Merge "Convert policy.json into policy-in-code"
This commit is contained in:
commit
7bb0b84151
|
@ -22,17 +22,17 @@
|
|||
|
||||
|
||||
Authorization Policy Enforcement
|
||||
==================================
|
||||
================================
|
||||
|
||||
As most OpenStack projects, Neutron leverages oslo_policy [#]_. However, since
|
||||
Neutron loves to be special and complicate every developer's life, it also
|
||||
"augments" oslo_policy capabilities by:
|
||||
|
||||
* A wrapper module with its own API: neutron.policy;
|
||||
* The ability of adding fine-grained checks on attributes for resources in
|
||||
request bodies;
|
||||
* The ability of using the policy engine to filter out attributes in responses;
|
||||
* Adding some custom rule checks beyond those defined in oslo_policy;
|
||||
* A wrapper module with its own API: neutron.policy;
|
||||
* The ability of adding fine-grained checks on attributes for resources in
|
||||
request bodies;
|
||||
* The ability of using the policy engine to filter out attributes in responses;
|
||||
* Adding some custom rule checks beyond those defined in oslo_policy;
|
||||
|
||||
This document discusses Neutron-specific aspects of policy enforcement, and in
|
||||
particular how the enforcement logic is wired into API processing.
|
||||
|
@ -40,19 +40,19 @@ For any other information please refer to the developer documentation for
|
|||
oslo_policy [#]_.
|
||||
|
||||
Authorization workflow
|
||||
-----------------------
|
||||
----------------------
|
||||
|
||||
The Neutron API controllers perform policy checks in two phases during the
|
||||
processing of an API request:
|
||||
|
||||
* Request authorization, immediately before dispatching the request to the
|
||||
plugin layer for ``POST``, ``PUT``, and ``DELETE``, and immediately after
|
||||
returning from the plugin layer for ``GET`` requests;
|
||||
* Response filtering, when building the response to be returned to the API
|
||||
consumer.
|
||||
* Request authorization, immediately before dispatching the request to the
|
||||
plugin layer for ``POST``, ``PUT``, and ``DELETE``, and immediately after
|
||||
returning from the plugin layer for ``GET`` requests;
|
||||
* Response filtering, when building the response to be returned to the API
|
||||
consumer.
|
||||
|
||||
Request authorization
|
||||
~~~~~~~~~~~~~~~~~~~~~~
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The aim of this step is to authorize processing for a request or reject it
|
||||
with an error status code.
|
||||
|
@ -60,11 +60,11 @@ This step uses the ``neutron.policy.enforce`` routine. This routine raises
|
|||
``oslo_policy.PolicyNotAuthorized`` when policy enforcement fails. The Neutron
|
||||
REST API controllers catch this exception and return:
|
||||
|
||||
* A 403 response code on a ``POST`` request or an ``PUT`` request for an
|
||||
object owned by the project submitting the request;
|
||||
* A 403 response for failures while authorizing API actions such as
|
||||
``add_router_interface``;
|
||||
* A 404 response for ``DELETE``, ``GET`` and all other ``PUT`` requests.
|
||||
* A 403 response code on a ``POST`` request or an ``PUT`` request for an
|
||||
object owned by the project submitting the request;
|
||||
* A 403 response for failures while authorizing API actions such as
|
||||
``add_router_interface``;
|
||||
* A 404 response for ``DELETE``, ``GET`` and all other ``PUT`` requests.
|
||||
|
||||
For ``DELETE`` operations the resource must first be fetched. This is done
|
||||
invoking the same ``_item`` [#]_ method used for processing ``GET`` requests.
|
||||
|
@ -73,33 +73,33 @@ This is also true for ``PUT`` operations, since the Neutron API implements
|
|||
The criteria to evaluate are built in the ``_build_match_rule`` [#]_ routine.
|
||||
This routine takes in input the following parameters:
|
||||
|
||||
* The action to be performed, in the ``<operation>_<resource>`` form,
|
||||
``e.g.: create_network``
|
||||
* The data to use for performing checks. For ``POST`` operations this could
|
||||
be a partial specification of the object, whereas it is always a full
|
||||
specification for ``GET``, ``PUT``, and ``DELETE`` requests, as resource
|
||||
data are retrieved before dispatching the call to the plugin layer.
|
||||
* The collection name for the resource specified in the previous parameter;
|
||||
for instance, for a network it would be the "networks".
|
||||
* The action to be performed, in the ``<operation>_<resource>`` form,
|
||||
``e.g.: create_network``
|
||||
* The data to use for performing checks. For ``POST`` operations this could
|
||||
be a partial specification of the object, whereas it is always a full
|
||||
specification for ``GET``, ``PUT``, and ``DELETE`` requests, as resource
|
||||
data are retrieved before dispatching the call to the plugin layer.
|
||||
* The collection name for the resource specified in the previous parameter;
|
||||
for instance, for a network it would be the "networks".
|
||||
|
||||
The ``_build_match_rule`` routine returns a ``oslo_policy.RuleCheck`` instance
|
||||
built in the following way:
|
||||
|
||||
* Always add a check for the action being performed. This will match
|
||||
a policy like create_network in ``policy.json``;
|
||||
* Return for ``GET`` operations; more detailed checks will be performed anyway
|
||||
when building the response;
|
||||
* For each attribute which has been explicitly specified in the request
|
||||
create a rule matching policy names in the form
|
||||
``<operation>_<resource>:<attribute>`` rule, and link it with the
|
||||
previous rule with an 'And' relationship (using ``oslo_policy.AndCheck``);
|
||||
this step will be performed only if the enforce_policy flag is set to
|
||||
True in the resource attribute descriptor (usually found in a data
|
||||
structure called ``RESOURCE_ATTRIBUTE_MAP``);
|
||||
* If the attribute is a composite one then further rules will be created;
|
||||
These will match policy names in the form ``<operation>_<resource>:
|
||||
<attribute>:<sub_attribute>``. An 'And' relationship will be used in this
|
||||
case too.
|
||||
* Always add a check for the action being performed. This will match
|
||||
a policy like create_network in ``policy.json``;
|
||||
* Return for ``GET`` operations; more detailed checks will be performed anyway
|
||||
when building the response;
|
||||
* For each attribute which has been explicitly specified in the request
|
||||
create a rule matching policy names in the form
|
||||
``<operation>_<resource>:<attribute>`` rule, and link it with the
|
||||
previous rule with an 'And' relationship (using ``oslo_policy.AndCheck``);
|
||||
this step will be performed only if the enforce_policy flag is set to
|
||||
True in the resource attribute descriptor (usually found in a data
|
||||
structure called ``RESOURCE_ATTRIBUTE_MAP``);
|
||||
* If the attribute is a composite one then further rules will be created;
|
||||
These will match policy names in the form ``<operation>_<resource>:
|
||||
<attribute>:<sub_attribute>``. An 'And' relationship will be used in this
|
||||
case too.
|
||||
|
||||
As all the rules to verify are linked by 'And' relationships, all the policy
|
||||
checks should succeed in order for a request to be authorized. Rule
|
||||
|
@ -107,7 +107,7 @@ verification is performed by ``oslo_policy`` with no "customization" from the
|
|||
Neutron side.
|
||||
|
||||
Response Filtering
|
||||
~~~~~~~~~~~~~~~~~~~
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Some Neutron extensions, like the provider networks one, add some attribute
|
||||
to resources which are however not meant to be consumed by all clients. This
|
||||
|
@ -126,7 +126,7 @@ is added to a list of attributes that should be removed from the response
|
|||
before returning it to the API client.
|
||||
|
||||
The neutron.policy API
|
||||
------------------------
|
||||
----------------------
|
||||
|
||||
The ``neutron.policy`` module exposes a simple API whose main goal if to allow the
|
||||
REST API controllers to implement the authorization workflow discussed in this
|
||||
|
@ -137,35 +137,35 @@ defies Neutron tenet of being backend agnostic.
|
|||
|
||||
The neutron.policy API exposes the following routines:
|
||||
|
||||
* ``init``
|
||||
Initializes the policy engine loading rules from the json policy (files).
|
||||
This method can safely be called several times.
|
||||
* ``reset``
|
||||
Clears all the rules currently configured in the policy engine. It is
|
||||
called in unit tests and at the end of the initialization of core API
|
||||
router [#]_ in order to ensure rules are loaded after all the extensions
|
||||
are loaded.
|
||||
* ``refresh``
|
||||
Combines init and reset. Called when a SIGHUP signal is sent to an API
|
||||
worker.
|
||||
* ``set_rules``
|
||||
Explicitly set policy engine's rules. Used only in unit tests.
|
||||
* ``check``
|
||||
Perform a check using the policy engine. Builds match rules as described
|
||||
in this document, and then evaluates the resulting rule using oslo_policy's
|
||||
policy engine. Returns True if the checks succeeds, false otherwise.
|
||||
* ``enforce``
|
||||
Operates like the check routine but raises if the check in oslo_policy
|
||||
fails.
|
||||
* ``check_is_admin``
|
||||
Enforce the predefined context_is_admin rule; used to determine the is_admin
|
||||
property for a neutron context.
|
||||
* ``check_is_advsvc``
|
||||
Enforce the predefined context_is_advsvc rule; used to determine the
|
||||
is_advsvc property for a neutron context.
|
||||
* ``init``
|
||||
Initializes the policy engine loading rules from the json policy (files).
|
||||
This method can safely be called several times.
|
||||
* ``reset``
|
||||
Clears all the rules currently configured in the policy engine. It is
|
||||
called in unit tests and at the end of the initialization of core API
|
||||
router [#]_ in order to ensure rules are loaded after all the extensions
|
||||
are loaded.
|
||||
* ``refresh``
|
||||
Combines init and reset. Called when a SIGHUP signal is sent to an API
|
||||
worker.
|
||||
* ``set_rules``
|
||||
Explicitly set policy engine's rules. Used only in unit tests.
|
||||
* ``check``
|
||||
Perform a check using the policy engine. Builds match rules as described
|
||||
in this document, and then evaluates the resulting rule using oslo_policy's
|
||||
policy engine. Returns True if the checks succeeds, false otherwise.
|
||||
* ``enforce``
|
||||
Operates like the check routine but raises if the check in oslo_policy
|
||||
fails.
|
||||
* ``check_is_admin``
|
||||
Enforce the predefined context_is_admin rule; used to determine the is_admin
|
||||
property for a neutron context.
|
||||
* ``check_is_advsvc``
|
||||
Enforce the predefined context_is_advsvc rule; used to determine the
|
||||
is_advsvc property for a neutron context.
|
||||
|
||||
Neutron specific policy rules
|
||||
------------------------------
|
||||
-----------------------------
|
||||
|
||||
Neutron provides two additional policy rule classes in order to support the
|
||||
"augmented" authorization capabilities it provides. They both extend
|
||||
|
@ -190,30 +190,30 @@ plugin name which were registered in neutron-lib into
|
|||
|
||||
The check, performed in the ``__call__`` method, works as follows:
|
||||
|
||||
* verify if the target field is already in the target data. If yes, then
|
||||
simply verify whether the value for the target field in target data
|
||||
is equal to value for the same field in credentials, just like
|
||||
``oslo_policy.GeneriCheck`` would do. This is also the most frequent case
|
||||
as the target field is usually ``tenant_id``;
|
||||
* if the previous check failed, extract a parent resource type and a
|
||||
parent field name from the target field. For instance
|
||||
``networks:tenant_id`` identifies the ``tenant_id`` attribute of the
|
||||
``network`` resource. For extension parent resource case,
|
||||
``ext_parent:tenant_id`` identifies the ``tenant_id`` attribute of the
|
||||
registered extension resource in ``EXT_PARENT_RESOURCE_MAPPING``;
|
||||
* if no parent resource or target field could be identified raise a
|
||||
``PolicyCheckError`` exception;
|
||||
* Retrieve a 'parent foreign key' from the ``_RESOURCE_FOREIGN_KEYS`` data
|
||||
structure in ``neutron.policy``. This foreign key is simply the
|
||||
attribute acting as a primary key in the parent resource. A
|
||||
``PolicyCheckError`` exception will be raised if such 'parent foreign key'
|
||||
cannot be retrieved;
|
||||
* Using the core plugin, retrieve an instance of the resource having
|
||||
'parent foreign key' as an identifier;
|
||||
* Finally, verify whether the target field in this resource matches the
|
||||
one in the initial request data. For instance, for a port create request,
|
||||
verify whether the ``tenant_id`` of the port data structure matches the
|
||||
``tenant_id`` of the network where this port is being created.
|
||||
* verify if the target field is already in the target data. If yes, then
|
||||
simply verify whether the value for the target field in target data
|
||||
is equal to value for the same field in credentials, just like
|
||||
``oslo_policy.GeneriCheck`` would do. This is also the most frequent case
|
||||
as the target field is usually ``tenant_id``;
|
||||
* if the previous check failed, extract a parent resource type and a
|
||||
parent field name from the target field. For instance
|
||||
``networks:tenant_id`` identifies the ``tenant_id`` attribute of the
|
||||
``network`` resource. For extension parent resource case,
|
||||
``ext_parent:tenant_id`` identifies the ``tenant_id`` attribute of the
|
||||
registered extension resource in ``EXT_PARENT_RESOURCE_MAPPING``;
|
||||
* if no parent resource or target field could be identified raise a
|
||||
``PolicyCheckError`` exception;
|
||||
* Retrieve a 'parent foreign key' from the ``_RESOURCE_FOREIGN_KEYS`` data
|
||||
structure in ``neutron.policy``. This foreign key is simply the
|
||||
attribute acting as a primary key in the parent resource. A
|
||||
``PolicyCheckError`` exception will be raised if such 'parent foreign key'
|
||||
cannot be retrieved;
|
||||
* Using the core plugin, retrieve an instance of the resource having
|
||||
'parent foreign key' as an identifier;
|
||||
* Finally, verify whether the target field in this resource matches the
|
||||
one in the initial request data. For instance, for a port create request,
|
||||
verify whether the ``tenant_id`` of the port data structure matches the
|
||||
``tenant_id`` of the network where this port is being created.
|
||||
|
||||
|
||||
FieldCheck: Verify Resource Attributes
|
||||
|
@ -235,70 +235,111 @@ to ``<value>`` or return ``False`` is the ``<field>`` either is not equal to
|
|||
|
||||
|
||||
Guidance for API developers
|
||||
----------------------------
|
||||
---------------------------
|
||||
|
||||
When developing REST APIs for Neutron it is important to be aware of how the
|
||||
policy engine will authorize these requests. This is true both for APIs
|
||||
served by Neutron "core" and for the APIs served by the various Neutron
|
||||
"stadium" services.
|
||||
|
||||
* If an attribute of a resource might be subject to authorization checks
|
||||
then the ``enforce_policy`` attribute should be set to ``True``. While
|
||||
setting this flag to ``True`` for each attribute is a viable strategy,
|
||||
it is worth noting that this will require a call to the policy engine
|
||||
for each attribute, thus consistently increasing the time required to
|
||||
complete policy checks for a resource. This could result in a scalability
|
||||
issue, especially in the case of list operations retrieving a large
|
||||
number of resources;
|
||||
* Some resource attributes, even if not directly used in policy checks
|
||||
might still be required by the policy engine. This is for instance the
|
||||
case of the ``tenant_id`` attribute. For these attributes the
|
||||
``required_by_policy`` attribute should always set to ``True``. This will
|
||||
ensure that the attribute is included in the resource data sent to the
|
||||
policy engine for evaluation;
|
||||
* The ``tenant_id`` attribute is a fundamental one in Neutron API request
|
||||
authorization. The default policy, ``admin_or_owner``, uses it to validate
|
||||
if a project owns the resource it is trying to operate on. To this aim,
|
||||
if a resource without a tenant_id is created, it is important to ensure
|
||||
that ad-hoc authZ policies are specified for this resource.
|
||||
* There is still only one check which is hardcoded in Neutron's API layer:
|
||||
the check to verify that a project owns the network on which it is creating
|
||||
a port. This check is hardcoded and is always executed when creating a
|
||||
port, unless the network is shared. Unfortunately a solution for performing
|
||||
this check in an efficient way through the policy engine has not yet been
|
||||
found. Due to its nature, there is no way to override this check using the
|
||||
policy engine.
|
||||
* It is strongly advised to not perform policy checks in the plugin or in
|
||||
the database management classes. This might lead to divergent API
|
||||
behaviours across plugins. Also, it might leave the Neutron DB in an
|
||||
inconsistent state if a request is not authorized after it has already
|
||||
been dispatched to the backend.
|
||||
* If an attribute of a resource might be subject to authorization checks
|
||||
then the ``enforce_policy`` attribute should be set to ``True``. While
|
||||
setting this flag to ``True`` for each attribute is a viable strategy,
|
||||
it is worth noting that this will require a call to the policy engine
|
||||
for each attribute, thus consistently increasing the time required to
|
||||
complete policy checks for a resource. This could result in a scalability
|
||||
issue, especially in the case of list operations retrieving a large
|
||||
number of resources;
|
||||
* Some resource attributes, even if not directly used in policy checks
|
||||
might still be required by the policy engine. This is for instance the
|
||||
case of the ``tenant_id`` attribute. For these attributes the
|
||||
``required_by_policy`` attribute should always set to ``True``. This will
|
||||
ensure that the attribute is included in the resource data sent to the
|
||||
policy engine for evaluation;
|
||||
* The ``tenant_id`` attribute is a fundamental one in Neutron API request
|
||||
authorization. The default policy, ``admin_or_owner``, uses it to validate
|
||||
if a project owns the resource it is trying to operate on. To this aim,
|
||||
if a resource without a tenant_id is created, it is important to ensure
|
||||
that ad-hoc authZ policies are specified for this resource.
|
||||
* There is still only one check which is hardcoded in Neutron's API layer:
|
||||
the check to verify that a project owns the network on which it is creating
|
||||
a port. This check is hardcoded and is always executed when creating a
|
||||
port, unless the network is shared. Unfortunately a solution for performing
|
||||
this check in an efficient way through the policy engine has not yet been
|
||||
found. Due to its nature, there is no way to override this check using the
|
||||
policy engine.
|
||||
* It is strongly advised to not perform policy checks in the plugin or in
|
||||
the database management classes. This might lead to divergent API
|
||||
behaviours across plugins. Also, it might leave the Neutron DB in an
|
||||
inconsistent state if a request is not authorized after it has already
|
||||
been dispatched to the backend.
|
||||
|
||||
|
||||
Notes
|
||||
-----------------------
|
||||
-----
|
||||
|
||||
* No authorization checks are performed for requests coming from the RPC over
|
||||
AMQP channel. For all these requests a neutron admin context is built, and
|
||||
the plugins will process them as such.
|
||||
* For ``PUT`` and ``DELETE`` requests a 404 error is returned on request
|
||||
authorization failures rather than a 403, unless the project submitting the
|
||||
request own the resource to update or delete. This is to avoid conditions
|
||||
in which an API client might try and find out other projects' resource
|
||||
identifiers by sending out ``PUT`` and ``DELETE`` requests for random
|
||||
resource identifiers.
|
||||
* There is no way at the moment to specify an ``OR`` relationship between two
|
||||
attributes of a given resource (eg.: ``port.name == 'meh' or
|
||||
port.status == 'DOWN'``), unless the rule with the or condition is explicitly
|
||||
added to the policy.json file.
|
||||
* ``OwnerCheck`` performs a plugin access; this will likely require a database
|
||||
access, but since the behaviour is implementation specific it might also
|
||||
imply a round-trip to the backend. This class of checks, when involving
|
||||
retrieving attributes for 'parent' resources should be used very sparingly.
|
||||
* In order for ``OwnerCheck`` rules to work, parent resources should have an
|
||||
entry in ``neutron.policy._RESOURCE_FOREIGN_KEYS``; moreover the
|
||||
resource must be managed by the 'core' plugin (ie: the one defined in the
|
||||
core_plugin configuration variable)
|
||||
* No authorization checks are performed for requests coming from the RPC over
|
||||
AMQP channel. For all these requests a neutron admin context is built, and
|
||||
the plugins will process them as such.
|
||||
* For ``PUT`` and ``DELETE`` requests a 404 error is returned on request
|
||||
authorization failures rather than a 403, unless the project submitting the
|
||||
request own the resource to update or delete. This is to avoid conditions
|
||||
in which an API client might try and find out other projects' resource
|
||||
identifiers by sending out ``PUT`` and ``DELETE`` requests for random
|
||||
resource identifiers.
|
||||
* There is no way at the moment to specify an ``OR`` relationship between two
|
||||
attributes of a given resource (eg.: ``port.name == 'meh' or
|
||||
port.status == 'DOWN'``), unless the rule with the or condition is explicitly
|
||||
added to the policy.json file.
|
||||
* ``OwnerCheck`` performs a plugin access; this will likely require a database
|
||||
access, but since the behaviour is implementation specific it might also
|
||||
imply a round-trip to the backend. This class of checks, when involving
|
||||
retrieving attributes for 'parent' resources should be used very sparingly.
|
||||
* In order for ``OwnerCheck`` rules to work, parent resources should have an
|
||||
entry in ``neutron.policy._RESOURCE_FOREIGN_KEYS``; moreover the
|
||||
resource must be managed by the 'core' plugin (ie: the one defined in the
|
||||
core_plugin configuration variable)
|
||||
|
||||
Policy-in-Code support
|
||||
----------------------
|
||||
|
||||
Policy-in-code support in neutron is a bit different from other projects
|
||||
because the neutron server needs to load policies in code from multiple
|
||||
projects. Each neutron related project should register the following two entry
|
||||
points ``oslo.policy.policies`` and ``neutron.policies`` in ``setup.cfg`` like
|
||||
below:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
oslo.policy.policies =
|
||||
neutron = neutron.conf.policies:list_rules
|
||||
neutron.policies =
|
||||
neutron = neutron.conf.policies:list_rules
|
||||
|
||||
The above two entries are same, but they have different purposes.
|
||||
|
||||
* The first entry point is a normal entry point defined by oslo.policy and it
|
||||
is used to generate a sample policy file [#]_ [#]_.
|
||||
* The second one is specific to neutron. It is used by ``neutron.policy``
|
||||
module to load policies of neutron related projects.
|
||||
|
||||
``oslo.policy.policies`` entry point is used by all projects which adopt
|
||||
oslo.policy, so we cannot determine which projects are neutron related
|
||||
projects, so the second entry point is required.
|
||||
|
||||
The recommended entry point name is a repository name: For example,
|
||||
'neutron-fwaas' for FWaaS and 'networking-sfc' for SFC:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
oslo.policy.policies =
|
||||
neutron-fwaas = neutron_fwaas.policies:list_rules
|
||||
neutron.policies =
|
||||
neutron-fwaas = neutron_fwaas.policies:list_rules
|
||||
|
||||
Except registering the ``neutron.policies`` entry point, other steps to be done
|
||||
in each neutron related project for policy-in-code support are same for all
|
||||
OpenStack projects.
|
||||
|
||||
References
|
||||
----------
|
||||
|
@ -320,3 +361,6 @@ References
|
|||
.. [#] Policy reset_ in neutron.api.v2.router
|
||||
|
||||
.. _reset: http://git.openstack.org/cgit/openstack/neutron/tree/neutron/api/v2/router.py?id=2015.1.1#n122
|
||||
|
||||
.. [#] https://docs.openstack.org/oslo.policy/latest/user/usage.html#sample-file-generation
|
||||
.. [#] https://docs.openstack.org/oslo.policy/latest/cli/index.html#oslopolicy-sample-generator
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
To generate the sample policy.json file, run the following command from the top
|
||||
level of the neutron directory:
|
||||
|
||||
tox -e genpolicy
|
|
@ -0,0 +1,3 @@
|
|||
[DEFAULT]
|
||||
output_file = etc/policy.yaml.sample
|
||||
namespace = neutron
|
262
etc/policy.json
262
etc/policy.json
|
@ -1,262 +0,0 @@
|
|||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"owner": "tenant_id:%(tenant_id)s",
|
||||
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
||||
"context_is_advsvc": "role:advsvc",
|
||||
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
||||
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
||||
"admin_only": "rule:context_is_admin",
|
||||
"regular_user": "",
|
||||
"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator",
|
||||
"shared": "field:networks:shared=True",
|
||||
"shared_subnetpools": "field:subnetpools:shared=True",
|
||||
"shared_address_scopes": "field:address_scopes:shared=True",
|
||||
"external": "field:networks:router:external=True",
|
||||
"default": "rule:admin_or_owner",
|
||||
"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s",
|
||||
|
||||
"create_subnet": "rule:admin_or_network_owner",
|
||||
"create_subnet:segment_id": "rule:admin_only",
|
||||
"create_subnet:service_types": "rule:admin_only",
|
||||
"get_subnet": "rule:admin_or_owner or rule:shared",
|
||||
"get_subnet:segment_id": "rule:admin_only",
|
||||
"update_subnet": "rule:admin_or_network_owner",
|
||||
"update_subnet:service_types": "rule:admin_only",
|
||||
"delete_subnet": "rule:admin_or_network_owner",
|
||||
|
||||
"create_subnetpool": "",
|
||||
"create_subnetpool:shared": "rule:admin_only",
|
||||
"create_subnetpool:is_default": "rule:admin_only",
|
||||
"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
|
||||
"update_subnetpool": "rule:admin_or_owner",
|
||||
"update_subnetpool:is_default": "rule:admin_only",
|
||||
"delete_subnetpool": "rule:admin_or_owner",
|
||||
|
||||
"create_address_scope": "",
|
||||
"create_address_scope:shared": "rule:admin_only",
|
||||
"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
|
||||
"update_address_scope": "rule:admin_or_owner",
|
||||
"update_address_scope:shared": "rule:admin_only",
|
||||
"delete_address_scope": "rule:admin_or_owner",
|
||||
|
||||
"create_network": "",
|
||||
"create_network:shared": "rule:admin_only",
|
||||
"create_network:router:external": "rule:admin_only",
|
||||
"create_network:is_default": "rule:admin_only",
|
||||
"create_network:segments": "rule:admin_only",
|
||||
"create_network:provider:network_type": "rule:admin_only",
|
||||
"create_network:provider:physical_network": "rule:admin_only",
|
||||
"create_network:provider:segmentation_id": "rule:admin_only",
|
||||
"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
|
||||
"get_network:router:external": "rule:regular_user",
|
||||
"get_network:segments": "rule:admin_only",
|
||||
"get_network:provider:network_type": "rule:admin_only",
|
||||
"get_network:provider:physical_network": "rule:admin_only",
|
||||
"get_network:provider:segmentation_id": "rule:admin_only",
|
||||
"get_network:queue_id": "rule:admin_only",
|
||||
"get_network_ip_availabilities": "rule:admin_only",
|
||||
"get_network_ip_availability": "rule:admin_only",
|
||||
"get_availability_zone": "",
|
||||
"update_network": "rule:admin_or_owner",
|
||||
"update_network:segments": "rule:admin_only",
|
||||
"update_network:shared": "rule:admin_only",
|
||||
"update_network:provider:network_type": "rule:admin_only",
|
||||
"update_network:provider:physical_network": "rule:admin_only",
|
||||
"update_network:provider:segmentation_id": "rule:admin_only",
|
||||
"update_network:router:external": "rule:admin_only",
|
||||
"delete_network": "rule:admin_or_owner",
|
||||
|
||||
"create_segment": "rule:admin_only",
|
||||
"get_segment": "rule:admin_only",
|
||||
"update_segment": "rule:admin_only",
|
||||
"delete_segment": "rule:admin_only",
|
||||
|
||||
"network_device": "field:port:device_owner=~^network:",
|
||||
"create_port": "",
|
||||
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
|
||||
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:binding:host_id": "rule:admin_only",
|
||||
"create_port:binding:profile": "rule:admin_only",
|
||||
"create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||
"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
|
||||
"get_port:queue_id": "rule:admin_only",
|
||||
"get_port:binding:vif_type": "rule:admin_only",
|
||||
"get_port:binding:vif_details": "rule:admin_only",
|
||||
"get_port:binding:host_id": "rule:admin_only",
|
||||
"get_port:binding:profile": "rule:admin_only",
|
||||
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
|
||||
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
|
||||
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:binding:host_id": "rule:admin_only",
|
||||
"update_port:binding:profile": "rule:admin_only",
|
||||
"update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||
"update_port:data_plane_status": "rule:admin_or_data_plane_int",
|
||||
"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
|
||||
|
||||
"create_router": "rule:regular_user",
|
||||
"create_router:external_gateway_info": "rule:admin_or_owner",
|
||||
"create_router:external_gateway_info:network_id": "rule:admin_or_owner",
|
||||
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
|
||||
"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
|
||||
"create_router:distributed": "rule:admin_only",
|
||||
"create_router:ha": "rule:admin_only",
|
||||
"get_router": "rule:admin_or_owner",
|
||||
"get_router:ha": "rule:admin_only",
|
||||
"get_router:distributed": "rule:admin_only",
|
||||
"update_router": "rule:admin_or_owner",
|
||||
"update_router:external_gateway_info": "rule:admin_or_owner",
|
||||
"update_router:external_gateway_info:network_id": "rule:admin_or_owner",
|
||||
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
|
||||
"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
|
||||
"update_router:distributed": "rule:admin_only",
|
||||
"update_router:ha": "rule:admin_only",
|
||||
"delete_router": "rule:admin_or_owner",
|
||||
|
||||
"add_router_interface": "rule:admin_or_owner",
|
||||
"remove_router_interface": "rule:admin_or_owner",
|
||||
|
||||
"create_qos_queue": "rule:admin_only",
|
||||
"get_qos_queue": "rule:admin_only",
|
||||
|
||||
"get_agent": "rule:admin_only",
|
||||
"update_agent": "rule:admin_only",
|
||||
"delete_agent": "rule:admin_only",
|
||||
|
||||
"create_dhcp-network": "rule:admin_only",
|
||||
"get_dhcp-networks": "rule:admin_only",
|
||||
"delete_dhcp-network": "rule:admin_only",
|
||||
|
||||
"create_l3-router": "rule:admin_only",
|
||||
"get_l3-routers": "rule:admin_only",
|
||||
"delete_l3-router": "rule:admin_only",
|
||||
|
||||
"get_dhcp-agents": "rule:admin_only",
|
||||
"get_l3-agents": "rule:admin_only",
|
||||
|
||||
"get_loadbalancer-agent": "rule:admin_only",
|
||||
"get_loadbalancer-pools": "rule:admin_only",
|
||||
"get_agent-loadbalancers": "rule:admin_only",
|
||||
"get_loadbalancer-hosting-agent": "rule:admin_only",
|
||||
|
||||
"create_floatingip": "rule:regular_user",
|
||||
"create_floatingip:floating_ip_address": "rule:admin_only",
|
||||
"get_floatingip": "rule:admin_or_owner",
|
||||
"get_floatingip_pool": "rule:regular_user",
|
||||
"update_floatingip": "rule:admin_or_owner",
|
||||
"delete_floatingip": "rule:admin_or_owner",
|
||||
|
||||
"create_network_profile": "rule:admin_only",
|
||||
"get_network_profiles": "",
|
||||
"get_network_profile": "",
|
||||
"update_network_profile": "rule:admin_only",
|
||||
"delete_network_profile": "rule:admin_only",
|
||||
|
||||
"get_policy_profiles": "",
|
||||
"get_policy_profile": "",
|
||||
"update_policy_profiles": "rule:admin_only",
|
||||
|
||||
"create_metering_label": "rule:admin_only",
|
||||
"get_metering_label": "rule:admin_only",
|
||||
"delete_metering_label": "rule:admin_only",
|
||||
|
||||
"create_metering_label_rule": "rule:admin_only",
|
||||
"get_metering_label_rule": "rule:admin_only",
|
||||
"delete_metering_label_rule": "rule:admin_only",
|
||||
|
||||
"create_lsn": "rule:admin_only",
|
||||
"get_lsn": "rule:admin_only",
|
||||
|
||||
"get_service_provider": "rule:regular_user",
|
||||
|
||||
"create_flavor": "rule:admin_only",
|
||||
"get_flavors": "rule:regular_user",
|
||||
"get_flavor": "rule:regular_user",
|
||||
"update_flavor": "rule:admin_only",
|
||||
"delete_flavor": "rule:admin_only",
|
||||
|
||||
"create_service_profile": "rule:admin_only",
|
||||
"get_service_profiles": "rule:admin_only",
|
||||
"get_service_profile": "rule:admin_only",
|
||||
"update_service_profile": "rule:admin_only",
|
||||
"delete_service_profile": "rule:admin_only",
|
||||
|
||||
"create_policy": "rule:admin_only",
|
||||
"get_policy": "rule:regular_user",
|
||||
"update_policy": "rule:admin_only",
|
||||
"delete_policy": "rule:admin_only",
|
||||
|
||||
"create_policy_bandwidth_limit_rule": "rule:admin_only",
|
||||
"get_policy_bandwidth_limit_rule": "rule:regular_user",
|
||||
"update_policy_bandwidth_limit_rule": "rule:admin_only",
|
||||
"delete_policy_bandwidth_limit_rule": "rule:admin_only",
|
||||
|
||||
"create_policy_dscp_marking_rule": "rule:admin_only",
|
||||
"get_policy_dscp_marking_rule": "rule:regular_user",
|
||||
"update_policy_dscp_marking_rule": "rule:admin_only",
|
||||
"delete_policy_dscp_marking_rule": "rule:admin_only",
|
||||
|
||||
"get_rule_type": "rule:regular_user",
|
||||
|
||||
"create_policy_minimum_bandwidth_rule": "rule:admin_only",
|
||||
"get_policy_minimum_bandwidth_rule": "rule:regular_user",
|
||||
"update_policy_minimum_bandwidth_rule": "rule:admin_only",
|
||||
"delete_policy_minimum_bandwidth_rule": "rule:admin_only",
|
||||
|
||||
"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
|
||||
"create_rbac_policy": "",
|
||||
"create_rbac_policy:target_tenant": "rule:restrict_wildcard",
|
||||
"get_rbac_policy": "rule:admin_or_owner",
|
||||
"update_rbac_policy": "rule:admin_or_owner",
|
||||
"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
|
||||
"delete_rbac_policy": "rule:admin_or_owner",
|
||||
|
||||
"create_flavor_service_profile": "rule:admin_only",
|
||||
"get_flavor_service_profile": "rule:regular_user",
|
||||
"delete_flavor_service_profile": "rule:admin_only",
|
||||
|
||||
"get_auto_allocated_topology": "rule:admin_or_owner",
|
||||
"delete_auto_allocated_topology": "rule:admin_or_owner",
|
||||
|
||||
"create_trunk": "rule:regular_user",
|
||||
"get_trunk": "rule:admin_or_owner",
|
||||
"delete_trunk": "rule:admin_or_owner",
|
||||
|
||||
"add_subports": "rule:admin_or_owner",
|
||||
"get_subports": "",
|
||||
"remove_subports": "rule:admin_or_owner",
|
||||
|
||||
"create_security_group": "rule:admin_or_owner",
|
||||
"get_security_groups": "rule:admin_or_owner",
|
||||
"get_security_group": "rule:admin_or_owner",
|
||||
"update_security_group": "rule:admin_or_owner",
|
||||
"delete_security_group": "rule:admin_or_owner",
|
||||
|
||||
"create_security_group_rule": "rule:admin_or_owner",
|
||||
"get_security_group_rules": "rule:admin_or_owner",
|
||||
"get_security_group_rule": "rule:admin_or_owner",
|
||||
"delete_security_group_rule": "rule:admin_or_owner",
|
||||
|
||||
"get_loggable_resources": "rule:admin_only",
|
||||
|
||||
"create_log": "rule:admin_only",
|
||||
"get_log": "rule:admin_only",
|
||||
"get_logs": "rule:admin_only",
|
||||
"update_log": "rule:admin_only",
|
||||
"delete_log": "rule:admin_only",
|
||||
|
||||
"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
|
||||
"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
|
||||
"get_floatingip_port_forwardings": "rule:admin_or_ext_parent_owner",
|
||||
"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
|
||||
"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
|
||||
}
|
|
@ -0,0 +1,81 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import inspect
|
||||
import itertools
|
||||
|
||||
import six
|
||||
|
||||
from neutron.conf.policies import address_scope
|
||||
from neutron.conf.policies import agent
|
||||
from neutron.conf.policies import auto_allocated_topology
|
||||
from neutron.conf.policies import availability_zone
|
||||
from neutron.conf.policies import base
|
||||
from neutron.conf.policies import cisco_plugin
|
||||
from neutron.conf.policies import flavor
|
||||
from neutron.conf.policies import floatingip
|
||||
from neutron.conf.policies import floatingip_pools
|
||||
from neutron.conf.policies import floatingip_port_forwarding
|
||||
from neutron.conf.policies import logging
|
||||
from neutron.conf.policies import metering
|
||||
from neutron.conf.policies import network
|
||||
from neutron.conf.policies import network_ip_availability
|
||||
from neutron.conf.policies import port
|
||||
from neutron.conf.policies import qos
|
||||
from neutron.conf.policies import rbac
|
||||
from neutron.conf.policies import router
|
||||
from neutron.conf.policies import security_group
|
||||
from neutron.conf.policies import segment
|
||||
from neutron.conf.policies import service_type
|
||||
from neutron.conf.policies import subnet
|
||||
from neutron.conf.policies import subnetpool
|
||||
from neutron.conf.policies import trunk
|
||||
from neutron.conf.policies import vmware_plugin
|
||||
|
||||
|
||||
def list_rules():
|
||||
return itertools.chain(
|
||||
base.list_rules(),
|
||||
address_scope.list_rules(),
|
||||
agent.list_rules(),
|
||||
auto_allocated_topology.list_rules(),
|
||||
availability_zone.list_rules(),
|
||||
cisco_plugin.list_rules(),
|
||||
flavor.list_rules(),
|
||||
floatingip.list_rules(),
|
||||
floatingip_pools.list_rules(),
|
||||
floatingip_port_forwarding.list_rules(),
|
||||
logging.list_rules(),
|
||||
metering.list_rules(),
|
||||
network.list_rules(),
|
||||
network_ip_availability.list_rules(),
|
||||
port.list_rules(),
|
||||
qos.list_rules(),
|
||||
rbac.list_rules(),
|
||||
router.list_rules(),
|
||||
security_group.list_rules(),
|
||||
segment.list_rules(),
|
||||
service_type.list_rules(),
|
||||
subnet.list_rules(),
|
||||
subnetpool.list_rules(),
|
||||
trunk.list_rules(),
|
||||
vmware_plugin.list_rules(),
|
||||
)
|
||||
|
||||
|
||||
def reload_default_policies():
|
||||
for name, module in globals().items():
|
||||
if (inspect.ismodule(module) and
|
||||
module.__name__.startswith(__package__)):
|
||||
# NOTE: pylint checks function args wrongly.
|
||||
# pylint: disable=too-many-function-args
|
||||
six.moves.reload_module(module)
|
|
@ -0,0 +1,44 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('shared_address_scopes',
|
||||
'field:address_scopes:shared=True',
|
||||
description='Rule of shared address scope'),
|
||||
policy.RuleDefault('create_address_scope',
|
||||
'',
|
||||
description='Access rule for creating address scope'),
|
||||
policy.RuleDefault('create_address_scope:shared',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'shared address scope')),
|
||||
policy.RuleDefault('get_address_scope',
|
||||
'rule:admin_or_owner or rule:shared_address_scopes',
|
||||
description='Access rule for getting address scope'),
|
||||
policy.RuleDefault('update_address_scope',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for updating address scope'),
|
||||
policy.RuleDefault('update_address_scope:shared',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating '
|
||||
'shared attribute of address scope')),
|
||||
policy.RuleDefault('delete_address_scope',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting address scope')
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,80 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('get_agent',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting agent'),
|
||||
policy.RuleDefault('update_agent',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating agent'),
|
||||
policy.RuleDefault('delete_agent',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting agent'),
|
||||
policy.RuleDefault('create_dhcp-network',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for adding '
|
||||
'network to dhcp agent')),
|
||||
policy.RuleDefault('get_dhcp-networks',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for listing '
|
||||
'networks on the dhcp agent')),
|
||||
policy.RuleDefault('delete_dhcp-network',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for removing '
|
||||
'network from dhcp agent')),
|
||||
policy.RuleDefault('create_l3-router',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for adding '
|
||||
'router to l3 agent')),
|
||||
policy.RuleDefault('get_l3-routers',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for listing '
|
||||
'routers on the l3 agent')),
|
||||
policy.RuleDefault('delete_l3-router',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for deleting '
|
||||
'router from l3 agent')),
|
||||
policy.RuleDefault('get_dhcp-agents',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for listing '
|
||||
'dhcp agents hosting the network')),
|
||||
policy.RuleDefault('get_l3-agents',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for listing '
|
||||
'l3 agents hosting the router')),
|
||||
# TODO(amotoki): Remove LBaaS related policies once neutron-lbaas
|
||||
# is retired.
|
||||
policy.RuleDefault('get_loadbalancer-agent',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting '
|
||||
'lbaas agent hosting the pool')),
|
||||
policy.RuleDefault('get_loadbalancer-pools',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for listing '
|
||||
'pools on the lbaas agent')),
|
||||
policy.RuleDefault('get_agent-loadbalancers',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for listing '
|
||||
'loadbalancers on the lbaasv2 agent')),
|
||||
policy.RuleDefault('get_loadbalancer-hosting-agent',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting '
|
||||
'lbaasv2 agent hosting the loadbalancer')),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,31 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'get_auto_allocated_topology',
|
||||
'rule:admin_or_owner',
|
||||
description=("Access rule for getting a project's "
|
||||
"auto-allocated topology")),
|
||||
policy.RuleDefault(
|
||||
'delete_auto_allocated_topology',
|
||||
'rule:admin_or_owner',
|
||||
description=("Access rule for deleting a project's "
|
||||
"auto-allocated topology")),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,25 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'get_availability_zone',
|
||||
'',
|
||||
description='Access rule for getting availability zone'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,67 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'context_is_admin',
|
||||
'role:admin',
|
||||
description='Rule for cloud admin access'),
|
||||
policy.RuleDefault(
|
||||
'owner',
|
||||
'tenant_id:%(tenant_id)s',
|
||||
description='Rule for resource owner access'),
|
||||
policy.RuleDefault(
|
||||
'admin_or_owner',
|
||||
'rule:context_is_admin or rule:owner',
|
||||
description='Rule for admin or owner access'),
|
||||
policy.RuleDefault(
|
||||
'context_is_advsvc',
|
||||
'role:advsvc',
|
||||
description='Rule for advsvc role access'),
|
||||
policy.RuleDefault(
|
||||
'admin_or_network_owner',
|
||||
'rule:context_is_admin or tenant_id:%(network:tenant_id)s',
|
||||
description='Rule for admin or network owner access'),
|
||||
policy.RuleDefault(
|
||||
'admin_owner_or_network_owner',
|
||||
'rule:owner or rule:admin_or_network_owner',
|
||||
description=('Rule for resource owner, '
|
||||
'admin or network owner access')),
|
||||
policy.RuleDefault(
|
||||
'admin_only',
|
||||
'rule:context_is_admin',
|
||||
description='Rule only for admin access'),
|
||||
policy.RuleDefault(
|
||||
'regular_user',
|
||||
'',
|
||||
description='Rule for regular user access'),
|
||||
# TODO(amotoki): Should be renamed to shared_network? It seems clearer.
|
||||
policy.RuleDefault(
|
||||
'shared',
|
||||
'field:networks:shared=True',
|
||||
description='Rule of shared network'),
|
||||
policy.RuleDefault(
|
||||
'default',
|
||||
'rule:admin_or_owner',
|
||||
description='Default access rule'),
|
||||
policy.RuleDefault(
|
||||
'admin_or_ext_parent_owner',
|
||||
'rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s',
|
||||
description='Rule for common parent owner check'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,46 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
# TODO(amotoki): Move Cisco related policy rules to networking-cisco
|
||||
rules = [
|
||||
policy.RuleDefault('create_network_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating network profile'),
|
||||
policy.RuleDefault('get_network_profiles',
|
||||
'',
|
||||
description='Access rule for listing network profiles'),
|
||||
policy.RuleDefault('get_network_profile',
|
||||
'',
|
||||
description='Access rule for getting network profile'),
|
||||
policy.RuleDefault('update_network_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating network profile'),
|
||||
policy.RuleDefault('delete_network_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting network profile'),
|
||||
policy.RuleDefault('get_policy_profiles',
|
||||
'',
|
||||
description='Access rule for listing policy profile'),
|
||||
policy.RuleDefault('get_policy_profile',
|
||||
'',
|
||||
description='Access rule for getting policy prodile'),
|
||||
policy.RuleDefault('update_policy_profiles',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating policy profile'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,78 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'create_flavor',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating flavor'),
|
||||
policy.RuleDefault(
|
||||
'get_flavors',
|
||||
'rule:regular_user',
|
||||
description='Access rule for listing flavors'),
|
||||
policy.RuleDefault(
|
||||
'get_flavor',
|
||||
'rule:regular_user',
|
||||
description='Access rule for getting flavor'),
|
||||
policy.RuleDefault(
|
||||
'update_flavor',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating flavor'),
|
||||
policy.RuleDefault(
|
||||
'delete_flavor',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting flavor'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'create_service_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating service profile'),
|
||||
policy.RuleDefault(
|
||||
'get_service_profiles',
|
||||
'rule:admin_only',
|
||||
description='Access rule for listing service profiles'),
|
||||
policy.RuleDefault(
|
||||
'get_service_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting service profile'),
|
||||
policy.RuleDefault(
|
||||
'update_service_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating service profile'),
|
||||
policy.RuleDefault(
|
||||
'delete_service_profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting service profile'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'create_flavor_service_profile',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for associating '
|
||||
'flavor with service profile')),
|
||||
policy.RuleDefault(
|
||||
'delete_flavor_service_profile',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for disassociating '
|
||||
'flavor with service profile')),
|
||||
policy.RuleDefault(
|
||||
'get_flavor_service_profile',
|
||||
'rule:regular_user',
|
||||
description=('Access rule for getting flavor associating '
|
||||
'with the given service profiles')),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,37 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('create_floatingip',
|
||||
'rule:regular_user',
|
||||
description='Access rule for creating floating IP'),
|
||||
policy.RuleDefault('create_floatingip:floating_ip_address',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating floating IP '
|
||||
'with a specific IP address')),
|
||||
policy.RuleDefault('get_floatingip',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for getting floating IP'),
|
||||
policy.RuleDefault('update_floatingip',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for updating floating IP'),
|
||||
policy.RuleDefault('delete_floatingip',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting floating IP'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,25 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'get_floatingip_pool',
|
||||
'rule:regular_user',
|
||||
description='Access rule for getting floating IP pools'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,42 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'create_floatingip_port_forwarding',
|
||||
'rule:admin_or_ext_parent_owner',
|
||||
description='Access rule for creating floating IP port forwarding'),
|
||||
policy.RuleDefault(
|
||||
'get_floatingip_port_forwarding',
|
||||
'rule:admin_or_ext_parent_owner',
|
||||
description='Access rule for getting floating IP port forwarding'),
|
||||
# TOOD(amotoki): get_floatingip_port_forwardings looks unnecessary.
|
||||
policy.RuleDefault(
|
||||
'get_floatingip_port_forwardings',
|
||||
'rule:admin_or_ext_parent_owner',
|
||||
description='Access rule for listing floating IP port forwardings'),
|
||||
policy.RuleDefault(
|
||||
'update_floatingip_port_forwarding',
|
||||
'rule:admin_or_ext_parent_owner',
|
||||
description='Access rule for updating floating IP port forwarding'),
|
||||
policy.RuleDefault(
|
||||
'delete_floatingip_port_forwarding',
|
||||
'rule:admin_or_ext_parent_owner',
|
||||
description='Access rule for deleting floating IP port forwarding'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,45 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'get_loggable_resources',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting loggable resources'),
|
||||
policy.RuleDefault(
|
||||
'create_log',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating network log'),
|
||||
policy.RuleDefault(
|
||||
'get_log',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting network log'),
|
||||
policy.RuleDefault(
|
||||
'get_logs',
|
||||
'rule:admin_only',
|
||||
description='Access rule for listing network logs'),
|
||||
policy.RuleDefault(
|
||||
'update_log',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating network log'),
|
||||
policy.RuleDefault(
|
||||
'delete_log',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting network log'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,42 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('create_metering_label',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating metering label'),
|
||||
policy.RuleDefault('get_metering_label',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting metering label'),
|
||||
policy.RuleDefault('delete_metering_label',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting metering label'),
|
||||
policy.RuleDefault('create_metering_label_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'metering label rule')),
|
||||
policy.RuleDefault('get_metering_label_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting '
|
||||
'metering label rule')),
|
||||
policy.RuleDefault('delete_metering_label_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for deleting '
|
||||
'metering label rule'))
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,133 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'external',
|
||||
'field:networks:router:external=True',
|
||||
description='Rule of external network'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'create_network',
|
||||
'',
|
||||
description='Access rule for creating network'),
|
||||
policy.RuleDefault(
|
||||
'create_network:shared',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating shared network'),
|
||||
policy.RuleDefault(
|
||||
'create_network:router:external',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating external network'),
|
||||
policy.RuleDefault(
|
||||
'create_network:is_default',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating network with is_default'),
|
||||
policy.RuleDefault(
|
||||
'create_network:segments',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating network with segments'),
|
||||
policy.RuleDefault(
|
||||
'create_network:provider:network_type',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating network '
|
||||
'with provider network_type')),
|
||||
policy.RuleDefault(
|
||||
'create_network:provider:physical_network',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating network '
|
||||
'with provider physical_network')),
|
||||
policy.RuleDefault(
|
||||
'create_network:provider:segmentation_id',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating network '
|
||||
'with provider segmentation_id')),
|
||||
|
||||
policy.RuleDefault(
|
||||
'get_network',
|
||||
('rule:admin_or_owner or rule:shared or '
|
||||
'rule:external or rule:context_is_advsvc'),
|
||||
description='Access rule for getting shared network'),
|
||||
policy.RuleDefault(
|
||||
'get_network:router:external',
|
||||
'rule:regular_user',
|
||||
description='Access rule for getting external network'),
|
||||
policy.RuleDefault(
|
||||
'get_network:segments',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting segments of network'),
|
||||
policy.RuleDefault(
|
||||
'get_network:provider:network_type',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting provider '
|
||||
'network_type of network')),
|
||||
policy.RuleDefault(
|
||||
'get_network:provider:physical_network',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting provider '
|
||||
'physical_network of network')),
|
||||
policy.RuleDefault(
|
||||
'get_network:provider:segmentation_id',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting provider '
|
||||
'segmentation_id of network')),
|
||||
# TODO(amotoki): Move queue_id to vmware-nsx plugin
|
||||
policy.RuleDefault(
|
||||
'get_network:queue_id',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting queue_id of network'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'update_network',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for updating network'),
|
||||
policy.RuleDefault(
|
||||
'update_network:segments',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating segments of network'),
|
||||
policy.RuleDefault(
|
||||
'update_network:shared',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating shared attribute of network'),
|
||||
policy.RuleDefault(
|
||||
'update_network:provider:network_type',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating provider '
|
||||
'network_type of network')),
|
||||
policy.RuleDefault(
|
||||
'update_network:provider:physical_network',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating provider '
|
||||
'physical_network of network')),
|
||||
policy.RuleDefault(
|
||||
'update_network:provider:segmentation_id',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating provider '
|
||||
'segmentation_id of network')),
|
||||
policy.RuleDefault(
|
||||
'update_network:router:external',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating router:external attribute '
|
||||
'of network')),
|
||||
|
||||
policy.RuleDefault(
|
||||
'delete_network',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting network'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,29 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'get_network_ip_availabilities',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting network IP availabilities'),
|
||||
policy.RuleDefault(
|
||||
'get_network_ip_availability',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting network IP availability'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,176 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'network_device',
|
||||
'field:port:device_owner=~^network:',
|
||||
description='Rule of port with network device_owner'),
|
||||
policy.RuleDefault(
|
||||
'admin_or_data_plane_int',
|
||||
'rule:context_is_admin or role:data_plane_integrator',
|
||||
description='Rule for data plane integration'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'create_port',
|
||||
'',
|
||||
description='Access rule for creating port'),
|
||||
policy.RuleDefault(
|
||||
'create_port:device_owner',
|
||||
('not rule:network_device or '
|
||||
'rule:context_is_advsvc or '
|
||||
'rule:admin_or_network_owner'),
|
||||
description='Access rule for creating port with device_owner'),
|
||||
policy.RuleDefault(
|
||||
'create_port:mac_address',
|
||||
'rule:context_is_advsvc or rule:admin_or_network_owner',
|
||||
description=('Access rule for creating port with mac_address')),
|
||||
policy.RuleDefault(
|
||||
'create_port:fixed_ips',
|
||||
'rule:context_is_advsvc or rule:admin_or_network_owner',
|
||||
description='Access rule for creating port with fixed_ips'),
|
||||
policy.RuleDefault(
|
||||
'create_port:fixed_ips:ip_address',
|
||||
'rule:context_is_advsvc or rule:admin_or_network_owner',
|
||||
description=('Access rule for creating port specifying IP address in '
|
||||
'fixed_ips')),
|
||||
policy.RuleDefault(
|
||||
'create_port:fixed_ips:subnet_id',
|
||||
('rule:context_is_advsvc or '
|
||||
'rule:admin_or_network_owner or '
|
||||
'rule:shared'),
|
||||
description=('Access rule for creating port specifying subnet ID in '
|
||||
'fixed_ips')),
|
||||
policy.RuleDefault(
|
||||
'create_port:port_security_enabled',
|
||||
'rule:context_is_advsvc or rule:admin_or_network_owner',
|
||||
description=('Access rule for creating '
|
||||
'port with port_security_enabled')),
|
||||
policy.RuleDefault(
|
||||
'create_port:binding:host_id',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'port with binging host_id')),
|
||||
policy.RuleDefault(
|
||||
'create_port:binding:profile',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'port with binding profile')),
|
||||
# TODO(amotoki): Add create_port:binding:vnic_type
|
||||
# TODO(amotoki): Move mac_learning_enabled to vmware-nsx plugin
|
||||
policy.RuleDefault(
|
||||
'create_port:mac_learning_enabled',
|
||||
'rule:context_is_advsvc or rule:admin_or_network_owner',
|
||||
description=('Access rule for creating port '
|
||||
'with mac_learning_enabled attribute')),
|
||||
policy.RuleDefault(
|
||||
'create_port:allowed_address_pairs',
|
||||
'rule:admin_or_network_owner',
|
||||
description=('Access rule for creating port '
|
||||
'with allowed_address_pairs attribute')),
|
||||
|
||||
policy.RuleDefault(
|
||||
'get_port',
|
||||
'rule:context_is_advsvc or rule:admin_owner_or_network_owner',
|
||||
description='Access rule for getting port'),
|
||||
# TODO(amotoki): Move queue_id to vmware-nsx plugin
|
||||
policy.RuleDefault(
|
||||
'get_port:queue_id',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting queue_id of port'),
|
||||
policy.RuleDefault(
|
||||
'get_port:binding:vif_type',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting binding vif_type of port'),
|
||||
policy.RuleDefault(
|
||||
'get_port:binding:vif_details',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting binding vif_details of port'),
|
||||
policy.RuleDefault(
|
||||
'get_port:binding:host_id',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting binding host_id of port'),
|
||||
policy.RuleDefault(
|
||||
'get_port:binding:profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting binding profile of port'),
|
||||
# TODO(amotoki): Add get_port:binding:vnic_type
|
||||
# TODO(amotoki): Add get_port:binding:data_plane_status
|
||||
|
||||
policy.RuleDefault(
|
||||
'update_port',
|
||||
'rule:admin_or_owner or rule:context_is_advsvc',
|
||||
description='Access rule for updating port'),
|
||||
policy.RuleDefault(
|
||||
'update_port:device_owner',
|
||||
('not rule:network_device or rule:context_is_advsvc '
|
||||
'or rule:admin_or_network_owner'),
|
||||
description='Access rule for updating device_owner of port'),
|
||||
policy.RuleDefault(
|
||||
'update_port:mac_address',
|
||||
'rule:admin_only or rule:context_is_advsvc',
|
||||
description='Access rule for updating mac_address of port'),
|
||||
policy.RuleDefault(
|
||||
'update_port:fixed_ips',
|
||||
'rule:context_is_advsvc or rule:admin_or_network_owner',
|
||||
description='Access rule for updating fixed_ips of port'),
|
||||
policy.RuleDefault(
|
||||
'update_port:fixed_ips:ip_address',
|
||||
'rule:context_is_advsvc or rule:admin_or_network_owner',
|
||||
description=('Access rule for updating port specifying IP address in '
|
||||
'fixed_ips')),
|
||||
policy.RuleDefault(
|
||||
'update_port:fixed_ips:subnet_id',
|
||||
('rule:context_is_advsvc or '
|
||||
'rule:admin_or_network_owner or '
|
||||
'rule:shared'),
|
||||
description=('Access rule for updating port specifying subnet ID in '
|
||||
'fixed_ips')),
|
||||
policy.RuleDefault(
|
||||
'update_port:port_security_enabled',
|
||||
'rule:context_is_advsvc or rule:admin_or_network_owner',
|
||||
description='Access rule for updating port_security_enabled of port'),
|
||||
policy.RuleDefault(
|
||||
'update_port:binding:host_id',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating binding host_id of port'),
|
||||
policy.RuleDefault(
|
||||
'update_port:binding:profile',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating binding profile of port'),
|
||||
# TODO(amotoki): Move mac_learning_enabled to vmware-nsx plugin
|
||||
policy.RuleDefault(
|
||||
'update_port:mac_learning_enabled',
|
||||
'rule:context_is_advsvc or rule:admin_or_network_owner',
|
||||
description='Access rule for updating mac_learning_enabled of port'),
|
||||
# TODO(amotoki): Add update_port:binding:vnic_type
|
||||
policy.RuleDefault(
|
||||
'update_port:allowed_address_pairs',
|
||||
'rule:admin_or_network_owner',
|
||||
description='Access rule for updating allowed_address_pairs of port'),
|
||||
policy.RuleDefault(
|
||||
'update_port:data_plane_status',
|
||||
'rule:admin_or_data_plane_int',
|
||||
description='Access rule for updating data_plane_status of port'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'delete_port',
|
||||
'rule:context_is_advsvc or rule:admin_owner_or_network_owner',
|
||||
description='Access rule for deleting port'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,89 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('get_policy',
|
||||
'rule:regular_user',
|
||||
description='Access rule for getting QoS policy'),
|
||||
policy.RuleDefault('create_policy',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating QoS policy'),
|
||||
policy.RuleDefault('update_policy',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating QoS policy'),
|
||||
policy.RuleDefault('delete_policy',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting QoS policy'),
|
||||
|
||||
policy.RuleDefault('get_rule_type',
|
||||
'rule:regular_user',
|
||||
description=('Access rule for getting '
|
||||
'all available QoS rule types')),
|
||||
|
||||
policy.RuleDefault('get_policy_bandwidth_limit_rule',
|
||||
'rule:regular_user',
|
||||
description=('Access rule for getting '
|
||||
'QoS bandwidth limit rule')),
|
||||
policy.RuleDefault('create_policy_bandwidth_limit_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'QoS bandwidth limit rule')),
|
||||
policy.RuleDefault('update_policy_bandwidth_limit_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating '
|
||||
'QoS bandwidth limit rule')),
|
||||
policy.RuleDefault('delete_policy_bandwidth_limit_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for deleting '
|
||||
'QoS bandwidth limit rule')),
|
||||
|
||||
policy.RuleDefault('get_policy_dscp_marking_rule',
|
||||
'rule:regular_user',
|
||||
description=('Access rule for getting '
|
||||
'QoS dscp marking rule')),
|
||||
policy.RuleDefault('create_policy_dscp_marking_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'QoS dscp marking rule')),
|
||||
policy.RuleDefault('update_policy_dscp_marking_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating '
|
||||
'QoS dscp marking rule')),
|
||||
policy.RuleDefault('delete_policy_dscp_marking_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for deleting '
|
||||
'QoS dscp marking rule')),
|
||||
|
||||
policy.RuleDefault('get_policy_minimum_bandwidth_rule',
|
||||
'rule:regular_user',
|
||||
description=('Access rule for getting '
|
||||
'QoS minimum bandwidth rule')),
|
||||
policy.RuleDefault('create_policy_minimum_bandwidth_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'QoS minimum bandwidth rule')),
|
||||
policy.RuleDefault('update_policy_minimum_bandwidth_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating '
|
||||
'QoS minimum bandwidth rule')),
|
||||
policy.RuleDefault('delete_policy_minimum_bandwidth_rule',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for deleting '
|
||||
'QoS minimum bandwidth rule')),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,52 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'restrict_wildcard',
|
||||
'(not field:rbac_policy:target_tenant=*) or rule:admin_only',
|
||||
description='Rule of restrict wildcard'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'create_rbac_policy',
|
||||
'',
|
||||
description='Access rule for creating RBAC policy'),
|
||||
policy.RuleDefault(
|
||||
'create_rbac_policy:target_tenant',
|
||||
'rule:restrict_wildcard',
|
||||
description=('Access rule for creating RBAC '
|
||||
'policy with a specific target tenant')),
|
||||
policy.RuleDefault(
|
||||
'update_rbac_policy',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for updating RBAC policy'),
|
||||
policy.RuleDefault(
|
||||
'update_rbac_policy:target_tenant',
|
||||
'rule:restrict_wildcard and rule:admin_or_owner',
|
||||
description=('Access rule for updating target_tenant '
|
||||
'attribute of RBAC policy')),
|
||||
policy.RuleDefault(
|
||||
'get_rbac_policy',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for getting RBAC policy'),
|
||||
policy.RuleDefault(
|
||||
'delete_rbac_policy',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting RBAC policy'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,119 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'create_router',
|
||||
'rule:regular_user',
|
||||
description='Access rule for creating router'),
|
||||
policy.RuleDefault(
|
||||
'create_router:distributed',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'router with distributed attribute')),
|
||||
policy.RuleDefault(
|
||||
'create_router:ha',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'router with ha attribute')),
|
||||
policy.RuleDefault(
|
||||
'create_router:external_gateway_info',
|
||||
'rule:admin_or_owner',
|
||||
description=('Access rule for creating router with '
|
||||
'external_gateway_info information')),
|
||||
policy.RuleDefault(
|
||||
'create_router:external_gateway_info:network_id',
|
||||
'rule:admin_or_owner',
|
||||
description=('Access rule for creating router with network_id '
|
||||
'attribute of external_gateway_info information')),
|
||||
policy.RuleDefault(
|
||||
'create_router:external_gateway_info:enable_snat',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating router with enable_snat '
|
||||
'attribute of external_gateway_info information')),
|
||||
policy.RuleDefault(
|
||||
'create_router:external_gateway_info:external_fixed_ips',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating router with '
|
||||
'external_fixed_ips attribute of '
|
||||
'external_gateway_info information')),
|
||||
|
||||
policy.RuleDefault(
|
||||
'get_router',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for getting router'),
|
||||
policy.RuleDefault(
|
||||
'get_router:distributed',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting distributed attribute of '
|
||||
'router')),
|
||||
policy.RuleDefault(
|
||||
'get_router:ha',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting ha attribute of router'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'update_router',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for updating router'),
|
||||
policy.RuleDefault(
|
||||
'update_router:distributed',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating distributed attribute '
|
||||
'of router')),
|
||||
policy.RuleDefault(
|
||||
'update_router:ha',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating ha attribute of router'),
|
||||
policy.RuleDefault(
|
||||
'update_router:external_gateway_info',
|
||||
'rule:admin_or_owner',
|
||||
description=('Access rule for updating external_gateway_info '
|
||||
'information of router')),
|
||||
policy.RuleDefault(
|
||||
'update_router:external_gateway_info:network_id',
|
||||
'rule:admin_or_owner',
|
||||
description=('Access rule for updating network_id attribute of '
|
||||
'external_gateway_info information of router')),
|
||||
policy.RuleDefault(
|
||||
'update_router:external_gateway_info:enable_snat',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating enable_snat attribute of '
|
||||
'external_gateway_info information of router')),
|
||||
policy.RuleDefault(
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating external_fixed_ips '
|
||||
'attribute of external_gateway_info information '
|
||||
'of router')),
|
||||
|
||||
policy.RuleDefault(
|
||||
'delete_router',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting router'),
|
||||
|
||||
policy.RuleDefault(
|
||||
'add_router_interface',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for adding router interface'),
|
||||
policy.RuleDefault(
|
||||
'remove_router_interface',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for removing router interface'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,62 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
# TODO(amotoki): admin_or_owner is the right rule?
|
||||
# Does an empty string make more sense for create_security_group?
|
||||
policy.RuleDefault(
|
||||
'create_security_group',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for creating security group'),
|
||||
policy.RuleDefault(
|
||||
'get_security_group',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for getting security group'),
|
||||
policy.RuleDefault(
|
||||
'get_security_groups',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for getting security groups'),
|
||||
policy.RuleDefault(
|
||||
'update_security_group',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for updating security group'),
|
||||
policy.RuleDefault(
|
||||
'delete_security_group',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting security group'),
|
||||
|
||||
# TODO(amotoki): admin_or_owner is the right rule?
|
||||
# Does an empty string make more sense for create_security_group_rule?
|
||||
policy.RuleDefault(
|
||||
'create_security_group_rule',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for creating security group rule'),
|
||||
policy.RuleDefault(
|
||||
'get_security_group_rule',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for getting security group rule'),
|
||||
policy.RuleDefault(
|
||||
'get_security_group_rules',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for getting security groups rules'),
|
||||
policy.RuleDefault(
|
||||
'delete_security_group_rule',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting security group rule'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,33 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('create_segment',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating segment'),
|
||||
policy.RuleDefault('get_segment',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting segment'),
|
||||
policy.RuleDefault('update_segment',
|
||||
'rule:admin_only',
|
||||
description='Access rule for updating segment'),
|
||||
policy.RuleDefault('delete_segment',
|
||||
'rule:admin_only',
|
||||
description='Access rule for deleting segment'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,25 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'get_service_provider',
|
||||
'rule:regular_user',
|
||||
description='Access rule for listing all service providers'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,49 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('create_subnet',
|
||||
'rule:admin_or_network_owner',
|
||||
description='Access rule for creating subnet'),
|
||||
policy.RuleDefault('create_subnet:segment_id',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'subnet with segment_id')),
|
||||
policy.RuleDefault('create_subnet:service_types',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'subnet with service_type')),
|
||||
policy.RuleDefault('get_subnet',
|
||||
'rule:admin_or_owner or rule:shared',
|
||||
description='Access rule for getting subnet'),
|
||||
policy.RuleDefault('get_subnet:segment_id',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for getting '
|
||||
'segment_id of subnet')),
|
||||
policy.RuleDefault('update_subnet',
|
||||
'rule:admin_or_network_owner',
|
||||
description='Access rule for updating subnet'),
|
||||
policy.RuleDefault('update_subnet:service_types',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating '
|
||||
'service_types of subnet')),
|
||||
policy.RuleDefault('delete_subnet',
|
||||
'rule:admin_or_network_owner',
|
||||
description='Access rule for deleting subnet')
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,48 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault('shared_subnetpools',
|
||||
'field:subnetpools:shared=True',
|
||||
description='Rule of shared subnetpool'),
|
||||
policy.RuleDefault('create_subnetpool',
|
||||
'',
|
||||
description='Access rule for creating subnetpool'),
|
||||
policy.RuleDefault('create_subnetpool:shared',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'shared subnetpool')),
|
||||
policy.RuleDefault('create_subnetpool:is_default',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for creating '
|
||||
'subnetpool with is_default')),
|
||||
policy.RuleDefault('get_subnetpool',
|
||||
'rule:admin_or_owner or rule:shared_subnetpools',
|
||||
description='Access rule for getting subnetpool'),
|
||||
policy.RuleDefault('update_subnetpool',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for updating subnetpool'),
|
||||
policy.RuleDefault('update_subnetpool:is_default',
|
||||
'rule:admin_only',
|
||||
description=('Access rule for updating '
|
||||
'is_default of subnetpool')),
|
||||
policy.RuleDefault('delete_subnetpool',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting subnetpool')
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,45 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
'create_trunk',
|
||||
'rule:regular_user',
|
||||
description='Access rule for creating trunk'),
|
||||
policy.RuleDefault(
|
||||
'get_trunk',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for getting trunk'),
|
||||
policy.RuleDefault(
|
||||
'delete_trunk',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting trunk'),
|
||||
policy.RuleDefault(
|
||||
'get_subports',
|
||||
'',
|
||||
description='Access rule for listing subports attached to a trunk'),
|
||||
policy.RuleDefault(
|
||||
'add_subports',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for adding subports to a trunk'),
|
||||
policy.RuleDefault(
|
||||
'remove_subports',
|
||||
'rule:admin_or_owner',
|
||||
description='Access rule for deleting subports from a trunk'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -0,0 +1,35 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
# TODO(amotoki): Move VMware related policy rules to vmware-nsx
|
||||
rules = [
|
||||
policy.RuleDefault('create_lsn',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating lsn'),
|
||||
policy.RuleDefault('get_lsn',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting lsn'),
|
||||
|
||||
policy.RuleDefault('create_qos_queue',
|
||||
'rule:admin_only',
|
||||
description='Access rule for creating qos queue'),
|
||||
policy.RuleDefault('get_qos_queue',
|
||||
'rule:admin_only',
|
||||
description='Access rule for getting qos queue'),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -14,7 +14,9 @@
|
|||
# under the License.
|
||||
|
||||
import collections
|
||||
import itertools
|
||||
import re
|
||||
import sys
|
||||
|
||||
from neutron_lib.api import attributes
|
||||
from neutron_lib.api.definitions import network as net_apidef
|
||||
|
@ -28,6 +30,7 @@ from oslo_log import log as logging
|
|||
from oslo_policy import policy
|
||||
from oslo_utils import excutils
|
||||
import six
|
||||
import stevedore
|
||||
|
||||
from neutron._i18n import _
|
||||
from neutron.common import cache_utils as cache
|
||||
|
@ -53,12 +56,23 @@ def reset():
|
|||
_ENFORCER = None
|
||||
|
||||
|
||||
def register_rules(enforcer):
|
||||
extmgr = stevedore.extension.ExtensionManager('neutron.policies',
|
||||
invoke_on_load=True)
|
||||
policies = [list(e.obj) for e in extmgr.extensions]
|
||||
LOG.debug('Loaded default policies from %s '
|
||||
'under neutron.policies entry points',
|
||||
[e.name for e in extmgr.extensions])
|
||||
enforcer.register_defaults(itertools.chain(*policies))
|
||||
|
||||
|
||||
def init(conf=cfg.CONF, policy_file=None):
|
||||
"""Init an instance of the Enforcer class."""
|
||||
|
||||
global _ENFORCER
|
||||
if not _ENFORCER:
|
||||
_ENFORCER = policy.Enforcer(conf, policy_file=policy_file)
|
||||
register_rules(_ENFORCER)
|
||||
_ENFORCER.load_rules(True)
|
||||
|
||||
|
||||
|
@ -421,3 +435,24 @@ def enforce(context, action, target, plugin=None, pluralized=None):
|
|||
log_rule_list(rule)
|
||||
LOG.debug("Failed policy check for '%s'", action)
|
||||
return result
|
||||
|
||||
|
||||
def get_enforcer():
|
||||
# NOTE(amotoki): This was borrowed from nova/policy.py.
|
||||
# This method is for use by oslo.policy CLI scripts. Those scripts need the
|
||||
# 'output-file' and 'namespace' options, but having those in sys.argv means
|
||||
# loading the neutron config options will fail as those are not expected to
|
||||
# be present. So we pass in an arg list with those stripped out.
|
||||
conf_args = []
|
||||
# Start at 1 because cfg.CONF expects the equivalent of sys.argv[1:]
|
||||
i = 1
|
||||
while i < len(sys.argv):
|
||||
if sys.argv[i].strip('-') in ['namespace', 'output-file']:
|
||||
i += 2
|
||||
continue
|
||||
conf_args.append(sys.argv[i])
|
||||
i += 1
|
||||
|
||||
cfg.CONF(conf_args, project='neutron')
|
||||
init()
|
||||
return _ENFORCER
|
||||
|
|
|
@ -1,262 +0,0 @@
|
|||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"owner": "tenant_id:%(tenant_id)s",
|
||||
"admin_or_owner": "rule:context_is_admin or rule:owner",
|
||||
"context_is_advsvc": "role:advsvc",
|
||||
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
|
||||
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
|
||||
"admin_only": "rule:context_is_admin",
|
||||
"regular_user": "",
|
||||
"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator",
|
||||
"shared": "field:networks:shared=True",
|
||||
"shared_subnetpools": "field:subnetpools:shared=True",
|
||||
"shared_address_scopes": "field:address_scopes:shared=True",
|
||||
"external": "field:networks:router:external=True",
|
||||
"default": "rule:admin_or_owner",
|
||||
"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s",
|
||||
|
||||
"create_subnet": "rule:admin_or_network_owner",
|
||||
"create_subnet:segment_id": "rule:admin_only",
|
||||
"create_subnet:service_types": "rule:admin_only",
|
||||
"get_subnet": "rule:admin_or_owner or rule:shared",
|
||||
"get_subnet:segment_id": "rule:admin_only",
|
||||
"update_subnet": "rule:admin_or_network_owner",
|
||||
"update_subnet:service_types": "rule:admin_only",
|
||||
"delete_subnet": "rule:admin_or_network_owner",
|
||||
|
||||
"create_subnetpool": "",
|
||||
"create_subnetpool:shared": "rule:admin_only",
|
||||
"create_subnetpool:is_default": "rule:admin_only",
|
||||
"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
|
||||
"update_subnetpool": "rule:admin_or_owner",
|
||||
"update_subnetpool:is_default": "rule:admin_only",
|
||||
"delete_subnetpool": "rule:admin_or_owner",
|
||||
|
||||
"create_address_scope": "",
|
||||
"create_address_scope:shared": "rule:admin_only",
|
||||
"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
|
||||
"update_address_scope": "rule:admin_or_owner",
|
||||
"update_address_scope:shared": "rule:admin_only",
|
||||
"delete_address_scope": "rule:admin_or_owner",
|
||||
|
||||
"create_network": "",
|
||||
"create_network:shared": "rule:admin_only",
|
||||
"create_network:router:external": "rule:admin_only",
|
||||
"create_network:is_default": "rule:admin_only",
|
||||
"create_network:segments": "rule:admin_only",
|
||||
"create_network:provider:network_type": "rule:admin_only",
|
||||
"create_network:provider:physical_network": "rule:admin_only",
|
||||
"create_network:provider:segmentation_id": "rule:admin_only",
|
||||
"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
|
||||
"get_network:router:external": "rule:regular_user",
|
||||
"get_network:segments": "rule:admin_only",
|
||||
"get_network:provider:network_type": "rule:admin_only",
|
||||
"get_network:provider:physical_network": "rule:admin_only",
|
||||
"get_network:provider:segmentation_id": "rule:admin_only",
|
||||
"get_network:queue_id": "rule:admin_only",
|
||||
"get_network_ip_availabilities": "rule:admin_only",
|
||||
"get_network_ip_availability": "rule:admin_only",
|
||||
"get_availability_zone": "",
|
||||
"update_network": "rule:admin_or_owner",
|
||||
"update_network:segments": "rule:admin_only",
|
||||
"update_network:shared": "rule:admin_only",
|
||||
"update_network:provider:network_type": "rule:admin_only",
|
||||
"update_network:provider:physical_network": "rule:admin_only",
|
||||
"update_network:provider:segmentation_id": "rule:admin_only",
|
||||
"update_network:router:external": "rule:admin_only",
|
||||
"delete_network": "rule:admin_or_owner",
|
||||
|
||||
"create_segment": "rule:admin_only",
|
||||
"get_segment": "rule:admin_only",
|
||||
"update_segment": "rule:admin_only",
|
||||
"delete_segment": "rule:admin_only",
|
||||
|
||||
"network_device": "field:port:device_owner=~^network:",
|
||||
"create_port": "",
|
||||
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
|
||||
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:binding:host_id": "rule:admin_only",
|
||||
"create_port:binding:profile": "rule:admin_only",
|
||||
"create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||
"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
|
||||
"get_port:queue_id": "rule:admin_only",
|
||||
"get_port:binding:vif_type": "rule:admin_only",
|
||||
"get_port:binding:vif_details": "rule:admin_only",
|
||||
"get_port:binding:host_id": "rule:admin_only",
|
||||
"get_port:binding:profile": "rule:admin_only",
|
||||
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
|
||||
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
|
||||
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:binding:host_id": "rule:admin_only",
|
||||
"update_port:binding:profile": "rule:admin_only",
|
||||
"update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||
"update_port:data_plane_status": "rule:admin_or_data_plane_int",
|
||||
"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
|
||||
|
||||
"create_router": "rule:regular_user",
|
||||
"create_router:external_gateway_info": "rule:admin_or_owner",
|
||||
"create_router:external_gateway_info:network_id": "rule:admin_or_owner",
|
||||
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
|
||||
"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
|
||||
"create_router:distributed": "rule:admin_only",
|
||||
"create_router:ha": "rule:admin_only",
|
||||
"get_router": "rule:admin_or_owner",
|
||||
"get_router:ha": "rule:admin_only",
|
||||
"get_router:distributed": "rule:admin_only",
|
||||
"update_router": "rule:admin_or_owner",
|
||||
"update_router:external_gateway_info": "rule:admin_or_owner",
|
||||
"update_router:external_gateway_info:network_id": "rule:admin_or_owner",
|
||||
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
|
||||
"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
|
||||
"update_router:distributed": "rule:admin_only",
|
||||
"update_router:ha": "rule:admin_only",
|
||||
"delete_router": "rule:admin_or_owner",
|
||||
|
||||
"add_router_interface": "rule:admin_or_owner",
|
||||
"remove_router_interface": "rule:admin_or_owner",
|
||||
|
||||
"create_qos_queue": "rule:admin_only",
|
||||
"get_qos_queue": "rule:admin_only",
|
||||
|
||||
"get_agent": "rule:admin_only",
|
||||
"update_agent": "rule:admin_only",
|
||||
"delete_agent": "rule:admin_only",
|
||||
|
||||
"create_dhcp-network": "rule:admin_only",
|
||||
"get_dhcp-networks": "rule:admin_only",
|
||||
"delete_dhcp-network": "rule:admin_only",
|
||||
|
||||
"create_l3-router": "rule:admin_only",
|
||||
"get_l3-routers": "rule:admin_only",
|
||||
"delete_l3-router": "rule:admin_only",
|
||||
|
||||
"get_dhcp-agents": "rule:admin_only",
|
||||
"get_l3-agents": "rule:admin_only",
|
||||
|
||||
"get_loadbalancer-agent": "rule:admin_only",
|
||||
"get_loadbalancer-pools": "rule:admin_only",
|
||||
"get_agent-loadbalancers": "rule:admin_only",
|
||||
"get_loadbalancer-hosting-agent": "rule:admin_only",
|
||||
|
||||
"create_floatingip": "rule:regular_user",
|
||||
"create_floatingip:floating_ip_address": "rule:admin_only",
|
||||
"get_floatingip": "rule:admin_or_owner",
|
||||
"get_floatingip_pool": "rule:regular_user",
|
||||
"update_floatingip": "rule:admin_or_owner",
|
||||
"delete_floatingip": "rule:admin_or_owner",
|
||||
|
||||
"create_network_profile": "rule:admin_only",
|
||||
"get_network_profiles": "",
|
||||
"get_network_profile": "",
|
||||
"update_network_profile": "rule:admin_only",
|
||||
"delete_network_profile": "rule:admin_only",
|
||||
|
||||
"get_policy_profiles": "",
|
||||
"get_policy_profile": "",
|
||||
"update_policy_profiles": "rule:admin_only",
|
||||
|
||||
"create_metering_label": "rule:admin_only",
|
||||
"get_metering_label": "rule:admin_only",
|
||||
"delete_metering_label": "rule:admin_only",
|
||||
|
||||
"create_metering_label_rule": "rule:admin_only",
|
||||
"get_metering_label_rule": "rule:admin_only",
|
||||
"delete_metering_label_rule": "rule:admin_only",
|
||||
|
||||
"create_lsn": "rule:admin_only",
|
||||
"get_lsn": "rule:admin_only",
|
||||
|
||||
"get_service_provider": "rule:regular_user",
|
||||
|
||||
"create_flavor": "rule:admin_only",
|
||||
"get_flavors": "rule:regular_user",
|
||||
"get_flavor": "rule:regular_user",
|
||||
"update_flavor": "rule:admin_only",
|
||||
"delete_flavor": "rule:admin_only",
|
||||
|
||||
"create_service_profile": "rule:admin_only",
|
||||
"get_service_profiles": "rule:admin_only",
|
||||
"get_service_profile": "rule:admin_only",
|
||||
"update_service_profile": "rule:admin_only",
|
||||
"delete_service_profile": "rule:admin_only",
|
||||
|
||||
"create_policy": "rule:admin_only",
|
||||
"get_policy": "rule:regular_user",
|
||||
"update_policy": "rule:admin_only",
|
||||
"delete_policy": "rule:admin_only",
|
||||
|
||||
"create_policy_bandwidth_limit_rule": "rule:admin_only",
|
||||
"get_policy_bandwidth_limit_rule": "rule:regular_user",
|
||||
"update_policy_bandwidth_limit_rule": "rule:admin_only",
|
||||
"delete_policy_bandwidth_limit_rule": "rule:admin_only",
|
||||
|
||||
"create_policy_dscp_marking_rule": "rule:admin_only",
|
||||
"get_policy_dscp_marking_rule": "rule:regular_user",
|
||||
"update_policy_dscp_marking_rule": "rule:admin_only",
|
||||
"delete_policy_dscp_marking_rule": "rule:admin_only",
|
||||
|
||||
"get_rule_type": "rule:regular_user",
|
||||
|
||||
"create_policy_minimum_bandwidth_rule": "rule:admin_only",
|
||||
"get_policy_minimum_bandwidth_rule": "rule:regular_user",
|
||||
"update_policy_minimum_bandwidth_rule": "rule:admin_only",
|
||||
"delete_policy_minimum_bandwidth_rule": "rule:admin_only",
|
||||
|
||||
"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
|
||||
"create_rbac_policy": "",
|
||||
"create_rbac_policy:target_tenant": "rule:restrict_wildcard",
|
||||
"get_rbac_policy": "rule:admin_or_owner",
|
||||
"update_rbac_policy": "rule:admin_or_owner",
|
||||
"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
|
||||
"delete_rbac_policy": "rule:admin_or_owner",
|
||||
|
||||
"create_flavor_service_profile": "rule:admin_only",
|
||||
"get_flavor_service_profile": "rule:regular_user",
|
||||
"delete_flavor_service_profile": "rule:admin_only",
|
||||
|
||||
"get_auto_allocated_topology": "rule:admin_or_owner",
|
||||
"delete_auto_allocated_topology": "rule:admin_or_owner",
|
||||
|
||||
"create_trunk": "rule:regular_user",
|
||||
"get_trunk": "rule:admin_or_owner",
|
||||
"delete_trunk": "rule:admin_or_owner",
|
||||
|
||||
"add_subports": "rule:admin_or_owner",
|
||||
"get_subports": "",
|
||||
"remove_subports": "rule:admin_or_owner",
|
||||
|
||||
"create_security_group": "rule:admin_or_owner",
|
||||
"get_security_groups": "rule:admin_or_owner",
|
||||
"get_security_group": "rule:admin_or_owner",
|
||||
"update_security_group": "rule:admin_or_owner",
|
||||
"delete_security_group": "rule:admin_or_owner",
|
||||
|
||||
"create_security_group_rule": "rule:admin_or_owner",
|
||||
"get_security_group_rules": "rule:admin_or_owner",
|
||||
"get_security_group_rule": "rule:admin_or_owner",
|
||||
"delete_security_group_rule": "rule:admin_or_owner",
|
||||
|
||||
"get_loggable_resources": "rule:admin_only",
|
||||
|
||||
"create_log": "rule:admin_only",
|
||||
"get_log": "rule:admin_only",
|
||||
"get_logs": "rule:admin_only",
|
||||
"update_log": "rule:admin_only",
|
||||
"delete_log": "rule:admin_only",
|
||||
|
||||
"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
|
||||
"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
|
||||
"get_floatingip_port_forwardings": "rule:admin_or_ext_parent_owner",
|
||||
"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
|
||||
"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
|
||||
}
|
|
@ -20,6 +20,7 @@ from neutron_lib import context
|
|||
from neutron_lib import fixture
|
||||
|
||||
from neutron.api import extensions
|
||||
from neutron.conf import policies
|
||||
from neutron import policy
|
||||
from neutron.tests.functional import base
|
||||
|
||||
|
@ -86,6 +87,10 @@ class APIPolicyTestCase(base.BaseLoggingTestCase):
|
|||
extension_manager = extensions.ExtensionManager(self.extension_path)
|
||||
extension_manager.extend_resources(self.api_version,
|
||||
attributes.RESOURCES)
|
||||
# TODO(amotoki): Consider this should be part of
|
||||
# neutron.policy.reset (or refresh), but as of now
|
||||
# this is only required for unit testing.
|
||||
policies.reload_default_policies()
|
||||
policy.init()
|
||||
admin_context = context.get_admin_context()
|
||||
tenant_context = context.Context('test_user', 'test_tenant_id', False)
|
||||
|
|
|
@ -50,6 +50,7 @@ from neutron.common import exceptions as n_exc
|
|||
from neutron.common import ipv6_utils
|
||||
from neutron.common import test_lib
|
||||
from neutron.common import utils
|
||||
from neutron.conf import policies
|
||||
from neutron.db import db_base_plugin_common
|
||||
from neutron.db import ipam_backend_mixin
|
||||
from neutron.db.models import l3 as l3_models
|
||||
|
@ -61,6 +62,7 @@ from neutron.ipam import exceptions as ipam_exc
|
|||
from neutron.objects import network as network_obj
|
||||
from neutron.objects import router as l3_obj
|
||||
from neutron.plugins.ml2.common import exceptions as ml2_exceptions
|
||||
from neutron import policy
|
||||
from neutron.tests import base
|
||||
from neutron.tests import tools
|
||||
from neutron.tests.unit.api import test_extensions
|
||||
|
@ -177,6 +179,21 @@ class NeutronDbPluginV2TestCase(testlib_api.WebTestCase):
|
|||
self._skip_native_sorting = not _is_native_sorting_support()
|
||||
if ext_mgr:
|
||||
self.ext_api = test_extensions.setup_extensions_middleware(ext_mgr)
|
||||
# NOTE(amotoki): policy._ENFORCER is initialized in
|
||||
# neutron.tests.base.BaseTestCase.setUp() but this is too early
|
||||
# and neutron.policy.FieldCheck conv_func does not work
|
||||
# because extended resources are not populated to
|
||||
# attributes.RESOURCES yet.
|
||||
# Thus we need to refresh the default policy rules after loading
|
||||
# extensions. Especially it is important to re-instantiate
|
||||
# DefaultRule() under neutron.conf.policies. To do this,
|
||||
# we need to reload the default policy modules.
|
||||
policy.reset()
|
||||
# TODO(amotoki): Consider this should be part of
|
||||
# neutron.policy.reset (or refresh), but as of now
|
||||
# this is only required for unit testing.
|
||||
policies.reload_default_policies()
|
||||
policy.init()
|
||||
|
||||
def setup_config(self):
|
||||
# Create the default configurations
|
||||
|
|
|
@ -24,7 +24,6 @@ packages =
|
|||
data_files =
|
||||
etc/neutron =
|
||||
etc/api-paste.ini
|
||||
etc/policy.json
|
||||
etc/rootwrap.conf
|
||||
etc/neutron/rootwrap.d = etc/neutron/rootwrap.d/*
|
||||
scripts =
|
||||
|
@ -143,6 +142,12 @@ oslo.config.opts =
|
|||
nova.auth = neutron.opts:list_auth_opts
|
||||
oslo.config.opts.defaults =
|
||||
neutron = neutron.common.config:set_cors_middleware_defaults
|
||||
oslo.policy.enforcer =
|
||||
neutron = neutron.policy:get_enforcer
|
||||
oslo.policy.policies =
|
||||
neutron = neutron.conf.policies:list_rules
|
||||
neutron.policies =
|
||||
neutron = neutron.conf.policies:list_rules
|
||||
neutron.db.alembic_migrations =
|
||||
neutron = neutron.db.migration:alembic_migrations
|
||||
neutron.interface_drivers =
|
||||
|
|
|
@ -45,22 +45,9 @@ check_pot_files_errors () {
|
|||
fi
|
||||
}
|
||||
|
||||
|
||||
check_identical_policy_files () {
|
||||
# For unit tests, we maintain their own policy.json file to make test suite
|
||||
# independent of whether it's executed from the neutron source tree or from
|
||||
# site-packages installation path. We don't want two copies of the same
|
||||
# file to diverge, so checking that they are identical
|
||||
diff etc/policy.json neutron/tests/etc/policy.json 2>&1 > /dev/null
|
||||
if [ "$?" -ne 0 ]; then
|
||||
echo "policy.json files must be identical!" >>$FAILURES
|
||||
fi
|
||||
}
|
||||
|
||||
# Add your checks here...
|
||||
check_no_symlinks_allowed
|
||||
check_pot_files_errors
|
||||
check_identical_policy_files
|
||||
|
||||
# Fail, if there are emitted failures
|
||||
if [ -f $FAILURES ]; then
|
||||
|
|
6
tox.ini
6
tox.ini
|
@ -116,6 +116,7 @@ commands=
|
|||
{[testenv:genconfig]commands}
|
||||
{[testenv:bashate]commands}
|
||||
{[testenv:bandit]commands}
|
||||
{[testenv:genpolicy]commands}
|
||||
whitelist_externals =
|
||||
sh
|
||||
bash
|
||||
|
@ -202,6 +203,11 @@ basepython = python3
|
|||
envdir = {toxworkdir}/shared
|
||||
commands = {toxinidir}/tools/generate_config_file_samples.sh
|
||||
|
||||
[testenv:genpolicy]
|
||||
basepython = python3
|
||||
envdir = {toxworkdir}/shared
|
||||
commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
|
||||
|
||||
# This environment can be used to quickly validate that all needed system
|
||||
# packages required to successfully execute test targets are installed
|
||||
[testenv:bindep]
|
||||
|
|
Loading…
Reference in New Issue