Merge "Allow sharing of firewall rules and policies in policy.json"

2013-09-26 21:44:39 +00:00 · 2013-09-26 21:44:39 +00:00 · bf7a8951d6
commit bf7a8951d6
parent 71570fda02 fef1ced970
2 changed files with 21 additions and 3 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -5,6 +5,7 @@
    "admin_only": "rule:context_is_admin",
    "regular_user": "",
    "shared": "field:networks:shared=True",
+    "shared_firewalls": "field:firewalls:shared=True",
    "external": "field:networks:router:external=True",
    "default": "rule:admin_or_owner",

@ -71,13 +72,13 @@
    "delete_firewall": "rule:admin_or_owner",

    "create_firewall_policy": "",
-    "get_firewall_policy": "rule:admin_or_owner",
+    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
    "create_firewall_policy:shared": "rule:admin_or_owner",
    "update_firewall_policy": "rule:admin_or_owner",
    "delete_firewall_policy": "rule:admin_or_owner",

    "create_firewall_rule": "",
-    "get_firewall_rule": "rule:admin_or_owner",
+    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
    "create_firewall_rule:shared": "rule:admin_or_owner",
    "get_firewall_rule:shared": "rule:admin_or_owner",
    "update_firewall_rule": "rule:admin_or_owner",
--- a/neutron/tests/unit/test_policy.py
+++ b/neutron/tests/unit/test_policy.py
@ -250,7 +250,12 @@ class NeutronPolicyTestCase(base.BaseTestCase):
            "create_something": "rule:admin_or_owner",
            "create_something:attr": "rule:admin_or_owner",
            "create_something:attr:sub_attr_1": "rule:admin_or_owner",
-            "create_something:attr:sub_attr_2": "rule:admin_only"
+            "create_something:attr:sub_attr_2": "rule:admin_only",
+
+            "get_firewall_policy": "rule:admin_or_owner or "
+                            "rule:shared",
+            "get_firewall_rule": "rule:admin_or_owner or "
+                            "rule:shared"
        }.items())

        def fakepolicyinit():
@ -390,6 +395,18 @@ class NeutronPolicyTestCase(base.BaseTestCase):
        result = policy.enforce(self.context, action, target)
        self.assertTrue(result)

+    def test_enforce_firewall_policy_shared(self):
+        action = "get_firewall_policy"
+        target = {'shared': True, 'tenant_id': 'somebody_else'}
+        result = policy.enforce(self.context, action, target)
+        self.assertTrue(result)
+
+    def test_enforce_firewall_rule_shared(self):
+        action = "get_firewall_rule"
+        target = {'shared': True, 'tenant_id': 'somebody_else'}
+        result = policy.enforce(self.context, action, target)
+        self.assertTrue(result)
+
    def test_enforce_tenant_id_check(self):
        # Trigger a policy with rule admin_or_owner
        action = "create_network"