88 Commits

Author SHA1 Message Date
Yushiro FURUKAWA
f72863a6b6 Remove FWaaS policy.json entries
The FWaaS policy.json entries are being relocated into the FWaaS
repository.

Co-Authored-By: Nate Johnston <Nate_Johnston@cable.comcast.com>
Depends-On: Idd8993da78dbd779e2b3d38a4039dabf60d416d5

Change-Id: Iec36638a7a57cc14753e93c5d207853d4a3e3b6e
2016-09-06 21:30:41 +00:00
Rodolfo Alonso Hernandez
60325f4ae9 Add QoS minimum bandwidth rule for instance egress traffic
This patch introduces the front end implementation for QoS
minimum bandwidth rule.

APIImpact: New type of parameter for QoS rule in neutron API
DocImpact

Change-Id: I6b619a96a2bfde164646c71409b671352bc6ce7d
Partial-Bug: #1560963
2016-08-27 17:08:18 +00:00
Miguel Lavalle
5e3c284fba Revert "Publish segment id in port responses"
This reverts commit b35d7fa3cbcd68ef10b9c40a47c0698c7e0a2089.
Patchset set is reverted after deciding Nova can get the segment_id
from the subnet associated to the port

Change-Id: Idf4ba107bf6e1427c82ab5b6a5cea0dba9264699
2016-08-18 06:01:22 -05:00
Miguel Lavalle
b35d7fa3cb Publish segment id in port responses
In this patchset, attribute 'ipam_segment_id' is added to ports to
contain the id of the segment where the port is bound in the case of a
routed network. This new attribute will be used by the Nova scheduler
to place an instance using the port in a host bound to the segment

Change-Id: Ide13a7c53c5f4a33894f459c38924830ba583f98
Partially-Implements: blueprint routed-networks
2016-08-11 21:00:48 -05:00
Brian Haley
eead641242 Enable CRUD for Subnet Service Types
This patch enables basic CRUD operations to support
Subnet service-types.

Partially-implements: blueprint service-subnets

Co-Authored-By: John Davidge <john.davidge@rackspace.com>

Change-Id: I0a1724ad00f0a3e675bb700cdd291f55f898c6f3
2016-08-05 16:31:30 -07:00
Ryan Tidwell
9cda319687 Enable CRUD for trunk ports
This patch enables basic CRUD operations on trunk ports and defines
related API extensions. Trunk ports and sub-ports can be persisted
in the Neutron model and are made visible through the API, but the
L2 agent is not notified and no trunk ports or subports are actually
instantiated on compute hosts.

This one of the main patches in the series that implement the end
to end functionality.

Partially-implements: blueprint vlan-aware-vms

Co-Authored-By: Armando Migliaccio <armamig@gmail.com>
Change-Id: I26453eb9a1b25e116193417271400994ac57e4c1
2016-07-02 16:09:45 -07:00
Na
12200922a9 Remove remaining BGP code from neutron
There still are BGP codes in neutron repo, this patch remove it.
It was missed in commit I20b6ddd37d10eae70e8294d578e53137c0f866fe

Change-Id: I6bf71b14a03ccc005dcd4d67078e7e9f4a7ed197
Closes-Bug: #1584333
2016-05-24 06:36:54 -07:00
Carl Baldwin
f494de47fc Associate subnets to segments through subnet API
Change-Id: Ia1084a94ac659332c126eb9d4787b04a89a4ba90
DocImpact: Need to add segment_id to API docs
Partially-Implements: blueprint routed-networks
2016-05-10 15:56:48 -06:00
Carl Baldwin
a34c3543d0 Basic Extension and CRUD for Segments
This patch enables CRUD on Segments by defining a new entity called
'Segment' with an extension definition and some DB code to read the
existing segments DB.  A basic framework for create, update, and
delete are provided.

For now, this is just the basic boiler-plate but I've got to start
somewhere.  It is implemented as a service plugin that is disabled by
default because it has not been fully tested with any plugin.
Follow-on patches will implement support for this new extension in
ML2 and OVN at least.

Change-Id: Ifc370fdd38f9a5b296334635fa85bd93d270b910
Partially-Implements: blueprint routed-networks
2016-05-05 13:58:34 -06:00
Armando Migliaccio
e8d3626d1c Remove BGP code from neutron
Once the spinout is undergoing we should perform the eviction.

Partially-implements: blueprint bgp-spinout

Depends-on: I8be510153edbc496575cde34943ca4c56645e0fb
Change-Id: I20b6ddd37d10eae70e8294d578e53137c0f866fe
2016-04-25 21:54:06 -07:00
David Shaughnessy
a9a1943fde DSCP QoS rule implementation
This patch adds the front end and back end implementation of QoS DSCP.

Associated patches that are dependent on this one:

* python-neutronclient: https://review.openstack.org/#/c/254280
* openstack-manuals: https://review.openstack.org/#/c/273638
* API Guide: https://review.openstack.org/#/c/275253
* Heat:
  * Spec: https://review.openstack.org/#/c/272173
  * QoSDscpMarkingRule resource: https://review.openstack.org/#/c/277567
* Fullstack tests: https://review.openstack.org/#/c/288392/

APIImpact - The API now supports marking traffic egressing from a VM's
            dscp field with a valid dscp value.

Co-Authored-By: Nate Johnston <nate_johnston@cable.comcast.com>
Co-Authored-By: Victor Howard <victor.r.howard@gmail.com>
Co-Authored-By: Margaret Frances <margaret_frances@cable.comcast.com>
Co-Authored-By: James Reeves <james.reeves5546@gmail.com>
Co-Authored-By: John Schwarz <jschwarz@redhat.com>
Needed-By: I25ad60c1b9a66e568276a772b8c496987d9f8299
Needed-By: I881b8f5bc9024c20275bc56062de72a1c70c8321
Needed-By: I48ead4b459183db795337ab729830a1b3c0022da
Needed-By: Ib92b172dce48276b90ec75ee5880ddd69040d7c8
Needed-By: I4eb21495e84feea46880caf3360759263e1e8f95
Needed-By: I0ab6a1a0d1430c5791fea1d5b54106c6cc93b937
Partial-Bug: #1468353

Change-Id: Ic3baefe176df05f049a2e06529c58fd65fe6b419
2016-03-18 10:07:24 +01:00
Mike Dorman
2f741ca5f9 Add API extension for reporting IP availability usage statistics
Implements an API extension for reporting availibility of IP
addresses on Neutron networks/subnets based on the blueprint
proposed at https://review.openstack.org/#/c/180803/

This provides an easy way for operators to count the number of
used and total IP addresses on any or all networks and/or
subnets.

Co-Authored-By: David Bingham <dbingham@godaddy.com>
Co-Authored-By: Craig Jellick <craig.jellick@gmail.com>

APIImpact
DocImpact: As a new API, will need all new docs. See devref for details.

Implements: blueprint network-ip-usage-api
Closes-Bug: 1457986
Change-Id: I81406054d46b2c0e0ffcd56e898e329f943ba46f
2016-02-29 05:31:48 +00:00
vikram.choudhary
bede37f5e2 BGP Dynamic Routing: introduce BgpDrScheduler model
This patch implements a new extension called "bgp_dragentscheduler" which
does instant & auto scheuling of BgpSpeakers to an active BgpDrAgent. In
addition to this the patch also implements the basic CRUD requirement for
binding BgpSpeakers and BgpDrAgent.

BgpSpeaker to BgpDrAgent association can be 1-to-n. An admin user can only
associate/disassociate BgpSpeaker to/from a BgpDRAgent. Default scheduler
class will only assign non-scheduled BgpSpeaker to an active BgpDrAgent.

Partially-Implements: blueprint bgp-dynamic-routing
Co-Authored-By: Ryan Tidwell <ryan.tidwell@hpe.com>
Co-Authored-By: Jaume Devesa <devvesa@gmail.com>
Co-Authored-By: vikram.choudhary <vikram.choudhary@huawei.com>
Co-Authored-By: Numan Siddique <nusiddiq@redhat.com>
Change-Id: Id305d9a583116e155441ac5979bf3f6aa6a8258b
2016-02-12 14:17:57 +05:30
Ryan Tidwell
773a3916ea Add BGP Dynamic Routing DB Model and Basic CRUD
This patch enables basic CRUD on BGP dynamic routing
entities bgp_speaker and bgp_peer, as well as
bgp_speaker-bgp_peer and bgp_speaker-network
bindings.

An admin user can create BgpSpeakers and configure
peering entities (BgpPeers) for BgpSpeakers. BgpSpeaker
to BgpPeer association is n-to-n. An admin user can
also associate networks with BgpSpeakers. Relationship
between BgpSpeaker and Network is 1-to-n.

This patch provides BGP-related functionality only to
the admin users.

Partially-Implements: blueprint bgp-dynamic-routing
Co-Authored-By: Ryan Tidwell <ryan.tidwell@hpe.com>
Co-Authored-By: Jaume Devesa <devvesa@gmail.com>
Co-Authored-By: vikram.choudhary <vikram.choudhary@huawei.com>
Change-Id: I2412c1689683da9d7ec884a4cea506d4eed99453
2016-02-11 14:43:35 -07:00
Jenkins
5479d4b148 Merge "Implement 'get-me-a-network' API building block" 2016-02-10 05:59:28 +00:00
Brian Haley
955fa1c075 Implement 'get-me-a-network' API building block
This patch introduces an API to allocate an externally connected
private tenant network on demand. The API is idempotent in that,
once the topology is provisioned, further API calls keep returning
the same topology to the caller.

The API, as introduced by the patch, is not currently on, and its
design carefully ensures minimal impact on the existing codebase.
In fact the feature depends on and enhances the external-net extension,
but it does so via callbacks.

A subsequent patch in this series will make it available by default,
and API tests will be added to validate the functionality.

Partially-implements: blueprint get-me-a-network

Co-Authored-By: Armando Migliaccio <armamig@gmail.com>
Co-Authored-By: Henry Gessau <HenryG@gessau.net>

Change-Id: I4abd45252026431452f0d2cb2805043489c2f6ad
2016-02-08 18:06:35 -08:00
Ihar Hrachyshka
4398f14a9a Postpone heavy policy check for ports to later
When a port is validated, we check for the user to be the owner of
corresponding network, among other things. Sadly, this check requires a
plugin call to fetch the network, which goes straight into the database.
Now, if there are multiple ports to validate with current policy, and
the user is not admin, we fetch the network for each port, f.e. making
list operation on ports to scale badly.

To avoid that, we should postpone OwnerCheck (tenant_id) based
validations that rely on foreign keys, tenant_id:%(network:...)s, to as
late as possible. It will make policy checks avoid hitting database in
some cases, like when a port is owned by current user.

Also, added some unit tests to avoid later regressions:

DbOperationBoundMixin now passes user context into API calls. It allows
us to trigger policy engine checks when executing listing operations.

Change-Id: I99e0c4280b06d8ebab0aa8adc497662c995133ad
Closes-Bug: #1513782
2016-02-05 10:07:03 +01:00
James Arendt
6bc53cc7f8 Fix Neutron flavor framework
Make flavor service profile store actual driver instead of
hardcoded dummy driver.  Ensure service type on flavor persisted.

Raise ServiceProfileDriverNotFound if non-empty driver is not part
of ServiceTypeManager providers.

Raise ServiceProfileEmpty if profile has neither a driver nor
any metainfo.

Raise InvalidFlavorServiceType if invalid service type passed.

Show flavors associated with a profile, not just profiles associated
with a flavor, to ease diagnosis when ServiceProfileInUse raised.

Create method to extract provider given a flavor for use with
neutron-lbaas plus tests.

Ensure various boolean forms accepted for enabled flag.

To enable in DevStack, add to local.conf:
enable_plugin neutron https://git.openstack.org/openstack/neutron
enable_service q-flavors

Add associated unit tests. Fix tempest api test that used invalid
LOADBALANCERS service type.

Change-Id: I5c22ab655a8e2a2e586c10eae9de9b72db49755f
Implements: blueprint neutron-flavor-framework
2015-11-19 11:27:05 -08:00
John Davidge
6ee91e56c8 Replace subnetpool config options with admin-only API
This patch adds a new boolean 'is_default' property to subnetpools. This
allows the admin to set the default v4/v6 subnetpools via the API rather
than the existing neutron.conf options - which are deprecated by this patch.

Only one subnetpool per IP family can be set to default.

DocImpact
ApiImpact

Co-Authored-By: Carl Baldwin <carl@ecbaldwin.net>

Change-Id: I5daba2347cfb91fac0b155b2c1b459ee7d9e4505
Closes-Bug: 1501328
2015-11-06 17:16:31 +00:00
Kevin Benton
bbca973986 Stop device_owner from being set to 'network:*'
This patch adjusts the FieldCheck class in the policy engine to
allow a regex rule. It then leverages that to prevent users from
setting the device_owner field to anything that starts with
'network:' on networks which they do not own.

This policy adjustment is necessary because any ports with a
device_owner that starts with 'network:' will not have any security
group rules applied because it is assumed they are trusted network
devices (e.g. router ports, DHCP ports, etc). These security rules
include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
and IP headers.

Without this policy adjustment, tenants can abuse this trust when
connected to a shared network with other tenants by setting their
VM port's device_owner field to 'network:<anything>' and hijack other
tenants' traffic via DHCP spoofing or MAC/IP spoofing.

Closes-Bug: #1489111
Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9
2015-09-08 15:00:13 +00:00
gong yong sheng
20459979e0 Add empty policy rule to get_rule_type action
Without this empty policy rule, get_rule_type will use default, which
will demand admin role or tenant_id in object. but rule_type has no
tenant_id in its body.

Change-Id: I92b1222fbcdc2efd13ca6f586cfefefc55b59189
Closes-bug: #1487324
2015-08-24 17:43:08 +08:00
Kevin Benton
4595899f7f Neutron RBAC API and network support
This adds the new API endpoint to create, update, and delete
role-based access control entries. These entries enable tenants
to grant access to other tenants to perform an action on an object
they do not own.

This was previously done using a single 'shared' flag; however, this
was too coarse because an object would either be private to a tenant
or it would be shared with every tenant.

In addition to introducing the API, this patch also adds support to
for the new entries in Neutron networks. This means tenants can now
share their networks with specific tenants as long as they know the
tenant ID.

This feature is backwards-compatible with the previous 'shared'
attribute in the API. So if a deployer doesn't want this new feature
enabled, all of the RBAC operations can be blocked in policy.json and
networks can still be globally shared in the legacy manner.

Even though this feature is referred to as role-based access control,
this first version only supports sharing networks with specific
tenant IDs because Neutron currently doesn't have integration with
Keystone to handle changes in a tenant's roles/groups/etc.

DocImpact
APIImpact

Change-Id: Ib90e2a931df068f417faf26e9c3780dc3c468867
Partially-Implements: blueprint rbac-networks
2015-08-20 20:00:17 -07:00
Miguel Angel Ajo
6d6980903c Fix tenant access to qos policies
fix policy.json to not allow tenants to create policies or rules
by default and allow tenants attach ports and networks to policies,
please note that policy access is checked in the QoSPolicy neutron
object in such case.

Closes-Bug: #1485858

Change-Id: Ide1cd30979f99612fe89dddf3dc0e029d3f4d34a
2015-08-19 04:58:41 +00:00
Ihar Hrachyshka
d3708de0cb Merge remote-tracking branch 'origin/feature/qos' into merge-branch
Also applied the following fixes:

===

1. cleaned up some pylint failures that were not spotted before:

Module neutron.objects.qos.policy: Metaclass class method __new__ should
have 'mcs' as first argument

Module neutron.objects.qos.rule: Lambda may not be necessary

===

2. Revert "Introduce the AFTER_READ callback for ports and networks"

This reverts commit e3dba1424114575581c153e02227282e036ad0a2.

We don't use callbacks to extend resources anymore, instead relying on
ml2 extension drivers. No need for the patch to achieve QoS, and it also
breaks test_delete_subnet_with_callback that was added in master
recently.

===

3. updated requirements.txt and test-requirements.txt based on:

https://review.openstack.org/#/c/204398/

to avoid requirements gate checks failing due to incompatible
requirements comparing to global-requirements.txt

Change-Id: I744ab2d8327a428a5467f2d07d073a5f8c333520
2015-07-23 11:48:57 +02:00
Eugene Nikanorov
e0eed14a1e Flavor Framework implementation
This patch introduces API and DB plugin for flavor framework.
API adds Flavors and Service Profiles which are resources
available only for admins to operate.

This framework then should be leveraged by advanced services.

Included tempest API tests in neutron tree

Implements: blueprint neutron-flavor-framework
Change-Id: I99ba0ce520ae3d8696eca5c994777c7d5ba3d4b1
Co-Authored-By: Doug Wiegley <dougw@a10networks.com>
Co-Authored-By: Madhusudhan Kandadai <madhusudhan.kandadai@hp.com>
2015-07-16 09:07:41 -07:00
Ihar Hrachyshka
2fed2617cd Merge remote-tracking branch 'origin/feature/qos' into merge-branch
Change-Id: I7f2342d62634f5b4af3a083cc1aaff46efe28519
2015-07-07 16:01:17 +02:00
vikram.choudhary
cbd95318ad Support Basic Address Scope CRUD as extensions
This patch adds the support for basic address scope CRUD.
Subsequent patches will be added to use this address scope
on subnet pools.

DocImpact
APIImpact

Co-Authored-By: Ryan Tidwell <rktidwell85@gmail.com>
Co-Authored-By: Numan Siddique <nusiddiq@redhat.com>
Change-Id: Icabdd22577cfda0e1fbf6042e4b05b8080e54fdb
Partially-implements:  blueprint address-scopes
2015-07-02 13:49:06 +05:30
Miguel Angel Ajo
96d1cb1ae2 Create the QoS API extension stub
This patch introduces the QoS API extension, in a basic
form where we could, in combination with the service plugin
stub, start creating some experimental test jobs that install
the service plugin.

Please not that URL mapping is not fully according to spec,
neither it does include any testing. We need to work that out.

blueprint quantum-qos-api
Change-Id: I86e8048e2d9b84690dbede9a94cfc884985069c5
2015-06-29 17:50:43 +03:00
Yushiro FURUKAWA
f1b4dfd52b Add missed actions into policy.json
This patch adds following actions into policy.json.

  1. v2.0/fw/firewall_policies/{firewall_policy_id}/insert_rule
  2. v2.0/fw/firewall_policies/{firewall_policy_id}/remove_rule

Closes-Bug: #1439383
Change-Id: I8051a97852f0f1f21bf266c16a477a5e2fd32062
2015-05-08 07:29:04 +09:00
Kevin Benton
927399c011 Block allowed address pairs on other tenants' net
Don't allow tenants to use the allowed address pairs extension
when they are attaching a port to a network that does not belong
to them.

This is done because allowed address pairs can allow things like
ARP spoofing and all tenants attached to a shared network might not
implicitly trust each other.

Change-Id: Ie6c3e8ad04103804e40f2b043202387385e62ca5
Closes-Bug: #1447242
2015-04-21 11:28:59 -07:00
Ryan Tidwell
6f610d2d87 Basic subnetpool CRUD
Enable creating, reading, updating, and deleting subnet pools via REST API.
Includes required changes to REST, model, alembic migrations, and unit tests.
Subnet pools carry a list of IPv4 or IPv6 prefixes from which a subnet can be
allocated. This will enable tenants to request a subnet from a pool rather
than being forced to explicitly provide their own CIDR's for their subnets.
This change simply enables managing the lifecycle of a subnet pool and does
not yet enable allocation of subnet prefixes from a pool.

Subnet pools can have their prefix bounds (min, max, default), name, and
prefix list updated. Changes to prefix bounds do not alter existing
allocations and will not be blocked by existing allocations. Prefix lists can
only be appended to. Prefixes cannot be removed from the pool once added.

ApiImpact
Partially-Implements: blueprint subnet-allocation
Change-Id: I88c6b15aab258069758f1a9423d6616ceb4a33c4
2015-03-18 22:53:50 -07:00
Sumit Naiksatam
668be7e869 Fix retrieval of shared firewall_policies
Incorrect rule in the policy.json prevents the visibility
of shared firewall_policies.

Change-Id: I6541d363f1ca4ae89b9dddab41a8f20522e50df8
Closes-bug: 1426586
2015-02-27 15:41:59 -08:00
Brandon Logan
6ddd58a46b Added a policy for retrieving the agent hosting a load balancer
LBaaS V2 needs a separate policy from V1 that will allow only an admin
to retrieve the agent hosting a particular load balancer.

Change-Id: Ida9c3ce15cf14431072d5505396bca11aa92b276
2015-02-26 11:03:28 -06:00
Brandon Logan
572aaa8abd Added policy for lbaas v2 agent extension resource
Adding get_agent-loadbalancers policy only because v2 can
reuse the get_loadbalancer-agent policy from v1.
get_loadbalancer-pools doesn't make sense as a policy for
v2 because pools are no longer the root object.

Change-Id: Ic9179ef0a95b91d1b7662537fffeb0a949efc925
2015-02-11 14:57:26 -06:00
ChuckC
cf99eb988e Allow port mac_address to be modified
With ironic servers, a NIC can fail and be replaced with one that has a
different mac.  The corresponding neutron port needs to be updated with
the new mac address so the NIC can be guaranteed to retain the same IP
address.

This change enables this feature in the ml2 plugin.  There may need to
be changes to other plugins to disable or complete the implementation of
this feature.

Closes-Bug: #1341268
Partially-implements: blueprint allow-mac-to-be-updated
APIImpact: Ports
DocImpact: minor port update api change
Change-Id: I1864c0882cda7eddc9ced519ed3f96c91b2b63f3
2015-01-29 15:00:21 -08:00
Jenkins
a46af7629c Merge "Allow setting a tenant router's external IP" 2014-12-30 00:07:14 +00:00
fujioka yuuichi
e4f5b0d986 Allow to specify IP address of floating ip
IP address of floating ip will be automatically allocated.
There are cases where users need to specify a floating IP address.
This patch addresses the problem.

The feature is limited by "create_floatingip:floating_ip_address" in
"policy.json".
By default, it needs an admin role.

DocImpact
APIImpact

Implements: blueprint allow-specific-floating-ip-address

Change-Id: Iba64a0f0a38ca5eb39c605e121a12c956637b96c
2014-12-26 02:25:00 +00:00
Kevin Benton
66f5eadec0 Allow setting a tenant router's external IP
Adds an external_ip option to the router creation
and update operations to set the IP address the router
will try to use as its fixed IP on the external network
it's attached to. By default this is restricted to an
admin-only operation by policy.json.

DocImpact
ApiImpact

Implements: blueprint specify-router-ext-ip
Closes-Bug: #1188427
Change-Id: Iba7c606eea48181fc10e9d0d5dc667e6f48f37de
2014-12-19 02:04:02 -08:00
Kyle Mestery
d4f00659eb Add advsvc role to neutron policy file
Add in a default "advsvc" user and the logic in the Neutron policy
infrastructure which will allow this user to create/get/update/delete
ports on other tenants networks, as well as view other tenants
networks. This is for the use case of letting advanced services have
a user to put ports on other tenants networks. By default, we do not
define any roles for the policy "context_is_advsvc", but rely on
operators to specify the likely value of "role advsvc".

DocImpact

Closes-Bug: #1331836

Change-Id: I94cb3383eb1fed793934719603f888dbbdbbd85a
Co-Authored-By: Susanne Balle <sleipnir012@gmail.com>
2014-10-27 12:49:27 +00:00
Sylvain Afchain
5730d87c26 Add L3 VRRP HA base classes
Add L3 HA base classes on the plugin side. A new admin-only ha
attribute is added to the API router resource. Conversion from
or to HA router is possible. Each tenant gets a single network
used for HA traffic. The tenant_id for that network is set to
'' so that it isn't visible via the CLI or GUI. A new table
is added to map a tenant to its HA network. Specific HA
attributes are added to the extra router attributes table.
Finally, each HA router gets a port on the HA network, per
l3 agent it is scheduled on. A new table is added to track
these bindings. A new table is added in order to track
VRID allocations.

DVR integration is not expected to work. Any issues will
be reported as bugs and handled after the feature merges.
Migrating a router to HA or from HA works server side
but is not expected to work (Yet) agent side. This will be
dealt with as a bug in the future.

DocImpact
Partially-implements: blueprint l3-high-availability
Change-Id: I9d935cf5e0c231e8cb7af5f61b9a9fc552c3521e
Co-Authored-By: Assaf Muller <amuller@redhat.com>
2014-09-10 12:06:13 +00:00
Salvatore
1cad794156 Remove old policies from policy.json
They're confused, misleading, and most importantly unused.

Change-Id: I22130ce3147617f8fb7baba7a50bada128d40e08
Closes-Bug: #1362618
2014-08-28 20:29:13 +02:00
Elena Ezhova
971747f4f2 Fix policy rules for adding and removing router interfaces
Currently "add_router_interface" and "remove_router_interface"
policy rules have the "update_router" prefix and thus are never
enforced. Removing the prefix activates the rules.

Also moved some rules, so that all router-related rules are
now grouped together.

Closes-Bug: 1356678
Change-Id: Ib6cc45f2c6d0c7ae394274d6196262529b9fd855
2014-08-21 18:48:31 +04:00
Elena Ezhova
dc44496094 Add rule for updating network's router:external attribute
Set admin_only rule for update_network:router:external in policy.json

Also, change the default value of router:external from attr.ATTR_NOT_SPECIFIED
to False, because each time we try to get or update a network the dict with
its attributes is extended by _extend_network_dict_l3 function which adds
router:external=False to the dict if this attribute is not specified.
Thus, if the default value is not specified, router:external is considered
to be updated in any case and the policy rule is applied.

Change-Id: I899d98c7d8c9d9863ac5d8f992b6a2d507ec4482
Closes-Bug: 1338880
2014-07-22 12:27:14 +04:00
Swaminathan Vasudevan
1caa51ea68 Add L3 Extension for Distributed Routers
This patch introduces the model and extension
framework for implementing distributed virtual
routing on top of Open vSwitch.

A new admin-only 'distributed' (as opposed to a
'centralized' or legacy-mode) attribute is added
to the API router resource. It is possible to convert
an existing (centralized) router to a distributed
one; the opposite conversion, even though allowed by
the API, may not be honored by the underlying
plugin implementation and an appropriate error will
be reported.

When creating a router (regardless of the user role),
Neutron will rely on a system wide configuration, whose
default currently allows to create 'centralized' routers.

Tests are added for basic unit coverage; when the first
building blocks for neutron-testing-refactor
are complete, functional testing will be added.
This is because we should be moving away from how
extension tests have been done up until now.

Partially-implements: blueprint neutron-ovs-dvr

DocImpact

Change-Id: I7227fbe2718eba6665a5afb5dcaaaa77b341091f
Authored-by:    Swaminathan Vasudevan <swaminathan.vasudevan@hp.com>
Co-Authored-By: Armando Migliaccio <armamig@gmail.com>
2014-07-16 07:33:43 -07:00
Eugene Nikanorov
0f7cfee155 Disallow regular user to update firewall's shared attribute
Shared firewalls should only be operable by  admins.
Currently only admin can provide shared attribute at firewall creation,
so update_firewall should be consistent with that as well.

Change-Id: I093743514637824207b375d724404d51f778d012
Closes-Bug: #1323322
2014-05-28 17:37:17 +04:00
Salvatore Orlando
9b2b5e1482 Perform policy checks only once on list responses
The policy engine is currently being called for every attribute
of every resource to be returned by a list response. This is
harming the API performance; moreover such a high number of checks
is also unnecessary.

This patch therefore slightly changes the API logic so that list
response first determine the list of attributes which should be
returned querying the policy engine and then use this list for
all resource items to be returned.

To this aim a few methods in base.py needed to be refactored.
This patch also removes the routine check_if_exists from policy.py
and the related PolicyNotFound exception.

Finally, this patch also removes unnecessary admin_or_owner rules
when applied to attributes. This kind of rule indeed has no effect
anyway because of Neutron's ownership checks. The rules were removed
because this change won't allow anymore for having attribute-level
policies whose evaluation result depends on the resource value.

Implements blueprint faster-list-responses

Change-Id: I21b8273add5d5984f512ad94af5a99cf0b0a5d93
2014-05-06 03:52:29 -07:00
Bob Kukura
be8a068943 Replace binding:capabilities with binding:vif_details
In addition to binding:vif_type, the neutron core plugin needs to
supply various information to nova's VIF driver, such as VIF security
details and PCI details when SR-IOV is being used. This information is
read-only, requires admin privileges, and is not intended for normal
users. Rather than add separate mechanisms throughout the stack for
each such requirement, the binding:capabilities port attibute, which
is a dictionary and is not currently not used by nova, is renamed to
binding:vif_details to serve as a general-purpose mechanism for
supplying binding-specific details to the VIF driver.

This patch does not remove or replace the CAP_PORT_FILTER boolean
previously used in binding:capabilities. A separate patch should
implement the specific key/value pairs carried by binding:vif_details
to implement VIF security. Another patch will implement the key/value
pairs needed for SR-IOV.

The ML2 plugin now allows the bound mechanism driver to supply the
binding:vif_details dictionary content, instead of just the
CAP_PORT_FILTER boolean previously carried by the binding:capabilities
attribute.

DocImpact: Need to update portbinding extension API, but no impact on
user or administrator documentation.

Implements: blueprint vif-details
Related-Bug: 1112912
Change-Id: I34be746fcfa73c70f72b4f9add8eff3ac88c723f
2014-02-23 22:56:45 -05:00
Irena Berezovsky
9623e6c967 Add support to request vnic type on port
This patch adds support for requested vnic_type to be plugged to neutron port to ML2 plugin.
This patch contains:
1. New attribute 'binding:vnic_type' added to port binding extension.
   Possible values are 'direct', 'macvtap' and 'normal'.
   'binding:vnic_type' is allowed to be defined on port creation or changed
   on port update by admin or tenant user.
   'binding:vnic_type' can be also skipped in port defintion
2. Management of vnic_type by ML2 plugin, assuming default
vnic_type=normal
3. Add 'vnic_type' to ml2_port_bindings DB table
4. Add supported vnic_types for MechanismDrivers that are capable to bind
port.
5. Add DB migration script for ml2_vnic_type.

DocImpact: Need to update portbindings API docs and include in SR-IOV user docs

Change-Id: Ic88708fa9ece742f807c1d09bb49e499f99bd092
Implements: blueprint ml2-request-vnic-type
2014-02-20 07:29:38 +02:00
armando-migliaccio
deef3471cb Add migration support from agent to NSX dhcp/metadata services
This is feature patch (3 of 3) that introduces support for
transitioning existing NSX-based deployments from the agent
based model of providing dhcp and metadata proxy services
to the new agentless based mode. In 'combined' mode, existing
networks will still be served by the existing infrastructure,
whereas new networks will be served by the new infrastructure.

Networks may be migrated to the model using a new CLI tool
provided, called 'neutron-nsx-manage'. Currently the tool
provides two admin-only commands:

  neutron-nsx-manage net-report <net-id-or-name>

This will check that the network can be migrated and returns
the resources currently in use. And:

  neutron-nsx-manage net-migrate <net-id-or-name>

This will move the network over the new model and deallocate
resources from the agent. Once a network has been migrated
there is no turning back.

Completes-blueprint nsx-integrated-services

Change-Id: I37c9aa0e76124e1023899106406de7be6714c24d
2014-02-10 17:27:14 -08:00
Stephen Ma
e4836bd08c Disallow non-admin users update net's shared attribute
Currently non-admin user cannot create a network with
shared=True. But the user can create the network and then
change the shared attribute to True.

This patch will no longer allow non-admin user to update a
network's shared value to True.

Change-Id: Id596ee399c56b9882efab97a89dbf7d14c5cf7f4
Closes-Bug: 1268823
2014-01-28 05:48:34 +00:00