Convert policy.json into policy-in-code

vmware-nsx specific policies are defined as policy-in-code.

- vmware_nsx/policies/lsn.py, qos_queue.py and maclearning.py
  are moved from the neutron repo.
- vmware_nsx/policies/providersecuritygroup.py is based on the difference
  between etc/policy.json and the old neutron policy.json
- vmware_nsx/policies/security_group.py is based on
  etc/policy.d/security-groups.json
- vmware_nsx/policies/network_gateway.py is based on
  etc/policy.d/network-gateways.json

etc/policy.d/dynamic-routing.json and etc/policy.d/neutron-fwaas.json
have no policies specific to vmware-nsx, so they can be dropped and
we can use policy-in-code definitions in neutron-fwaas and
neutron-dynamic-routing.

etc/policy.d/routers.json and flow-classifier.json cannot be
converted into policy-in-code because the default policies are
different from those defined in neutron and networking-sfc.
Note that etc/policy.d/routers.json now has policies which are
different from the default policies defined in the neutron repo.
(Others are clean up by this commit.)

This commit depends on the following patches under review:

(neutron-fwaas policy-in-code support)
Depends-On: https://review.openstack.org/527282
(neutron-dynamic-routing policy-in-code support)
Depends-On: https://review.openstack.org/625429
(networking-sfc policy-in-code support)
Depends-On: https://review.openstack.org/625431
(Drop 3rd-party plugin specific policies)
Depends-On: https://review.openstack.org/625394

Partially Implements: blueprint neutron-policy-in-code

Co-Authored-By: Michal Kelner Mishali <mkelnermishal@vmware.com>
Co-Authored-By: Adit Sarfaty <asarfaty@vmware.com>
Change-Id: I96a9dbd759d54308abbc12ce65c97b06a76453cd
This commit is contained in:
Akihiro Motoki 2018-12-17 01:03:57 +09:00 committed by Kobi Samoray
parent c907da0aef
commit b7930ae821
19 changed files with 567 additions and 201 deletions

View File

@ -0,0 +1,3 @@
[DEFAULT]
output_file = etc/policy.yaml.sample
namespace = vmware-nsx

View File

@ -1,15 +0,0 @@
{
"get_bgp_speaker": "rule:admin_only",
"create_bgp_speaker": "rule:admin_only",
"update_bgp_speaker": "rule:admin_only",
"delete_bgp_speaker": "rule:admin_only",
"get_bgp_peer": "rule:admin_only",
"create_bgp_peer": "rule:admin_only",
"update_bgp_peer": "rule:admin_only",
"delete_bgp_peer": "rule:admin_only",
"add_bgp_peer": "rule:admin_only",
"remove_bgp_peer": "rule:admin_only",
"add_gateway_network": "rule:admin_only",
"remove_gateway_network": "rule:admin_only",
"get_advertised_routes":"rule:admin_only",
}

View File

@ -1,10 +0,0 @@
{
"create_network_gateway": "rule:admin_or_owner",
"update_network_gateway": "rule:admin_or_owner",
"delete_network_gateway": "rule:admin_or_owner",
"connect_network": "rule:admin_or_owner",
"disconnect_network": "rule:admin_or_owner",
"create_gateway_device": "rule:admin_or_owner",
"update_gateway_device": "rule:admin_or_owner",
"delete_gateway_device": "rule:admin_or_owner"
}

View File

@ -1,50 +0,0 @@
{
"shared_firewalls": "field:firewalls:shared=True",
"shared_firewall_policies": "field:firewall_policies:shared=True",
"shared_firewall_rules": "field:firewall_rules:shared=True",
"create_firewall": "",
"update_firewall": "rule:admin_or_owner",
"delete_firewall": "rule:admin_or_owner",
"create_firewall:shared": "rule:admin_only",
"update_firewall:shared": "rule:admin_only",
"delete_firewall:shared": "rule:admin_only",
"get_firewall": "rule:admin_or_owner or rule:shared_firewalls",
"shared_firewall_groups": "field:firewall_groups:shared=True",
"shared_firewall_policies": "field:firewall_policies:shared=True",
"shared_firewall_rules": "field:firewall_rules:shared=True",
"create_firewall_group": "",
"update_firewall_group": "rule:admin_or_owner",
"delete_firewall_group": "rule:admin_or_owner",
"create_firewall_group:shared": "rule:admin_only",
"update_firewall_group:shared": "rule:admin_only",
"delete_firewall_group:shared": "rule:admin_only",
"get_firewall_group": "rule:admin_or_owner or rule:shared_firewall_groups",
"create_firewall_policy": "",
"update_firewall_policy": "rule:admin_or_owner",
"delete_firewall_policy": "rule:admin_or_owner",
"create_firewall_policy:shared": "rule:admin_only",
"update_firewall_policy:shared": "rule:admin_only",
"delete_firewall_policy:shared": "rule:admin_only",
"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
"create_firewall_rule": "",
"update_firewall_rule": "rule:admin_or_owner",
"delete_firewall_rule": "rule:admin_or_owner",
"create_firewall_rule:shared": "rule:admin_only",
"update_firewall_rule:shared": "rule:admin_only",
"delete_firewall_rule:shared": "rule:admin_only",
"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewall_rules"
}

View File

@ -3,15 +3,6 @@
"get_router:distributed": "rule:admin_or_owner",
"update_router:distributed": "rule:admin_or_owner",
"get_router:ha": "rule:admin_only",
"create_router": "rule:regular_user",
"create_router:external_gateway_info:enable_snat": "rule:admin_or_owner",
"create_router:ha": "rule:admin_only",
"get_router": "rule:admin_or_owner",
"update_router:external_gateway_info:enable_snat": "rule:admin_or_owner",
"update_router:ha": "rule:admin_only",
"delete_router": "rule:admin_or_owner",
"add_router_interface": "rule:admin_or_owner",
"remove_router_interface": "rule:admin_or_owner",
"update_router:external_gateway_info:enable_snat": "rule:admin_or_owner"
}

View File

@ -1,8 +0,0 @@
{
"create_security_group:logging": "rule:admin_only",
"update_security_group:logging": "rule:admin_only",
"get_security_group:logging": "rule:admin_only",
"create_security_group:provider": "rule:admin_only",
"create_security_group:policy": "rule:admin_only",
"update_security_group:policy": "rule:admin_only",
}

View File

@ -1,108 +0,0 @@
{
"context_is_admin": "role:admin",
"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
"context_is_advsvc": "role:advsvc",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"shared": "field:networks:shared=True",
"shared_firewalls": "field:firewalls:shared=True",
"external": "field:networks:router:external=True",
"default": "rule:admin_or_owner",
"create_subnet": "rule:admin_or_network_owner",
"get_subnet": "rule:admin_or_owner or rule:shared",
"update_subnet": "rule:admin_or_network_owner",
"delete_subnet": "rule:admin_or_network_owner",
"create_network": "",
"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
"get_network:router:external": "rule:regular_user",
"get_network:segments": "rule:admin_only",
"get_network:provider:network_type": "rule:admin_only",
"get_network:provider:physical_network": "rule:admin_only",
"get_network:provider:segmentation_id": "rule:admin_only",
"get_network:queue_id": "rule:admin_only",
"create_network:shared": "rule:admin_only",
"create_network:router:external": "rule:admin_only",
"create_network:segments": "rule:admin_only",
"create_network:provider:network_type": "rule:admin_only",
"create_network:provider:physical_network": "rule:admin_only",
"create_network:provider:segmentation_id": "rule:admin_only",
"update_network": "rule:admin_or_owner",
"update_network:segments": "rule:admin_only",
"update_network:shared": "rule:admin_only",
"update_network:provider:network_type": "rule:admin_only",
"update_network:provider:physical_network": "rule:admin_only",
"update_network:provider:segmentation_id": "rule:admin_only",
"update_network:router:external": "rule:admin_only",
"delete_network": "rule:admin_or_owner",
"create_port": "",
"create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:binding:host_id": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only",
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"create_port:provider_security_groups": "rule:admin_only",
"get_port": "rule:admin_or_owner or rule:context_is_advsvc",
"get_port:queue_id": "rule:admin_only",
"get_port:binding:vif_type": "rule:admin_only",
"get_port:binding:vif_details": "rule:admin_only",
"get_port:binding:host_id": "rule:admin_only",
"get_port:binding:profile": "rule:admin_only",
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
"update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
"update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"update_port:binding:host_id": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only",
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
"update_port:provider_security_groups": "rule:admin_only",
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
"create_qos_queue": "rule:admin_only",
"get_qos_queue": "rule:admin_only",
"update_agent": "rule:admin_only",
"delete_agent": "rule:admin_only",
"get_agent": "rule:admin_only",
"create_dhcp-network": "rule:admin_only",
"delete_dhcp-network": "rule:admin_only",
"get_dhcp-networks": "rule:admin_only",
"create_l3-router": "rule:admin_only",
"delete_l3-router": "rule:admin_only",
"get_l3-routers": "rule:admin_only",
"get_dhcp-agents": "rule:admin_only",
"get_l3-agents": "rule:admin_only",
"get_loadbalancer-agent": "rule:admin_only",
"get_loadbalancer-pools": "rule:admin_only",
"create_floatingip": "rule:regular_user",
"create_floatingip:floating_ip_address": "rule:admin_only",
"update_floatingip": "rule:admin_or_owner",
"delete_floatingip": "rule:admin_or_owner",
"get_floatingip": "rule:admin_or_owner",
"create_network_profile": "rule:admin_only",
"update_network_profile": "rule:admin_only",
"delete_network_profile": "rule:admin_only",
"get_network_profiles": "",
"get_network_profile": "",
"update_policy_profiles": "rule:admin_only",
"get_policy_profiles": "",
"get_policy_profile": "",
"create_metering_label": "rule:admin_only",
"delete_metering_label": "rule:admin_only",
"get_metering_label": "rule:admin_only",
"create_metering_label_rule": "rule:admin_only",
"delete_metering_label_rule": "rule:admin_only",
"get_metering_label_rule": "rule:admin_only",
"get_service_provider": "rule:regular_user",
"get_lsn": "rule:admin_only",
"create_lsn": "rule:admin_only",
}

View File

@ -69,6 +69,10 @@ vmware_nsx.neutron.nsxv.router_type_drivers =
exclusive = vmware_nsx.plugins.nsx_v.drivers.exclusive_router_driver:RouterExclusiveDriver
oslo.config.opts =
nsx = vmware_nsx.opts:list_opts
oslo.policy.policies =
vmware-nsx = vmware_nsx.policies:list_rules
neutron.policies =
vmware-nsx = vmware_nsx.policies:list_rules
networking_sfc.flowclassifier.drivers =
vmware-nsxv-sfc = vmware_nsx.services.flowclassifier.nsx_v.driver:NsxvFlowClassifierDriver
openstack.cli.extension =

View File

@ -114,6 +114,7 @@ commands =
sh ./tools/coding-checks.sh --pylint '{posargs}'
neutron-db-manage --subproject vmware-nsx check_migration
{[testenv:genconfig]commands}
{[testenv:genpolicy]commands}
whitelist_externals =
sh
bash
@ -130,6 +131,7 @@ commands =
sh ./tools/coding-checks.sh --pylint '{posargs}'
neutron-db-manage --subproject vmware-nsx check_migration
{[testenv:genconfig]commands}
{[testenv:genpolicy]commands}
whitelist_externals =
sh
@ -175,6 +177,9 @@ local-check-factory = neutron_lib.hacking.checks.factory
[testenv:genconfig]
commands = {toxinidir}/tools/generate_config_file_samples.sh
[testenv:genpolicy]
commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
[testenv:uuidgen]
commands =
check-uuid --fix

View File

@ -0,0 +1,35 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import itertools
from vmware_nsx.policies import housekeeper
from vmware_nsx.policies import lsn
from vmware_nsx.policies import maclearning
from vmware_nsx.policies import network_gateway
from vmware_nsx.policies import nsxpolicy
from vmware_nsx.policies import providersecuritygroup
from vmware_nsx.policies import qos_queue
from vmware_nsx.policies import security_group
def list_rules():
return itertools.chain(
lsn.list_rules(),
maclearning.list_rules(),
network_gateway.list_rules(),
providersecuritygroup.list_rules(),
qos_queue.list_rules(),
security_group.list_rules(),
nsxpolicy.list_rules(),
housekeeper.list_rules(),
)

View File

@ -0,0 +1,22 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# TODO(amotoki): Define these in neutron or neutron-lib
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_ONLY = 'rule:admin_only'
RULE_ANY = 'rule:regular_user'
RULE_ADMIN_OR_NET_OWNER = 'rule:admin_or_network_owner'
RULE_ADVSVC = 'rule:context_is_advsvc'
RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC = '%s or %s' % (RULE_ADMIN_OR_NET_OWNER,
RULE_ADVSVC)

View File

@ -0,0 +1,38 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vmware_nsx.policies import base
rules = [
policy.DocumentedRuleDefault(
'get_housekeeper',
base.RULE_ANY,
'Get Housekeepers',
[
{
'method': 'GET',
'path': '/housekeepers',
},
{
'method': 'GET',
'path': '/housekeepers/{id}',
},
]
),
]
def list_rules():
return rules

View File

@ -0,0 +1,31 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vmware_nsx.policies import base
rules = [
policy.RuleDefault(
'create_lsn',
base.RULE_ADMIN_ONLY,
description='Create a LSN'),
policy.RuleDefault(
'get_lsn',
base.RULE_ADMIN_ONLY,
description='Get LSNs'),
]
def list_rules():
return rules

View File

@ -0,0 +1,45 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vmware_nsx.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_port:mac_learning_enabled',
base.RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC,
'Create a port with ``mac_learning_enabled`` attribute',
[
{
'method': 'POST',
'path': '/ports',
},
]
),
policy.DocumentedRuleDefault(
'update_port:mac_learning_enabled',
base.RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC,
'Update ``mac_learning_enabled`` attribute of a port',
[
{
'method': 'PUT',
'path': '/ports/{id}',
},
]
),
]
def list_rules():
return rules

View File

@ -0,0 +1,143 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vmware_nsx.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_network_gateway',
base.RULE_ADMIN_OR_OWNER,
'Create a network gateway',
[
{
'method': 'POST',
'path': '/network-gateways',
},
]
),
policy.DocumentedRuleDefault(
'update_network_gateway',
base.RULE_ADMIN_OR_OWNER,
'Update a network gateway',
[
{
'method': 'PUT',
'path': '/network-gateways/{id}',
},
]
),
policy.DocumentedRuleDefault(
'delete_network_gateway',
base.RULE_ADMIN_OR_OWNER,
'Delete a network gateway',
[
{
'method': 'DELETE',
'path': '/network-gateways/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_network_gateway',
base.RULE_ADMIN_OR_OWNER,
'Get network gateways',
[
{
'method': 'GET',
'path': '/network-gateways',
},
{
'method': 'GET',
'path': '/network-gateways/{id}',
},
]
),
policy.DocumentedRuleDefault(
'connect_network',
base.RULE_ADMIN_OR_OWNER,
'Connect a network to a network gateway',
[
{
'method': 'PUT',
'path': '/network-gateways/{id}/connect_network',
},
]
),
policy.DocumentedRuleDefault(
'disconnect_network',
base.RULE_ADMIN_OR_OWNER,
'Disconnect a network from a network gateway',
[
{
'method': 'PUT',
'path': '/network-gateways/{id}/disconnect_network',
},
]
),
policy.DocumentedRuleDefault(
'create_gateway_device',
base.RULE_ADMIN_OR_OWNER,
'Create a gateway device',
[
{
'method': 'POST',
'path': '/gateway-devices',
},
]
),
policy.DocumentedRuleDefault(
'update_gateway_device',
base.RULE_ADMIN_OR_OWNER,
'Update a gateway device',
[
{
'method': 'PUT',
'path': '/gateway-devices/{id}',
},
]
),
policy.DocumentedRuleDefault(
'delete_gateway_device',
base.RULE_ADMIN_OR_OWNER,
'Delete a gateway device',
[
{
'method': 'DELETE',
'path': '/gateway-devices/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_gateway_device',
base.RULE_ADMIN_OR_OWNER,
'Get gateway devices',
[
{
'method': 'GET',
'path': '/gateway-devices',
},
{
'method': 'GET',
'path': '/gateway-devices/{id}',
},
]
),
]
def list_rules():
return rules

View File

@ -0,0 +1,38 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vmware_nsx.policies import base
rules = [
policy.DocumentedRuleDefault(
'get_nsx_policy',
base.RULE_ANY,
'Get NSX policies',
[
{
'method': 'GET',
'path': '/nsx-policies',
},
{
'method': 'GET',
'path': '/nsx-policies/{id}',
},
]
),
]
def list_rules():
return rules

View File

@ -0,0 +1,45 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vmware_nsx.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_port:provider_security_groups',
base.RULE_ADMIN_ONLY,
'Create a port with ``provider_security_groups`` attribute',
[
{
'method': 'POST',
'path': '/ports',
},
]
),
policy.DocumentedRuleDefault(
'update_port:provider_security_groups',
base.RULE_ADMIN_ONLY,
'Update ``provider_security_groups`` attribute of a port',
[
{
'method': 'PUT',
'path': '/ports/{id}',
},
]
),
]
def list_rules():
return rules

View File

@ -0,0 +1,62 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vmware_nsx.policies import base
rules = [
policy.RuleDefault(
'create_qos_queue',
base.RULE_ADMIN_ONLY,
description='Create a QoS queue'),
policy.RuleDefault(
'get_qos_queue',
base.RULE_ADMIN_ONLY,
description='Get QoS queues'),
policy.DocumentedRuleDefault(
'get_network:queue_id',
base.RULE_ADMIN_ONLY,
'Get ``queue_id`` attributes of networks',
[
{
'method': 'GET',
'path': '/networks',
},
{
'method': 'GET',
'path': '/networks/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_port:queue_id',
base.RULE_ADMIN_ONLY,
'Get ``queue_id`` attributes of ports',
[
{
'method': 'GET',
'path': '/ports',
},
{
'method': 'GET',
'path': '/ports/{id}',
},
]
),
]
def list_rules():
return rules

View File

@ -0,0 +1,95 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vmware_nsx.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_security_group:logging',
base.RULE_ADMIN_ONLY,
'Create a security group with ``logging`` attribute',
[
{
'method': 'POST',
'path': '/security-groups',
},
]
),
policy.DocumentedRuleDefault(
'update_security_group:logging',
base.RULE_ADMIN_ONLY,
'Update ``logging`` attribute of a security group',
[
{
'method': 'PUT',
'path': '/security-groups/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_security_group:logging',
base.RULE_ADMIN_ONLY,
'Get ``logging`` attributes of security groups',
[
{
'method': 'GET',
'path': '/security-groups',
},
{
'method': 'GET',
'path': '/security-groups/{id}',
},
]
),
policy.DocumentedRuleDefault(
'create_security_group:provider',
base.RULE_ADMIN_ONLY,
'Create a security group with ``provider`` attribute',
[
{
'method': 'POST',
'path': '/security-groups',
},
]
),
policy.DocumentedRuleDefault(
'create_security_group:policy',
base.RULE_ADMIN_ONLY,
'Create a security group with ``policy`` attribute',
[
{
'method': 'POST',
'path': '/security-groups',
},
]
),
policy.DocumentedRuleDefault(
'update_security_group:policy',
base.RULE_ADMIN_ONLY,
'Update ``policy`` attribute of a security group',
[
{
'method': 'PUT',
'path': '/security-groups/{id}',
},
]
),
]
def list_rules():
return rules