From 2ba48eb53520628898a63503aad4c3df39cda438 Mon Sep 17 00:00:00 2001 From: Akihiro Motoki Date: 2018年12月16日 23:20:29 +0900 Subject: [PATCH] Convert policy.json into policy-in-code This commit converts the existing networking-bgpvpn policy.json into policy-in-code. Partially Implements: blueprint neutron-policy-in-code Change-Id: I7cee0efef016dd8650ccf97686fe680667d52683
---
devstack/plugin.sh | 1 - etc/neutron/policy.d/bgpvpn.conf | 45 ---- etc/oslo-policy-generator/policy.conf | 3 + networking_bgpvpn/policies/__init__.py | 27 ++ networking_bgpvpn/policies/base.py | 17 ++ networking_bgpvpn/policies/bgpvpn.py | 232 ++++++++++++++++++ .../policies/network_association.py | 91 +++++++ .../policies/port_association.py | 90 +++++++ .../policies/router_association.py | 90 +++++++ setup.cfg | 6 +- tox.ini | 6 +- 11 files changed, 559 insertions(+), 49 deletions(-) delete mode 100644 etc/neutron/policy.d/bgpvpn.conf create mode 100644 etc/oslo-policy-generator/policy.conf create mode 100644 networking_bgpvpn/policies/__init__.py create mode 100644 networking_bgpvpn/policies/base.py create mode 100644 networking_bgpvpn/policies/bgpvpn.py create mode 100644 networking_bgpvpn/policies/network_association.py create mode 100644 networking_bgpvpn/policies/port_association.py create mode 100644 networking_bgpvpn/policies/router_association.py
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index b36d1140..d977a46b 100755
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -14,7 +14,6 @@ elif [[ "1ドル" == "stack" && "2ドル" == "post-config" ]]; then
 if is_service_enabled neutron-api || is_service_enabled q-svc; then
 echo_summary "Configuring networking-bgpvpn"
 neutron_service_plugin_class_add bgpvpn
- mkdir -v -p $NEUTRON_CONF_DIR/policy.d && cp -v $NETWORKING_BGPVPN_DIR/etc/neutron/policy.d/bgpvpn.conf $NEUTRON_CONF_DIR/policy.d
 mkdir -v -p $(dirname $NETWORKING_BGPVPN_CONF) && cp -v $NETWORKING_BGPVPN_DIR/etc/neutron/networking_bgpvpn.conf $NETWORKING_BGPVPN_CONF
 inicomment $NETWORKING_BGPVPN_CONF service_providers service_provider
 iniadd $NETWORKING_BGPVPN_CONF service_providers service_provider $NETWORKING_BGPVPN_DRIVER
diff --git a/etc/neutron/policy.d/bgpvpn.conf b/etc/neutron/policy.d/bgpvpn.conf
deleted file mode 100644
index 0b48ace3..00000000
--- a/etc/neutron/policy.d/bgpvpn.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-{
- "admin_only": "rule:context_is_admin",
- "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
-
- "create_bgpvpn": "rule:admin_only",
-
- "get_bgpvpn": "rule:admin_or_owner",
- "get_bgpvpn:tenant_id": "rule:admin_only",
- "get_bgpvpn:route_targets": "rule:admin_only",
- "get_bgpvpn:import_targets": "rule:admin_only",
- "get_bgpvpn:export_targets": "rule:admin_only",
- "get_bgpvpn:route_distinguishers": "rule:admin_only",
- "get_bgpvpn:vni": "rule:admin_only",
-
- "update_bgpvpn": "rule:admin_or_owner",
- "update_bgpvpn:tenant_id": "rule:admin_only",
- "update_bgpvpn:route_targets": "rule:admin_only",
- "update_bgpvpn:import_targets": "rule:admin_only",
- "update_bgpvpn:export_targets": "rule:admin_only",
- "update_bgpvpn:route_distinguishers": "rule:admin_only",
- "update_bgpvpn:vni": "rule:admin_only",
-
- "delete_bgpvpn": "rule:admin_only",
-
- "create_bgpvpn_network_association": "rule:admin_or_owner",
- "get_bgpvpn_network_association": "rule:admin_or_owner",
- "get_bgpvpn_network_association:tenant_id": "rule:admin_only",
- "get_bgpvpn_network_associations": "rule:admin_or_owner",
- "update_bgpvpn_network_association": "rule:admin_or_owner",
- "delete_bgpvpn_network_association": "rule:admin_or_owner",
-
- "create_bgpvpn_router_association": "rule:admin_or_owner",
- "get_bgpvpn_router_association": "rule:admin_or_owner",
- "get_bgpvpn_router_association:tenant_id": "rule:admin_only",
- "get_bgpvpn_router_associations": "rule:admin_or_owner",
- "update_bgpvpn_router_association": "rule:admin_or_owner",
- "delete_bgpvpn_router_association": "rule:admin_or_owner",
-
- "create_bgpvpn_port_association": "rule:admin_or_owner",
- "get_bgpvpn_port_association": "rule:admin_or_owner",
- "get_bgpvpn_port_association:tenant_id": "rule:admin_only",
- "get_bgpvpn_port_associations": "rule:admin_or_owner",
- "update_bgpvpn_port_association": "rule:admin_or_owner",
- "delete_bgpvpn_port_association": "rule:admin_or_owner"
-}
diff --git a/etc/oslo-policy-generator/policy.conf b/etc/oslo-policy-generator/policy.conf
new file mode 100644
index 00000000..eabf2651
--- /dev/null
+++ b/etc/oslo-policy-generator/policy.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/policy.yaml.sample
+namespace = networking-bgpvpn
diff --git a/networking_bgpvpn/policies/__init__.py b/networking_bgpvpn/policies/__init__.py
new file mode 100644
index 00000000..b78112b7
--- /dev/null
+++ b/networking_bgpvpn/policies/__init__.py
@@ -0,0 +1,27 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from networking_bgpvpn.policies import bgpvpn
+from networking_bgpvpn.policies import network_association
+from networking_bgpvpn.policies import port_association
+from networking_bgpvpn.policies import router_association
+
+
+def list_rules():
+ return itertools.chain(
+ bgpvpn.list_rules(),
+ network_association.list_rules(),
+ router_association.list_rules(),
+ port_association.list_rules(),
+ )
diff --git a/networking_bgpvpn/policies/base.py b/networking_bgpvpn/policies/base.py
new file mode 100644
index 00000000..463ec829
--- /dev/null
+++ b/networking_bgpvpn/policies/base.py
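Review bot: `list_rules` in networking_bgpvpn/policies/__init__.py is the function wired up as the `oslo.policy.policies` and `neutron.policies` entry point later in this patch, yet it carries no docstring saying that it is an entry point and that its result is an iterator, not a list. A one-liner such as `"""Return every policy rule this package registers (oslo.policy entry point)."""` above the `return` would make that contract visible to anyone adding a new policy module. As a matter of style, the chain order (bgpvpn, network, router, port) differs from the import order (bgpvpn, network, port, router); aligning the two avoids a reader wondering whether the order is significant.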
@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# TODO(amotoki): Define these in neutron or neutron-lib
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_ONLY = 'rule:admin_only'
+RULE_ANY = 'rule:regular_user'
diff --git a/networking_bgpvpn/policies/bgpvpn.py b/networking_bgpvpn/policies/bgpvpn.py
new file mode 100644
index 00000000..e4862f41
--- /dev/null
+++ b/networking_bgpvpn/policies/bgpvpn.py
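Review bot: The three constants in base.py reference rule names (`admin_or_owner`, `admin_only`, `regular_user`) that this package no longer defines anywhere — the deleted etc/neutron/policy.d/bgpvpn.conf defined `admin_only` and `admin_or_owner` itself, whereas after this change they resolve only if neutron registers rules with exactly those names. The effective access control for every bgpvpn operation therefore now depends on neutron's base policies and on any deployer override of them, and the TODO should say so, e.g. `# These names must match the rules neutron registers in its base policies; a deployer override of those rules in neutron's policy file also changes bgpvpn access control.` Since etc/oslo-policy-generator/policy.conf lists only the `networking-bgpvpn` namespace, the generated sample will presumably reference these rules without defining them, which is worth a sentence in the project documentation. `RULE_ANY` is not used by any module added in this patch.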
@@ -0,0 +1,232 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from networking_bgpvpn.policies import base
+
+
+rules = [
+ policy.DocumentedRuleDefault(
+ 'create_bgpvpn',
+ base.RULE_ADMIN_ONLY,
+ 'Create a BGP VPN',
+ [
+ {
+ 'method': 'POST',
+ 'path': '/bgpvpn/bgpvpns',
+ },
+ ]
+ ),
+
+ policy.DocumentedRuleDefault(
+ 'update_bgpvpn',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Update a BGP VPN',
+ [
+ {
+ 'method': 'PUT',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+ # TODO(amotoki): tenant_id is not updatable, so perhaps this can be dropped
+ policy.DocumentedRuleDefault(
+ 'update_bgpvpn:tenant_id',
+ base.RULE_ADMIN_ONLY,
+ 'Update ``tenant_id`` attribute of a BGP VPN',
+ [
+ {
+ 'method': 'PUT',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'update_bgpvpn:route_targets',
+ base.RULE_ADMIN_ONLY,
+ 'Update ``route_targets`` attribute of a BGP VPN',
+ [
+ {
+ 'method': 'PUT',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'update_bgpvpn:import_targets',
+ base.RULE_ADMIN_ONLY,
+ 'Update ``import_targets`` attribute of a BGP VPN',
+ [
+ {
+ 'method': 'PUT',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'update_bgpvpn:export_targets',
+ base.RULE_ADMIN_ONLY,
+ 'Update ``export_targets`` attribute of a BGP VPN',
+ [
+ {
+ 'method': 'PUT',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'update_bgpvpn:route_distinguishers',
+ base.RULE_ADMIN_ONLY,
+ 'Update ``route_distinguishers`` attribute of a BGP VPN',
+ [
+ {
+ 'method': 'PUT',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+ # TODO(amotoki): vni is not updatable, so perhaps this can be dropped
+ policy.DocumentedRuleDefault(
+ 'update_bgpvpn:vni',
+ base.RULE_ADMIN_ONLY,
+ 'Update ``vni`` attribute of a BGP VPN',
+ [
+ {
+ 'method': 'PUT',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+
+ policy.DocumentedRuleDefault(
+ 'delete_bgpvpn',
+ base.RULE_ADMIN_ONLY,
+ 'Delete a BGP VPN',
+ [
+ {
+ 'method': 'DELETE',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Get BGP VPNs',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn:tenant_id',
+ base.RULE_ADMIN_ONLY,
+ 'Get ``tenant_id`` attributes of BGP VPNs',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn:route_targets',
+ base.RULE_ADMIN_ONLY,
+ 'Get ``route_targets`` attributes of BGP VPNs',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn:import_targets',
+ base.RULE_ADMIN_ONLY,
+ 'Get ``import_targets`` attributes of BGP VPNs',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn:export_targets',
+ base.RULE_ADMIN_ONLY,
+ 'Get ``export_targets`` attributes of BGP VPNs',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn:route_distinguishers',
+ base.RULE_ADMIN_ONLY,
+ 'Get ``route_distinguishers`` attributes of BGP VPNs',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn:vni',
+ base.RULE_ADMIN_ONLY,
+ 'Get ``vni`` attributes of BGP VPNs',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{id}',
+ },
+ ]
+ ),
+]
+
+
+def list_rules():
+ return rules
diff --git a/networking_bgpvpn/policies/network_association.py b/networking_bgpvpn/policies/network_association.py
new file mode 100644
index 00000000..d79a8112
--- /dev/null
+++ b/networking_bgpvpn/policies/network_association.py
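Review bot: The two TODO comments on `update_bgpvpn:tenant_id` and `update_bgpvpn:vni` suggest dropping those rules because the attributes are not updatable, but keeping an explicit admin-only attribute rule is the safer default: if the API definition is ever changed to make either attribute updatable, the owner-level `update_bgpvpn` rule would, as far as I can tell, be the only check left, whereas the unconditional `base.RULE_ADMIN_ONLY` rule fails closed. I would reword both comments to record that intent rather than invite removal, e.g. `# NOTE: kept admin-only on purpose although the API marks tenant_id as not updatable, so a later API-definition change cannot silently open it to owners.` `list_rules()` at the end of the file also lacks a docstring; `"""Return the policy rules for the bgpvpn resource."""` would be enough.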
@@ -0,0 +1,91 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from networking_bgpvpn.policies import base
+
+
+rules = [
+ policy.DocumentedRuleDefault(
+ 'create_bgpvpn_network_association',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Create a network association',
+ [
+ {
+ 'method': 'POST',
+ 'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/network_associations',
+ },
+ ]
+ ),
+ # TODO(amotoki): PUT operation is not defined in the API ref. Drop it?
+ policy.DocumentedRuleDefault(
+ 'update_bgpvpn_network_association',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Update a network association',
+ [
+ {
+ 'method': 'PUT',
+ 'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
+ 'network_associations/{network_association_id}'),
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'delete_bgpvpn_network_association',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Delete a network association',
+ [
+ {
+ 'method': 'DELETE',
+ 'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
+ 'network_associations/{network_association_id}'),
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn_network_association',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Get network associations',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/network_associations',
+ },
+ {
+ 'method': 'GET',
+ 'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
+ 'network_associations/{network_association_id}'),
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn_network_association:tenant_id',
+ base.RULE_ADMIN_ONLY,
+ 'Get ``tenant_id`` attributes of network associations',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/network_associations',
+ },
+ {
+ 'method': 'GET',
+ 'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
+ 'network_associations/{network_association_id}'),
+ },
+ ]
+ ),
+]
+
+
+def list_rules():
+ return rules
diff --git a/networking_bgpvpn/policies/port_association.py b/networking_bgpvpn/policies/port_association.py
new file mode 100644
index 00000000..7689b0a5
--- /dev/null
+++ b/networking_bgpvpn/policies/port_association.py
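Review bot: The deleted policy.json also defined a plural `get_bgpvpn_network_associations` rule (and the router and port equivalents), and none of the new modules registers it; the same applies to the port_association.py and router_association.py hunks in this patch. If neutron's enforcement only ever looks up the singular `get_bgpvpn_network_association` for the list call, the plural entries were dead and this is a harmless cleanup, but the commit message does not say so, and any code path that still checks the plural name would now fall through to whatever default rule oslo.policy applies instead of an explicit `admin_or_owner`. Either state in the commit message that the plural rules were unused, or register them here with the same `base.RULE_ADMIN_OR_OWNER` target so the policy surface is unchanged. The `# TODO(amotoki): PUT operation is not defined in the API ref. Drop it?` comment could likewise note that keeping the rule costs nothing while dropping it would leave the PUT path governed only by the default rule.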
@@ -0,0 +1,90 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from networking_bgpvpn.policies import base
+
+
+rules = [
+ policy.DocumentedRuleDefault(
+ 'create_bgpvpn_port_association',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Create a port association',
+ [
+ {
+ 'method': 'POST',
+ 'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/port_associations',
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'update_bgpvpn_port_association',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Update a port association',
+ [
+ {
+ 'method': 'PUT',
+ 'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
+ 'port_associations/{port_association_id}'),
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'delete_bgpvpn_port_association',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Delete a port association',
+ [
+ {
+ 'method': 'DELETE',
+ 'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
+ 'port_associations/{port_association_id}'),
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn_port_association',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Get port associations',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/port_associations',
+ },
+ {
+ 'method': 'GET',
+ 'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
+ 'port_associations/{port_association_id}'),
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn_port_association:tenant_id',
+ base.RULE_ADMIN_ONLY,
+ 'Get ``tenant_id`` attributes of port associations',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/port_associations',
+ },
+ {
+ 'method': 'GET',
+ 'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
+ 'port_associations/{port_association_id}'),
+ },
+ ]
+ ),
+]
+
+
+def list_rules():
+ return rules
diff --git a/networking_bgpvpn/policies/router_association.py b/networking_bgpvpn/policies/router_association.py
new file mode 100644
index 00000000..2d873ba7
--- /dev/null
+++ b/networking_bgpvpn/policies/router_association.py
@@ -0,0 +1,90 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from networking_bgpvpn.policies import base
+
+
+rules = [
+ policy.DocumentedRuleDefault(
+ 'create_bgpvpn_router_association',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Create a router association',
+ [
+ {
+ 'method': 'POST',
+ 'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/router_associations',
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'update_bgpvpn_router_association',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Update a router association',
+ [
+ {
+ 'method': 'PUT',
+ 'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
+ 'router_associations/{router_association_id}'),
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'delete_bgpvpn_router_association',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Delete a router association',
+ [
+ {
+ 'method': 'DELETE',
+ 'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
+ 'router_associations/{router_association_id}'),
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn_router_association',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Get router associations',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/router_associations',
+ },
+ {
+ 'method': 'GET',
+ 'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
+ 'router_associations/{router_association_id}'),
+ },
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_bgpvpn_router_association:tenant_id',
+ base.RULE_ADMIN_ONLY,
+ 'Get ``tenant_id`` attributes of router associations',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/bgpvpn/bgpvpns/{bgpvpn_id}/router_associations',
+ },
+ {
+ 'method': 'GET',
+ 'path': ('/bgpvpn/bgpvpns/{bgpvpn_id}/'
+ 'router_associations/{router_association_id}'),
+ },
+ ]
+ ),
+]
+
+
+def list_rules():
+ return rules
diff --git a/setup.cfg b/setup.cfg
index 0376a521..c8b0f054 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -25,8 +25,6 @@ packages = networking_bgpvpn_heat bgpvpn_dashboard data_files = - etc/neutron/policy.d = - etc/neutron/policy.d/bgpvpn.conf etc/neutron = etc/neutron/networking_bgpvpn.conf
@@ -45,6 +43,10 @@ oslo.config.opts = networking-bgpvpn.service_provider = networking_bgpvpn.neutron.opts:list_service_provider oslo.config.opts.defaults = networking-bgpvpn.service_provider = networking_bgpvpn.neutron.opts:set_service_provider_default +oslo.policy.policies = + networking-bgpvpn = networking_bgpvpn.policies:list_rules +neutron.policies = + networking-bgpvpn = networking_bgpvpn.policies:list_rules [build_sphinx] source-dir = doc/source
diff --git a/tox.ini b/tox.ini
index 1123fa2c..f12a3c2b 100644
--- a/tox.ini
+++ b/tox.ini
@@ -34,6 +34,7 @@ commands = pylint --rcfile=.pylintrc --output-format=colorized doc/source/samples neutron-db-manage --subproject networking-bgpvpn --database-connection sqlite:// check_migration {[testenv:genconfig]commands} + {[testenv:genpolicy]commands} [testenv:dsvm] setenv = OS_FAIL_ON_MISSING_DEPS=1
@@ -103,6 +104,9 @@ commands = oslo_debug_helper -t networking_bgpvpn/tests/unit {posargs} [testenv:genconfig] commands = {toxinidir}/tools/generate_config_file_samples.sh +[testenv:genpolicy] +commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf + [flake8] show-source = True # E123, E125 skipped as they are invalid PEP-8.
@@ -146,4 +150,4 @@ deps =
 {[testenv:pep8]deps}
 commands =
 {[testenv:dev]commands}
- {[testenv:pep8]commands}
\ No newline at end of file
+ {[testenv:pep8]commands}
