Define popular policy rules by constants

This commit replaces simple rules with constants.
These constants are planned to be moved to neutron-lib in the future.

Partially Implements: blueprint neutron-policy-in-code

Change-Id: I94f95882880d9caaa9cd9d8aaebb8547f78ed162
Akihiro Motoki 2018-12-19 03:48:16 +09:00
parent 7518ac5cfa
commit d6c6c68e46
23 changed files with 217 additions and 160 deletions


@ -12,30 +12,32 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault('shared_address_scopes',
'field:address_scopes:shared=True',
description='Rule of shared address scope'),
policy.RuleDefault('create_address_scope',
'',
base.RULE_ANY,
description='Access rule for creating address scope'),
policy.RuleDefault('create_address_scope:shared',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'shared address scope')),
policy.RuleDefault('get_address_scope',
'rule:admin_or_owner or rule:shared_address_scopes',
description='Access rule for getting address scope'),
policy.RuleDefault('update_address_scope',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for updating address scope'),
policy.RuleDefault('update_address_scope:shared',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating '
'shared attribute of address scope')),
policy.RuleDefault('delete_address_scope',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for deleting address scope')
]
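Review bot: `get_address_scope` on the line `'rule:admin_or_owner or rule:shared_address_scopes'` is the one rule in this file still spelled as a raw string, so a later change to `base.RULE_ADMIN_OR_OWNER` would silently leave this default behind while every sibling rule follows the constant. Compose it from the constant the way base.py builds `RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC`: `' or '.join([base.RULE_ADMIN_OR_OWNER, 'rule:shared_address_scopes'])`. The resulting string is byte-identical to the current one, so the shipped default does not change.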


@ -12,65 +12,67 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault('get_agent',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting agent'),
policy.RuleDefault('update_agent',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for updating agent'),
policy.RuleDefault('delete_agent',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for deleting agent'),
policy.RuleDefault('create_dhcp-network',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for adding '
'network to dhcp agent')),
policy.RuleDefault('get_dhcp-networks',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for listing '
'networks on the dhcp agent')),
policy.RuleDefault('delete_dhcp-network',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for removing '
'network from dhcp agent')),
policy.RuleDefault('create_l3-router',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for adding '
'router to l3 agent')),
policy.RuleDefault('get_l3-routers',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for listing '
'routers on the l3 agent')),
policy.RuleDefault('delete_l3-router',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for deleting '
'router from l3 agent')),
policy.RuleDefault('get_dhcp-agents',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for listing '
'dhcp agents hosting the network')),
policy.RuleDefault('get_l3-agents',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for listing '
'l3 agents hosting the router')),
# TODO(amotoki): Remove LBaaS related policies once neutron-lbaas
# is retired.
policy.RuleDefault('get_loadbalancer-agent',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for getting '
'lbaas agent hosting the pool')),
policy.RuleDefault('get_loadbalancer-pools',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for listing '
'pools on the lbaas agent')),
policy.RuleDefault('get_agent-loadbalancers',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for listing '
'loadbalancers on the lbaasv2 agent')),
policy.RuleDefault('get_loadbalancer-hosting-agent',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for getting '
'lbaasv2 agent hosting the loadbalancer')),
]


@ -12,16 +12,18 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'get_auto_allocated_topology',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description=("Access rule for getting a project's "
"auto-allocated topology")),
policy.RuleDefault(
'delete_auto_allocated_topology',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description=("Access rule for deleting a project's "
"auto-allocated topology")),
]


@ -12,11 +12,13 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'get_availability_zone',
'',
base.RULE_ANY,
description='Access rule for getting availability zone'),
]


@ -13,6 +13,19 @@
from oslo_policy import policy
# TODO(amotoki): Define these in neutron-lib once what constants are required
# from stadium and 3rd party projects.
# As of now, the following are candidates.
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_ONLY = 'rule:admin_only'
RULE_ANY = 'rule:regular_user'
RULE_ADVSVC = 'rule:context_is_advsvc'
RULE_ADMIN_OR_NET_OWNER = 'rule:admin_or_network_owner'
RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC = ' or '.join([RULE_ADMIN_OR_NET_OWNER,
RULE_ADVSVC])
RULE_ADMIN_OR_PARENT_OWNER = 'rule:admin_or_ext_parent_owner'
rules = [
policy.RuleDefault(
'context_is_admin',
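Review bot: `RULE_ANY = 'rule:regular_user'` is not an unconditional allow: it resolves through the `regular_user` rule, which deployers can redefine in their policy file, so the call sites that previously used `''` (create_address_scope, create_network, create_port, create_rbac_policy, create_subnetpool, get_subports, get_availability_zone) now honor such an override where before they did not. That is arguably the right direction, but the commit message describes a pure constant substitution, so the constant should say it, e.g. `# Not a literal "allow all": evaluates the regular_user rule, which deployers may tighten; '' would bypass any such override.` If `regular_user` itself defaults to `''` in the `rules` list below (not visible in this hunk), the out-of-the-box behavior is unchanged. Each constant also hard-codes the name of a RuleDefault registered elsewhere in this module; a mismatch would not fail at import time but, as far as I recall oslo.policy's handling of an unknown `rule:` reference, at check time as a deny, so a unit test that every referenced rule name is registered would be cheap insurance. The `rules` list that begins at the end of this hunk continues outside it.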


@ -12,55 +12,57 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'create_flavor',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for creating flavor'),
policy.RuleDefault(
'get_flavor',
'rule:regular_user',
base.RULE_ANY,
description='Access rule for getting flavor'),
policy.RuleDefault(
'update_flavor',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for updating flavor'),
policy.RuleDefault(
'delete_flavor',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for deleting flavor'),
policy.RuleDefault(
'create_service_profile',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for creating service profile'),
policy.RuleDefault(
'get_service_profile',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting service profile'),
policy.RuleDefault(
'update_service_profile',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for updating service profile'),
policy.RuleDefault(
'delete_service_profile',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for deleting service profile'),
policy.RuleDefault(
'create_flavor_service_profile',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for associating '
'flavor with service profile')),
policy.RuleDefault(
'delete_flavor_service_profile',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for disassociating '
'flavor with service profile')),
policy.RuleDefault(
'get_flavor_service_profile',
'rule:regular_user',
base.RULE_ANY,
description=('Access rule for getting flavor associating '
'with the given service profiles')),
]


@ -12,23 +12,25 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault('create_floatingip',
'rule:regular_user',
base.RULE_ANY,
description='Access rule for creating floating IP'),
policy.RuleDefault('create_floatingip:floating_ip_address',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating floating IP '
'with a specific IP address')),
policy.RuleDefault('get_floatingip',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for getting floating IP'),
policy.RuleDefault('update_floatingip',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for updating floating IP'),
policy.RuleDefault('delete_floatingip',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for deleting floating IP'),
]


@ -12,11 +12,13 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'get_floatingip_pool',
'rule:regular_user',
base.RULE_ANY,
description='Access rule for getting floating IP pools'),
]


@ -12,23 +12,25 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'create_floatingip_port_forwarding',
'rule:admin_or_ext_parent_owner',
base.RULE_ADMIN_OR_PARENT_OWNER,
description='Access rule for creating floating IP port forwarding'),
policy.RuleDefault(
'get_floatingip_port_forwarding',
'rule:admin_or_ext_parent_owner',
base.RULE_ADMIN_OR_PARENT_OWNER,
description='Access rule for getting floating IP port forwarding'),
policy.RuleDefault(
'update_floatingip_port_forwarding',
'rule:admin_or_ext_parent_owner',
base.RULE_ADMIN_OR_PARENT_OWNER,
description='Access rule for updating floating IP port forwarding'),
policy.RuleDefault(
'delete_floatingip_port_forwarding',
'rule:admin_or_ext_parent_owner',
base.RULE_ADMIN_OR_PARENT_OWNER,
description='Access rule for deleting floating IP port forwarding'),
]


@ -12,27 +12,29 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'get_loggable_resource',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting loggable resource'),
policy.RuleDefault(
'create_log',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for creating network log'),
policy.RuleDefault(
'get_log',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting network log'),
policy.RuleDefault(
'update_log',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for updating network log'),
policy.RuleDefault(
'delete_log',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for deleting network log'),
]


@ -12,27 +12,29 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault('create_metering_label',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for creating metering label'),
policy.RuleDefault('get_metering_label',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting metering label'),
policy.RuleDefault('delete_metering_label',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for deleting metering label'),
policy.RuleDefault('create_metering_label_rule',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'metering label rule')),
policy.RuleDefault('get_metering_label_rule',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for getting '
'metering label rule')),
policy.RuleDefault('delete_metering_label_rule',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for deleting '
'metering label rule'))
]


@ -12,6 +12,8 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
@ -21,37 +23,37 @@ rules = [
policy.RuleDefault(
'create_network',
'',
base.RULE_ANY,
description='Access rule for creating network'),
policy.RuleDefault(
'create_network:shared',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for creating shared network'),
policy.RuleDefault(
'create_network:router:external',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for creating external network'),
policy.RuleDefault(
'create_network:is_default',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for creating network with is_default'),
policy.RuleDefault(
'create_network:segments',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for creating network with segments'),
policy.RuleDefault(
'create_network:provider:network_type',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating network '
'with provider network_type')),
policy.RuleDefault(
'create_network:provider:physical_network',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating network '
'with provider physical_network')),
policy.RuleDefault(
'create_network:provider:segmentation_id',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating network '
'with provider segmentation_id')),
@ -62,64 +64,64 @@ rules = [
description='Access rule for getting shared network'),
policy.RuleDefault(
'get_network:router:external',
'rule:regular_user',
base.RULE_ANY,
description='Access rule for getting external network'),
policy.RuleDefault(
'get_network:segments',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting segments of network'),
policy.RuleDefault(
'get_network:provider:network_type',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for getting provider '
'network_type of network')),
policy.RuleDefault(
'get_network:provider:physical_network',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for getting provider '
'physical_network of network')),
policy.RuleDefault(
'get_network:provider:segmentation_id',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for getting provider '
'segmentation_id of network')),
policy.RuleDefault(
'update_network',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for updating network'),
policy.RuleDefault(
'update_network:segments',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for updating segments of network'),
policy.RuleDefault(
'update_network:shared',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for updating shared attribute of network'),
policy.RuleDefault(
'update_network:provider:network_type',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating provider '
'network_type of network')),
policy.RuleDefault(
'update_network:provider:physical_network',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating provider '
'physical_network of network')),
policy.RuleDefault(
'update_network:provider:segmentation_id',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating provider '
'segmentation_id of network')),
policy.RuleDefault(
'update_network:router:external',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating router:external attribute '
'of network')),
policy.RuleDefault(
'delete_network',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for deleting network'),
]


@ -12,11 +12,13 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'get_network_ip_availability',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting network IP availability'),
]


@ -12,6 +12,8 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
@ -25,7 +27,7 @@ rules = [
policy.RuleDefault(
'create_port',
'',
base.RULE_ANY,
description='Access rule for creating port'),
policy.RuleDefault(
'create_port:device_owner',
@ -60,18 +62,18 @@ rules = [
'port with port_security_enabled')),
policy.RuleDefault(
'create_port:binding:host_id',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'port with binging host_id')),
policy.RuleDefault(
'create_port:binding:profile',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'port with binding profile')),
# TODO(amotoki): Add create_port:binding:vnic_type
policy.RuleDefault(
'create_port:allowed_address_pairs',
'rule:admin_or_network_owner',
base.RULE_ADMIN_OR_NET_OWNER,
description=('Access rule for creating port '
'with allowed_address_pairs attribute')),
@ -81,19 +83,19 @@ rules = [
description='Access rule for getting port'),
policy.RuleDefault(
'get_port:binding:vif_type',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting binding vif_type of port'),
policy.RuleDefault(
'get_port:binding:vif_details',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting binding vif_details of port'),
policy.RuleDefault(
'get_port:binding:host_id',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting binding host_id of port'),
policy.RuleDefault(
'get_port:binding:profile',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting binding profile of port'),
# TODO(amotoki): Add get_port:binding:vnic_type
# TODO(amotoki): Add get_port:binding:data_plane_status
@ -133,16 +135,16 @@ rules = [
description='Access rule for updating port_security_enabled of port'),
policy.RuleDefault(
'update_port:binding:host_id',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for updating binding host_id of port'),
policy.RuleDefault(
'update_port:binding:profile',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for updating binding profile of port'),
# TODO(amotoki): Add update_port:binding:vnic_type
policy.RuleDefault(
'update_port:allowed_address_pairs',
'rule:admin_or_network_owner',
base.RULE_ADMIN_OR_NET_OWNER,
description='Access rule for updating allowed_address_pairs of port'),
policy.RuleDefault(
'update_port:data_plane_status',


@ -12,74 +12,76 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault('get_policy',
'rule:regular_user',
base.RULE_ANY,
description='Access rule for getting QoS policy'),
policy.RuleDefault('create_policy',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for creating QoS policy'),
policy.RuleDefault('update_policy',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for updating QoS policy'),
policy.RuleDefault('delete_policy',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for deleting QoS policy'),
policy.RuleDefault('get_rule_type',
'rule:regular_user',
base.RULE_ANY,
description=('Access rule for getting '
'all available QoS rule types')),
policy.RuleDefault('get_policy_bandwidth_limit_rule',
'rule:regular_user',
base.RULE_ANY,
description=('Access rule for getting '
'QoS bandwidth limit rule')),
policy.RuleDefault('create_policy_bandwidth_limit_rule',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'QoS bandwidth limit rule')),
policy.RuleDefault('update_policy_bandwidth_limit_rule',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating '
'QoS bandwidth limit rule')),
policy.RuleDefault('delete_policy_bandwidth_limit_rule',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for deleting '
'QoS bandwidth limit rule')),
policy.RuleDefault('get_policy_dscp_marking_rule',
'rule:regular_user',
base.RULE_ANY,
description=('Access rule for getting '
'QoS dscp marking rule')),
policy.RuleDefault('create_policy_dscp_marking_rule',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'QoS dscp marking rule')),
policy.RuleDefault('update_policy_dscp_marking_rule',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating '
'QoS dscp marking rule')),
policy.RuleDefault('delete_policy_dscp_marking_rule',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for deleting '
'QoS dscp marking rule')),
policy.RuleDefault('get_policy_minimum_bandwidth_rule',
'rule:regular_user',
base.RULE_ANY,
description=('Access rule for getting '
'QoS minimum bandwidth rule')),
policy.RuleDefault('create_policy_minimum_bandwidth_rule',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'QoS minimum bandwidth rule')),
policy.RuleDefault('update_policy_minimum_bandwidth_rule',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating '
'QoS minimum bandwidth rule')),
policy.RuleDefault('delete_policy_minimum_bandwidth_rule',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for deleting '
'QoS minimum bandwidth rule')),
]


@ -12,6 +12,8 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
@ -21,7 +23,7 @@ rules = [
policy.RuleDefault(
'create_rbac_policy',
'',
base.RULE_ANY,
description='Access rule for creating RBAC policy'),
policy.RuleDefault(
'create_rbac_policy:target_tenant',
@ -30,7 +32,7 @@ rules = [
'policy with a specific target tenant')),
policy.RuleDefault(
'update_rbac_policy',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for updating RBAC policy'),
policy.RuleDefault(
'update_rbac_policy:target_tenant',
@ -39,11 +41,11 @@ rules = [
'attribute of RBAC policy')),
policy.RuleDefault(
'get_rbac_policy',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for getting RBAC policy'),
policy.RuleDefault(
'delete_rbac_policy',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for deleting RBAC policy'),
]


@ -12,105 +12,107 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'create_router',
'rule:regular_user',
base.RULE_ANY,
description='Access rule for creating router'),
policy.RuleDefault(
'create_router:distributed',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'router with distributed attribute')),
policy.RuleDefault(
'create_router:ha',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'router with ha attribute')),
policy.RuleDefault(
'create_router:external_gateway_info',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description=('Access rule for creating router with '
'external_gateway_info information')),
policy.RuleDefault(
'create_router:external_gateway_info:network_id',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description=('Access rule for creating router with network_id '
'attribute of external_gateway_info information')),
policy.RuleDefault(
'create_router:external_gateway_info:enable_snat',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating router with enable_snat '
'attribute of external_gateway_info information')),
policy.RuleDefault(
'create_router:external_gateway_info:external_fixed_ips',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating router with '
'external_fixed_ips attribute of '
'external_gateway_info information')),
policy.RuleDefault(
'get_router',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for getting router'),
policy.RuleDefault(
'get_router:distributed',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for getting distributed attribute of '
'router')),
policy.RuleDefault(
'get_router:ha',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting ha attribute of router'),
policy.RuleDefault(
'update_router',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for updating router'),
policy.RuleDefault(
'update_router:distributed',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating distributed attribute '
'of router')),
policy.RuleDefault(
'update_router:ha',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for updating ha attribute of router'),
policy.RuleDefault(
'update_router:external_gateway_info',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description=('Access rule for updating external_gateway_info '
'information of router')),
policy.RuleDefault(
'update_router:external_gateway_info:network_id',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description=('Access rule for updating network_id attribute of '
'external_gateway_info information of router')),
policy.RuleDefault(
'update_router:external_gateway_info:enable_snat',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating enable_snat attribute of '
'external_gateway_info information of router')),
policy.RuleDefault(
'update_router:external_gateway_info:external_fixed_ips',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating external_fixed_ips '
'attribute of external_gateway_info information '
'of router')),
policy.RuleDefault(
'delete_router',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for deleting router'),
policy.RuleDefault(
'add_router_interface',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for adding router interface'),
policy.RuleDefault(
'remove_router_interface',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for removing router interface'),
]


@ -12,40 +12,42 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
# TODO(amotoki): admin_or_owner is the right rule?
# Does an empty string make more sense for create_security_group?
policy.RuleDefault(
'create_security_group',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for creating security group'),
policy.RuleDefault(
'get_security_group',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for getting security group'),
policy.RuleDefault(
'update_security_group',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for updating security group'),
policy.RuleDefault(
'delete_security_group',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for deleting security group'),
# TODO(amotoki): admin_or_owner is the right rule?
# Does an empty string make more sense for create_security_group_rule?
policy.RuleDefault(
'create_security_group_rule',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for creating security group rule'),
policy.RuleDefault(
'get_security_group_rule',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for getting security group rule'),
policy.RuleDefault(
'delete_security_group_rule',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for deleting security group rule'),
]


@ -12,19 +12,21 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault('create_segment',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for creating segment'),
policy.RuleDefault('get_segment',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for getting segment'),
policy.RuleDefault('update_segment',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for updating segment'),
policy.RuleDefault('delete_segment',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description='Access rule for deleting segment'),
]


@ -12,11 +12,13 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'get_service_provider',
'rule:regular_user',
base.RULE_ANY,
description='Access rule for listing all service providers'),
]


@ -12,35 +12,37 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault('create_subnet',
'rule:admin_or_network_owner',
base.RULE_ADMIN_OR_NET_OWNER,
description='Access rule for creating subnet'),
policy.RuleDefault('create_subnet:segment_id',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'subnet with segment_id')),
policy.RuleDefault('create_subnet:service_types',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'subnet with service_type')),
policy.RuleDefault('get_subnet',
'rule:admin_or_owner or rule:shared',
description='Access rule for getting subnet'),
policy.RuleDefault('get_subnet:segment_id',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for getting '
'segment_id of subnet')),
policy.RuleDefault('update_subnet',
'rule:admin_or_network_owner',
base.RULE_ADMIN_OR_NET_OWNER,
description='Access rule for updating subnet'),
policy.RuleDefault('update_subnet:service_types',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating '
'service_types of subnet')),
policy.RuleDefault('delete_subnet',
'rule:admin_or_network_owner',
base.RULE_ADMIN_OR_NET_OWNER,
description='Access rule for deleting subnet')
]
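Review bot: `get_subnet` keeps the literal `'rule:admin_or_owner or rule:shared'` while the seven other defaults in this list were moved to the base constants, so this file now mixes both spellings of the same rule and a future rename of `admin_or_owner` would miss it. Build it from the constant, as base.py already does for `RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC`: `' or '.join([base.RULE_ADMIN_OR_OWNER, 'rule:shared'])`. The composed string is identical to the current literal, so no policy default changes; `rule:shared` itself is presumably defined in base.py's rules list, which this diff does not show.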


@ -12,34 +12,36 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault('shared_subnetpools',
'field:subnetpools:shared=True',
description='Rule of shared subnetpool'),
policy.RuleDefault('create_subnetpool',
'',
base.RULE_ANY,
description='Access rule for creating subnetpool'),
policy.RuleDefault('create_subnetpool:shared',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'shared subnetpool')),
policy.RuleDefault('create_subnetpool:is_default',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for creating '
'subnetpool with is_default')),
policy.RuleDefault('get_subnetpool',
'rule:admin_or_owner or rule:shared_subnetpools',
description='Access rule for getting subnetpool'),
policy.RuleDefault('update_subnetpool',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for updating subnetpool'),
policy.RuleDefault('update_subnetpool:is_default',
'rule:admin_only',
base.RULE_ADMIN_ONLY,
description=('Access rule for updating '
'is_default of subnetpool')),
policy.RuleDefault('delete_subnetpool',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for deleting subnetpool')
]
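Review bot: `get_subnetpool` still carries the hand-written `'rule:admin_or_owner or rule:shared_subnetpools'` although the rest of this list now goes through `base.RULE_ADMIN_OR_OWNER`, leaving one default that would not follow a change to the constant. Writing it as `' or '.join([base.RULE_ADMIN_OR_OWNER, 'rule:shared_subnetpools'])` keeps the string byte-identical and matches how base.py composes its own combined rule. The `shared_subnetpools` field check defined at the top of this file is unaffected.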


@ -12,31 +12,33 @@
from oslo_policy import policy
from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'create_trunk',
'rule:regular_user',
base.RULE_ANY,
description='Access rule for creating trunk'),
policy.RuleDefault(
'get_trunk',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for getting trunk'),
policy.RuleDefault(
'delete_trunk',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for deleting trunk'),
policy.RuleDefault(
'get_subports',
'',
base.RULE_ANY,
description='Access rule for listing subports attached to a trunk'),
policy.RuleDefault(
'add_subports',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for adding subports to a trunk'),
policy.RuleDefault(
'remove_subports',
'rule:admin_or_owner',
base.RULE_ADMIN_OR_OWNER,
description='Access rule for deleting subports from a trunk'),
]
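Review bot: `get_subports` now defaults to `base.RULE_ANY` while `get_trunk`, `add_subports` and `remove_subports` are `base.RULE_ADMIN_OR_OWNER`, and nothing in this file explains why listing subports is open to every authenticated user when reading the trunk itself is owner-scoped. The default is unchanged from the previous `''` (apart from now honoring a deployer override of `regular_user`), so this is a documentation gap rather than a regression introduced here, but a comment would stop the next reader from treating it as an oversight, e.g. `# get_subports is a member action on a trunk; ownership is presumably enforced by the get_trunk check on the parent -- confirm before relying on this default.` If the member action does not run `get_trunk` on the parent first, this default would expose subport details across projects and should be tightened to `base.RULE_ADMIN_OR_OWNER`; that cannot be determined from this hunk.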