Convert policy.json into policy-in-code

This commit converts the existing networking-bgpvpn policy.json
into policy-in-code.
Partially Implements: blueprint neutron-policy-in-code
Change-Id: I7cee0efef016dd8650ccf97686fe680667d52683
This commit is contained in:
Akihiro Motoki
2018年12月16日 23:20:29 +09:00
parent 69f44e32a0
commit 2ba48eb535


@@ -14,7 +14,6 @@ elif [[ "1ドル" == "stack" && "2ドル" == "post-config" ]]; then
if is_service_enabled neutron-api || is_service_enabled q-svc; then
echo_summary "Configuring networking-bgpvpn"
neutron_service_plugin_class_add bgpvpn
mkdir -v -p $NEUTRON_CONF_DIR/policy.d && cp -v $NETWORKING_BGPVPN_DIR/etc/neutron/policy.d/bgpvpn.conf $NEUTRON_CONF_DIR/policy.d
mkdir -v -p $(dirname $NETWORKING_BGPVPN_CONF) && cp -v $NETWORKING_BGPVPN_DIR/etc/neutron/networking_bgpvpn.conf $NETWORKING_BGPVPN_CONF
inicomment $NETWORKING_BGPVPN_CONF service_providers service_provider
iniadd $NETWORKING_BGPVPN_CONF service_providers service_provider $NETWORKING_BGPVPN_DRIVER


@@ -1,45 +0,0 @@
{
"admin_only": "rule:context_is_admin",
"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
"create_bgpvpn": "rule:admin_only",
"get_bgpvpn": "rule:admin_or_owner",
"get_bgpvpn:tenant_id": "rule:admin_only",
"get_bgpvpn:route_targets": "rule:admin_only",
"get_bgpvpn:import_targets": "rule:admin_only",
"get_bgpvpn:export_targets": "rule:admin_only",
"get_bgpvpn:route_distinguishers": "rule:admin_only",
"get_bgpvpn:vni": "rule:admin_only",
"update_bgpvpn": "rule:admin_or_owner",
"update_bgpvpn:tenant_id": "rule:admin_only",
"update_bgpvpn:route_targets": "rule:admin_only",
"update_bgpvpn:import_targets": "rule:admin_only",
"update_bgpvpn:export_targets": "rule:admin_only",
"update_bgpvpn:route_distinguishers": "rule:admin_only",
"update_bgpvpn:vni": "rule:admin_only",
"delete_bgpvpn": "rule:admin_only",
"create_bgpvpn_network_association": "rule:admin_or_owner",
"get_bgpvpn_network_association": "rule:admin_or_owner",
"get_bgpvpn_network_association:tenant_id": "rule:admin_only",
"get_bgpvpn_network_associations": "rule:admin_or_owner",
"update_bgpvpn_network_association": "rule:admin_or_owner",
"delete_bgpvpn_network_association": "rule:admin_or_owner",
"create_bgpvpn_router_association": "rule:admin_or_owner",
"get_bgpvpn_router_association": "rule:admin_or_owner",
"get_bgpvpn_router_association:tenant_id": "rule:admin_only",
"get_bgpvpn_router_associations": "rule:admin_or_owner",
"update_bgpvpn_router_association": "rule:admin_or_owner",
"delete_bgpvpn_router_association": "rule:admin_or_owner",
"create_bgpvpn_port_association": "rule:admin_or_owner",
"get_bgpvpn_port_association": "rule:admin_or_owner",
"get_bgpvpn_port_association:tenant_id": "rule:admin_only",
"get_bgpvpn_port_associations": "rule:admin_or_owner",
"update_bgpvpn_port_association": "rule:admin_or_owner",
"delete_bgpvpn_port_association": "rule:admin_or_owner"
}


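--- a/etc/oslo-policy-generator/policy.conf
+++ b/etc/oslo-policy-generator/policy.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/policy.yaml.sample
+namespace = networking-bgpvpn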


@@ -0,0 +1,27 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import itertools
from networking_bgpvpn.policies import bgpvpn
from networking_bgpvpn.policies import network_association
from networking_bgpvpn.policies import port_association
from networking_bgpvpn.policies import router_association
def list_rules():
return itertools.chain(
bgpvpn.list_rules(),
network_association.list_rules(),
router_association.list_rules(),
port_association.list_rules(),
)


@@ -0,0 +1,17 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# TODO(amotoki): Define these in neutron or neutron-lib
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_ONLY = 'rule:admin_only'
RULE_ANY = 'rule:regular_user'
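Review bot: `RULE_ADMIN_ONLY`, `RULE_ADMIN_OR_OWNER` and `RULE_ANY` reference the rules `admin_only`, `admin_or_owner` and `regular_user`, none of which this package registers any more; the deleted policy.json was what used to define `admin_only` and `admin_or_owner`, so every rule added in this commit now depends on neutron registering those names before enforcement happens. If I read oslo.policy's `RuleCheck` correctly, a `rule:` reference to an undefined rule evaluates to False rather than raising, so a deployment where neutron's base policies are not loaded would fail closed for everyone, admins included, with no obvious error pointing at the cause. The bare `TODO` would be better as a docstring that states that dependency, e.g. `"""Rule references shared with neutron's in-code policy; admin_only, admin_or_owner and regular_user are registered by neutron, not by this package."""`. `RULE_ANY` is also not used by any rule in this change, so it should either be documented as reserved for future rules or dropped.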


@@ -0,0 +1,232 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from networking_bgpvpn.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_bgpvpn',
base.RULE_ADMIN_ONLY,
'Create a BGP VPN',
[
{
'method': 'POST',
'path': '/bgpvpn/bgpvpns',
},
]
),
policy.DocumentedRuleDefault(
'update_bgpvpn',
base.RULE_ADMIN_OR_OWNER,
'Update a BGP VPN',
[
{
'method': 'PUT',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
# TODO(amotoki): tenant_id is not updatable, so perhaps this can be dropped
policy.DocumentedRuleDefault(
'update_bgpvpn:tenant_id',
base.RULE_ADMIN_ONLY,
'Update ``tenant_id`` attribute of a BGP VPN',
[
{
'method': 'PUT',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
policy.DocumentedRuleDefault(
'update_bgpvpn:route_targets',
base.RULE_ADMIN_ONLY,
'Update ``route_targets`` attribute of a BGP VPN',
[
{
'method': 'PUT',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
policy.DocumentedRuleDefault(
'update_bgpvpn:import_targets',
base.RULE_ADMIN_ONLY,
'Update ``import_targets`` attribute of a BGP VPN',
[
{
'method': 'PUT',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
policy.DocumentedRuleDefault(
'update_bgpvpn:export_targets',
base.RULE_ADMIN_ONLY,
'Update ``export_targets`` attribute of a BGP VPN',
[
{
'method': 'PUT',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
policy.DocumentedRuleDefault(
'update_bgpvpn:route_distinguishers',
base.RULE_ADMIN_ONLY,
'Update ``route_distinguishers`` attribute of a BGP VPN',
[
{
'method': 'PUT',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
# TODO(amotoki): vni is not updatable, so perhaps this can be dropped
policy.DocumentedRuleDefault(
'update_bgpvpn:vni',
base.RULE_ADMIN_ONLY,
'Update ``vni`` attribute of a BGP VPN',
[
{
'method': 'PUT',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
policy.DocumentedRuleDefault(
'delete_bgpvpn',
base.RULE_ADMIN_ONLY,
'Delete a BGP VPN',
[
{
'method': 'DELETE',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn',
base.RULE_ADMIN_OR_OWNER,
'Get BGP VPNs',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns',
},
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn:tenant_id',
base.RULE_ADMIN_ONLY,
'Get ``tenant_id`` attributes of BGP VPNs',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns',
},
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn:route_targets',
base.RULE_ADMIN_ONLY,
'Get ``route_targets`` attributes of BGP VPNs',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns',
},
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn:import_targets',
base.RULE_ADMIN_ONLY,
'Get ``import_targets`` attributes of BGP VPNs',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns',
},
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn:export_targets',
base.RULE_ADMIN_ONLY,
'Get ``export_targets`` attributes of BGP VPNs',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns',
},
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn:route_distinguishers',
base.RULE_ADMIN_ONLY,
'Get ``route_distinguishers`` attributes of BGP VPNs',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns',
},
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn:vni',
base.RULE_ADMIN_ONLY,
'Get ``vni`` attributes of BGP VPNs',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns',
},
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{id}',
},
]
),
]
def list_rules():
return rules
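Review bot: The two `TODO` comments above `update_bgpvpn:tenant_id` and `update_bgpvpn:vni` suggest dropping those admin-only attribute rules because the attributes are not updatable; from a least-privilege standpoint they are worth keeping, because as far as I understand neutron's attribute-level enforcement an attribute rule that exists is enforced the moment the extension's attribute map ever allows PUT on that field, whereas a dropped one leaves only the resource-level `admin_or_owner` rule of `update_bgpvpn` standing. A comment such as `# tenant_id is not updatable today; the admin-only rule is kept as a guard should the attribute map ever allow PUT on it` records the intent better than a TODO that invites removal. The module also has no docstring; a single line such as `"""Policy defaults for the BGP VPN resource (/bgpvpn/bgpvpns)."""` would tell a reader which resource these rules cover.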


@@ -0,0 +1,91 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from networking_bgpvpn.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_bgpvpn_network_association',
base.RULE_ADMIN_OR_OWNER,
'Create a network association',
[
{
'method': 'POST',
'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/network_associations',
},
]
),
# TODO(amotoki): PUT operation is not defined in the API ref. Drop it?
policy.DocumentedRuleDefault(
'update_bgpvpn_network_association',
base.RULE_ADMIN_OR_OWNER,
'Update a network association',
[
{
'method': 'PUT',
'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
'network_associations/{network_association_id}'),
},
]
),
policy.DocumentedRuleDefault(
'delete_bgpvpn_network_association',
base.RULE_ADMIN_OR_OWNER,
'Delete a network association',
[
{
'method': 'DELETE',
'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
'network_associations/{network_association_id}'),
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn_network_association',
base.RULE_ADMIN_OR_OWNER,
'Get network associations',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/network_associations',
},
{
'method': 'GET',
'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
'network_associations/{network_association_id}'),
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn_network_association:tenant_id',
base.RULE_ADMIN_ONLY,
'Get ``tenant_id`` attributes of network associations',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/network_associations',
},
{
'method': 'GET',
'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
'network_associations/{network_association_id}'),
},
]
),
]
def list_rules():
return rules
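Review bot: The deleted policy.json carried a separate `get_bgpvpn_network_associations` (plural) rule for the collection GET, while this module registers only the singular `get_bgpvpn_network_association` with both the collection and member paths listed under it; the same drop happens for the router and port association modules. I believe neutron's controller checks the singular `get_<resource>` name for index requests as well, which would make the plural entries dead configuration, but the commit message should state that explicitly, since a policy name that silently disappears is exactly what an operator auditing this migration will look for. On the `TODO` before `update_bgpvpn_network_association`: whether the PUT rule stays should be decided from the extension's attribute map (whether the association attributes allow PUT), which is what neutron enforces against, rather than from the API reference; keeping the rule is harmless either way.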


@@ -0,0 +1,90 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from networking_bgpvpn.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_bgpvpn_port_association',
base.RULE_ADMIN_OR_OWNER,
'Create a port association',
[
{
'method': 'POST',
'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/port_associations',
},
]
),
policy.DocumentedRuleDefault(
'update_bgpvpn_port_association',
base.RULE_ADMIN_OR_OWNER,
'Update a port association',
[
{
'method': 'PUT',
'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
'port_associations/{port_association_id}'),
},
]
),
policy.DocumentedRuleDefault(
'delete_bgpvpn_port_association',
base.RULE_ADMIN_OR_OWNER,
'Delete a port association',
[
{
'method': 'DELETE',
'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
'port_associations/{port_association_id}'),
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn_port_association',
base.RULE_ADMIN_OR_OWNER,
'Get port associations',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/port_associations',
},
{
'method': 'GET',
'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
'port_associations/{port_association_id}'),
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn_port_association:tenant_id',
base.RULE_ADMIN_ONLY,
'Get ``tenant_id`` attributes of port associations',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/port_associations',
},
{
'method': 'GET',
'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
'port_associations/{port_association_id}'),
},
]
),
]
def list_rules():
return rules


@@ -0,0 +1,90 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from networking_bgpvpn.policies import base
rules = [
policy.DocumentedRuleDefault(
'create_bgpvpn_router_association',
base.RULE_ADMIN_OR_OWNER,
'Create a router association',
[
{
'method': 'POST',
'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/router_associations',
},
]
),
policy.DocumentedRuleDefault(
'update_bgpvpn_router_association',
base.RULE_ADMIN_OR_OWNER,
'Update a router association',
[
{
'method': 'PUT',
'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
'router_associations/{router_association_id}'),
},
]
),
policy.DocumentedRuleDefault(
'delete_bgpvpn_router_association',
base.RULE_ADMIN_OR_OWNER,
'Delete a router association',
[
{
'method': 'DELETE',
'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
'router_associations/{router_association_id}'),
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn_router_association',
base.RULE_ADMIN_OR_OWNER,
'Get router associations',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/router_associations',
},
{
'method': 'GET',
'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
'router_associations/{router_association_id}'),
},
]
),
policy.DocumentedRuleDefault(
'get_bgpvpn_router_association:tenant_id',
base.RULE_ADMIN_ONLY,
'Get ``tenant_id`` attributes of router associations',
[
{
'method': 'GET',
'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/router_associations',
},
{
'method': 'GET',
'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
'router_associations/{router_association_id}'),
},
]
),
]
def list_rules():
return rules


@@ -25,8 +25,6 @@ packages =
networking_bgpvpn_heat
bgpvpn_dashboard
data_files =
etc/neutron/policy.d =
etc/neutron/policy.d/bgpvpn.conf
etc/neutron =
etc/neutron/networking_bgpvpn.conf
@@ -45,6 +43,10 @@ oslo.config.opts =
networking-bgpvpn.service_provider = networking_bgpvpn.neutron.opts:list_service_provider
oslo.config.opts.defaults =
networking-bgpvpn.service_provider = networking_bgpvpn.neutron.opts:set_service_provider_default
oslo.policy.policies =
networking-bgpvpn = networking_bgpvpn.policies:list_rules
neutron.policies =
networking-bgpvpn = networking_bgpvpn.policies:list_rules
[build_sphinx]
source-dir = doc/source
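Review bot: Removing `etc/neutron/policy.d/bgpvpn.conf` from `data_files` stops installing the file, but it does not remove one already present on upgraded hosts, and oslo.policy gives rules loaded from `policy_dirs` precedence over the in-code defaults registered through the new `neutron.policies` and `oslo.policy.policies` entry points. A stale `bgpvpn.conf` would therefore keep governing access silently, including for any rule whose in-code default is tightened later. This deserves an upgrade release note telling operators to delete `policy.d/bgpvpn.conf` (or to move deliberate overrides into their policy file), which the commit does not include.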


@@ -34,6 +34,7 @@ commands =
pylint --rcfile=.pylintrc --output-format=colorized doc/source/samples
neutron-db-manage --subproject networking-bgpvpn --database-connection sqlite:// check_migration
{[testenv:genconfig]commands}
{[testenv:genpolicy]commands}
[testenv:dsvm]
setenv = OS_FAIL_ON_MISSING_DEPS=1
@@ -103,6 +104,9 @@ commands = oslo_debug_helper -t networking_bgpvpn/tests/unit {posargs}
[testenv:genconfig]
commands = {toxinidir}/tools/generate_config_file_samples.sh
[testenv:genpolicy]
commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
[flake8]
show-source = True
# E123, E125 skipped as they are invalid PEP-8.
@@ -146,4 +150,4 @@ deps =
{[testenv:pep8]deps}
commands =
{[testenv:dev]commands}
{[testenv:pep8]commands}
{[testenv:pep8]commands}
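Review bot: `{[testenv:genpolicy]commands}` is now part of the pep8 run and writes `etc/policy.yaml.sample` (the `output_file` in the generator config) relative to the tox working directory; unless that path is ignored by git, which is not visible here, every pep8 run leaves an untracked file behind and the sample can drift from whatever is committed. Either add the sample to `.gitignore` or commit it and have the job fail on a diff, the way generated config samples are usually handled. `[testenv:genpolicy]` also declares no `deps`, so it relies on the base `[testenv]` deps providing `oslo.policy`; worth confirming `oslopolicy-sample-generator` is actually on that environment's path.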