Commit Graph

42 Commits (d568fee34be36ca17a9124fe6539f62d702d6359)

Author SHA1 Message Date
Bob Kukura be8a068943 Replace binding:capabilities with binding:vif_details
In addition to binding:vif_type, the neutron core plugin needs to
supply various information to nova's VIF driver, such as VIF security
details and PCI details when SR-IOV is being used. This information is
read-only, requires admin privileges, and is not intended for normal
users. Rather than add separate mechanisms throughout the stack for
each such requirement, the binding:capabilities port attibute, which
is a dictionary and is not currently not used by nova, is renamed to
binding:vif_details to serve as a general-purpose mechanism for
supplying binding-specific details to the VIF driver.

This patch does not remove or replace the CAP_PORT_FILTER boolean
previously used in binding:capabilities. A separate patch should
implement the specific key/value pairs carried by binding:vif_details
to implement VIF security. Another patch will implement the key/value
pairs needed for SR-IOV.

The ML2 plugin now allows the bound mechanism driver to supply the
binding:vif_details dictionary content, instead of just the
CAP_PORT_FILTER boolean previously carried by the binding:capabilities

DocImpact: Need to update portbinding extension API, but no impact on
user or administrator documentation.

Implements: blueprint vif-details
Related-Bug: 1112912
Change-Id: I34be746fcfa73c70f72b4f9add8eff3ac88c723f
9 years ago
Irena Berezovsky 9623e6c967 Add support to request vnic type on port
This patch adds support for requested vnic_type to be plugged to neutron port to ML2 plugin.
This patch contains:
1. New attribute 'binding:vnic_type' added to port binding extension.
   Possible values are 'direct', 'macvtap' and 'normal'.
   'binding:vnic_type' is allowed to be defined on port creation or changed
   on port update by admin or tenant user.
   'binding:vnic_type' can be also skipped in port defintion
2. Management of vnic_type by ML2 plugin, assuming default
3. Add 'vnic_type' to ml2_port_bindings DB table
4. Add supported vnic_types for MechanismDrivers that are capable to bind
5. Add DB migration script for ml2_vnic_type.

DocImpact: Need to update portbindings API docs and include in SR-IOV user docs

Change-Id: Ic88708fa9ece742f807c1d09bb49e499f99bd092
Implements: blueprint ml2-request-vnic-type
9 years ago
armando-migliaccio deef3471cb Add migration support from agent to NSX dhcp/metadata services
This is feature patch (3 of 3) that introduces support for
transitioning existing NSX-based deployments from the agent
based model of providing dhcp and metadata proxy services
to the new agentless based mode. In 'combined' mode, existing
networks will still be served by the existing infrastructure,
whereas new networks will be served by the new infrastructure.

Networks may be migrated to the model using a new CLI tool
provided, called 'neutron-nsx-manage'. Currently the tool
provides two admin-only commands:

  neutron-nsx-manage net-report <net-id-or-name>

This will check that the network can be migrated and returns
the resources currently in use. And:

  neutron-nsx-manage net-migrate <net-id-or-name>

This will move the network over the new model and deallocate
resources from the agent. Once a network has been migrated
there is no turning back.

Completes-blueprint nsx-integrated-services

Change-Id: I37c9aa0e76124e1023899106406de7be6714c24d
9 years ago
Stephen Ma e4836bd08c Disallow non-admin users update net's shared attribute
Currently non-admin user cannot create a network with
shared=True. But the user can create the network and then
change the shared attribute to True.

This patch will no longer allow non-admin user to update a
network's shared value to True.

Change-Id: Id596ee399c56b9882efab97a89dbf7d14c5cf7f4
Closes-Bug: 1268823
9 years ago
Jenkins bf7a8951d6 Merge "Allow sharing of firewall rules and policies in policy.json" 10 years ago
Eugene Nikanorov 3726f0fb48 Allow non-admin user to list service providers
Add get_service_provider rule to policy.json

Change-Id: If4f8103231694fbf79088f7a95a277d68eecce0f
Closes-Bug: #1227697
10 years ago
Dan Florea fef1ced970 Allow sharing of firewall rules and policies in policy.json
Updated policy for firewall_policy and firewall_rule to allow sharing
among tenants. Added a new firewall sharing rule to enable this.

Change-Id: I5d4d9f94fb3abffe4d1b03c46fd5b13a8a4a4f09
Fixes: bug #1217103
10 years ago
Akihiro MOTOKI c06550e6fe Disallow non-admin to specify binding:profile
Change-Id: Iefa4b251f3b0a373fb9b2b7d576e14d58afece59
Fixes-Bug: #1214873
10 years ago
Aaron Rosen d16e185d34 Add multiple provider network extension
The following commit adds the ability to associate multiple
different provider networks on a single network.

Implements blueprint map-networks-to-multiple-provider-networks

Change-Id: I3c70fb2426899f728a401566debab7f66e7246bc
10 years ago
Sylvain Afchain 81156e4a39 Add metering extension and base class
This a part of the blueprint bandwidth-router-label

This patch initiates the blueprint by adding base class
to associate labels and metering rules to tenant's routers.

Change-Id: Ia93b49d881e79c3291730cff7b80f26c56fedb48
10 years ago
Abhishek Raut b49cc5b771 Add support for the Nexus 1000V into the Cisco Plugin.
This will enable the Cisco Nexus 1000V to integrate with the Cisco plugin
and be used to drive the realization of Neutron constructs.
Network profile and Policy profile are introduced as extended neutron
resources, while n1kv:profile_id is introduced as an extended attribute
for network and port objects. Necessary changes to the Cisco plugin are
made to accomodate Nexus 1000V as a configurable vswitch plugin.

Implements: blueprint cisco-plugin-n1k-support
Change-Id: I951e10c57d74c935fca8754c0e21e1ac9df35704
10 years ago
snaiksat a5a88c7ed3 Firewall as a Service (FWaaS) APIs and DB Model
Implements: blueprint quantum-fwaas

blueprint: quantum-fwaas-plugin

This is the first iteration of the FWaaS implementation and
is geared towards implementing the model that will be
required to at least address the reference implementation.

This iteration will not include implementation of the following
* grouping or dynamic objects
* application/service objects

Change-Id: I57a62d6e9d3f1e6c4dd44cd5c745710a3d9e488e
10 years ago
Eugene Nikanorov 1b36e20771 Service Type Framework refactoring
implements blueprint service-type-framework-cleanup

* Defines logic and API for ServiceProvider - read-only entity
that admins provide in configuration and which is stored in memory
* ServiceType entity which maps to ServiceOfferings in new terms
is removed for now.
* Routed service insertion fixed to not to refer to service providers.
* In case configuration changes and some service providers are removed
then the resources must be cleanup in a special way (undeploy logical
resources). This is a matter of future work
* Add migration.

Change-Id: I400ad8f544ec8bdc7d2efb597c995f284ff05829
10 years ago
Yong Sheng Gong 1c8e5f1d3b remove "get_agents" rule in policy.json
Bug #1200933

keep the current API behaviour due to compatibility
and leave list op authz in new API version.

Change-Id: Ia0a9b8738fa8ffe913d2e2b1ef28232abb18340d
10 years ago
Oleg Bondarev da65fe6951 Add agent scheduling for LBaaS namespace agent
- adds simple chance scheduling on create pool operation
- adds PoolsLoadbalancerAgentBinding db table
- adds lbaas_agentscheduler extension to list pools hosted by a particular agent
  and to get an agent hosting a particular pool
- adds agent notifiers mapping to AgentSchedulerDbMixin to make it easier
  for services to add their agent notifiers to the core plugin

Implements blueprint lbaas-agent-scheduler
Change-Id: Id98649fd5c7873dcd5be1a2b117b8bed25f06cc2
10 years ago
Salvatore Orlando 7ce9bc96ab Enable policy control over external_gateway_info sub-attributes
Part 2 of blueprint l3-ext-gw-modes

This patch extends the logic for building policy rule matches in order to
include sub-attributes as well. This logic will be leveraged by the
ext-gw-mode api extension.

Change-Id: I7f46a395597b71bb1c5110aa4e792a04a5010d4c
10 years ago
Jenkins 489f5b59b6 Merge "Reduce plugin accesses from policy engine" 10 years ago
armando-migliaccio 82ccdf893e Add API mac learning extension for NVP
This commit adds an API extension for NVP where the
NVP supported mac learning feature can be switched
on/off for a specific port. The attribute can be
True or False or omitted altogether.

Implements blueprint nvp-mac-learning-extension

Change-Id: I9173c7dfe0cf4a9ee7b0605722ce7fa01708f5ba
10 years ago
Aaron Rosen 6f9fdcb3a1 Add L3 resources to policy.json
This patch adds the l3 resources to policy.json. I tested changing the
rule to rule:admin_only for all the resources added and they were
enforced as expected.

Fixes bug 1186077

Change-Id: Ib5e2879165d9dc6416be4c96c62d6e49452d3be5
10 years ago
Salvatore Orlando 27bdfcab29 Reduce plugin accesses from policy engine
Bug 1179745

This patch introduces a new type of check whose aim is to fetch
the parent resource's owner only when a rule that explicitly needs
it needs to be checked.

Change-Id: I1ff429eb3f92b35bcb9b4c4e01b65f8c0a595f48
10 years ago
Salvatore Orlando 13f9e02a64 Remove calls to policy.check from plugin logic
Blueprint make-authz-orthogonal

This patch implements part #3 of this blueprint, according to its
It does so by allowing the view generator in the API layer to strip
off fields which do not satify authorization policies.
Also, some checks in unit tests for plugins relied on the
capability of the plugin to invoke directly the policy engine.
This checks have been removed and replaced by equivalent unit tests.
Finally, this patch required changes to most test cases for API
extensions in order to ensure the resource attribute map was
updated with the extension's attributes

Change-Id: I1ef94a8a628d34697254b68d7a539bd1c636876e
10 years ago
gongysh 73900fd0f4 add db to save host for port
blueprint portbinding-ex-db

related patch in nova:

Only OVS and linux bridge plugins now support this feature.

Change-Id: I42d9bc59130e2758dd6a221d8953d63ec10e1f3c
10 years ago
Salvatore Orlando 4d6f02440b Remove calls to policy.enforce from plugin and db logic
Blueprint make-authz-orthogonal

This patch implementes item #2 of the blueprint
Remove calls to policy.enforce when the policy check can be performed
safely at the API level, and modify policy.json to this aim.
This patch does not address enforce calls in the agent scheduler
extension, as that extension is currently not defined as a quantum.v2.api
resource class.
This patch also adds an API-level test case for the provider networks
extension, which was missing in Quantum and was necessary to validate
the API behaviour with the default policy settings.

Change-Id: I1c20a5870279bc5fce4470c90a210eae59675b0c
10 years ago
Salvatore Orlando 35988f1393 Make the 'admin' role configurable
Bug 1158434

This patch adds a new policy named 'context_is_admin' which defines
an admin user as a collection of roles or else. The quantum context
has been updated to check for this policy when setting the is_admin
This patch also adds a method for gathering 'admin' roles from policy
rules as current logic requires the context to be always populate with
the correct roles for admin rules, even when the context is implicitly
generated with get_admin_context or context.elevated.
Backward compatibility is ensuring by preserving the old behavior if
the 'context_is_admin' policy is not found in policy.json

Change-Id: I9acea75cca0c47e083a9149e358328ea3ca12d68
10 years ago
Salvatore Orlando dc110b71c1 Enable authZ checks for member actions
Blueprint make-authz-orthogonal

This implements work item #1 of the blueprint.
This patch enables authZ checks for 'member actions' in the base
controller and removes explicit checks from l3_db.
This patch also addresses a small glitch in the policy engine which
was assuming the request always had a body.

Change-Id: I7e0f386eedcfff24ea1fee7294bbadd6c5ec781c
10 years ago
Salvatore Orlando 95f677d7f3 Fix typo in policy.json and checks in nicira plugin
Bug 1155379

This patch removes extra colons from policy.json.
Also, it fixes some checks in the nicira plugin which were not
passing correctly the target resource for the policy engine.

Change-Id: I89a1d170818173eaa90b50158289a06455febadc
10 years ago
gongysh 0070b452f1 Add scheduling feature basing on agent management extension
3rd part of blueprint quantum-scheduler

1. Allow networks to be hosted by certain dhcp agents.
Network to dhcp agent is a
many to many relationship. Provide a simple
scheduler to schedule a network randomly
to an active dhcp agent when a network or port is created.
2. Allow admin user to (de)schedule network to a
certain dhcp agent manually.
3. Allow routers to be hosted by a certain l3 agent.
Router to l3 agent is a many to one relationship.
Provide a simple scheduler to
schedule a router to l3 agent if the router is not
scheduled when the router is  updated.
4. Auto schedule networks and routers to agents when agents
5. Only support ovs plugin at this point

Change-Id: Iddec3ea9d4c0fe2d51a59f7db47145722fc5a1cd
10 years ago
gongysh 881884844d Agent management extension
1/3 part of blueprint quantum-scheduler

This patch adds agent management support
to l3-agent and plugin-agent (ovs and linuxbridge).

Change-Id: Iebc272f45c7530c995f32ef3729b11cd76779385
10 years ago
Aaron Rosen 2d1762ced0 Add nvp qos extension
Implements blueprint nvp-qos-extension

Change-Id: I8ad980128407c6ddb57e5f928663e0df15cc0065
10 years ago
Aaron Rosen 2a3e25e383 Adds port security api extension and base class
Implements blueprint port-security-api-base-class
This patch also updates the _create_network/port in the unit tests
so that it does not remove false values from arg_list.
Fixes bug 1097527

Change-Id: I22b55b0ed56c830995ffb491176c801c697abe6f
10 years ago
Salvatore Orlando 3eb2cfc011 API extension and DB support for service types
Blueprint quantum-service-type

This patch allows for managing service types through the API.
The default service type is specified in the configuration file.
The patch also provides a 'dummy' API extension, which uses the
'dummy' service plugin, as a PoC for usage of service type.
The dummy API extension is used in unit tests only.

Change-Id: I97d400b941fa7925b0efa0fd0d35c07419ff6bfa
11 years ago
Gary Kotton 64f2a38bc9 Add VIF binding extensions
The is part of the blueprint vif-plugging-improvements.

The patch adds an extension to Quantum that enables the plugin to
return VIF details.

At the moment it supports openvswitch and linuxbridge.

Change-Id: Ib9b4d34e668e2ddc61c152c2c4cd4a01f2d0de40
11 years ago
Kevin L. Mitchell e943df7003 Update policies
Merge in update openstack-common policy code.

Updates Quantum-specific policy glue code to eliminate deprecated
openstack-common policy interfaces.  Also cleans up policy code
to allow for returning fine-grained policy values.

Change-Id: I2951a0de3751bd2ec868e7a661070fed624e4af2
11 years ago
Nachi Ueno 3caafd9e01 Update default policy for add/remove router interface to admin_or_owner
Fixes bug 1048891
default policy for add/remove router interface
should be admin_or_owner

Change-Id: Idc797d8a2e7dc17b517fed4668b256344438a257
11 years ago
Nachi Ueno c01e54bde2 Added policy checks for add interface and remove interface
Fixes bug 1042037
admin_only policy didn't works, so policy checks
for add interface and remove interface needed.
Also updated policy.json

Change-Id: Ifec281250ccbe1680a3e634f4efdb7ba7ef3ec94
11 years ago
Salvatore Orlando a7326a947b Policies for external networks
Bug #1042030 , part 2

Also reworks model queries in order to allow plugins and extensions
to augment them as required through hooks.

Change-Id: Ice72fc6d3b1c613d596c037818ed66d7e9ed841d
11 years ago
Dan Wendlandt 75e2dfffaf Make sure floating IPs + gateways must be on external nets
bug #1042030

- adds admin-writable, world-readable router:external attribute to
the network object if L3 extension is loaded.
- prevents floating ips from being created unless network is external
- shortens L3 extensions alias from 'os-quantum-router' to 'router' to
make attribute extensions more readable.

- Need to add policy logic so non-admin users can always see external
networks without requiring that these networks are shared (since VMs can
always create ports on shared networks, but provider may want to have
externals networks that VMs cannot directly plug into.

Random clean-up:
- prevent delete_network in plugins from implying it returns something
- modify so that exceptions during calls to
get_extended_resources() will actually be logged if unexpected.
- unset executable bit on to make sure tox
actually runs it.

Change-Id: I5bbf063927b93458da7cb467d9ad5c92ebabbbf7
11 years ago
justin ljj 8d75212460 remove policy check for host_routes in update_port
Fixes bug 1043630

Port has no 'host_routes' attribute according to the latest V2 API
specification. So, policy check for 'host_routes' is not need any
more, just remove it in this patch.

Change-Id: I925e83d9825f89265843c15e71ee5ed4c33bad5f
11 years ago
Salvatore Orlando 3dbaa356b9 Enable users to list subnets on shared networks
Fixes bug 1039591

This patch will enable regular users to list subnets on a shared
network by exposing the subnet's "shared" attribute to the policy
engine, and letting it applying different rules if the subnet is
shared or private.

Change-Id: If204f1e352c114e16251586c743f5b7fe2d1ad7d
11 years ago
Salvatore Orlando f3b64410af Adds the 'public network' concept to Quantum
Implements blueprint quantum-v2-public-networks

This patch allows Quantum to handle public networks. It modifies the
API adding a new attribute to the network resource ('shared')
and enhances the policy engine in order to handle the behaviour of
the service wrt shared networks.
Policy.json specifies a default behaviour which can be changed by
the administrator, even at runtime.
Tests added to test_db_plugin validate 'obvious' behaviour - such as
that only the ports belonging to a given tenant should be returned
even when they are queried on a public network.
Tests added to test_policy instead validate the changes added to the
policy engine.

Change-Id: I0087d449a677ed29357cd3cb4d8580bece940fdf
11 years ago
Bob Kukura f2e37172ef Initial V2 implementation of provider extension.
Initial provider extension implementation. Specify vlan_id using the
CLI with admin rights via "net-create --tenant_id <tenant-id>
<net-name> --provider:vlan_id <vlan-id>". Also includes
provider:vlan_id in reply messages for admins. The extension is
supported in the linuxbridge and openvswitch plugins.

Partially implements blueprint provider-networks.

Change-Id: I2fff64c4247b1a3091c28c7a2cd632afda192c3d
11 years ago
Kevin L. Mitchell b3a970a5e4 Add authZ through incorporation of policy checks.
Adds the policy openstack-common module and implements policy checks
for the v2 API.  Note that this cut only addresses whole objects (i.e.,
a subnet or a network or a port), not specific fields within objects.
(This means that attributes are not filtered out based on policies.)
Implements blueprint authorization-support-for-quantum.

Change-Id: I1b52b1791a1f14f0af6508a63a40a38e440f15fe
11 years ago