From fef1ced9708024604b54e02eebb9eff21996fccb Mon Sep 17 00:00:00 2001
From: Dan Florea
Date: Wed, 21 Aug 2013 12:30:18 -0700
Subject: [PATCH] Allow sharing of firewall rules and policies in policy.json

Updated policy for firewall_policy and firewall_rule to allow sharing among tenants. Added a new firewall sharing rule to enable this.

Change-Id: I5d4d9f94fb3abffe4d1b03c46fd5b13a8a4a4f09
Fixes: bug #1217103
---
 etc/policy.json | 5 +++--
 neutron/tests/unit/test_policy.py | 19 ++++++++++++++++++-
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/etc/policy.json b/etc/policy.json
index 78dd1e4c791..3d60dcdc994 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -5,6 +5,7 @@
     "admin_only": "rule:context_is_admin",
     "regular_user": "",
     "shared": "field:networks:shared=True",
+    "shared_firewalls": "field:firewalls:shared=True",
     "external": "field:networks:router:external=True",
     "default": "rule:admin_or_owner",
@@ -71,13 +72,13 @@
     "delete_firewall": "rule:admin_or_owner",
     "create_firewall_policy": "",
-    "get_firewall_policy": "rule:admin_or_owner",
+    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
     "create_firewall_policy:shared": "rule:admin_or_owner",
     "update_firewall_policy": "rule:admin_or_owner",
     "delete_firewall_policy": "rule:admin_or_owner",
     "create_firewall_rule": "",
-    "get_firewall_rule": "rule:admin_or_owner",
+    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
     "create_firewall_rule:shared": "rule:admin_or_owner",
     "get_firewall_rule:shared": "rule:admin_or_owner",
     "update_firewall_rule": "rule:admin_or_owner",
diff --git a/neutron/tests/unit/test_policy.py b/neutron/tests/unit/test_policy.py
index d602cd93cbf..22a7ccad6ac 100644
--- a/neutron/tests/unit/test_policy.py
+++ b/neutron/tests/unit/test_policy.py
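Review bot: The new `shared_firewalls` rule is keyed on the `firewalls` resource (`"shared_firewalls": "field:firewalls:shared=True"`) yet it is only ever attached to `get_firewall_policy` and `get_firewall_rule`, whose targets are policies and rules, not firewalls. In neutron's `field:` check the resource name is, as far as I recall, what selects the attribute-map entry used to convert the literal `True` before it is compared with the target; if `firewalls` carries no `shared` attribute in that map, the string `"True"` never equals a boolean `shared` column and sharing silently never takes effect (it fails closed, but the feature is dead). Either name the rule after the resources it actually checks, e.g. `"shared_firewall_policies": "field:firewall_policies:shared=True"` and `"shared_firewall_rules": "field:firewall_rules:shared=True"`, or state in the commit message why `firewalls` is the right key; note that the accompanying unit test wires the actions to `rule:shared` rather than to this rule, so nothing in the change exercises it.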
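Review bot: `get_firewall_rule:shared`, on the line right after the changed `get_firewall_rule` entry, is still `rule:admin_or_owner`, so a tenant that can now read another tenant's shared rule via `rule:shared_firewalls` is still refused the `shared` attribute itself; if neutron's attribute-level policy filtering applies to this resource as it does to others, that attribute is stripped from the response for exactly the readers this change admits. Consider `"get_firewall_rule:shared": "rule:admin_or_owner or rule:shared_firewalls"`. Separately, `create_firewall_policy:shared` and `create_firewall_rule:shared` remain `rule:admin_or_owner`, which means that after this change any regular tenant can publish its policies and rules to every other tenant in the deployment; confirm that is the intended trust model rather than an operator-only decision (`rule:admin_only`), because this commit is what turns that owner-settable flag into cross-tenant read access.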
@@ -250,7 +250,12 @@ class NeutronPolicyTestCase(base.BaseTestCase):
             "create_something": "rule:admin_or_owner",
             "create_something:attr": "rule:admin_or_owner",
             "create_something:attr:sub_attr_1": "rule:admin_or_owner",
-            "create_something:attr:sub_attr_2": "rule:admin_only"
+            "create_something:attr:sub_attr_2": "rule:admin_only",
+
+            "get_firewall_policy": "rule:admin_or_owner or " "rule:shared",
+            "get_firewall_rule": "rule:admin_or_owner or " "rule:shared"
         }.items())
         def fakepolicyinit():
@@ -390,6 +395,18 @@ class NeutronPolicyTestCase(base.BaseTestCase):
         result = policy.enforce(self.context, action, target)
         self.assertTrue(result)
+    def test_enforce_firewall_policy_shared(self):
+        action = "get_firewall_policy"
+        target = {'shared': True, 'tenant_id': 'somebody_else'}
+        result = policy.enforce(self.context, action, target)
+        self.assertTrue(result)
+
+    def test_enforce_firewall_rule_shared(self):
+        action = "get_firewall_rule"
+        target = {'shared': True, 'tenant_id': 'somebody_else'}
+        result = policy.enforce(self.context, action, target)
+        self.assertTrue(result)
+
     def test_enforce_tenant_id_check(self):
         # Trigger a policy with rule admin_or_owner
         action = "create_network"
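Review bot: The fixture entries added here point `get_firewall_policy` and `get_firewall_rule` at `rule:shared` (the pre-existing rule defined outside this hunk) instead of at the `rule:shared_firewalls` rule that the real policy.json introduces, so the new rule's `field:firewalls:...` lookup and its value conversion are never exercised by this suite and the two new tests would pass even if that rule were broken. Add the rule to the fixture and reference it: `"shared_firewalls": "field:firewalls:shared=True",` then `"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",` and `"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls"`. The rules dict this hunk edits starts before the hunk.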
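Review bot: Both new tests only pin the permissive branch — a `'shared': True` target owned by `'somebody_else'` is allowed — and nothing pins the deny side, so a rule that ignored the `shared` field or collapsed to allow-all would still pass. Add the negative counterpart to each, e.g. `target = {'shared': False, 'tenant_id': 'somebody_else'}` followed by `self.assertRaises(<the policy-denied exception the file's existing denial tests use>, policy.enforce, self.context, action, target)`, so the test demonstrates that sharing is the only thing that opens cross-tenant reads. The `test_enforce_tenant_id_check` that follows the added methods continues outside the hunk.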