From a9098d218836aa82dc07ba94156f0d553f2f87a7 Mon Sep 17 00:00:00 2001
From: Salvatore Orlando
Date: Fri, 31 May 2013 17:28:35 +0200
Subject: [PATCH] Enable attribute-based policy on router:external_gateway_info

Bug 1186081

This patch also removes a check on is_write in policy.py since the code block where that check is placed assumed already that is_write == True

Change-Id: I21c54f63e1948675f67afb088c262dc5316c230d
---
 quantum/extensions/l3.py | 3 ++-
 quantum/extensions/l3_ext_gw_mode.py | 1 +
 quantum/policy.py | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/quantum/extensions/l3.py b/quantum/extensions/l3.py
index 29379a10e0a..2fc27c68bf9 100644
--- a/quantum/extensions/l3.py
+++ b/quantum/extensions/l3.py
@@ -110,7 +110,8 @@ RESOURCE_ATTRIBUTE_MAP = {
 'validate': {'type:string': None},
 'is_visible': True},
 EXTERNAL_GW_INFO: {'allow_post': True, 'allow_put': True,
- 'is_visible': True, 'default': None}
+ 'is_visible': True, 'default': None,
+ 'enforce_policy': True}
 },
 'floatingips': {
 'id': {'allow_post': False, 'allow_put': False,
diff --git a/quantum/extensions/l3_ext_gw_mode.py b/quantum/extensions/l3_ext_gw_mode.py
index 1e53c473b5b..5c431106048 100644
--- a/quantum/extensions/l3_ext_gw_mode.py
+++ b/quantum/extensions/l3_ext_gw_mode.py
@@ -33,6 +33,7 @@ EXTENDED_ATTRIBUTES_2_0 = {
 'allow_put': True,
 'is_visible': True,
 'default': None,
+ 'enforce_policy': True,
 'validate':
 {'type:dict_or_nodata':
 {'network_id': {'type:uuid': None, 'required': True},
diff --git a/quantum/policy.py b/quantum/policy.py
index 610e4c5b858..f20b63db555 100644
--- a/quantum/policy.py
+++ b/quantum/policy.py
@@ -167,7 +167,7 @@ def _build_match_rule(action, target):
 res_map[resource],
 target):
 attribute = res_map[resource][attribute_name]
- if 'enforce_policy' in attribute and is_write:
+ if 'enforce_policy' in attribute:
 attr_rule = policy.RuleCheck('rule', '%s:%s' %
 (action, attribute_name))
 match_rule = policy.AndCheck([match_rule, attr_rule])
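Review bot: No policy rule or test accompanies the new `'enforce_policy': True` on EXTERNAL_GW_INFO, here or in the matching change to l3_ext_gw_mode.py; the diffstat lists only the three source files. Per the policy.py hunk, the flag makes a request that sets this attribute also pass a rule named `<action>:<attribute_name>`, so the outcome on a deployment whose policy file lacks that rule depends on the engine's missing-rule handling, which is not visible in this patch. I would ship the rule in the default policy file together with a test that a non-admin setting the gateway is accepted or rejected as intended, and add a comment beside the flag such as `# setting this attribute is also checked against the <action>:<attribute> policy rule`.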
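Review bot: The added `'enforce_policy': True` covers the attribute as a whole, while the validator below it shows the value is a dict with its own sub-keys (`network_id` is visible; the rest of the dict continues outside the hunk). Since the rule name is built from the attribute name only, an operator cannot allow one sub-key and restrict another through policy. If that limitation is intended, a comment on the new line would record it, e.g. `# policy is enforced on the whole dict, not on individual keys`.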
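Review bot: The new condition `if 'enforce_policy' in attribute:` tests only for the presence of the key, so an attribute declared with `'enforce_policy': False` would still get an attribute rule ANDed into the match. Either follow the flag's value with `if attribute.get('enforce_policy'):` (assuming the map entries are plain dicts, as the two extension hunks suggest) or document that presence alone enables enforcement. The guard that makes dropping `and is_write` safe sits above this hunk and cannot be confirmed from here; a comment such as `# only reached for write actions, see the enclosing check` would keep a later refactor from silently applying attribute rules to reads. `_build_match_rule` starts and ends outside the hunk.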