Allow sharing of firewall rules and policies in policy.json

Updated policy for firewall_policy and firewall_rule to allow sharing
among tenants. Added a new firewall sharing rule to enable this.

Change-Id: I5d4d9f94fb3abffe4d1b03c46fd5b13a8a4a4f09
Fixes: bug #1217103
This commit is contained in:
Dan Florea 2013-08-21 12:30:18 -07:00
parent 6aa2312577
commit fef1ced970
2 changed files with 21 additions and 3 deletions

View File

@ -5,6 +5,7 @@
"admin_only": "rule:context_is_admin", "admin_only": "rule:context_is_admin",
"regular_user": "", "regular_user": "",
"shared": "field:networks:shared=True", "shared": "field:networks:shared=True",
"shared_firewalls": "field:firewalls:shared=True",
"external": "field:networks:router:external=True", "external": "field:networks:router:external=True",
"default": "rule:admin_or_owner", "default": "rule:admin_or_owner",
@ -71,13 +72,13 @@
"delete_firewall": "rule:admin_or_owner", "delete_firewall": "rule:admin_or_owner",
"create_firewall_policy": "", "create_firewall_policy": "",
"get_firewall_policy": "rule:admin_or_owner", "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
"create_firewall_policy:shared": "rule:admin_or_owner", "create_firewall_policy:shared": "rule:admin_or_owner",
"update_firewall_policy": "rule:admin_or_owner", "update_firewall_policy": "rule:admin_or_owner",
"delete_firewall_policy": "rule:admin_or_owner", "delete_firewall_policy": "rule:admin_or_owner",
"create_firewall_rule": "", "create_firewall_rule": "",
"get_firewall_rule": "rule:admin_or_owner", "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
"create_firewall_rule:shared": "rule:admin_or_owner", "create_firewall_rule:shared": "rule:admin_or_owner",
"get_firewall_rule:shared": "rule:admin_or_owner", "get_firewall_rule:shared": "rule:admin_or_owner",
"update_firewall_rule": "rule:admin_or_owner", "update_firewall_rule": "rule:admin_or_owner",

View File

@ -250,7 +250,12 @@ class NeutronPolicyTestCase(base.BaseTestCase):
"create_something": "rule:admin_or_owner", "create_something": "rule:admin_or_owner",
"create_something:attr": "rule:admin_or_owner", "create_something:attr": "rule:admin_or_owner",
"create_something:attr:sub_attr_1": "rule:admin_or_owner", "create_something:attr:sub_attr_1": "rule:admin_or_owner",
"create_something:attr:sub_attr_2": "rule:admin_only" "create_something:attr:sub_attr_2": "rule:admin_only",
"get_firewall_policy": "rule:admin_or_owner or "
"rule:shared",
"get_firewall_rule": "rule:admin_or_owner or "
"rule:shared"
}.items()) }.items())
def fakepolicyinit(): def fakepolicyinit():
@ -390,6 +395,18 @@ class NeutronPolicyTestCase(base.BaseTestCase):
result = policy.enforce(self.context, action, target) result = policy.enforce(self.context, action, target)
self.assertTrue(result) self.assertTrue(result)
def test_enforce_firewall_policy_shared(self):
action = "get_firewall_policy"
target = {'shared': True, 'tenant_id': 'somebody_else'}
result = policy.enforce(self.context, action, target)
self.assertTrue(result)
def test_enforce_firewall_rule_shared(self):
action = "get_firewall_rule"
target = {'shared': True, 'tenant_id': 'somebody_else'}
result = policy.enforce(self.context, action, target)
self.assertTrue(result)
def test_enforce_tenant_id_check(self): def test_enforce_tenant_id_check(self):
# Trigger a policy with rule admin_or_owner # Trigger a policy with rule admin_or_owner
action = "create_network" action = "create_network"