4595899f7f
This adds the new API endpoint to create, update, and delete role-based access control entries. These entries enable tenants to grant access to other tenants to perform an action on an object they do not own. This was previously done using a single 'shared' flag; however, this was too coarse because an object would either be private to a tenant or it would be shared with every tenant. In addition to introducing the API, this patch also adds support to for the new entries in Neutron networks. This means tenants can now share their networks with specific tenants as long as they know the tenant ID. This feature is backwards-compatible with the previous 'shared' attribute in the API. So if a deployer doesn't want this new feature enabled, all of the RBAC operations can be blocked in policy.json and networks can still be globally shared in the legacy manner. Even though this feature is referred to as role-based access control, this first version only supports sharing networks with specific tenant IDs because Neutron currently doesn't have integration with Keystone to handle changes in a tenant's roles/groups/etc. DocImpact APIImpact Change-Id: Ib90e2a931df068f417faf26e9c3780dc3c468867 Partially-Implements: blueprint rbac-networks |
||
---|---|---|
.. | ||
common | ||
services | ||
__init__.py | ||
auth.py | ||
config.py | ||
exceptions.py | ||
manager.py | ||
README.rst | ||
test.py |
WARNING
The files under this path were copied from tempest as part of the move of the api tests, and they will be removed as the required functionality is transitioned from tempest to tempest-lib. While it exists, only neutron.tests.api and neutron.tests.retargetable should be importing files from this path. neutron.tests.tempest.config uses the global cfg.CONF instance and importing it outside of the api tests has the potential to break Neutron's use of cfg.CONF.