC = policy_or(RULE_ADMIN_OR_NET_OWNER,
+ RULE_ADVSVC)
 RULE_ADMIN_OR_PARENT_OWNER = 'rule:admin_or_ext_parent_owner'
@@ -37,7 +45,8 @@ rules = [
 description='Rule for resource owner access'),
 policy.RuleDefault(
 'admin_or_owner',
- 'rule:context_is_admin or rule:owner',
+ policy_or('rule:context_is_admin',
+ 'rule:owner'),
 description='Rule for admin or owner access'),
 policy.RuleDefault(
 'context_is_advsvc',
@@ -45,11 +54,13 @@ rules = [
 description='Rule for advsvc role access'),
 policy.RuleDefault(
 'admin_or_network_owner',
- 'rule:context_is_admin or tenant_id:%(network:tenant_id)s',
+ policy_or('rule:context_is_admin',
+ 'tenant_id:%(network:tenant_id)s'),
 description='Rule for admin or network owner access'),
 policy.RuleDefault(
 'admin_owner_or_network_owner',
- 'rule:owner or rule:admin_or_network_owner',
+ policy_or('rule:owner',
+ RULE_ADMIN_OR_NET_OWNER),
 description=('Rule for resource owner, '
 'admin or network owner access')),
 policy.RuleDefault(
@@ -67,11 +78,12 @@ rules = [
 description='Rule of shared network'),
 policy.RuleDefault(
 'default',
- 'rule:admin_or_owner',
+ RULE_ADMIN_OR_OWNER,
 description='Default access rule'),
 policy.RuleDefault(
 'admin_or_ext_parent_owner',
- 'rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s',
+ policy_or('rule:context_is_admin',
+ 'tenant_id:%(ext_parent:tenant_id)s'),
 description='Rule for common parent owner check'),
 ]
diff --git a/neutron/conf/policies/network.py b/neutron/conf/policies/network.py
index 2c956fc835b..2ae95e679ee 100644
--- a/neutron/conf/policies/network.py
+++ b/neutron/conf/policies/network.py
@@ -59,8 +59,10 @@ rules = [
 policy.RuleDefault(
 'get_network',
- ('rule:admin_or_owner or rule:shared or '
- 'rule:external or rule:context_is_advsvc'),
+ base.policy_or(base.RULE_ADMIN_OR_OWNER,
+ 'rule:shared',
+ 'rule:external',
+ base.RULE_ADVSVC),
 description='Access rule for getting shared network'),
 policy.RuleDefault(
 'get_network:router:external',
diff --git a/neutron/conf/policies/port.py b/neutron/conf/policies/port.py
index 10601ec2bc5..d05bb45464d 100644
--- a/neutron/conf/policies/port.py
+++ b/neutron/conf/policies/port.py
@@ -22,7 +22,8 @@ rules = [
 description='Rule of port with network device_owner'),
 policy.RuleDefault(
 'admin_or_data_plane_int',
- 'rule:context_is_admin or role:data_plane_integrator',
+ base.policy_or('rule:context_is_admin',
+ 'role:data_plane_integrator'),
 description='Rule for data plane integration'),
 policy.RuleDefault(
@@ -31,33 +32,37 @@ rules = [
 description='Access rule for creating port'),
 policy.RuleDefault(
 'create_port:device_owner',
- ('not rule:network_device or '
- 'rule:context_is_advsvc or '
- 'rule:admin_or_network_owner'),
+ base.policy_or('not rule:network_device',
+ base.RULE_ADVSVC,
+ base.RULE_ADMIN_OR_NET_OWNER),
 description='Access rule for creating port with device_owner'),
 policy.RuleDefault(
 'create_port:mac_address',
- 'rule:context_is_advsvc or rule:admin_or_network_owner',
+ base.policy_or(base.RULE_ADVSVC,
+ base.RULE_ADMIN_OR_NET_OWNER),
 description=('Access rule for creating port with mac_address')),
 policy.RuleDefault(
 'create_port:fixed_ips',
- 'rule:context_is_advsvc or rule:admin_or_network_owner',
+ base.policy_or(base.RULE_ADVSVC,
+ base.RULE_ADMIN_OR_NET_OWNER),
 description='Access rule for creating port with fixed_ips'),
 policy.RuleDefault(
 'create_port:fixed_ips:ip_address',
- 'rule:context_is_advsvc or rule:admin_or_network_owner',
+ base.policy_or(base.RULE_ADVSVC,
+ base.RULE_ADMIN_OR_NET_OWNER),
 description=('Access rule for creating port specifying IP address in '
 'fixed_ips')),
 policy.RuleDefault(
 'create_port:fixed_ips:subnet_id',
- ('rule:context_is_advsvc or '
- 'rule:admin_or_network_owner or '
- 'rule:shared'),
+ base.policy_or(base.RULE_ADVSVC,
+ base.RULE_ADMIN_OR_NET_OWNER,
+ 'rule:shared'),
 description=('Access rule for creating port specifying subnet ID in '
 'fixed_ips')),
 policy.RuleDefault(
 'create_port:port_security_enabled',
- 'rule:context_is_advsvc or rule:admin_or_network_owner',
+ base.policy_or(base.RULE_ADVSVC,
+ base.RULE_ADMIN_OR_NET_OWNER),
 description=('Access rule for creating '
 'port with port_security_enabled')),
 policy.RuleDefault(
@@ -79,7 +84,8 @@ rules = [
 policy.RuleDefault(
 'get_port',
- 'rule:context_is_advsvc or rule:admin_owner_or_network_owner',
+ base.policy_or(base.RULE_ADVSVC,
+ 'rule:admin_owner_or_network_owner'),
 description='Access rule for getting port'),
 policy.RuleDefault(
 'get_port:binding:vif_type',
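Review bot: `'rule:admin_owner_or_network_owner'` stays a string literal in the new `get_port` rule (and again in `delete_port` further down), while the sibling operand is `base.RULE_ADVSVC`; the series' stated purpose is to reference rules through constants, and `admin_owner_or_network_owner` is defined in base.py in this very commit, so mixing the two forms in one call makes it harder to spot a mistyped rule name, which oslo.policy would only surface at enforcement time. If a constant for this rule is planned for a later part, a short `# TODO(amotoki): use a base.RULE_* constant once defined` next to the literal would make that intent visible; the same applies to `'rule:shared'` and `'rule:external'` in the network.py hunk.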
@@ -102,36 +108,42 @@ rules = [
 policy.RuleDefault(
 'update_port',
- 'rule:admin_or_owner or rule:context_is_advsvc',
+ base.policy_or(base.RULE_ADMIN_OR_OWNER,
+ base.RULE_ADVSVC),
 description='Access rule for updating port'),
 policy.RuleDefault(
 'update_port:device_owner',
- ('not rule:network_device or rule:context_is_advsvc '
- 'or rule:admin_or_network_owner'),
+ base.policy_or('not rule:network_device',
+ base.RULE_ADVSVC,
+ base.RULE_ADMIN_OR_NET_OWNER),
 description='Access rule for updating device_owner of port'),
 policy.RuleDefault(
 'update_port:mac_address',
- 'rule:admin_only or rule:context_is_advsvc',
+ base.policy_or(base.RULE_ADMIN_ONLY,
+ base.RULE_ADVSVC),
 description='Access rule for updating mac_address of port'),
 policy.RuleDefault(
 'update_port:fixed_ips',
- 'rule:context_is_advsvc or rule:admin_or_network_owner',
+ base.policy_or(base.RULE_ADVSVC,
+ base.RULE_ADMIN_OR_NET_OWNER),
 description='Access rule for updating fixed_ips of port'),
 policy.RuleDefault(
 'update_port:fixed_ips:ip_address',
- 'rule:context_is_advsvc or rule:admin_or_network_owner',
+ base.policy_or(base.RULE_ADVSVC,
+ base.RULE_ADMIN_OR_NET_OWNER),
 description=('Access rule for updating port specifying IP address in '
 'fixed_ips')),
 policy.RuleDefault(
 'update_port:fixed_ips:subnet_id',
- ('rule:context_is_advsvc or '
- 'rule:admin_or_network_owner or '
- 'rule:shared'),
+ base.policy_or(base.RULE_ADVSVC,
+ base.RULE_ADMIN_OR_NET_OWNER,
+ 'rule:shared'),
 description=('Access rule for updating port specifying subnet ID in '
 'fixed_ips')),
 policy.RuleDefault(
 'update_port:port_security_enabled',
- 'rule:context_is_advsvc or rule:admin_or_network_owner',
+ base.policy_or(base.RULE_ADVSVC,
+ base.RULE_ADMIN_OR_NET_OWNER),
 description='Access rule for updating port_security_enabled of port'),
 policy.RuleDefault(
 'update_port:binding:host_id',
@@ -153,7 +165,8 @@ rules = [
 policy.RuleDefault(
 'delete_port',
- 'rule:context_is_advsvc or rule:admin_owner_or_network_owner',
+ base.policy_or(base.RULE_ADVSVC,
+ 'rule:admin_owner_or_network_owner'),
 description='Access rule for deleting port'),
 ]
diff --git a/neutron/conf/policies/rbac.py b/neutron/conf/policies/rbac.py
index 19329290651..c6a08891f2b 100644
--- a/neutron/conf/policies/rbac.py
+++ b/neutron/conf/policies/rbac.py
@@ -18,7 +18,8 @@ from neutron.conf.policies import base
 rules = [
 policy.RuleDefault(
 'restrict_wildcard',
- '(not field:rbac_policy:target_tenant=*) or rule:admin_only',
+ base.policy_or('(not field:rbac_policy:target_tenant=*)',
+ base.RULE_ADMIN_ONLY),
 description='Rule of restrict wildcard'),
 policy.RuleDefault(
@@ -36,7 +37,8 @@ rules = [
 description='Access rule for updating RBAC policy'),
 policy.RuleDefault(
 'update_rbac_policy:target_tenant',
- 'rule:restrict_wildcard and rule:admin_or_owner',
+ base.policy_and('rule:restrict_wildcard',
+ base.RULE_ADMIN_OR_OWNER),
 description=('Access rule for updating target_tenant '
 'attribute of RBAC policy')),
 policy.RuleDefault(
diff --git a/neutron/conf/policies/subnet.py b/neutron/conf/policies/subnet.py
index f273fd904dd..285bc479aea 100644
--- a/neutron/conf/policies/subnet.py
+++ b/neutron/conf/policies/subnet.py
@@ -28,7 +28,8 @@ rules = [
 description=('Access rule for creating '
 'subnet with service_type')),
 policy.RuleDefault('get_subnet',
- 'rule:admin_or_owner or rule:shared',
+ base.policy_or(base.RULE_ADMIN_OR_OWNER,
+ 'rule:shared'),
 description='Access rule for getting subnet'),
 policy.RuleDefault('get_subnet:segment_id',
 base.RULE_ADMIN_ONLY,
diff --git a/neutron/conf/policies/subnetpool.py b/neutron/conf/policies/subnetpool.py
index 895153c6995..0ddab157b75 100644
--- a/neutron/conf/policies/subnetpool.py
+++ b/neutron/conf/policies/subnetpool.py
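Review bot: The `update_rbac_policy:target_tenant` hunk in rbac.py is the only place the new `policy_and` helper is used, and the commit adds no test pinning the strings the helpers generate; since these strings are what oslo.policy enforces, a regression in the join (a missing space, a changed separator, or a later change to operand quoting) would alter access decisions without any Python error. A small unit test in the policies test module would catch that, e.g. `self.assertEqual('rule:restrict_wildcard and rule:admin_or_owner', base.policy_and('rule:restrict_wildcard', base.RULE_ADMIN_OR_OWNER))` and the matching `policy_or` case for `restrict_wildcard`. The `(not field:rbac_policy:target_tenant=*)` operand keeps its original parentheses, which is fine since the helper does not add any of its own.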
@@ -31,7 +31,8 @@ rules = [
 description=('Access rule for creating '
 'subnetpool with is_default')),
 policy.RuleDefault('get_subnetpool',
- 'rule:admin_or_owner or rule:shared_subnetpools',
+ base.policy_or(base.RULE_ADMIN_OR_OWNER,
+ 'rule:shared_subnetpools'),
 description='Access rule for getting subnetpool'),
 policy.RuleDefault('update_subnetpool',
 base.RULE_ADMIN_OR_OWNER,