Update Neutron Configuration for Liberty

This patch includes the updates to the configuration files for Neutron for the Liberty release. Files Removed: - rootwrap.d/nec-plugin.filters - rootwrap.d/ryu-plugin.filters Variables removed due to upstream deprecation: - neutron_l3_router_delete_namespaces - neutron_dhcp_delete_namespaces Defaults changed to match new upstream defaults: - neutron_driver_network_scheduler - neutron_driver_quota Upgrade Notes: - The LinuxBridge configuration has been seperated out from plugins/ml2/ml2_conf.ini to plugins/ml2/linuxbridge_agent.ini - prevent_arp_spoofing is now set to the upstream default, which is True. DocImpact UpgradeImpact Closes-Bug: #1482756 Implements: blueprint liberty-release Change-Id: I879fd37db2e699bc3d48bcdd65ec7888b0f3f1a9
2015-10-14 19:35:45 +01:00
parent 725a535335
commit 66dc88adc0
23 changed files with 149 additions and 142 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -102,11 +102,11 @@ neutron_services:
 neutron-linuxbridge-agent:
   service_name: neutron-linuxbridge-agent
   service_en: True
-   service_conf: plugins/ml2/ml2_conf.ini
+   service_conf: plugins/ml2/linuxbridge_agent.ini
   service_group: neutron_linuxbridge_agent
   service_rootwrap: rootwrap.d/linuxbridge-plugin.filters
-   config_options: --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
+   config_options: --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini
-   config_overrides: "{{ neutron_ml2_conf_ini_overrides }}"
+   config_overrides: "{{ neutron_linuxbridge_agent_ini_overrides }}"
   config_type: "ini"
 neutron-metadata-agent:
   service_name: neutron-metadata-agent
@@ -140,14 +140,14 @@ neutron_services:
   config_options: --config-file /etc/neutron/neutron.conf --config-file "/etc/neutron/{{ neutron_plugins[neutron_plugin_type].plugin_ini }}"
 ## Drivers
-neutron_driver_network_scheduler: neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler
+neutron_driver_network_scheduler: neutron.scheduler.dhcp_agent_scheduler.WeightScheduler
 neutron_driver_router_scheduler: neutron.scheduler.l3_agent_scheduler.LeastRoutersScheduler
 neutron_driver_loadbalancer_pool_scheduler: neutron.services.loadbalancer.agent_scheduler.ChanceScheduler
 neutron_driver_interface: neutron.agent.linux.interface.BridgeInterfaceDriver
 neutron_driver_metering: neutron.services.metering.drivers.iptables.iptables_driver.IptablesMeteringDriver
 neutron_driver_dhcp: neutron.agent.linux.dhcp.Dnsmasq
 neutron_driver_notification: neutron.openstack.common.notifier.rpc_notifier
-neutron_driver_quota: neutron.db.quota_db.DbQuotaDriver
+neutron_driver_quota: neutron.db.quota.driver.DbQuotaDriver
 neutron_driver_firewall: neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
 ## Quotas
@@ -218,9 +218,6 @@ neutron_agent_polling_interval: 5
 neutron_report_interval: "{{ neutron_agent_down_time | int / 2 | int }}"
 neutron_network_device_mtu: 1450
 # L3 configuration options
 neutron_l3_router_delete_namespaces: True
 # L3HA configuration options.
 neutron_ha_vrrp_advert_int: 2
 neutron_ha_vrrp_auth_password: None
@@ -274,7 +271,6 @@ neutron_vxlan_group: ""
 neutron_vxlan_enabled: true
 neutron_dhcp_domain: openstacklocal
 neutron_dhcp_delete_namespaces: True
 # Comma-separated list of DNS servers which will be used by dnsmasq as forwarders.
 neutron_dnsmasq_dns_servers: ""
 # Limit number of leases to prevent a denial-of-service.
@@ -350,3 +346,4 @@ neutron_dnsmasq_neutron_conf_overrides: {}
 neutron_l3_agent_ini_overrides: {}
 neutron_metadata_agent_ini_overrides: {}
 neutron_metering_agent_ini_overrides: {}
 neutron_linuxbridge_agent_ini_overrides: {}
--- a/templates/rootwrap.d/debug.filters.j2
+++ b/templates/rootwrap.d/debug.filters.j2
@@ -10,5 +10,9 @@
 # This is needed because we should ping
 # from inside a namespace which requires root
 # _alt variants allow to match -c and -w in any order
 #   (used by NeutronDebugAgent.ping_all)
 ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
 ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
 ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
 ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
--- a/templates/rootwrap.d/dhcp.filters.j2
+++ b/templates/rootwrap.d/dhcp.filters.j2
@@ -23,10 +23,6 @@ dhcp_release: CommandFilter, dhcp_release, root
 # metadata proxy
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
 # If installed from source (say, by devstack), the prefix will be
 # /usr/local instead of /usr/bin.
 metadata_proxy_local: CommandFilter, {{ neutron_bin }}/neutron-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
 kill_metadata: KillFilter, root, python, -9
 kill_metadata7: KillFilter, root, python2.7, -9
--- a/files/rootwrap.d/dibbler.filters
+++ b/files/rootwrap.d/dibbler.filters
@@ -0,0 +1,16 @@
 # neutron-rootwrap command filters for nodes on which neutron is
 # expected to control network
 #
 # This file should be owned by (and only-writeable by) the root user
 # format seems to be
 # cmd-name: filter-name, raw-command, user, args
 [Filters]
 # Filters for the dibbler-based reference implementation of the pluggable
 # Prefix Delegation driver. Other implementations using an alternative agent
 # should include a similar filter in this folder.
 # prefix_delegation_agent
 dibbler-client: CommandFilter, dibbler-client, root
--- a/templates/rootwrap.d/nec-plugin.filters.j2
+++ b/templates/rootwrap.d/nec-plugin.filters.j2
@@ -8,5 +8,4 @@
 [Filters]
-# nec_neutron_agent
+ebtables: CommandFilter, ebtables, root
 ovs-vsctl: CommandFilter, ovs-vsctl, root
--- a/templates/rootwrap.d/ipset-firewall.filters.j2
+++ b/templates/rootwrap.d/ipset-firewall.filters.j2
--- a/templates/rootwrap.d/iptables-firewall.filters.j2
+++ b/templates/rootwrap.d/iptables-firewall.filters.j2
--- a/templates/rootwrap.d/l3.filters.j2
+++ b/templates/rootwrap.d/l3.filters.j2
@@ -18,10 +18,6 @@ radvd: CommandFilter, radvd, root
 # metadata proxy
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
 # If installed from source (say, by devstack), the prefix will be
 # /usr/local instead of /usr/bin.
 metadata_proxy_local: CommandFilter, {{ neutron_bin }}/neutron-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
 kill_metadata: KillFilter, root, python, -9
 kill_metadata7: KillFilter, root, python2.7, -9
--- a/templates/rootwrap.d/lbaas-haproxy.filters.j2
+++ b/templates/rootwrap.d/lbaas-haproxy.filters.j2
--- a/templates/rootwrap.d/linuxbridge-plugin.filters.j2
+++ b/templates/rootwrap.d/linuxbridge-plugin.filters.j2
--- a/templates/rootwrap.d/openvswitch-plugin.filters.j2
+++ b/templates/rootwrap.d/openvswitch-plugin.filters.j2
@@ -12,6 +12,7 @@
 # unclear whether both variants are necessary, but I'm transliterating
 # from the old mechanism
 ovs-vsctl: CommandFilter, ovs-vsctl, root
 # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
 ovs-ofctl: CommandFilter, ovs-ofctl, root
 kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
 ovsdb-client: CommandFilter, ovsdb-client, root
--- a/files/rootwrap.d/vpnaas.filters
+++ b/files/rootwrap.d/vpnaas.filters
@@ -0,0 +1,17 @@
 # neutron-rootwrap command filters for nodes on which neutron is
 # expected to control network
 #
 # This file should be owned by (and only-writeable by) the root user
 # format seems to be
 # cmd-name: filter-name, raw-command, user, args
 [Filters]
 ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root
 ipsec: CommandFilter, ipsec, root
 strongswan: CommandFilter, strongswan, root
 neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
 neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
 chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets
--- a/tasks/neutron_post_install.yml
+++ b/tasks/neutron_post_install.yml
@@ -79,34 +79,34 @@
  when:
       - item.value.service_en | bool
       - item.value.service_conf is defined
-       - inventory_hostname in groups['neutron_agents_container']
+       - (inventory_hostname in groups['neutron_agents_container'] or
         inventory_hostname in groups['neutron_linuxbridge_agent'])
  tags:
    - neutron-config
 - name: Drop neutron Configs
-  template:
+  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: "{{ neutron_system_user_name }}"
    group: "{{ neutron_system_group_name }}"
  with_items:
-    - { src: "rootwrap.d/debug.filters.j2", dest: "/etc/neutron/rootwrap.d/debug.filters" }
+    - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" }
-    - { src: "rootwrap.d/ipset-firewall.filters.j2", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" }
+    - { src: "rootwrap.d/dibbler.filters", dest: "/etc/neutron/rootwrap.d/dibbler.filters" }
-    - { src: "rootwrap.d/iptables-firewall.filters.j2", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" }
+    - { src: "rootwrap.d/ipset-firewall.filters", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" }
-    - { src: "rootwrap.d/nec-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/nec-plugin.filters" }
+    - { src: "rootwrap.d/iptables-firewall.filters", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" }
-    - { src: "rootwrap.d/openvswitch-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" }
+    - { src: "rootwrap.d/openvswitch-plugin.filters", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" }
-    - { src: "rootwrap.d/ryu-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/ryu-plugin.filters" }
+    - { src: "rootwrap.d/lbaas-haproxy.filters", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" }
-    - { src: "rootwrap.d/lbaas-haproxy.filters.j2", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" }
+    - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
-    - { src: "rootwrap.d/vpnaas.filters.j2", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
+    - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
    - { src: "rootwrap.d/ebtables.filters.j2", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
  notify:
    - Restart neutron services
  tags:
    - neutron-config
 - name: Drop neutron agent filters
-  template:
+  copy:
-    src: "{{ item.value.service_rootwrap }}.j2"
+    src: "{{ item.value.service_rootwrap }}"
    dest: "/etc/neutron/{{ item.value.service_rootwrap }}"
    owner: "{{ neutron_system_user_name }}"
    group: "{{ neutron_system_group_name }}"
--- a/templates/api-paste.ini.j2
+++ b/templates/api-paste.ini.j2
@@ -9,10 +9,10 @@ noauth = request_id catch_errors extensions neutronapiapp_v2_0
 keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
 [filter:request_id]
-paste.filter_factory = oslo.middleware:RequestId.factory
+paste.filter_factory = oslo_middleware:RequestId.factory
 [filter:catch_errors]
-paste.filter_factory = oslo.middleware:CatchErrors.factory
+paste.filter_factory = oslo_middleware:CatchErrors.factory
 [filter:keystonecontext]
 paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
--- a/templates/dhcp_agent.ini.j2
+++ b/templates/dhcp_agent.ini.j2
@@ -24,7 +24,3 @@ dnsmasq_lease_max = {{ neutron_dnsmasq_lease_max }}
 # Metadata
 enable_isolated_metadata = True
 # Delete defunct namespaces
 dhcp_delete_namespaces = {{ neutron_dhcp_delete_namespaces }}
--- a/templates/l3_agent.ini.j2
+++ b/templates/l3_agent.ini.j2
@@ -5,7 +5,9 @@
 verbose = {{ verbose }}
 debug = {{ debug }}
-handle_internal_only_routers = True
+# While this option is deprecated in Liberty, if we remove it then it takes
 # a default value of 'br-ex', which we do not want. We therefore leave it
 # in place for now and can remove it in Mitaka.
 external_network_bridge = {{ neutron_external_network_bridge }}
 gateway_external_network_id = {{ neutron_gateway_external_network_id }}
@@ -36,6 +38,3 @@ send_arp_for_ha = 3
 # Metadata
 enable_metadata_proxy = True
 # Delete defunct namespaces
 router_delete_namespaces = {{ neutron_l3_router_delete_namespaces }}
--- a/templates/neutron.conf.j2
+++ b/templates/neutron.conf.j2
@@ -8,7 +8,6 @@
 verbose = {{ verbose }}
 debug = {{ debug }}
 fatal_deprecations = {{ neutron_fatal_deprecations }}
 use_syslog = False
 log_file = /var/log/neutron/neutron.log
 {% if inventory_hostname in groups['neutron_server'] %}
@@ -69,7 +68,7 @@ nova_url = {{ nova_service_adminurl|replace('/%(tenant_id)s', '') }}
 ## Rpc all
 rpc_backend = {{ neutron_rpc_backend }}
-rpc_thread_pool_size = {{ neutron_rpc_thread_pool_size }}
+executor__thread_pool_size = {{ neutron_rpc_thread_pool_size }}
 rpc_conn_pool_size = {{ neutron_rpc_conn_pool_size }}
 rpc_response_timeout = {{ neutron_rpc_response_timeout }}
--- a/templates/plugins/ml2/linuxbridge_agent.ini.j2
+++ b/templates/plugins/ml2/linuxbridge_agent.ini.j2
@@ -0,0 +1,32 @@
 # {{ ansible_managed }}
 # Linux bridge agent physical interface mappings
 [linux_bridge]
 {% if neutron_provider_networks.network_mappings is defined %}
 physical_interface_mappings = {{ neutron_provider_networks.network_mappings }}
 {% endif %}
 # Linux bridge agent VXLAN networks
 [vxlan]
 {% if neutron_vxlan_enabled | bool %}
 enable_vxlan = True
 vxlan_group = {{ neutron_vxlan_group }}
 # VXLAN local tunnel endpoint
 local_ip = {{ neutron_local_ip }}
 l2_population = {{ neutron_l2_population }}
 {% else %}
 # Disable VXLAN for deployments with only flat or VLAN networks
 enable_vxlan = False
 {% endif %}
 # Agent
 [agent]
 # Security groups
 [securitygroup]
 firewall_driver = {{ neutron_driver_firewall }}
 enable_security_group = True
--- a/templates/plugins/ml2/ml2_conf.ini.j2
+++ b/templates/plugins/ml2/ml2_conf.ini.j2
@@ -1,12 +1,11 @@
 # {{ ansible_managed }}
 {% if inventory_hostname in groups['neutron_server'] %}
 # ML2 general
 [ml2]
 type_drivers = {{ neutron_ml2_drivers_type }}
 tenant_network_types = {{ neutron_provider_networks.network_types }}
 mechanism_drivers = {{ neutron_ml2_mechanism_drivers }}
 extension_drivers = port_security
 path_mtu = 0
 segment_mtu = 0
@@ -33,53 +32,9 @@ network_vlan_ranges = {{ neutron_provider_networks.network_vlan_ranges }}
 vxlan_group = {{ neutron_vxlan_group }}
 vni_ranges = {{ neutron_provider_networks.network_vxlan_ranges }}
 {% endif %}
 {% endif %}
 {% if inventory_hostname in groups['neutron_linuxbridge_agent'] %}
 # Linux bridge agent VXLAN networks
 [vxlan]
 {% if neutron_vxlan_enabled | bool %}
 enable_vxlan = True
 vxlan_group = {{ neutron_vxlan_group }}
 # VXLAN local tunnel endpoint
 local_ip = {{ neutron_local_ip }}
 l2_population = {{ neutron_l2_population }}
 {% else %}
 # Disable VXLAN for deployments with only flat or VLAN networks
 enable_vxlan = False
 {% endif %}
 {% if neutron_provider_networks.network_mappings is defined %}
 # Linux bridge agent physical interface mappings
 [linux_bridge]
 physical_interface_mappings = {{ neutron_provider_networks.network_mappings }}
 {% endif %}
 # Agent
 [agent]
 # TODO: Allow this to be the default of True once the upstream issue
 # with access through floating IP's is fixed (odyssey4me re: liberty-2)
 prevent_arp_spoofing = False
 # L2 population
 [l2pop]
 agent_boot_time = 180
 {% endif %}
 # Security groups
 [securitygroup]
 enable_security_group = True
 enable_ipset = True
 firewall_driver = {{ neutron_driver_firewall }}
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@@ -1,14 +1,17 @@
 {
    "context_is_admin":  "role:admin",
-    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
+    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_owner": "rule:context_is_admin or rule:owner",
    "context_is_advsvc":  "role:advsvc",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "admin_owner_or_network_owner": "rule:admin_or_network_owner or rule:owner",
    "admin_only": "rule:context_is_admin",
    "regular_user": "",
    "shared": "field:networks:shared=True",
    "shared_firewalls": "field:firewalls:shared=True",
    "shared_firewall_policies": "field:firewall_policies:shared=True",
    "shared_subnetpools": "field:subnetpools:shared=True",
    "shared_address_scopes": "field:address_scopes:shared=True",
    "external": "field:networks:router:external=True",
    "default": "rule:admin_or_owner",
@@ -23,6 +26,13 @@
    "update_subnetpool": "rule:admin_or_owner",
    "delete_subnetpool": "rule:admin_or_owner",
    "create_address_scope": "",
    "create_address_scope:shared": "rule:admin_only",
    "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
    "update_address_scope": "rule:admin_or_owner",
    "update_address_scope:shared": "rule:admin_only",
    "delete_address_scope": "rule:admin_or_owner",
    "create_network": "",
    "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
    "get_network:router:external": "rule:regular_user",
@@ -46,27 +56,32 @@
    "update_network:router:external": "rule:admin_only",
    "delete_network": "rule:admin_or_owner",
    "network_device": "field:port:device_owner=~^network:",
    "create_port": "",
    "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
    "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
    "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
    "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
    "create_port:binding:host_id": "rule:admin_only",
    "create_port:binding:profile": "rule:admin_only",
    "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
-    "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
+    "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
    "get_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
    "get_port:queue_id": "rule:admin_only",
    "get_port:binding:vif_type": "rule:admin_only",
    "get_port:binding:vif_details": "rule:admin_only",
    "get_port:binding:host_id": "rule:admin_only",
    "get_port:binding:profile": "rule:admin_only",
    "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
    "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
    "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
    "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
    "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
    "update_port:binding:host_id": "rule:admin_only",
    "update_port:binding:profile": "rule:admin_only",
    "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
-    "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
+    "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
    "delete_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
    "get_router:ha": "rule:admin_only",
    "create_router": "rule:regular_user",
@@ -100,6 +115,9 @@
    "update_firewall_policy": "rule:admin_or_owner",
    "delete_firewall_policy": "rule:admin_or_owner",
    "insert_rule": "rule:admin_or_owner",
    "remove_rule": "rule:admin_or_owner",
    "create_firewall_rule": "",
    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
    "update_firewall_rule": "rule:admin_or_owner",
@@ -150,5 +168,34 @@
    "get_service_provider": "rule:regular_user",
    "get_lsn": "rule:admin_only",
-    "create_lsn": "rule:admin_only"
+    "create_lsn": "rule:admin_only",
    "create_flavor": "rule:admin_only",
    "update_flavor": "rule:admin_only",
    "delete_flavor": "rule:admin_only",
    "get_flavors": "rule:regular_user",
    "get_flavor": "rule:regular_user",
    "create_service_profile": "rule:admin_only",
    "update_service_profile": "rule:admin_only",
    "delete_service_profile": "rule:admin_only",
    "get_service_profiles": "rule:admin_only",
    "get_service_profile": "rule:admin_only",
    "get_policy": "rule:regular_user",
    "create_policy": "rule:admin_only",
    "update_policy": "rule:admin_only",
    "delete_policy": "rule:admin_only",
    "get_policy_bandwidth_limit_rule": "rule:regular_user",
    "create_policy_bandwidth_limit_rule": "rule:admin_only",
    "delete_policy_bandwidth_limit_rule": "rule:admin_only",
    "update_policy_bandwidth_limit_rule": "rule:admin_only",
    "get_rule_type": "rule:regular_user",
    "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
    "create_rbac_policy": "",
    "create_rbac_policy:target_tenant": "rule:restrict_wildcard",
    "update_rbac_policy": "rule:admin_or_owner",
    "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
    "get_rbac_policy": "rule:admin_or_owner",
    "delete_rbac_policy": "rule:admin_or_owner"
 }
--- a/templates/rootwrap.d/ebtables.filters.j2
+++ b/templates/rootwrap.d/ebtables.filters.j2
@@ -1,13 +0,0 @@
 # neutron-rootwrap command filters for nodes on which neutron is
 # expected to control network
 #
 # This file should be owned by (and only-writeable by) the root user
 # format seems to be
 # cmd-name: filter-name, raw-command, user, args
 [Filters]
 # neutron/agent/linux/ebtables_driver.py
 ebtables: CommandFilter, ebtables, root
 ebtablesEnv: EnvFilter, ebtables, root, EBTABLES_ATOMIC_FILE=
--- a/templates/rootwrap.d/ryu-plugin.filters.j2
+++ b/templates/rootwrap.d/ryu-plugin.filters.j2
@@ -1,21 +0,0 @@
 # neutron-rootwrap command filters for nodes on which neutron is
 # expected to control network
 #
 # This file should be owned by (and only-writeable by) the root user
 # format seems to be
 # cmd-name: filter-name, raw-command, user, args
 [Filters]
 # ryu-agent
 # unclear whether both variants are necessary, but I'm transliterating
 # from the old mechanism
 # neutron/plugins/ryu/agent/ryu_neutron_agent.py:
 #   "ovs-vsctl", "--timeout=2", ...
 ovs-vsctl: CommandFilter, ovs-vsctl, root
 # neutron/plugins/ryu/agent/ryu_neutron_agent.py:
 #   "xe", "vif-param-get", ...
 xe: CommandFilter, xe, root
--- a/templates/rootwrap.d/vpnaas.filters.j2
+++ b/templates/rootwrap.d/vpnaas.filters.j2
@@ -1,13 +0,0 @@
 # neutron-rootwrap command filters for nodes on which neutron is
 # expected to control network
 #
 # This file should be owned by (and only-writeable by) the root user
 # format seems to be
 # cmd-name: filter-name, raw-command, user, args
 [Filters]
 ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root
 openswan: CommandFilter, ipsec, root