openstack
/
neutron
Code Issues Proposed changes

Merge "Add NET_OWNER_MEMBER and NET_OWNER_READER policy rules"

This commit is contained in:
Zuul 2023-08-08 10:11:12 +00:00 committed by Gerrit Code Review
parent 2db871c5ea 0741a0d5a5
commit c453813d06
3 changed files with 35 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
neutron/conf/policies/base.py
View File

@ -56,6 +56,19 @@ ADMIN_OR_PARENT_OWNER_MEMBER = (
ADMIN_OR_PARENT_OWNER_READER = (
'(' + ADMIN + ') or (' + PARENT_OWNER_READER + ')')
# Those rules related to the network owner are very similar (almost the same)
# as parent owner defined above. The only reason why they are kept here is that
# in case of some resources like ports or subnets neutron have got policies
# related to the "network owner" and network isn't really parent of the subnet
# or port. Because of that, using parent owner in those cases may be
# missleading for users so it's better to keep also "network owner" rules.
NET_OWNER_MEMBER = 'role:member and ' + RULE_NET_OWNER
NET_OWNER_READER = 'role:reader and ' + RULE_NET_OWNER
ADMIN_OR_NET_OWNER_MEMBER = (
'(' + ADMIN + ') or (' + NET_OWNER_MEMBER + ')')
ADMIN_OR_NET_OWNER_READER = (
'(' + ADMIN + ') or (' + NET_OWNER_READER + ')')
rules = [
policy.RuleDefault(

63
neutron/conf/policies/port.py
View File

@ -66,9 +66,8 @@ rules = [
name='create_port:device_owner',
check_str=neutron_policy.policy_or(
'not rule:network_device',
base.ADMIN,
neutron_policy.RULE_ADVSVC,
base.RULE_NET_OWNER
base.ADMIN_OR_NET_OWNER_MEMBER
),
scope_types=['project'],
description='Specify ``device_owner`` attribute when creating a port',
@ -86,8 +85,7 @@ rules = [
name='create_port:mac_address',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.RULE_NET_OWNER,
base.ADMIN),
base.ADMIN_OR_NET_OWNER_MEMBER),
scope_types=['project'],
description='Specify ``mac_address`` attribute when creating a port',
operations=ACTION_POST,
@ -103,8 +101,7 @@ rules = [
name='create_port:fixed_ips',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.RULE_NET_OWNER,
base.ADMIN,
base.ADMIN_OR_NET_OWNER_MEMBER,
'rule:shared'),
scope_types=['project'],
description='Specify ``fixed_ips`` information when creating a port',
@ -122,8 +119,7 @@ rules = [
name='create_port:fixed_ips:ip_address',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.RULE_NET_OWNER,
base.ADMIN),
base.ADMIN_OR_NET_OWNER_MEMBER),
scope_types=['project'],
description='Specify IP address in ``fixed_ips`` when creating a port',
operations=ACTION_POST,
@ -139,8 +135,7 @@ rules = [
name='create_port:fixed_ips:subnet_id',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.RULE_NET_OWNER,
base.ADMIN,
base.ADMIN_OR_NET_OWNER_MEMBER,
'rule:shared'),
scope_types=['project'],
description='Specify subnet ID in ``fixed_ips`` when creating a port',
@ -158,8 +153,7 @@ rules = [
name='create_port:port_security_enabled',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.RULE_NET_OWNER,
base.ADMIN),
base.ADMIN_OR_NET_OWNER_MEMBER),
scope_types=['project'],
description=(
'Specify ``port_security_enabled`` '
@ -221,9 +215,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='create_port:allowed_address_pairs',
check_str=neutron_policy.policy_or(
base.ADMIN,
base.RULE_NET_OWNER),
check_str=base.ADMIN_OR_NET_OWNER_MEMBER,
scope_types=['project'],
description=(
'Specify ``allowed_address_pairs`` '
@ -238,9 +230,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='create_port:allowed_address_pairs:mac_address',
check_str=neutron_policy.policy_or(
base.ADMIN,
base.RULE_NET_OWNER),
check_str=base.ADMIN_OR_NET_OWNER_MEMBER,
scope_types=['project'],
description=(
'Specify ``mac_address` of `allowed_address_pairs`` '
@ -255,9 +245,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='create_port:allowed_address_pairs:ip_address',
check_str=neutron_policy.policy_or(
base.ADMIN,
base.RULE_NET_OWNER),
check_str=base.ADMIN_OR_NET_OWNER_MEMBER,
scope_types=['project'],
description=(
'Specify ``ip_address`` of ``allowed_address_pairs`` '
@ -283,9 +271,8 @@ rules = [
policy.DocumentedRuleDefault(
name='get_port',
check_str=neutron_policy.policy_or(
base.ADMIN,
neutron_policy.RULE_ADVSVC,
base.RULE_NET_OWNER,
base.ADMIN_OR_NET_OWNER_READER,
base.PROJECT_READER
),
scope_types=['project'],
@ -392,8 +379,7 @@ rules = [
check_str=neutron_policy.policy_or(
'not rule:network_device',
neutron_policy.RULE_ADVSVC,
base.RULE_NET_OWNER,
base.ADMIN
base.ADMIN_OR_NET_OWNER_MEMBER,
),
scope_types=['project'],
description='Update ``device_owner`` attribute of a port',
@ -428,8 +414,7 @@ rules = [
name='update_port:fixed_ips',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.RULE_NET_OWNER,
base.ADMIN
base.ADMIN_OR_NET_OWNER_MEMBER,
),
scope_types=['project'],
description='Specify ``fixed_ips`` information when updating a port',
@ -446,8 +431,7 @@ rules = [
name='update_port:fixed_ips:ip_address',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.RULE_NET_OWNER,
base.ADMIN
base.ADMIN_OR_NET_OWNER_MEMBER,
),
scope_types=['project'],
description=(
@ -467,8 +451,7 @@ rules = [
name='update_port:fixed_ips:subnet_id',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.RULE_NET_OWNER,
base.ADMIN,
base.ADMIN_OR_NET_OWNER_MEMBER,
'rule:shared'
),
scope_types=['project'],
@ -490,8 +473,7 @@ rules = [
name='update_port:port_security_enabled',
check_str=neutron_policy.policy_or(
neutron_policy.RULE_ADVSVC,
base.RULE_NET_OWNER,
base.ADMIN
base.ADMIN_OR_NET_OWNER_MEMBER,
),
scope_types=['project'],
description='Update ``port_security_enabled`` attribute of a port',
@ -548,9 +530,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='update_port:allowed_address_pairs',
check_str=neutron_policy.policy_or(
base.ADMIN,
base.RULE_NET_OWNER),
check_str=base.ADMIN_OR_NET_OWNER_MEMBER,
scope_types=['project'],
description='Update ``allowed_address_pairs`` attribute of a port',
operations=ACTION_PUT,
@ -562,9 +542,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='update_port:allowed_address_pairs:mac_address',
check_str=neutron_policy.policy_or(
base.ADMIN,
base.RULE_NET_OWNER),
check_str=base.ADMIN_OR_NET_OWNER_MEMBER,
scope_types=['project'],
description=(
'Update ``mac_address`` of ``allowed_address_pairs`` '
@ -579,9 +557,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='update_port:allowed_address_pairs:ip_address',
check_str=neutron_policy.policy_or(
base.ADMIN,
base.RULE_NET_OWNER),
check_str=base.ADMIN_OR_NET_OWNER_MEMBER,
scope_types=['project'],
description=(
'Update ``ip_address`` of ``allowed_address_pairs`` '
@ -619,10 +595,9 @@ rules = [
policy.DocumentedRuleDefault(
name='delete_port',
check_str=neutron_policy.policy_or(
base.ADMIN,
neutron_policy.RULE_ADVSVC,
base.PROJECT_MEMBER,
base.RULE_NET_OWNER
base.ADMIN_OR_NET_OWNER_MEMBER
),
scope_types=['project'],
description='Delete a port',

17
neutron/conf/policies/subnet.py
View File

@ -36,18 +36,11 @@ ACTION_GET = [
{'method': 'GET', 'path': RESOURCE_PATH},
]
# TODO(slaweq): remove it once network will be added to the
# EXT_PARENT_RESOURCE_MAPPING in neutron_lib and rule base.PARENT_OWNER_MEMBER
# will be possible to use instead of RULE_NET_OWNER_MEMBER
RULE_NET_OWNER_MEMBER = 'role:member and ' + base.RULE_NET_OWNER
rules = [
policy.DocumentedRuleDefault(
name='create_subnet',
check_str=neutron_policy.policy_or(
base.ADMIN,
RULE_NET_OWNER_MEMBER),
check_str=base.ADMIN_OR_NET_OWNER_MEMBER,
scope_types=['project'],
description='Create a subnet',
operations=ACTION_POST,
@ -115,9 +108,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='update_subnet',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_MEMBER,
RULE_NET_OWNER_MEMBER),
check_str=base.ADMIN_OR_NET_OWNER_MEMBER,
scope_types=['project'],
description='Update a subnet',
operations=ACTION_PUT,
@ -153,9 +144,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='delete_subnet',
check_str=neutron_policy.policy_or(
base.ADMIN_OR_PROJECT_MEMBER,
RULE_NET_OWNER_MEMBER),
check_str=base.ADMIN_OR_NET_OWNER_MEMBER,
scope_types=['project'],
description='Delete a subnet',
operations=ACTION_DELETE,