diff --git a/etc/oslo-policy-generator/policy.conf b/etc/oslo-policy-generator/policy.conf new file mode 100644 index 0000000000..09820ccf78 --- /dev/null +++ b/etc/oslo-policy-generator/policy.conf @@ -0,0 +1,3 @@ +[DEFAULT] +output_file = etc/policy.yaml.sample +namespace = vmware-nsx diff --git a/etc/policy.d/dynamic-routing.json b/etc/policy.d/dynamic-routing.json deleted file mode 100644 index 70d684f68c..0000000000 --- a/etc/policy.d/dynamic-routing.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "get_bgp_speaker": "rule:admin_only", - "create_bgp_speaker": "rule:admin_only", - "update_bgp_speaker": "rule:admin_only", - "delete_bgp_speaker": "rule:admin_only", - "get_bgp_peer": "rule:admin_only", - "create_bgp_peer": "rule:admin_only", - "update_bgp_peer": "rule:admin_only", - "delete_bgp_peer": "rule:admin_only", - "add_bgp_peer": "rule:admin_only", - "remove_bgp_peer": "rule:admin_only", - "add_gateway_network": "rule:admin_only", - "remove_gateway_network": "rule:admin_only", - "get_advertised_routes":"rule:admin_only", -} diff --git a/etc/policy.d/network-gateways.json b/etc/policy.d/network-gateways.json deleted file mode 100644 index 6c0d273c01..0000000000 --- a/etc/policy.d/network-gateways.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "create_network_gateway": "rule:admin_or_owner", - "update_network_gateway": "rule:admin_or_owner", - "delete_network_gateway": "rule:admin_or_owner", - "connect_network": "rule:admin_or_owner", - "disconnect_network": "rule:admin_or_owner", - "create_gateway_device": "rule:admin_or_owner", - "update_gateway_device": "rule:admin_or_owner", - "delete_gateway_device": "rule:admin_or_owner" -} diff --git a/etc/policy.d/neutron-fwaas.json b/etc/policy.d/neutron-fwaas.json deleted file mode 100644 index 2e6e05b7d0..0000000000 --- a/etc/policy.d/neutron-fwaas.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "shared_firewalls": "field:firewalls:shared=True", - "shared_firewall_policies": "field:firewall_policies:shared=True", - "shared_firewall_rules": "field:firewall_rules:shared=True", - - "create_firewall": "", - "update_firewall": "rule:admin_or_owner", - "delete_firewall": "rule:admin_or_owner", - - "create_firewall:shared": "rule:admin_only", - "update_firewall:shared": "rule:admin_only", - "delete_firewall:shared": "rule:admin_only", - - "get_firewall": "rule:admin_or_owner or rule:shared_firewalls", - - "shared_firewall_groups": "field:firewall_groups:shared=True", - "shared_firewall_policies": "field:firewall_policies:shared=True", - "shared_firewall_rules": "field:firewall_rules:shared=True", - - "create_firewall_group": "", - "update_firewall_group": "rule:admin_or_owner", - "delete_firewall_group": "rule:admin_or_owner", - - "create_firewall_group:shared": "rule:admin_only", - "update_firewall_group:shared": "rule:admin_only", - "delete_firewall_group:shared": "rule:admin_only", - - "get_firewall_group": "rule:admin_or_owner or rule:shared_firewall_groups", - - - "create_firewall_policy": "", - "update_firewall_policy": "rule:admin_or_owner", - "delete_firewall_policy": "rule:admin_or_owner", - - "create_firewall_policy:shared": "rule:admin_only", - "update_firewall_policy:shared": "rule:admin_only", - "delete_firewall_policy:shared": "rule:admin_only", - - "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies", - - "create_firewall_rule": "", - "update_firewall_rule": "rule:admin_or_owner", - "delete_firewall_rule": "rule:admin_or_owner", - - "create_firewall_rule:shared": "rule:admin_only", - "update_firewall_rule:shared": "rule:admin_only", - "delete_firewall_rule:shared": "rule:admin_only", - - "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewall_rules" -} diff --git a/etc/policy.d/routers.json b/etc/policy.d/routers.json index 60b6afa879..c12dae89ec 100644 --- a/etc/policy.d/routers.json 
+++ b/etc/policy.d/routers.json @@ -3,15 +3,6 @@ "get_router:distributed": "rule:admin_or_owner", "update_router:distributed": "rule:admin_or_owner", - "get_router:ha": "rule:admin_only", - "create_router": "rule:regular_user", "create_router:external_gateway_info:enable_snat": "rule:admin_or_owner", - "create_router:ha": "rule:admin_only", - "get_router": "rule:admin_or_owner", - "update_router:external_gateway_info:enable_snat": "rule:admin_or_owner", - "update_router:ha": "rule:admin_only", - "delete_router": "rule:admin_or_owner", - - "add_router_interface": "rule:admin_or_owner", - "remove_router_interface": "rule:admin_or_owner", + "update_router:external_gateway_info:enable_snat": "rule:admin_or_owner" } diff --git a/etc/policy.d/security-groups.json b/etc/policy.d/security-groups.json deleted file mode 100644 index 4d5d361d1d..0000000000 --- a/etc/policy.d/security-groups.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "create_security_group:logging": "rule:admin_only", - "update_security_group:logging": "rule:admin_only", - "get_security_group:logging": "rule:admin_only", - "create_security_group:provider": "rule:admin_only", - "create_security_group:policy": "rule:admin_only", - "update_security_group:policy": "rule:admin_only", -} diff --git a/etc/policy.json b/etc/policy.json deleted file mode 100644 index 5b62293926..0000000000 --- a/etc/policy.json +++ /dev/null 
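Review bot: The four rules that survive in this file (`get_router:distributed`, `update_router:distributed` and the two `external_gateway_info:enable_snat` entries, all `rule:admin_or_owner`) stay as a policy.d override instead of moving into the new `vmware_nsx.policies` package like every other rule in this commit, presumably because neutron already registers those rule names in code and a second `register_defaults` for them would be rejected. Nothing on the page records that reasoning, nor that deployments must keep shipping `etc/policy.d/routers.json` for these relaxed defaults to apply once `etc/policy.json` is gone; since JSON cannot carry a comment, the `vmware_nsx/policies/__init__.py` module docstring or a release note should state it. The new last line also drops the trailing comma, which makes the file strict JSON; that is a good fix but is easy to miss among the deletions.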
@@ -1,108 +0,0 @@ -{ - "context_is_admin": "role:admin", - "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s", - "context_is_advsvc": "role:advsvc", - "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s", - "admin_only": "rule:context_is_admin", - "regular_user": "", - "shared": "field:networks:shared=True", - "shared_firewalls": "field:firewalls:shared=True", - "external": "field:networks:router:external=True", - "default": "rule:admin_or_owner", - - "create_subnet": "rule:admin_or_network_owner", - "get_subnet": "rule:admin_or_owner or rule:shared", - "update_subnet": "rule:admin_or_network_owner", - "delete_subnet": "rule:admin_or_network_owner", - - "create_network": "", - "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc", - "get_network:router:external": "rule:regular_user", - "get_network:segments": "rule:admin_only", - "get_network:provider:network_type": "rule:admin_only", - "get_network:provider:physical_network": "rule:admin_only", - "get_network:provider:segmentation_id": "rule:admin_only", - "get_network:queue_id": "rule:admin_only", - "create_network:shared": "rule:admin_only", - "create_network:router:external": "rule:admin_only", - "create_network:segments": "rule:admin_only", - "create_network:provider:network_type": "rule:admin_only", - "create_network:provider:physical_network": "rule:admin_only", - "create_network:provider:segmentation_id": "rule:admin_only", - "update_network": "rule:admin_or_owner", - "update_network:segments": "rule:admin_only", - "update_network:shared": "rule:admin_only", - "update_network:provider:network_type": "rule:admin_only", - "update_network:provider:physical_network": "rule:admin_only", - "update_network:provider:segmentation_id": "rule:admin_only", - "update_network:router:external": "rule:admin_only", - "delete_network": "rule:admin_or_owner", - - "create_port": "", - "create_port:mac_address": 
"rule:admin_or_network_owner or rule:context_is_advsvc", - "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc", - "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", - "create_port:binding:host_id": "rule:admin_only", - "create_port:binding:profile": "rule:admin_only", - "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", - "create_port:provider_security_groups": "rule:admin_only", - "get_port": "rule:admin_or_owner or rule:context_is_advsvc", - "get_port:queue_id": "rule:admin_only", - "get_port:binding:vif_type": "rule:admin_only", - "get_port:binding:vif_details": "rule:admin_only", - "get_port:binding:host_id": "rule:admin_only", - "get_port:binding:profile": "rule:admin_only", - "update_port": "rule:admin_or_owner or rule:context_is_advsvc", - "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc", - "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", - "update_port:binding:host_id": "rule:admin_only", - "update_port:binding:profile": "rule:admin_only", - "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", - "update_port:provider_security_groups": "rule:admin_only", - "delete_port": "rule:admin_or_owner or rule:context_is_advsvc", - - "create_qos_queue": "rule:admin_only", - "get_qos_queue": "rule:admin_only", - - "update_agent": "rule:admin_only", - "delete_agent": "rule:admin_only", - "get_agent": "rule:admin_only", - - "create_dhcp-network": "rule:admin_only", - "delete_dhcp-network": "rule:admin_only", - "get_dhcp-networks": "rule:admin_only", - "create_l3-router": "rule:admin_only", - "delete_l3-router": "rule:admin_only", - "get_l3-routers": "rule:admin_only", - "get_dhcp-agents": "rule:admin_only", - "get_l3-agents": "rule:admin_only", - "get_loadbalancer-agent": "rule:admin_only", - "get_loadbalancer-pools": "rule:admin_only", - - 
"create_floatingip": "rule:regular_user", - "create_floatingip:floating_ip_address": "rule:admin_only", - "update_floatingip": "rule:admin_or_owner", - "delete_floatingip": "rule:admin_or_owner", - "get_floatingip": "rule:admin_or_owner", - - "create_network_profile": "rule:admin_only", - "update_network_profile": "rule:admin_only", - "delete_network_profile": "rule:admin_only", - "get_network_profiles": "", - "get_network_profile": "", - "update_policy_profiles": "rule:admin_only", - "get_policy_profiles": "", - "get_policy_profile": "", - - "create_metering_label": "rule:admin_only", - "delete_metering_label": "rule:admin_only", - "get_metering_label": "rule:admin_only", - - "create_metering_label_rule": "rule:admin_only", - "delete_metering_label_rule": "rule:admin_only", - "get_metering_label_rule": "rule:admin_only", - - "get_service_provider": "rule:regular_user", - "get_lsn": "rule:admin_only", - "create_lsn": "rule:admin_only", -} diff --git a/setup.cfg b/setup.cfg index 475674570e..4269416f72 100644 --- a/setup.cfg +++ b/setup.cfg @@ -69,6 +69,10 @@ vmware_nsx.neutron.nsxv.router_type_drivers = exclusive = vmware_nsx.plugins.nsx_v.drivers.exclusive_router_driver:RouterExclusiveDriver oslo.config.opts = nsx = vmware_nsx.opts:list_opts +oslo.policy.policies = + vmware-nsx = vmware_nsx.policies:list_rules +neutron.policies = + vmware-nsx = vmware_nsx.policies:list_rules networking_sfc.flowclassifier.drivers = vmware-nsxv-sfc = vmware_nsx.services.flowclassifier.nsx_v.driver:NsxvFlowClassifierDriver openstack.cli.extension = diff --git a/tox.ini b/tox.ini index 50615772c2..c5c8412789 100644 --- a/tox.ini +++ b/tox.ini @@ -114,6 +114,7 @@ commands = sh ./tools/coding-checks.sh --pylint '{posargs}' neutron-db-manage --subproject vmware-nsx check_migration {[testenv:genconfig]commands} + {[testenv:genpolicy]commands} whitelist_externals = sh bash 
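Review bot: Both `oslo.policy.policies` and `neutron.policies` point at the same `vmware_nsx.policies:list_rules`, which is correct (one feeds `oslopolicy-sample-generator`, the other neutron's in-code default loading), but neutron's loader chains every plugin's rules into one `register_defaults` call, and oslo.policy raises on a duplicate rule name. None of the names in the new package appear to collide with neutron's own defaults, yet nothing in this commit checks that; a unit test that iterates `list_rules()`, asserts the `name` values are unique and that each `check_str` parses with `oslo_policy.policy.Rules` would catch a collision or typo before it breaks neutron-server startup. The entry-point lines themselves are fine.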
@@ -130,6 +131,7 @@ commands = sh ./tools/coding-checks.sh --pylint '{posargs}' neutron-db-manage --subproject vmware-nsx check_migration {[testenv:genconfig]commands} + {[testenv:genpolicy]commands} whitelist_externals = sh @@ -175,6 +177,9 @@ local-check-factory = neutron_lib.hacking.checks.factory [testenv:genconfig] commands = {toxinidir}/tools/generate_config_file_samples.sh +[testenv:genpolicy] +commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf + [testenv:uuidgen] commands = check-uuid --fix diff --git a/vmware_nsx/policies/__init__.py b/vmware_nsx/policies/__init__.py new file mode 100644 index 0000000000..29c7375ec7 --- /dev/null +++ b/vmware_nsx/policies/__init__.py @@ -0,0 +1,35 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import itertools + +from vmware_nsx.policies import housekeeper +from vmware_nsx.policies import lsn +from vmware_nsx.policies import maclearning +from vmware_nsx.policies import network_gateway +from vmware_nsx.policies import nsxpolicy +from vmware_nsx.policies import providersecuritygroup +from vmware_nsx.policies import qos_queue +from vmware_nsx.policies import security_group + + +def list_rules(): + return itertools.chain( + lsn.list_rules(), + maclearning.list_rules(), + network_gateway.list_rules(), + providersecuritygroup.list_rules(), + qos_queue.list_rules(), + security_group.list_rules(), + nsxpolicy.list_rules(), + housekeeper.list_rules(), + ) 
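Review bot: `list_rules` is the public entry point named in setup.cfg but has no docstring; a one-liner such as `"""Return every vmware-nsx policy default (neutron.policies / oslo.policy.policies entry point)."""` would help. Separately, this commit deletes `etc/policy.d/dynamic-routing.json` and `etc/policy.d/neutron-fwaas.json`, whose BGP and firewall rules (all `rule:admin_only` or `rule:admin_or_owner` on the removed side) have no counterpart among the eight modules chained here; unless neutron-dynamic-routing and neutron-fwaas register those names in code themselves, those operations now fall to the `default` rule, which should be stated in the commit message or a release note. The chain order also differs from the import order (`nsxpolicy` and `housekeeper` last), which is harmless but worth aligning for readability.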
diff --git a/vmware_nsx/policies/base.py b/vmware_nsx/policies/base.py new file mode 100644 index 0000000000..8999b466f0 --- /dev/null +++ b/vmware_nsx/policies/base.py @@ -0,0 +1,22 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +# TODO(amotoki): Define these in neutron or neutron-lib +RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' +RULE_ADMIN_ONLY = 'rule:admin_only' +RULE_ANY = 'rule:regular_user' + +RULE_ADMIN_OR_NET_OWNER = 'rule:admin_or_network_owner' +RULE_ADVSVC = 'rule:context_is_advsvc' +RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC = '%s or %s' % (RULE_ADMIN_OR_NET_OWNER, + RULE_ADVSVC) diff --git a/vmware_nsx/policies/housekeeper.py b/vmware_nsx/policies/housekeeper.py new file mode 100644 index 0000000000..f37f4c94cd --- /dev/null +++ b/vmware_nsx/policies/housekeeper.py 
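Review bot: Every constant here is a `rule:` reference to a name this package does not define (`admin_or_owner`, `admin_only`, `regular_user`, `admin_or_network_owner`, `context_is_advsvc`), and the `etc/policy.json` that used to define them is deleted in this same commit. oslo.policy evaluates a reference to an unregistered rule as False (fail closed), so the new defaults only grant anything once neutron's in-code base rules are registered first; a comment above the constants, e.g. `# These names are registered by neutron's in-code policy defaults; an unknown rule name evaluates to False.`, would make that dependency explicit next to the existing TODO. `RULE_ANY = 'rule:regular_user'` mirrors neutron's naming, but a reader may not know `regular_user` is the empty (always-true) rule; the same comment can say so.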
@@ -0,0 +1,38 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'get_housekeeper', + base.RULE_ANY, + 'Get Housekeepers', + [ + { + 'method': 'GET', + 'path': '/housekeepers', + }, + { + 'method': 'GET', + 'path': '/housekeepers/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/vmware_nsx/policies/lsn.py b/vmware_nsx/policies/lsn.py new file mode 100644 index 0000000000..dd59b248bd --- /dev/null +++ b/vmware_nsx/policies/lsn.py @@ -0,0 +1,31 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.RuleDefault( + 'create_lsn', + base.RULE_ADMIN_ONLY, + description='Create a LSN'), + policy.RuleDefault( + 'get_lsn', + base.RULE_ADMIN_ONLY, + description='Get LSNs'), +] + + +def list_rules(): + return rules 
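Review bot: `get_housekeeper` is registered with `base.RULE_ANY` (`rule:regular_user`), so any authenticated user may read housekeeper job state on `/housekeepers` and `/housekeepers/{id}`; the deleted `etc/policy.json` had no housekeeper entry, so the request previously fell to `default` = `rule:admin_or_owner`, which is effectively admin-only for a resource that carries no tenant_id. Unless tenant visibility is intended, `base.RULE_ADMIN_ONLY,` looks like the matching default, and `get_nsx_policy` in nsxpolicy.py follows the same `RULE_ANY` pattern and deserves the same confirmation. If the extension also accepts PUT on `/housekeepers/{id}` (to run or toggle a job), that operation is not registered in this module and would inherit neutron's `default` rule; an explicit admin-only rule, or a comment saying it is deliberately left to `default`, would close the gap.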
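Review bot: `create_lsn` and `get_lsn` use plain `policy.RuleDefault` while every other module in this package uses `DocumentedRuleDefault` with method/path entries, so these two will appear in the generated `policy.yaml.sample` without operations. If the LSN extension exposes a REST path, switch to `DocumentedRuleDefault` with its operations; if these rules are enforced somewhere other than the API layer, a comment above the list stating where would explain the choice. `create_qos_queue` and `get_qos_queue` in qos_queue.py have the same inconsistency. Also `'Create a LSN'` reads better as `'Create an LSN'`.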
diff --git a/vmware_nsx/policies/maclearning.py b/vmware_nsx/policies/maclearning.py new file mode 100644 index 0000000000..b1c6f529a6 --- /dev/null +++ b/vmware_nsx/policies/maclearning.py @@ -0,0 +1,45 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'create_port:mac_learning_enabled', + base.RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC, + 'Create a port with ``mac_learning_enabled`` attribute', + [ + { + 'method': 'POST', + 'path': '/ports', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_port:mac_learning_enabled', + base.RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC, + 'Update ``mac_learning_enabled`` attribute of a port', + [ + { + 'method': 'PUT', + 'path': '/ports/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/vmware_nsx/policies/network_gateway.py b/vmware_nsx/policies/network_gateway.py new file mode 100644 index 0000000000..ec7fe9f9f5 --- /dev/null +++ b/vmware_nsx/policies/network_gateway.py 
@@ -0,0 +1,143 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'create_network_gateway', + base.RULE_ADMIN_OR_OWNER, + 'Create a network gateway', + [ + { + 'method': 'POST', + 'path': '/network-gateways', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_network_gateway', + base.RULE_ADMIN_OR_OWNER, + 'Update a network gateway', + [ + { + 'method': 'PUT', + 'path': '/network-gateways/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'delete_network_gateway', + base.RULE_ADMIN_OR_OWNER, + 'Delete a network gateway', + [ + { + 'method': 'DELETE', + 'path': '/network-gateways/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'get_network_gateway', + base.RULE_ADMIN_OR_OWNER, + 'Get network gateways', + [ + { + 'method': 'GET', + 'path': '/network-gateways', + }, + { + 'method': 'GET', + 'path': '/network-gateways/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'connect_network', + base.RULE_ADMIN_OR_OWNER, + 'Connect a network to a network gateway', + [ + { + 'method': 'PUT', + 'path': '/network-gateways/{id}/connect_network', + }, + ] + ), + policy.DocumentedRuleDefault( + 'disconnect_network', + base.RULE_ADMIN_OR_OWNER, + 'Disconnect a network from a network gateway', + [ + { + 'method': 'PUT', + 'path': '/network-gateways/{id}/disconnect_network', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'create_gateway_device', 
+ base.RULE_ADMIN_OR_OWNER, + 'Create a gateway device', + [ + { + 'method': 'POST', + 'path': '/gateway-devices', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_gateway_device', + base.RULE_ADMIN_OR_OWNER, + 'Update a gateway device', + [ + { + 'method': 'PUT', + 'path': '/gateway-devices/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'delete_gateway_device', + base.RULE_ADMIN_OR_OWNER, + 'Delete a gateway device', + [ + { + 'method': 'DELETE', + 'path': '/gateway-devices/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'get_gateway_device', + base.RULE_ADMIN_OR_OWNER, + 'Get gateway devices', + [ + { + 'method': 'GET', + 'path': '/gateway-devices', + }, + { + 'method': 'GET', + 'path': '/gateway-devices/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/vmware_nsx/policies/nsxpolicy.py b/vmware_nsx/policies/nsxpolicy.py new file mode 100644 index 0000000000..ae381f0de9 --- /dev/null +++ b/vmware_nsx/policies/nsxpolicy.py @@ -0,0 +1,38 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'get_nsx_policy', + base.RULE_ANY, + 'Get NSX policies', + [ + { + 'method': 'GET', + 'path': '/nsx-policies', + }, + { + 'method': 'GET', + 'path': '/nsx-policies/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules 
diff --git a/vmware_nsx/policies/providersecuritygroup.py b/vmware_nsx/policies/providersecuritygroup.py new file mode 100644 index 0000000000..9b6537a6c1 --- /dev/null +++ b/vmware_nsx/policies/providersecuritygroup.py @@ -0,0 +1,45 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'create_port:provider_security_groups', + base.RULE_ADMIN_ONLY, + 'Create a port with ``provider_security_groups`` attribute', + [ + { + 'method': 'POST', + 'path': '/ports', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_port:provider_security_groups', + base.RULE_ADMIN_ONLY, + 'Update ``provider_security_groups`` attribute of a port', + [ + { + 'method': 'PUT', + 'path': '/ports/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/vmware_nsx/policies/qos_queue.py b/vmware_nsx/policies/qos_queue.py new file mode 100644 index 0000000000..f3b16f5a0d --- /dev/null +++ b/vmware_nsx/policies/qos_queue.py 
@@ -0,0 +1,62 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.RuleDefault( + 'create_qos_queue', + base.RULE_ADMIN_ONLY, + description='Create a QoS queue'), + policy.RuleDefault( + 'get_qos_queue', + base.RULE_ADMIN_ONLY, + description='Get QoS queues'), + + policy.DocumentedRuleDefault( + 'get_network:queue_id', + base.RULE_ADMIN_ONLY, + 'Get ``queue_id`` attributes of networks', + [ + { + 'method': 'GET', + 'path': '/networks', + }, + { + 'method': 'GET', + 'path': '/networks/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'get_port:queue_id', + base.RULE_ADMIN_ONLY, + 'Get ``queue_id`` attributes of ports', + [ + { + 'method': 'GET', + 'path': '/ports', + }, + { + 'method': 'GET', + 'path': '/ports/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/vmware_nsx/policies/security_group.py b/vmware_nsx/policies/security_group.py new file mode 100644 index 0000000000..f7efcc7dd6 --- /dev/null +++ b/vmware_nsx/policies/security_group.py 
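Review bot: `create_qos_queue` and `get_qos_queue` are admin-only, but no `delete_qos_queue` is registered, so a DELETE (if the extension routes one) falls to the `default` rule, which was `rule:admin_or_owner` in the deleted `etc/policy.json`; that would let the owning tenant delete a queue it could neither create nor list. The same asymmetry existed in the old file, so it may be intentional, but a registered rule `policy.RuleDefault('delete_qos_queue', base.RULE_ADMIN_ONLY, description='Delete a QoS queue'),` or a comment explaining the omission would settle it. The `get_network:queue_id` and `get_port:queue_id` rules match the removed `etc/policy.json` entries.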
@@ -0,0 +1,95 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'create_security_group:logging', + base.RULE_ADMIN_ONLY, + 'Create a security group with ``logging`` attribute', + [ + { + 'method': 'POST', + 'path': '/security-groups', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_security_group:logging', + base.RULE_ADMIN_ONLY, + 'Update ``logging`` attribute of a security group', + [ + { + 'method': 'PUT', + 'path': '/security-groups/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'get_security_group:logging', + base.RULE_ADMIN_ONLY, + 'Get ``logging`` attributes of security groups', + [ + { + 'method': 'GET', + 'path': '/security-groups', + }, + { + 'method': 'GET', + 'path': '/security-groups/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'create_security_group:provider', + base.RULE_ADMIN_ONLY, + 'Create a security group with ``provider`` attribute', + [ + { + 'method': 'POST', + 'path': '/security-groups', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'create_security_group:policy', + base.RULE_ADMIN_ONLY, + 'Create a security group with ``policy`` attribute', + [ + { + 'method': 'POST', + 'path': '/security-groups', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_security_group:policy', + base.RULE_ADMIN_ONLY, + 'Update ``policy`` attribute of a security group', + [ + { + 'method': 'PUT', + 'path': 
'/security-groups/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules