From b7930ae8210f44ccd2967d3e1a16d67e4f6e79ef Mon Sep 17 00:00:00 2001 From: Akihiro Motoki Date: Mon, 17 Dec 2018 01:03:57 +0900 Subject: [PATCH] Convert policy.json into policy-in-code vmware-nsx specific policies are defined as policy-in-code. - vmware_nsx/policies/lsn.py, qos_queue.py and maclearning.py are moved from the neutron repo. - vmware_nsx/policies/providersecuritygroup.py is based on the difference between etc/policy.json and the old neutron policy.json - vmware_nsx/policies/security_group.py is based on etc/policy.d/security-groups.json - vmware_nsx/policies/network_gateway.py is based on etc/policy.d/network-gateways.json etc/policy.d/dynamic-routing.json and etc/policy.d/neutron-fwaas.json have no policies specific to vmware-nsx, so they can be dropped and we can use policy-in-code definitions in neutron-fwaas and neutron-dynamic-routing. etc/policy.d/routers.json and flow-classifier.json cannot be converted into policy-in-code because the default policies are different from those defined in neutron and networking-sfc. Note that etc/policy.d/routers.json now has policies which are different from the default policies defined in the neutron repo. (Others are clean up by this commit.) This commit depends on the following patches under review: (neutron-fwaas policy-in-code support) Depends-On: https://review.openstack.org/527282 (neutron-dynamic-routing policy-in-code support) Depends-On: https://review.openstack.org/625429 (networking-sfc policy-in-code support) Depends-On: https://review.openstack.org/625431 (Drop 3rd-party plugin specific policies) Depends-On: https://review.openstack.org/625394 Partially Implements: blueprint neutron-policy-in-code Co-Authored-By: Michal Kelner Mishali Co-Authored-By: Adit Sarfaty Change-Id: I96a9dbd759d54308abbc12ce65c97b06a76453cd --- etc/oslo-policy-generator/policy.conf | 3 + etc/policy.d/dynamic-routing.json | 15 -- etc/policy.d/network-gateways.json | 10 -- etc/policy.d/neutron-fwaas.json | 50 ------- etc/policy.d/routers.json | 11 +- etc/policy.d/security-groups.json | 8 -- etc/policy.json | 108 -------------- setup.cfg | 4 + tox.ini | 5 + vmware_nsx/policies/__init__.py | 35 +++++ vmware_nsx/policies/base.py | 22 +++ vmware_nsx/policies/housekeeper.py | 38 +++++ vmware_nsx/policies/lsn.py | 31 ++++ vmware_nsx/policies/maclearning.py | 45 ++++++ vmware_nsx/policies/network_gateway.py | 143 +++++++++++++++++++ vmware_nsx/policies/nsxpolicy.py | 38 +++++ vmware_nsx/policies/providersecuritygroup.py | 45 ++++++ vmware_nsx/policies/qos_queue.py | 62 ++++++++ vmware_nsx/policies/security_group.py | 95 ++++++++++++ 19 files changed, 567 insertions(+), 201 deletions(-) create mode 100644 etc/oslo-policy-generator/policy.conf delete mode 100644 etc/policy.d/dynamic-routing.json delete mode 100644 etc/policy.d/network-gateways.json delete mode 100644 etc/policy.d/neutron-fwaas.json delete mode 100644 etc/policy.d/security-groups.json delete mode 100644 etc/policy.json create mode 100644 vmware_nsx/policies/__init__.py create mode 100644 vmware_nsx/policies/base.py create mode 100644 vmware_nsx/policies/housekeeper.py create mode 100644 vmware_nsx/policies/lsn.py create mode 100644 vmware_nsx/policies/maclearning.py create mode 100644 vmware_nsx/policies/network_gateway.py create mode 100644 vmware_nsx/policies/nsxpolicy.py create mode 100644 vmware_nsx/policies/providersecuritygroup.py create mode 100644 vmware_nsx/policies/qos_queue.py create mode 100644 vmware_nsx/policies/security_group.py diff --git a/etc/oslo-policy-generator/policy.conf b/etc/oslo-policy-generator/policy.conf new file mode 100644 index 0000000000..09820ccf78 --- /dev/null +++ b/etc/oslo-policy-generator/policy.conf @@ -0,0 +1,3 @@ +[DEFAULT] +output_file = etc/policy.yaml.sample +namespace = vmware-nsx diff --git a/etc/policy.d/dynamic-routing.json b/etc/policy.d/dynamic-routing.json deleted file mode 100644 index 70d684f68c..0000000000 --- a/etc/policy.d/dynamic-routing.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "get_bgp_speaker": "rule:admin_only", - "create_bgp_speaker": "rule:admin_only", - "update_bgp_speaker": "rule:admin_only", - "delete_bgp_speaker": "rule:admin_only", - "get_bgp_peer": "rule:admin_only", - "create_bgp_peer": "rule:admin_only", - "update_bgp_peer": "rule:admin_only", - "delete_bgp_peer": "rule:admin_only", - "add_bgp_peer": "rule:admin_only", - "remove_bgp_peer": "rule:admin_only", - "add_gateway_network": "rule:admin_only", - "remove_gateway_network": "rule:admin_only", - "get_advertised_routes":"rule:admin_only", -} diff --git a/etc/policy.d/network-gateways.json b/etc/policy.d/network-gateways.json deleted file mode 100644 index 6c0d273c01..0000000000 --- a/etc/policy.d/network-gateways.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "create_network_gateway": "rule:admin_or_owner", - "update_network_gateway": "rule:admin_or_owner", - "delete_network_gateway": "rule:admin_or_owner", - "connect_network": "rule:admin_or_owner", - "disconnect_network": "rule:admin_or_owner", - "create_gateway_device": "rule:admin_or_owner", - "update_gateway_device": "rule:admin_or_owner", - "delete_gateway_device": "rule:admin_or_owner" -} diff --git a/etc/policy.d/neutron-fwaas.json b/etc/policy.d/neutron-fwaas.json deleted file mode 100644 index 2e6e05b7d0..0000000000 --- a/etc/policy.d/neutron-fwaas.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "shared_firewalls": "field:firewalls:shared=True", - "shared_firewall_policies": "field:firewall_policies:shared=True", - "shared_firewall_rules": "field:firewall_rules:shared=True", - - "create_firewall": "", - "update_firewall": "rule:admin_or_owner", - "delete_firewall": "rule:admin_or_owner", - - "create_firewall:shared": "rule:admin_only", - "update_firewall:shared": "rule:admin_only", - "delete_firewall:shared": "rule:admin_only", - - "get_firewall": "rule:admin_or_owner or rule:shared_firewalls", - - "shared_firewall_groups": "field:firewall_groups:shared=True", - "shared_firewall_policies": "field:firewall_policies:shared=True", - "shared_firewall_rules": "field:firewall_rules:shared=True", - - "create_firewall_group": "", - "update_firewall_group": "rule:admin_or_owner", - "delete_firewall_group": "rule:admin_or_owner", - - "create_firewall_group:shared": "rule:admin_only", - "update_firewall_group:shared": "rule:admin_only", - "delete_firewall_group:shared": "rule:admin_only", - - "get_firewall_group": "rule:admin_or_owner or rule:shared_firewall_groups", - - - "create_firewall_policy": "", - "update_firewall_policy": "rule:admin_or_owner", - "delete_firewall_policy": "rule:admin_or_owner", - - "create_firewall_policy:shared": "rule:admin_only", - "update_firewall_policy:shared": "rule:admin_only", - "delete_firewall_policy:shared": "rule:admin_only", - - "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies", - - "create_firewall_rule": "", - "update_firewall_rule": "rule:admin_or_owner", - "delete_firewall_rule": "rule:admin_or_owner", - - "create_firewall_rule:shared": "rule:admin_only", - "update_firewall_rule:shared": "rule:admin_only", - "delete_firewall_rule:shared": "rule:admin_only", - - "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewall_rules" -} diff --git a/etc/policy.d/routers.json b/etc/policy.d/routers.json index 60b6afa879..c12dae89ec 100644 --- a/etc/policy.d/routers.json +++ b/etc/policy.d/routers.json @@ -3,15 +3,6 @@ "get_router:distributed": "rule:admin_or_owner", "update_router:distributed": "rule:admin_or_owner", - "get_router:ha": "rule:admin_only", - "create_router": "rule:regular_user", "create_router:external_gateway_info:enable_snat": "rule:admin_or_owner", - "create_router:ha": "rule:admin_only", - "get_router": "rule:admin_or_owner", - "update_router:external_gateway_info:enable_snat": "rule:admin_or_owner", - "update_router:ha": "rule:admin_only", - "delete_router": "rule:admin_or_owner", - - "add_router_interface": "rule:admin_or_owner", - "remove_router_interface": "rule:admin_or_owner", + "update_router:external_gateway_info:enable_snat": "rule:admin_or_owner" } diff --git a/etc/policy.d/security-groups.json b/etc/policy.d/security-groups.json deleted file mode 100644 index 4d5d361d1d..0000000000 --- a/etc/policy.d/security-groups.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "create_security_group:logging": "rule:admin_only", - "update_security_group:logging": "rule:admin_only", - "get_security_group:logging": "rule:admin_only", - "create_security_group:provider": "rule:admin_only", - "create_security_group:policy": "rule:admin_only", - "update_security_group:policy": "rule:admin_only", -} diff --git a/etc/policy.json b/etc/policy.json deleted file mode 100644 index 5b62293926..0000000000 --- a/etc/policy.json +++ /dev/null @@ -1,108 +0,0 @@ -{ - "context_is_admin": "role:admin", - "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s", - "context_is_advsvc": "role:advsvc", - "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s", - "admin_only": "rule:context_is_admin", - "regular_user": "", - "shared": "field:networks:shared=True", - "shared_firewalls": "field:firewalls:shared=True", - "external": "field:networks:router:external=True", - "default": "rule:admin_or_owner", - - "create_subnet": "rule:admin_or_network_owner", - "get_subnet": "rule:admin_or_owner or rule:shared", - "update_subnet": "rule:admin_or_network_owner", - "delete_subnet": "rule:admin_or_network_owner", - - "create_network": "", - "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc", - "get_network:router:external": "rule:regular_user", - "get_network:segments": "rule:admin_only", - "get_network:provider:network_type": "rule:admin_only", - "get_network:provider:physical_network": "rule:admin_only", - "get_network:provider:segmentation_id": "rule:admin_only", - "get_network:queue_id": "rule:admin_only", - "create_network:shared": "rule:admin_only", - "create_network:router:external": "rule:admin_only", - "create_network:segments": "rule:admin_only", - "create_network:provider:network_type": "rule:admin_only", - "create_network:provider:physical_network": "rule:admin_only", - "create_network:provider:segmentation_id": "rule:admin_only", - "update_network": "rule:admin_or_owner", - "update_network:segments": "rule:admin_only", - "update_network:shared": "rule:admin_only", - "update_network:provider:network_type": "rule:admin_only", - "update_network:provider:physical_network": "rule:admin_only", - "update_network:provider:segmentation_id": "rule:admin_only", - "update_network:router:external": "rule:admin_only", - "delete_network": "rule:admin_or_owner", - - "create_port": "", - "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc", - "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc", - "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", - "create_port:binding:host_id": "rule:admin_only", - "create_port:binding:profile": "rule:admin_only", - "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", - "create_port:provider_security_groups": "rule:admin_only", - "get_port": "rule:admin_or_owner or rule:context_is_advsvc", - "get_port:queue_id": "rule:admin_only", - "get_port:binding:vif_type": "rule:admin_only", - "get_port:binding:vif_details": "rule:admin_only", - "get_port:binding:host_id": "rule:admin_only", - "get_port:binding:profile": "rule:admin_only", - "update_port": "rule:admin_or_owner or rule:context_is_advsvc", - "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc", - "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", - "update_port:binding:host_id": "rule:admin_only", - "update_port:binding:profile": "rule:admin_only", - "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", - "update_port:provider_security_groups": "rule:admin_only", - "delete_port": "rule:admin_or_owner or rule:context_is_advsvc", - - "create_qos_queue": "rule:admin_only", - "get_qos_queue": "rule:admin_only", - - "update_agent": "rule:admin_only", - "delete_agent": "rule:admin_only", - "get_agent": "rule:admin_only", - - "create_dhcp-network": "rule:admin_only", - "delete_dhcp-network": "rule:admin_only", - "get_dhcp-networks": "rule:admin_only", - "create_l3-router": "rule:admin_only", - "delete_l3-router": "rule:admin_only", - "get_l3-routers": "rule:admin_only", - "get_dhcp-agents": "rule:admin_only", - "get_l3-agents": "rule:admin_only", - "get_loadbalancer-agent": "rule:admin_only", - "get_loadbalancer-pools": "rule:admin_only", - - "create_floatingip": "rule:regular_user", - "create_floatingip:floating_ip_address": "rule:admin_only", - "update_floatingip": "rule:admin_or_owner", - "delete_floatingip": "rule:admin_or_owner", - "get_floatingip": "rule:admin_or_owner", - - "create_network_profile": "rule:admin_only", - "update_network_profile": "rule:admin_only", - "delete_network_profile": "rule:admin_only", - "get_network_profiles": "", - "get_network_profile": "", - "update_policy_profiles": "rule:admin_only", - "get_policy_profiles": "", - "get_policy_profile": "", - - "create_metering_label": "rule:admin_only", - "delete_metering_label": "rule:admin_only", - "get_metering_label": "rule:admin_only", - - "create_metering_label_rule": "rule:admin_only", - "delete_metering_label_rule": "rule:admin_only", - "get_metering_label_rule": "rule:admin_only", - - "get_service_provider": "rule:regular_user", - "get_lsn": "rule:admin_only", - "create_lsn": "rule:admin_only", -} diff --git a/setup.cfg b/setup.cfg index 475674570e..4269416f72 100644 --- a/setup.cfg +++ b/setup.cfg @@ -69,6 +69,10 @@ vmware_nsx.neutron.nsxv.router_type_drivers = exclusive = vmware_nsx.plugins.nsx_v.drivers.exclusive_router_driver:RouterExclusiveDriver oslo.config.opts = nsx = vmware_nsx.opts:list_opts +oslo.policy.policies = + vmware-nsx = vmware_nsx.policies:list_rules +neutron.policies = + vmware-nsx = vmware_nsx.policies:list_rules networking_sfc.flowclassifier.drivers = vmware-nsxv-sfc = vmware_nsx.services.flowclassifier.nsx_v.driver:NsxvFlowClassifierDriver openstack.cli.extension = diff --git a/tox.ini b/tox.ini index 50615772c2..c5c8412789 100644 --- a/tox.ini +++ b/tox.ini @@ -114,6 +114,7 @@ commands = sh ./tools/coding-checks.sh --pylint '{posargs}' neutron-db-manage --subproject vmware-nsx check_migration {[testenv:genconfig]commands} + {[testenv:genpolicy]commands} whitelist_externals = sh bash @@ -130,6 +131,7 @@ commands = sh ./tools/coding-checks.sh --pylint '{posargs}' neutron-db-manage --subproject vmware-nsx check_migration {[testenv:genconfig]commands} + {[testenv:genpolicy]commands} whitelist_externals = sh @@ -175,6 +177,9 @@ local-check-factory = neutron_lib.hacking.checks.factory [testenv:genconfig] commands = {toxinidir}/tools/generate_config_file_samples.sh +[testenv:genpolicy] +commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf + [testenv:uuidgen] commands = check-uuid --fix diff --git a/vmware_nsx/policies/__init__.py b/vmware_nsx/policies/__init__.py new file mode 100644 index 0000000000..29c7375ec7 --- /dev/null +++ b/vmware_nsx/policies/__init__.py @@ -0,0 +1,35 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import itertools + +from vmware_nsx.policies import housekeeper +from vmware_nsx.policies import lsn +from vmware_nsx.policies import maclearning +from vmware_nsx.policies import network_gateway +from vmware_nsx.policies import nsxpolicy +from vmware_nsx.policies import providersecuritygroup +from vmware_nsx.policies import qos_queue +from vmware_nsx.policies import security_group + + +def list_rules(): + return itertools.chain( + lsn.list_rules(), + maclearning.list_rules(), + network_gateway.list_rules(), + providersecuritygroup.list_rules(), + qos_queue.list_rules(), + security_group.list_rules(), + nsxpolicy.list_rules(), + housekeeper.list_rules(), + ) diff --git a/vmware_nsx/policies/base.py b/vmware_nsx/policies/base.py new file mode 100644 index 0000000000..8999b466f0 --- /dev/null +++ b/vmware_nsx/policies/base.py @@ -0,0 +1,22 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +# TODO(amotoki): Define these in neutron or neutron-lib +RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' +RULE_ADMIN_ONLY = 'rule:admin_only' +RULE_ANY = 'rule:regular_user' + +RULE_ADMIN_OR_NET_OWNER = 'rule:admin_or_network_owner' +RULE_ADVSVC = 'rule:context_is_advsvc' +RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC = '%s or %s' % (RULE_ADMIN_OR_NET_OWNER, + RULE_ADVSVC) diff --git a/vmware_nsx/policies/housekeeper.py b/vmware_nsx/policies/housekeeper.py new file mode 100644 index 0000000000..f37f4c94cd --- /dev/null +++ b/vmware_nsx/policies/housekeeper.py @@ -0,0 +1,38 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'get_housekeeper', + base.RULE_ANY, + 'Get Housekeepers', + [ + { + 'method': 'GET', + 'path': '/housekeepers', + }, + { + 'method': 'GET', + 'path': '/housekeepers/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/vmware_nsx/policies/lsn.py b/vmware_nsx/policies/lsn.py new file mode 100644 index 0000000000..dd59b248bd --- /dev/null +++ b/vmware_nsx/policies/lsn.py @@ -0,0 +1,31 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.RuleDefault( + 'create_lsn', + base.RULE_ADMIN_ONLY, + description='Create a LSN'), + policy.RuleDefault( + 'get_lsn', + base.RULE_ADMIN_ONLY, + description='Get LSNs'), +] + + +def list_rules(): + return rules diff --git a/vmware_nsx/policies/maclearning.py b/vmware_nsx/policies/maclearning.py new file mode 100644 index 0000000000..b1c6f529a6 --- /dev/null +++ b/vmware_nsx/policies/maclearning.py @@ -0,0 +1,45 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'create_port:mac_learning_enabled', + base.RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC, + 'Create a port with ``mac_learning_enabled`` attribute', + [ + { + 'method': 'POST', + 'path': '/ports', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_port:mac_learning_enabled', + base.RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC, + 'Update ``mac_learning_enabled`` attribute of a port', + [ + { + 'method': 'PUT', + 'path': '/ports/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/vmware_nsx/policies/network_gateway.py b/vmware_nsx/policies/network_gateway.py new file mode 100644 index 0000000000..ec7fe9f9f5 --- /dev/null +++ b/vmware_nsx/policies/network_gateway.py @@ -0,0 +1,143 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'create_network_gateway', + base.RULE_ADMIN_OR_OWNER, + 'Create a network gateway', + [ + { + 'method': 'POST', + 'path': '/network-gateways', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_network_gateway', + base.RULE_ADMIN_OR_OWNER, + 'Update a network gateway', + [ + { + 'method': 'PUT', + 'path': '/network-gateways/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'delete_network_gateway', + base.RULE_ADMIN_OR_OWNER, + 'Delete a network gateway', + [ + { + 'method': 'DELETE', + 'path': '/network-gateways/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'get_network_gateway', + base.RULE_ADMIN_OR_OWNER, + 'Get network gateways', + [ + { + 'method': 'GET', + 'path': '/network-gateways', + }, + { + 'method': 'GET', + 'path': '/network-gateways/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'connect_network', + base.RULE_ADMIN_OR_OWNER, + 'Connect a network to a network gateway', + [ + { + 'method': 'PUT', + 'path': '/network-gateways/{id}/connect_network', + }, + ] + ), + policy.DocumentedRuleDefault( + 'disconnect_network', + base.RULE_ADMIN_OR_OWNER, + 'Disconnect a network from a network gateway', + [ + { + 'method': 'PUT', + 'path': '/network-gateways/{id}/disconnect_network', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'create_gateway_device', + base.RULE_ADMIN_OR_OWNER, + 'Create a gateway device', + [ + { + 'method': 'POST', + 'path': '/gateway-devices', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_gateway_device', + base.RULE_ADMIN_OR_OWNER, + 'Update a gateway device', + [ + { + 'method': 'PUT', + 'path': '/gateway-devices/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'delete_gateway_device', + base.RULE_ADMIN_OR_OWNER, + 'Delete a gateway device', + [ + { + 'method': 'DELETE', + 'path': '/gateway-devices/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'get_gateway_device', + base.RULE_ADMIN_OR_OWNER, + 'Get gateway devices', + [ + { + 'method': 'GET', + 'path': '/gateway-devices', + }, + { + 'method': 'GET', + 'path': '/gateway-devices/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/vmware_nsx/policies/nsxpolicy.py b/vmware_nsx/policies/nsxpolicy.py new file mode 100644 index 0000000000..ae381f0de9 --- /dev/null +++ b/vmware_nsx/policies/nsxpolicy.py @@ -0,0 +1,38 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'get_nsx_policy', + base.RULE_ANY, + 'Get NSX policies', + [ + { + 'method': 'GET', + 'path': '/nsx-policies', + }, + { + 'method': 'GET', + 'path': '/nsx-policies/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/vmware_nsx/policies/providersecuritygroup.py b/vmware_nsx/policies/providersecuritygroup.py new file mode 100644 index 0000000000..9b6537a6c1 --- /dev/null +++ b/vmware_nsx/policies/providersecuritygroup.py @@ -0,0 +1,45 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'create_port:provider_security_groups', + base.RULE_ADMIN_ONLY, + 'Create a port with ``provider_security_groups`` attribute', + [ + { + 'method': 'POST', + 'path': '/ports', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_port:provider_security_groups', + base.RULE_ADMIN_ONLY, + 'Update ``provider_security_groups`` attribute of a port', + [ + { + 'method': 'PUT', + 'path': '/ports/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/vmware_nsx/policies/qos_queue.py b/vmware_nsx/policies/qos_queue.py new file mode 100644 index 0000000000..f3b16f5a0d --- /dev/null +++ b/vmware_nsx/policies/qos_queue.py @@ -0,0 +1,62 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.RuleDefault( + 'create_qos_queue', + base.RULE_ADMIN_ONLY, + description='Create a QoS queue'), + policy.RuleDefault( + 'get_qos_queue', + base.RULE_ADMIN_ONLY, + description='Get QoS queues'), + + policy.DocumentedRuleDefault( + 'get_network:queue_id', + base.RULE_ADMIN_ONLY, + 'Get ``queue_id`` attributes of networks', + [ + { + 'method': 'GET', + 'path': '/networks', + }, + { + 'method': 'GET', + 'path': '/networks/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'get_port:queue_id', + base.RULE_ADMIN_ONLY, + 'Get ``queue_id`` attributes of ports', + [ + { + 'method': 'GET', + 'path': '/ports', + }, + { + 'method': 'GET', + 'path': '/ports/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/vmware_nsx/policies/security_group.py b/vmware_nsx/policies/security_group.py new file mode 100644 index 0000000000..f7efcc7dd6 --- /dev/null +++ b/vmware_nsx/policies/security_group.py @@ -0,0 +1,95 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from vmware_nsx.policies import base + + +rules = [ + policy.DocumentedRuleDefault( + 'create_security_group:logging', + base.RULE_ADMIN_ONLY, + 'Create a security group with ``logging`` attribute', + [ + { + 'method': 'POST', + 'path': '/security-groups', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_security_group:logging', + base.RULE_ADMIN_ONLY, + 'Update ``logging`` attribute of a security group', + [ + { + 'method': 'PUT', + 'path': '/security-groups/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'get_security_group:logging', + base.RULE_ADMIN_ONLY, + 'Get ``logging`` attributes of security groups', + [ + { + 'method': 'GET', + 'path': '/security-groups', + }, + { + 'method': 'GET', + 'path': '/security-groups/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'create_security_group:provider', + base.RULE_ADMIN_ONLY, + 'Create a security group with ``provider`` attribute', + [ + { + 'method': 'POST', + 'path': '/security-groups', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'create_security_group:policy', + base.RULE_ADMIN_ONLY, + 'Create a security group with ``policy`` attribute', + [ + { + 'method': 'POST', + 'path': '/security-groups', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_security_group:policy', + base.RULE_ADMIN_ONLY, + 'Update ``policy`` attribute of a security group', + [ + { + 'method': 'PUT', + 'path': '/security-groups/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules