From d6c6c68e4692186620c6fdcc900fc956a958b4e1 Mon Sep 17 00:00:00 2001 From: Akihiro Motoki Date: Wed, 19 Dec 2018 03:48:16 +0900 Subject: [PATCH] Define popular policy rules by constants This commit replaces simple rules with constants. These constants plan to be moved to neutron-lib in future. Partially Implements: blueprint neutron-policy-in-code Change-Id: I94f95882880d9caaa9cd9d8aaebb8547f78ed162 --- neutron/conf/policies/address_scope.py | 12 ++--- neutron/conf/policies/agent.py | 32 +++++++------- .../conf/policies/auto_allocated_topology.py | 6 ++- neutron/conf/policies/availability_zone.py | 4 +- neutron/conf/policies/base.py | 13 ++++++ neutron/conf/policies/flavor.py | 24 +++++----- neutron/conf/policies/floatingip.py | 12 ++--- neutron/conf/policies/floatingip_pools.py | 4 +- .../policies/floatingip_port_forwarding.py | 10 +++-- neutron/conf/policies/logging.py | 12 ++--- neutron/conf/policies/metering.py | 14 +++--- neutron/conf/policies/network.py | 44 ++++++++++--------- .../conf/policies/network_ip_availability.py | 4 +- neutron/conf/policies/port.py | 24 +++++----- neutron/conf/policies/qos.py | 36 ++++++++------- neutron/conf/policies/rbac.py | 10 +++-- neutron/conf/policies/router.py | 42 +++++++++--------- neutron/conf/policies/security_group.py | 16 ++++--- neutron/conf/policies/segment.py | 10 +++-- neutron/conf/policies/service_type.py | 4 +- neutron/conf/policies/subnet.py | 16 ++++--- neutron/conf/policies/subnetpool.py | 14 +++--- neutron/conf/policies/trunk.py | 14 +++--- 23 files changed, 217 insertions(+), 160 deletions(-) diff --git a/neutron/conf/policies/address_scope.py b/neutron/conf/policies/address_scope.py index faf357cbbb8..bfd7f31c071 100644 --- a/neutron/conf/policies/address_scope.py +++ b/neutron/conf/policies/address_scope.py 
@@ -12,30 +12,32 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault('shared_address_scopes', 'field:address_scopes:shared=True', description='Rule of shared address scope'), policy.RuleDefault('create_address_scope', - '', + base.RULE_ANY, description='Access rule for creating address scope'), policy.RuleDefault('create_address_scope:shared', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating ' 'shared address scope')), policy.RuleDefault('get_address_scope', 'rule:admin_or_owner or rule:shared_address_scopes', description='Access rule for getting address scope'), policy.RuleDefault('update_address_scope', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for updating address scope'), policy.RuleDefault('update_address_scope:shared', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for updating ' 'shared attribute of address scope')), policy.RuleDefault('delete_address_scope', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for deleting address scope') ] diff --git a/neutron/conf/policies/agent.py b/neutron/conf/policies/agent.py index 4673f60c864..ee3f44d2d48 100644 --- a/neutron/conf/policies/agent.py +++ b/neutron/conf/policies/agent.py 
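Review bot: `create_address_scope` moves from `''` to `base.RULE_ANY`, which base.py in this patch defines as `'rule:regular_user'`, so the default is no longer oslo.policy's empty always-true check but a reference to the `regular_user` rule, whose definition is not in the patch. If `regular_user` is anything other than the empty rule in base.py, or an operator overrides it in policy.json, this changes who may create address scopes; the same `''` to `RULE_ANY` substitution is made for `get_availability_zone`, `create_network`, `create_port`, `create_rbac_policy` and `create_subnetpool` in later hunks. Either state in the commit message that `regular_user` is defined as `''` so the in-code defaults are unchanged, or treat this as a behaviour change and add a release note. `get_address_scope` still carries the composite literal `'rule:admin_or_owner or rule:shared_address_scopes'`; for consistency with how base.py builds `RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC` it could be written `' or '.join([base.RULE_ADMIN_OR_OWNER, 'rule:shared_address_scopes'])`.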
@@ -12,65 +12,67 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault('get_agent', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting agent'), policy.RuleDefault('update_agent', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for updating agent'), policy.RuleDefault('delete_agent', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for deleting agent'), policy.RuleDefault('create_dhcp-network', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for adding ' 'network to dhcp agent')), policy.RuleDefault('get_dhcp-networks', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for listing ' 'networks on the dhcp agent')), policy.RuleDefault('delete_dhcp-network', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for removing ' 'network from dhcp agent')), policy.RuleDefault('create_l3-router', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for adding ' 'router to l3 agent')), policy.RuleDefault('get_l3-routers', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for listing ' 'routers on the l3 agent')), policy.RuleDefault('delete_l3-router', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for deleting ' 'router from l3 agent')), policy.RuleDefault('get_dhcp-agents', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for listing ' 'dhcp agents hosting the network')), policy.RuleDefault('get_l3-agents', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for listing ' 'l3 agents hosting the router')), # TODO(amotoki): Remove LBaaS related policies once neutron-lbaas # is retired. 
policy.RuleDefault('get_loadbalancer-agent', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for getting ' 'lbaas agent hosting the pool')), policy.RuleDefault('get_loadbalancer-pools', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for listing ' 'pools on the lbaas agent')), policy.RuleDefault('get_agent-loadbalancers', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for listing ' 'loadbalancers on the lbaasv2 agent')), policy.RuleDefault('get_loadbalancer-hosting-agent', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for getting ' 'lbaasv2 agent hosting the loadbalancer')), ] diff --git a/neutron/conf/policies/auto_allocated_topology.py b/neutron/conf/policies/auto_allocated_topology.py index e55ebb27736..893ee796ffd 100644 --- a/neutron/conf/policies/auto_allocated_topology.py +++ b/neutron/conf/policies/auto_allocated_topology.py @@ -12,16 +12,18 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault( 'get_auto_allocated_topology', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description=("Access rule for getting a project's " "auto-allocated topology")), policy.RuleDefault( 'delete_auto_allocated_topology', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description=("Access rule for deleting a project's " "auto-allocated topology")), ] diff --git a/neutron/conf/policies/availability_zone.py b/neutron/conf/policies/availability_zone.py index ab886df1aab..0cbe76907e2 100644 --- a/neutron/conf/policies/availability_zone.py +++ b/neutron/conf/policies/availability_zone.py @@ -12,11 +12,13 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault( 'get_availability_zone', - '', + base.RULE_ANY, description='Access rule for getting availability zone'), ] diff --git a/neutron/conf/policies/base.py b/neutron/conf/policies/base.py index f006a84551f..5a07d6ebb4e 100644 
--- a/neutron/conf/policies/base.py +++ b/neutron/conf/policies/base.py @@ -13,6 +13,19 @@ from oslo_policy import policy +# TODO(amotoki): Define these in neutron-lib once what constants are required +# from stadium and 3rd party projects. +# As of now, the following are candidates. +RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' +RULE_ADMIN_ONLY = 'rule:admin_only' +RULE_ANY = 'rule:regular_user' +RULE_ADVSVC = 'rule:context_is_advsvc' +RULE_ADMIN_OR_NET_OWNER = 'rule:admin_or_network_owner' +RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC = ' or '.join([RULE_ADMIN_OR_NET_OWNER, + RULE_ADVSVC]) +RULE_ADMIN_OR_PARENT_OWNER = 'rule:admin_or_ext_parent_owner' + + rules = [ policy.RuleDefault( 'context_is_admin', diff --git a/neutron/conf/policies/flavor.py b/neutron/conf/policies/flavor.py index 604ee9f08ae..e36f855298a 100644 --- a/neutron/conf/policies/flavor.py +++ b/neutron/conf/policies/flavor.py 
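Review bot: The name `RULE_ANY` promises an unconditional rule but the value is `'rule:regular_user'`, a reference to a rule that is presumably defined in the `rules` list below (outside the hunk) and that operators can override in policy.json; every policy that now uses `base.RULE_ANY`, including several whose previous default was the always-true `''`, inherits that definition and any override of it. A comment on the constant should record the intent, e.g. `# Delegates to the 'regular_user' rule below; an operator override of 'regular_user' applies to every RULE_ANY policy.` Likewise `RULE_ADMIN_OR_PARENT_OWNER` drops the `ext_` from `admin_or_ext_parent_owner`, which will mislead anyone grepping a policy file for the constant's name; either rename it `RULE_ADMIN_OR_EXT_PARENT_OWNER` or note the mapping in a comment. The TODO wording `once what constants are required from stadium` is garbled; `once it is clear which constants the stadium and 3rd-party projects require` reads correctly.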
@@ -12,55 +12,57 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault( 'create_flavor', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for creating flavor'), policy.RuleDefault( 'get_flavor', - 'rule:regular_user', + base.RULE_ANY, description='Access rule for getting flavor'), policy.RuleDefault( 'update_flavor', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for updating flavor'), policy.RuleDefault( 'delete_flavor', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for deleting flavor'), policy.RuleDefault( 'create_service_profile', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for creating service profile'), policy.RuleDefault( 'get_service_profile', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting service profile'), policy.RuleDefault( 'update_service_profile', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for updating service profile'), policy.RuleDefault( 'delete_service_profile', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for deleting service profile'), policy.RuleDefault( 'create_flavor_service_profile', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for associating ' 'flavor with service profile')), policy.RuleDefault( 'delete_flavor_service_profile', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for disassociating ' 'flavor with service profile')), policy.RuleDefault( 'get_flavor_service_profile', - 'rule:regular_user', + base.RULE_ANY, description=('Access rule for getting flavor associating ' 'with the given service profiles')), ] diff --git a/neutron/conf/policies/floatingip.py b/neutron/conf/policies/floatingip.py index 235ce85d629..b3cf22dd5e3 100644 --- a/neutron/conf/policies/floatingip.py +++ b/neutron/conf/policies/floatingip.py 
@@ -12,23 +12,25 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault('create_floatingip', - 'rule:regular_user', + base.RULE_ANY, description='Access rule for creating floating IP'), policy.RuleDefault('create_floatingip:floating_ip_address', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating floating IP ' 'with a specific IP address')), policy.RuleDefault('get_floatingip', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for getting floating IP'), policy.RuleDefault('update_floatingip', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for updating floating IP'), policy.RuleDefault('delete_floatingip', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for deleting floating IP'), ] diff --git a/neutron/conf/policies/floatingip_pools.py b/neutron/conf/policies/floatingip_pools.py index 167db5f5348..8c9f22cd7ed 100644 --- a/neutron/conf/policies/floatingip_pools.py +++ b/neutron/conf/policies/floatingip_pools.py @@ -12,11 +12,13 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault( 'get_floatingip_pool', - 'rule:regular_user', + base.RULE_ANY, description='Access rule for getting floating IP pools'), ] diff --git a/neutron/conf/policies/floatingip_port_forwarding.py b/neutron/conf/policies/floatingip_port_forwarding.py index 8ab755b5592..d59bd34385c 100644 --- a/neutron/conf/policies/floatingip_port_forwarding.py +++ b/neutron/conf/policies/floatingip_port_forwarding.py 
@@ -12,23 +12,25 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault( 'create_floatingip_port_forwarding', - 'rule:admin_or_ext_parent_owner', + base.RULE_ADMIN_OR_PARENT_OWNER, description='Access rule for creating floating IP port forwarding'), policy.RuleDefault( 'get_floatingip_port_forwarding', - 'rule:admin_or_ext_parent_owner', + base.RULE_ADMIN_OR_PARENT_OWNER, description='Access rule for getting floating IP port forwarding'), policy.RuleDefault( 'update_floatingip_port_forwarding', - 'rule:admin_or_ext_parent_owner', + base.RULE_ADMIN_OR_PARENT_OWNER, description='Access rule for updating floating IP port forwarding'), policy.RuleDefault( 'delete_floatingip_port_forwarding', - 'rule:admin_or_ext_parent_owner', + base.RULE_ADMIN_OR_PARENT_OWNER, description='Access rule for deleting floating IP port forwarding'), ] diff --git a/neutron/conf/policies/logging.py b/neutron/conf/policies/logging.py index 5b62f0fdd20..14ea866100c 100644 --- a/neutron/conf/policies/logging.py +++ b/neutron/conf/policies/logging.py @@ -12,27 +12,29 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault( 'get_loggable_resource', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting loggable resource'), policy.RuleDefault( 'create_log', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for creating network log'), policy.RuleDefault( 'get_log', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting network log'), policy.RuleDefault( 'update_log', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for updating network log'), policy.RuleDefault( 'delete_log', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for deleting network log'), ] diff --git a/neutron/conf/policies/metering.py b/neutron/conf/policies/metering.py index c67eef1f2c7..4b6a1d9e65e 100644 
--- a/neutron/conf/policies/metering.py +++ b/neutron/conf/policies/metering.py @@ -12,27 +12,29 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault('create_metering_label', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for creating metering label'), policy.RuleDefault('get_metering_label', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting metering label'), policy.RuleDefault('delete_metering_label', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for deleting metering label'), policy.RuleDefault('create_metering_label_rule', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating ' 'metering label rule')), policy.RuleDefault('get_metering_label_rule', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for getting ' 'metering label rule')), policy.RuleDefault('delete_metering_label_rule', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for deleting ' 'metering label rule')) ] diff --git a/neutron/conf/policies/network.py b/neutron/conf/policies/network.py index a745572c38d..2c956fc835b 100644 --- a/neutron/conf/policies/network.py +++ b/neutron/conf/policies/network.py @@ -12,6 +12,8 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault( 
@@ -21,37 +23,37 @@ rules = [ policy.RuleDefault( 'create_network', - '', + base.RULE_ANY, description='Access rule for creating network'), policy.RuleDefault( 'create_network:shared', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for creating shared network'), policy.RuleDefault( 'create_network:router:external', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for creating external network'), policy.RuleDefault( 'create_network:is_default', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for creating network with is_default'), policy.RuleDefault( 'create_network:segments', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for creating network with segments'), policy.RuleDefault( 'create_network:provider:network_type', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating network ' 'with provider network_type')), policy.RuleDefault( 'create_network:provider:physical_network', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating network ' 'with provider physical_network')), policy.RuleDefault( 'create_network:provider:segmentation_id', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating network ' 'with provider segmentation_id')), 
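Review bot: `create_network` changes from `''` to `base.RULE_ANY` (`'rule:regular_user'` in base.py), while every attribute sub-policy in the hunk (`create_network:shared`, `:router:external`, `:is_default`, `:segments`, `:provider:*`) keeps `RULE_ADMIN_ONLY`. Whether plain network creation still succeeds for a non-admin therefore now depends on how `regular_user` is defined in base.py and on any operator override of it, neither of which is visible here; a policy unit test asserting that a non-admin, non-advsvc context passes `create_network` under the in-code defaults would pin this. The enclosing `rules` list starts before this hunk.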
@@ -62,64 +64,64 @@ rules = [ description='Access rule for getting shared network'), policy.RuleDefault( 'get_network:router:external', - 'rule:regular_user', + base.RULE_ANY, description='Access rule for getting external network'), policy.RuleDefault( 'get_network:segments', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting segments of network'), policy.RuleDefault( 'get_network:provider:network_type', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for getting provider ' 'network_type of network')), policy.RuleDefault( 'get_network:provider:physical_network', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for getting provider ' 'physical_network of network')), policy.RuleDefault( 'get_network:provider:segmentation_id', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for getting provider ' 'segmentation_id of network')), policy.RuleDefault( 'update_network', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for updating network'), policy.RuleDefault( 'update_network:segments', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for updating segments of network'), policy.RuleDefault( 'update_network:shared', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for updating shared attribute of network'), policy.RuleDefault( 'update_network:provider:network_type', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for updating provider ' 'network_type of network')), policy.RuleDefault( 'update_network:provider:physical_network', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for updating provider ' 'physical_network of network')), policy.RuleDefault( 'update_network:provider:segmentation_id', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for updating provider ' 'segmentation_id of network')), policy.RuleDefault( 
'update_network:router:external', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for updating router:external attribute ' 'of network')), policy.RuleDefault( 'delete_network', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for deleting network'), ] diff --git a/neutron/conf/policies/network_ip_availability.py b/neutron/conf/policies/network_ip_availability.py index 3f5dff8ef30..489242c84cf 100644 --- a/neutron/conf/policies/network_ip_availability.py +++ b/neutron/conf/policies/network_ip_availability.py @@ -12,11 +12,13 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault( 'get_network_ip_availability', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting network IP availability'), ] diff --git a/neutron/conf/policies/port.py b/neutron/conf/policies/port.py index 59bcff539b9..10601ec2bc5 100644 --- a/neutron/conf/policies/port.py +++ b/neutron/conf/policies/port.py @@ -12,6 +12,8 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault( @@ -25,7 +27,7 @@ rules = [ policy.RuleDefault( 'create_port', - '', + base.RULE_ANY, description='Access rule for creating port'), policy.RuleDefault( 'create_port:device_owner', @@ -60,18 +62,18 @@ rules = [ 'port with port_security_enabled')), policy.RuleDefault( 'create_port:binding:host_id', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating ' 'port with binging host_id')), policy.RuleDefault( 'create_port:binding:profile', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating ' 'port with binding profile')), # TODO(amotoki): Add create_port:binding:vnic_type policy.RuleDefault( 'create_port:allowed_address_pairs', - 'rule:admin_or_network_owner', + base.RULE_ADMIN_OR_NET_OWNER, description=('Access rule for creating port ' 'with allowed_address_pairs attribute')), 
@@ -81,19 +83,19 @@ rules = [ description='Access rule for getting port'), policy.RuleDefault( 'get_port:binding:vif_type', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting binding vif_type of port'), policy.RuleDefault( 'get_port:binding:vif_details', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting binding vif_details of port'), policy.RuleDefault( 'get_port:binding:host_id', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting binding host_id of port'), policy.RuleDefault( 'get_port:binding:profile', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting binding profile of port'), # TODO(amotoki): Add get_port:binding:vnic_type # TODO(amotoki): Add get_port:binding:data_plane_status @@ -133,16 +135,16 @@ rules = [ description='Access rule for updating port_security_enabled of port'), policy.RuleDefault( 'update_port:binding:host_id', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for updating binding host_id of port'), policy.RuleDefault( 'update_port:binding:profile', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for updating binding profile of port'), # TODO(amotoki): Add update_port:binding:vnic_type policy.RuleDefault( 'update_port:allowed_address_pairs', - 'rule:admin_or_network_owner', + base.RULE_ADMIN_OR_NET_OWNER, description='Access rule for updating allowed_address_pairs of port'), policy.RuleDefault( 'update_port:data_plane_status', diff --git a/neutron/conf/policies/qos.py b/neutron/conf/policies/qos.py index 806b307beba..d5faab6e4ef 100644 --- a/neutron/conf/policies/qos.py +++ b/neutron/conf/policies/qos.py 
@@ -12,74 +12,76 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault('get_policy', - 'rule:regular_user', + base.RULE_ANY, description='Access rule for getting QoS policy'), policy.RuleDefault('create_policy', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for creating QoS policy'), policy.RuleDefault('update_policy', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for updating QoS policy'), policy.RuleDefault('delete_policy', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for deleting QoS policy'), policy.RuleDefault('get_rule_type', - 'rule:regular_user', + base.RULE_ANY, description=('Access rule for getting ' 'all available QoS rule types')), policy.RuleDefault('get_policy_bandwidth_limit_rule', - 'rule:regular_user', + base.RULE_ANY, description=('Access rule for getting ' 'QoS bandwidth limit rule')), policy.RuleDefault('create_policy_bandwidth_limit_rule', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating ' 'QoS bandwidth limit rule')), policy.RuleDefault('update_policy_bandwidth_limit_rule', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for updating ' 'QoS bandwidth limit rule')), policy.RuleDefault('delete_policy_bandwidth_limit_rule', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for deleting ' 'QoS bandwidth limit rule')), policy.RuleDefault('get_policy_dscp_marking_rule', - 'rule:regular_user', + base.RULE_ANY, description=('Access rule for getting ' 'QoS dscp marking rule')), policy.RuleDefault('create_policy_dscp_marking_rule', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating ' 'QoS dscp marking rule')), policy.RuleDefault('update_policy_dscp_marking_rule', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for updating ' 'QoS dscp marking rule')), 
policy.RuleDefault('delete_policy_dscp_marking_rule', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for deleting ' 'QoS dscp marking rule')), policy.RuleDefault('get_policy_minimum_bandwidth_rule', - 'rule:regular_user', + base.RULE_ANY, description=('Access rule for getting ' 'QoS minimum bandwidth rule')), policy.RuleDefault('create_policy_minimum_bandwidth_rule', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating ' 'QoS minimum bandwidth rule')), policy.RuleDefault('update_policy_minimum_bandwidth_rule', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for updating ' 'QoS minimum bandwidth rule')), policy.RuleDefault('delete_policy_minimum_bandwidth_rule', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for deleting ' 'QoS minimum bandwidth rule')), ] diff --git a/neutron/conf/policies/rbac.py b/neutron/conf/policies/rbac.py index 5763b0a4266..19329290651 100644 --- a/neutron/conf/policies/rbac.py +++ b/neutron/conf/policies/rbac.py @@ -12,6 +12,8 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault( @@ -21,7 +23,7 @@ rules = [ policy.RuleDefault( 'create_rbac_policy', - '', + base.RULE_ANY, description='Access rule for creating RBAC policy'), policy.RuleDefault( 'create_rbac_policy:target_tenant', @@ -30,7 +32,7 @@ rules = [ 'policy with a specific target tenant')), policy.RuleDefault( 'update_rbac_policy', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for updating RBAC policy'), policy.RuleDefault( 'update_rbac_policy:target_tenant', 
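Review bot: `create_rbac_policy` goes from `''` to `base.RULE_ANY` (`'rule:regular_user'`), and because RBAC policies are the mechanism by which a project exposes its resources to other projects, this is the one place where the swap deserves an explicit check that the effective default is unchanged. The real guard is the `create_rbac_policy:target_tenant` sub-policy, whose rule sits outside this hunk's context; a test that a regular user can still create a project-scoped RBAC policy under the in-code defaults, and that the wildcard target remains restricted as that sub-policy presumably intends, would pin both. A one-line comment above the entry, such as `# Creation is open; the target project (including wildcard) is gated by the :target_tenant sub-policy`, would record the intent.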
@@ -39,11 +41,11 @@ rules = [ 'attribute of RBAC policy')), policy.RuleDefault( 'get_rbac_policy', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for getting RBAC policy'), policy.RuleDefault( 'delete_rbac_policy', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for deleting RBAC policy'), ] diff --git a/neutron/conf/policies/router.py b/neutron/conf/policies/router.py index 3ae16b2b55a..b0e428b31bc 100644 --- a/neutron/conf/policies/router.py +++ b/neutron/conf/policies/router.py 
@@ -12,105 +12,107 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault( 'create_router', - 'rule:regular_user', + base.RULE_ANY, description='Access rule for creating router'), policy.RuleDefault( 'create_router:distributed', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating ' 'router with distributed attribute')), policy.RuleDefault( 'create_router:ha', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating ' 'router with ha attribute')), policy.RuleDefault( 'create_router:external_gateway_info', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description=('Access rule for creating router with ' 'external_gateway_info information')), policy.RuleDefault( 'create_router:external_gateway_info:network_id', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description=('Access rule for creating router with network_id ' 'attribute of external_gateway_info information')), policy.RuleDefault( 'create_router:external_gateway_info:enable_snat', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating router with enable_snat ' 'attribute of external_gateway_info information')), policy.RuleDefault( 'create_router:external_gateway_info:external_fixed_ips', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for creating router with ' 'external_fixed_ips attribute of ' 'external_gateway_info information')), policy.RuleDefault( 'get_router', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for getting router'), policy.RuleDefault( 'get_router:distributed', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for getting distributed attribute of ' 'router')), policy.RuleDefault( 'get_router:ha', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting ha attribute of router'), policy.RuleDefault( 'update_router', - 'rule:admin_or_owner', + 
base.RULE_ADMIN_OR_OWNER, description='Access rule for updating router'), policy.RuleDefault( 'update_router:distributed', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for updating distributed attribute ' 'of router')), policy.RuleDefault( 'update_router:ha', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for updating ha attribute of router'), policy.RuleDefault( 'update_router:external_gateway_info', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description=('Access rule for updating external_gateway_info ' 'information of router')), policy.RuleDefault( 'update_router:external_gateway_info:network_id', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description=('Access rule for updating network_id attribute of ' 'external_gateway_info information of router')), policy.RuleDefault( 'update_router:external_gateway_info:enable_snat', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for updating enable_snat attribute of ' 'external_gateway_info information of router')), policy.RuleDefault( 'update_router:external_gateway_info:external_fixed_ips', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description=('Access rule for updating external_fixed_ips ' 'attribute of external_gateway_info information ' 'of router')), policy.RuleDefault( 'delete_router', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for deleting router'), policy.RuleDefault( 'add_router_interface', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for adding router interface'), policy.RuleDefault( 'remove_router_interface', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for removing router interface'), ] diff --git a/neutron/conf/policies/security_group.py b/neutron/conf/policies/security_group.py index 7b58bc5da75..9865a409692 100644 --- a/neutron/conf/policies/security_group.py +++ b/neutron/conf/policies/security_group.py 
@@ -12,40 +12,42 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ # TODO(amotoki): admin_or_owner is the right rule? # Does an empty string make more sense for create_security_group? policy.RuleDefault( 'create_security_group', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for creating security group'), policy.RuleDefault( 'get_security_group', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for getting security group'), policy.RuleDefault( 'update_security_group', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for updating security group'), policy.RuleDefault( 'delete_security_group', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for deleting security group'), # TODO(amotoki): admin_or_owner is the right rule? # Does an empty string make more sense for create_security_group_rule? policy.RuleDefault( 'create_security_group_rule', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for creating security group rule'), policy.RuleDefault( 'get_security_group_rule', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for getting security group rule'), policy.RuleDefault( 'delete_security_group_rule', - 'rule:admin_or_owner', + base.RULE_ADMIN_OR_OWNER, description='Access rule for deleting security group rule'), ] diff --git a/neutron/conf/policies/segment.py b/neutron/conf/policies/segment.py index e878e8a4a9e..78140b2e989 100644 --- a/neutron/conf/policies/segment.py +++ b/neutron/conf/policies/segment.py 
@@ -12,19 +12,21 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault('create_segment', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for creating segment'), policy.RuleDefault('get_segment', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for getting segment'), policy.RuleDefault('update_segment', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for updating segment'), policy.RuleDefault('delete_segment', - 'rule:admin_only', + base.RULE_ADMIN_ONLY, description='Access rule for deleting segment'), ] diff --git a/neutron/conf/policies/service_type.py b/neutron/conf/policies/service_type.py index 49dda87f1ce..1a22c13c36b 100644 --- a/neutron/conf/policies/service_type.py +++ b/neutron/conf/policies/service_type.py @@ -12,11 +12,13 @@ from oslo_policy import policy +from neutron.conf.policies import base + rules = [ policy.RuleDefault( 'get_service_provider', - 'rule:regular_user', + base.RULE_ANY, description='Access rule for listing all service providers'), ] diff --git a/neutron/conf/policies/subnet.py b/neutron/conf/policies/subnet.py index 56ffad47849..f273fd904dd 100644 --- a/neutron/conf/policies/subnet.py +++ b/neutron/conf/policies/subnet.py 
@@ -12,35 +12,37 @@
 from oslo_policy import policy
 
+from neutron.conf.policies import base
+
 rules = [
     policy.RuleDefault('create_subnet',
-                       'rule:admin_or_network_owner',
+                       base.RULE_ADMIN_OR_NET_OWNER,
                        description='Access rule for creating subnet'),
     policy.RuleDefault('create_subnet:segment_id',
-                       'rule:admin_only',
+                       base.RULE_ADMIN_ONLY,
                        description=('Access rule for creating '
                                     'subnet with segment_id')),
     policy.RuleDefault('create_subnet:service_types',
-                       'rule:admin_only',
+                       base.RULE_ADMIN_ONLY,
                        description=('Access rule for creating '
                                     'subnet with service_type')),
     policy.RuleDefault('get_subnet',
                        'rule:admin_or_owner or rule:shared',
                        description='Access rule for getting subnet'),
     policy.RuleDefault('get_subnet:segment_id',
-                       'rule:admin_only',
+                       base.RULE_ADMIN_ONLY,
                        description=('Access rule for getting '
                                     'segment_id of subnet')),
     policy.RuleDefault('update_subnet',
-                       'rule:admin_or_network_owner',
+                       base.RULE_ADMIN_OR_NET_OWNER,
                        description='Access rule for updating subnet'),
     policy.RuleDefault('update_subnet:service_types',
-                       'rule:admin_only',
+                       base.RULE_ADMIN_ONLY,
                        description=('Access rule for updating '
                                     'service_types of subnet')),
     policy.RuleDefault('delete_subnet',
-                       'rule:admin_or_network_owner',
+                       base.RULE_ADMIN_OR_NET_OWNER,
                        description='Access rule for deleting subnet')
 ]
diff --git a/neutron/conf/policies/subnetpool.py b/neutron/conf/policies/subnetpool.py
index 4cc64276ba5..895153c6995 100644
--- a/neutron/conf/policies/subnetpool.py
+++ b/neutron/conf/policies/subnetpool.py
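Review bot: `get_subnet` keeps the literal `'rule:admin_or_owner or rule:shared'` while every other owner check in this file now goes through `base.RULE_ADMIN_OR_OWNER`, so the alias name is spelled in two places and a later change to the constant would silently miss the compound rule. If the constant is the plain string `'rule:admin_or_owner'`, the compound can reuse it as `base.RULE_ADMIN_OR_OWNER + ' or rule:shared'`, or base.py could provide a small helper that joins rule strings with `' or '` so compound defaults are built from the same constants. The same applies to `get_subnetpool` in the subnetpool.py hunk (`'rule:admin_or_owner or rule:shared_subnetpools'`).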
@@ -12,34 +12,36 @@
 from oslo_policy import policy
 
+from neutron.conf.policies import base
+
 rules = [
     policy.RuleDefault('shared_subnetpools',
                        'field:subnetpools:shared=True',
                        description='Rule of shared subnetpool'),
     policy.RuleDefault('create_subnetpool',
-                       '',
+                       base.RULE_ANY,
                        description='Access rule for creating subnetpool'),
     policy.RuleDefault('create_subnetpool:shared',
-                       'rule:admin_only',
+                       base.RULE_ADMIN_ONLY,
                        description=('Access rule for creating '
                                     'shared subnetpool')),
     policy.RuleDefault('create_subnetpool:is_default',
-                       'rule:admin_only',
+                       base.RULE_ADMIN_ONLY,
                        description=('Access rule for creating '
                                     'subnetpool with is_default')),
     policy.RuleDefault('get_subnetpool',
                        'rule:admin_or_owner or rule:shared_subnetpools',
                        description='Access rule for getting subnetpool'),
     policy.RuleDefault('update_subnetpool',
-                       'rule:admin_or_owner',
+                       base.RULE_ADMIN_OR_OWNER,
                        description='Access rule for updating subnetpool'),
     policy.RuleDefault('update_subnetpool:is_default',
-                       'rule:admin_only',
+                       base.RULE_ADMIN_ONLY,
                        description=('Access rule for updating '
                                     'is_default of subnetpool')),
     policy.RuleDefault('delete_subnetpool',
-                       'rule:admin_or_owner',
+                       base.RULE_ADMIN_OR_OWNER,
                        description='Access rule for deleting subnetpool')
 ]
diff --git a/neutron/conf/policies/trunk.py b/neutron/conf/policies/trunk.py
index 9f717f44af7..93e5dc804c9 100644
--- a/neutron/conf/policies/trunk.py
+++ b/neutron/conf/policies/trunk.py
@@ -12,31 +12,33 @@
 from oslo_policy import policy
 
+from neutron.conf.policies import base
+
 rules = [
     policy.RuleDefault(
         'create_trunk',
-        'rule:regular_user',
+        base.RULE_ANY,
         description='Access rule for creating trunk'),
     policy.RuleDefault(
         'get_trunk',
-        'rule:admin_or_owner',
+        base.RULE_ADMIN_OR_OWNER,
         description='Access rule for getting trunk'),
     policy.RuleDefault(
         'delete_trunk',
-        'rule:admin_or_owner',
+        base.RULE_ADMIN_OR_OWNER,
         description='Access rule for deleting trunk'),
     policy.RuleDefault(
         'get_subports',
-        '',
+        base.RULE_ANY,
         description='Access rule for listing subports attached to a trunk'),
     policy.RuleDefault(
         'add_subports',
-        'rule:admin_or_owner',
+        base.RULE_ADMIN_OR_OWNER,
         description='Access rule for adding subports to a trunk'),
     policy.RuleDefault(
         'remove_subports',
-        'rule:admin_or_owner',
+        base.RULE_ADMIN_OR_OWNER,
         description='Access rule for deleting subports from a trunk'),
 ]
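Review bot: `get_subports` stays open to any caller (`base.RULE_ANY`) while `get_trunk`, `add_subports` and `remove_subports` are all `base.RULE_ADMIN_OR_OWNER`, so listing a trunk's subports is the one read of owner-scoped data in this file that the policy default does not tie to the owner. The pre-existing `''` had the same effect, but now that the file is being normalised it is worth recording what keeps this tenant-scoped; if the intent is that the plugin's trunk lookup already fails for a foreign tenant before any subports are returned, a comment such as `# tenant scoping for get_subports comes from the trunk lookup, not from policy` would capture that, and if no such gate exists, `base.RULE_ADMIN_OR_OWNER` is the more defensible default. I cannot see the plugin code from this diff, so please confirm which of the two applies.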