Add router `PUT` external gateways actions policies

In [1], released in neutron-lib 3.6.0, and available since
2023.2 (Bobcat), three new actions were added to the router resource
with the following sub attributes:
* PUT add_external_gateways
** add_external_gateways:external_gateways
** add_external_gateways:external_gateways:network_id
** add_external_gateways:external_gateways:enable_snat
** add_external_gateways:external_gateways:external_fixed_ips

* PUT update_external_gateways
** update_external_gateways:external_gateways
** update_external_gateways:external_gateways:network_id
** update_external_gateways:external_gateways:enable_snat
** update_external_gateways:external_gateways:external_fixed_ips

* PUT remove_external_gateways
** remove_external_gateways:external_gateways

[1] https://review.opendev.org/c/openstack/neutron-lib/+/870887

Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/943170

Closes-Bug: #2098109
Related-Bug: #2002687
Change-Id: Idc502903fe6a45c9a18798b8d76036a8a1b7236a
Rodolfo Alonso Hernandez
2025-02-13 07:37:42 +00:00
committed by Rodolfo Alonso
parent d9ed464dde
commit 7997222e40
2 changed files with 826 additions and 0 deletions


@@ -431,6 +431,93 @@ rules = [
deprecated_reason=DEPRECATED_REASON,
deprecated_since="Xena")
),
policy.DocumentedRuleDefault(
name='add_external_gateways',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Add router external gateways',
operations=ACTION_PUT,
),
policy.DocumentedRuleDefault(
name='add_external_gateways:external_gateways',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Add router external gateways',
operations=ACTION_PUT,
),
policy.DocumentedRuleDefault(
name='add_external_gateways:external_gateways:network_id',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Add router external gateways with defined network ID',
operations=ACTION_PUT,
),
policy.DocumentedRuleDefault(
name='add_external_gateways:external_gateways:enable_snat',
check_str=base.ADMIN,
scope_types=['project'],
description='Add router external gateways specifying SNAT flag',
operations=ACTION_PUT,
),
policy.DocumentedRuleDefault(
name='add_external_gateways:external_gateways:external_fixed_ips',
check_str=base.ADMIN,
scope_types=['project'],
description='Add router external gateways specifying the fixed IPs',
operations=ACTION_PUT,
),
policy.DocumentedRuleDefault(
name='update_external_gateways',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Update router external gateways',
operations=ACTION_PUT,
),
policy.DocumentedRuleDefault(
name='update_external_gateways:external_gateways',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Update router external gateways',
operations=ACTION_PUT,
),
policy.DocumentedRuleDefault(
name='update_external_gateways:external_gateways:network_id',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Update router external gateways network ID',
operations=ACTION_PUT,
),
policy.DocumentedRuleDefault(
name='update_external_gateways:external_gateways:enable_snat',
check_str=base.ADMIN,
scope_types=['project'],
description='Update router external gateways SNAT flag',
operations=ACTION_PUT,
),
policy.DocumentedRuleDefault(
name='update_external_gateways:external_gateways:external_fixed_ips',
check_str=base.ADMIN,
scope_types=['project'],
description='Update router external gateways fixed IPs',
operations=ACTION_PUT,
),
policy.DocumentedRuleDefault(
name='remove_external_gateways',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Remove router external gateways',
operations=ACTION_PUT,
),
policy.DocumentedRuleDefault(
name='remove_external_gateways:external_gateways',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Remove router external gateways',
operations=ACTION_PUT,
),
]
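Review bot: The four sub-attribute rules for `enable_snat` and `external_fixed_ips` (under both `add_external_gateways` and `update_external_gateways`) default to `base.ADMIN` while every other rule added here is `base.ADMIN_OR_PROJECT_MEMBER`, and nothing in the list says the split is deliberate. A short comment above the first of them, such as `# Admin-only by default: a project member may attach a gateway but not set SNAT or choose its fixed IPs`, would keep a later edit from relaxing one of the four without noticing the others. Separately, `add_external_gateways` and `add_external_gateways:external_gateways` share the description 'Add router external gateways' (the update and remove pairs do the same), so generated policy documentation cannot tell the action rule from the attribute rule; naming the attribute in the second description would fix that. The `rules = [` list begins outside the hunk.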


@@ -342,6 +342,175 @@ class SystemAdminTests(RouterAPITestCase):
policy.enforce,
self.context, 'remove_router_interface', self.alt_target)
def test_add_external_gateways(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'add_external_gateways',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'add_external_gateways',
self.alt_target)
def test_add_external_gateways_external_gateways(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'add_external_gateways:external_gateways',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'add_external_gateways:external_gateways',
self.alt_target)
def test_add_external_gateways_external_gateways_network_id(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:network_id',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:network_id',
self.alt_target)
def test_add_external_gateways_external_gateways_enable_snat(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:enable_snat',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:enable_snat',
self.alt_target)
def test_add_external_gateways_external_gateways_external_fixed_ips(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:external_fixed_ips',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:external_fixed_ips',
self.alt_target)
def test_update_external_gateways(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'update_external_gateways',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'update_external_gateways',
self.alt_target)
def test_update_external_gateways_external_gateways(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'update_external_gateways:external_gateways',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'update_external_gateways:external_gateways',
self.alt_target)
def test_update_external_gateways_external_gateways_network_id(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:network_id',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:network_id',
self.alt_target)
def test_update_external_gateways_external_gateways_enable_snat(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:enable_snat',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:enable_snat',
self.alt_target)
def test_update_external_gateways_external_gateways_external_fixed_ips(
self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:external_fixed_ips',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:external_fixed_ips',
self.alt_target)
def test_remove_external_gateways(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'remove_external_gateways',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'remove_external_gateways',
self.alt_target)
def test_remove_external_gateways_external_gateways(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'remove_external_gateways:external_gateways',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context,
'remove_external_gateways:external_gateways',
self.alt_target)
class SystemMemberTests(SystemAdminTests):
@@ -580,6 +749,149 @@ class AdminTests(RouterAPITestCase):
policy.enforce(self.context,
'remove_router_interface', self.alt_target))
def test_add_external_gateways(self):
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways',
self.target))
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways',
self.alt_target))
def test_add_external_gateways_external_gateways(self):
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways:external_gateways',
self.target))
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways:external_gateways',
self.alt_target))
def test_add_external_gateways_external_gateways_network_id(self):
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways:external_gateways:network_id',
self.target))
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways:external_gateways:network_id',
self.alt_target))
def test_add_external_gateways_external_gateways_enable_snat(self):
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways:external_gateways:enable_snat',
self.target))
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways:external_gateways:enable_snat',
self.alt_target))
def test_add_external_gateways_external_gateways_external_fixed_ips(self):
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways:external_gateways:external_fixed_ips',
self.target))
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways:external_gateways:external_fixed_ips',
self.alt_target))
def test_update_external_gateways(self):
self.assertTrue(
policy.enforce(
self.context,
'update_external_gateways',
self.target))
self.assertTrue(
policy.enforce(
self.context,
'update_external_gateways',
self.alt_target))
def test_update_external_gateways_external_gateways(self):
self.assertTrue(
policy.enforce(
self.context,
'update_external_gateways:external_gateways',
self.target))
self.assertTrue(
policy.enforce(
self.context,
'update_external_gateways:external_gateways',
self.alt_target))
def test_update_external_gateways_external_gateways_network_id(self):
self.assertTrue(
policy.enforce(
self.context,
'update_external_gateways:external_gateways:network_id',
self.target))
self.assertTrue(
policy.enforce(
self.context,
'update_external_gateways:external_gateways:network_id',
self.alt_target))
def test_update_external_gateways_external_gateways_enable_snat(self):
self.assertTrue(
policy.enforce(
self.context,
'update_external_gateways:external_gateways:enable_snat',
self.target))
self.assertTrue(
policy.enforce(
self.context,
'update_external_gateways:external_gateways:enable_snat',
self.alt_target))
def test_update_external_gateways_external_gateways_external_fixed_ips(
self):
self.assertTrue(policy.enforce(
self.context,
'update_external_gateways:external_gateways:external_fixed_ips',
self.target))
self.assertTrue(policy.enforce(
self.context,
'update_external_gateways:external_gateways:external_fixed_ips',
self.alt_target))
def test_remove_external_gateways(self):
self.assertTrue(
policy.enforce(
self.context,
'remove_external_gateways',
self.target))
self.assertTrue(
policy.enforce(
self.context,
'remove_external_gateways',
self.alt_target))
def test_remove_external_gateways_external_gateways(self):
self.assertTrue(
policy.enforce(
self.context,
'remove_external_gateways:external_gateways',
self.target))
self.assertTrue(
policy.enforce(
self.context,
'remove_external_gateways:external_gateways',
self.alt_target))
class ProjectManagerTests(AdminTests):
@@ -853,6 +1165,167 @@ class ProjectManagerTests(AdminTests):
policy.enforce,
self.context, 'remove_router_interface', self.alt_target)
def test_add_external_gateways(self):
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways',
self.alt_target)
def test_add_external_gateways_external_gateways(self):
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways:external_gateways',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways',
self.alt_target)
def test_add_external_gateways_external_gateways_network_id(self):
self.assertTrue(
policy.enforce(
self.context,
'add_external_gateways:external_gateways:network_id',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:network_id',
self.alt_target)
def test_add_external_gateways_external_gateways_enable_snat(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:enable_snat',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:enable_snat',
self.alt_target)
def test_add_external_gateways_external_gateways_external_fixed_ips(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:external_fixed_ips',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:external_fixed_ips',
self.alt_target)
def test_update_external_gateways(self):
self.assertTrue(
policy.enforce(
self.context,
'update_external_gateways',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways',
self.alt_target)
def test_update_external_gateways_external_gateways(self):
self.assertTrue(
policy.enforce(
self.context,
'update_external_gateways:external_gateways',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways',
self.alt_target)
def test_update_external_gateways_external_gateways_network_id(self):
self.assertTrue(
policy.enforce(
self.context,
'update_external_gateways:external_gateways:network_id',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:network_id',
self.alt_target)
def test_update_external_gateways_external_gateways_enable_snat(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:enable_snat',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:enable_snat',
self.alt_target)
def test_update_external_gateways_external_gateways_external_fixed_ips(
self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:external_fixed_ips',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:external_fixed_ips',
self.alt_target)
def test_remove_external_gateways(self):
self.assertTrue(
policy.enforce(
self.context,
'remove_external_gateways',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'remove_external_gateways',
self.alt_target)
def test_remove_external_gateways_external_gateways(self):
self.assertTrue(
policy.enforce(
self.context,
'remove_external_gateways:external_gateways',
self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'remove_external_gateways:external_gateways',
self.alt_target)
class ProjectMemberTests(ProjectManagerTests):
@@ -995,6 +1468,175 @@ class ProjectReaderTests(ProjectMemberTests):
policy.enforce,
self.context, 'remove_router_interface', self.alt_target)
def test_add_external_gateways(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways',
self.alt_target)
def test_add_external_gateways_external_gateways(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways',
self.alt_target)
def test_add_external_gateways_external_gateways_network_id(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:network_id',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:network_id',
self.alt_target)
def test_add_external_gateways_external_gateways_enable_snat(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:enable_snat',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:enable_snat',
self.alt_target)
def test_add_external_gateways_external_gateways_external_fixed_ips(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:external_fixed_ips',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:external_fixed_ips',
self.alt_target)
def test_update_external_gateways(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways',
self.alt_target)
def test_update_external_gateways_external_gateways(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways',
self.alt_target)
def test_update_external_gateways_external_gateways_network_id(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:network_id',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:network_id',
self.alt_target)
def test_update_external_gateways_external_gateways_enable_snat(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:enable_snat',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:enable_snat',
self.alt_target)
def test_update_external_gateways_external_gateways_external_fixed_ips(
self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:external_fixed_ips',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:external_fixed_ips',
self.alt_target)
def test_remove_external_gateways(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'remove_external_gateways',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'remove_external_gateways',
self.alt_target)
def test_remove_external_gateways_external_gateways(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'remove_external_gateways:external_gateways',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'remove_external_gateways:external_gateways',
self.alt_target)
class ExtrarouteAPITestCase(base.PolicyBaseTestCase):
@@ -1266,3 +1908,100 @@ class ServiceRoleTests(RouterAPITestCase):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'remove_router_interface', self.target)
def test_add_external_gateways(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways',
self.target)
def test_add_external_gateways_external_gateways(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways',
self.target)
def test_add_external_gateways_external_gateways_network_id(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:network_id',
self.target)
def test_add_external_gateways_external_gateways_enable_snat(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:enable_snat',
self.target)
def test_add_external_gateways_external_gateways_external_fixed_ips(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'add_external_gateways:external_gateways:external_fixed_ips',
self.target)
def test_update_external_gateways(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways',
self.target)
def test_update_external_gateways_external_gateways(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways',
self.target)
def test_update_external_gateways_external_gateways_network_id(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:network_id',
self.target)
def test_update_external_gateways_external_gateways_enable_snat(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:enable_snat',
self.target)
def test_update_external_gateways_external_gateways_external_fixed_ips(
self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'update_external_gateways:external_gateways:external_fixed_ips',
self.target)
def test_remove_external_gateways(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'remove_external_gateways',
self.target)
def test_remove_external_gateways_external_gateways(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context,
'remove_external_gateways:external_gateways',
self.target)
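Review bot: Two of the new tests enforce an `add_...` rule where the test name says `update_...`, so the update rule is never checked for that context. In `SystemAdminTests.test_update_external_gateways_external_gateways_enable_snat` both assertions pass `'add_external_gateways:external_gateways:enable_snat'`, and in `ProjectManagerTests.test_update_external_gateways_external_gateways_external_fixed_ips` the `self.alt_target` assertion passes `'add_external_gateways:external_gateways:external_fixed_ips'`. Both tests still pass because the add and update rules carry the same defaults, which is exactly why a later change that relaxes only the update rule would go unnoticed here and in any subclass that inherits these tests unchanged. The rule names should read `'update_external_gateways:external_gateways:enable_snat'` and `'update_external_gateways:external_gateways:external_fixed_ips'` respectively.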