openstack/neutron
Code Issues Proposed changes

Convert policy.json into policy-in-code

Browse Source 
This commit introduces a framework for policy-in-code support
in the neutron stadium and converts the existing policy.json
in the neutron repository into the policy-in-code style.

NOTES:
1) This commit tries not to change the existing policy behavior
provided by the neutron repository even if there are some stale policies
or policies to be defined in a neutron-related project.
They should be clean up later in Stein release.

2) 'default' policy should be dropped from the default policies
as all default policies should be defined in the code (as many projects
which already completed policy-in-code do). However, dropping 'default'
policy potentially affects policy behavior in neutron-related projects,
so it needs to be visit carefully. Considering this, this commit decides
to keep the 'default' policy.

Partially Implements: blueprint neutron-policy-in-code
Change-Id: I6a61079da4d4f5080ee32d640144e6bdb14735fa
This commit is contained in:
Akihiro Motoki
2018-07-24 04:31:00 +09:00
committed by Slawek Kaplonski
parent 7a2b4dcff1
commit f8984c6699
37 changed files with 1806 additions and 686 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
doc/source/contributor/internals/policy.rst
View File

@@ -22,7 +22,7 @@
Authorization Policy Enforcement
==================================
================================
As most OpenStack projects, Neutron leverages oslo_policy [#]_. However, since
Neutron loves to be special and complicate every developer's life, it also
@@ -40,7 +40,7 @@ For any other information please refer to the developer documentation for
oslo_policy [#]_.
Authorization workflow
-----------------------
----------------------
The Neutron API controllers perform policy checks in two phases during the
processing of an API request:
@@ -52,7 +52,7 @@ processing of an API request:
consumer.
Request authorization
~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
The aim of this step is to authorize processing for a request or reject it
with an error status code.
@@ -107,7 +107,7 @@ verification is performed by ``oslo_policy`` with no "customization" from the
Neutron side.
Response Filtering
~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~
Some Neutron extensions, like the provider networks one, add some attribute
to resources which are however not meant to be consumed by all clients. This
@@ -126,7 +126,7 @@ is added to a list of attributes that should be removed from the response
before returning it to the API client.
The neutron.policy API
------------------------
----------------------
The ``neutron.policy`` module exposes a simple API whose main goal if to allow the
REST API controllers to implement the authorization workflow discussed in this
@@ -165,7 +165,7 @@ The neutron.policy API exposes the following routines:
is_advsvc property for a neutron context.
Neutron specific policy rules
------------------------------
-----------------------------
Neutron provides two additional policy rule classes in order to support the
"augmented" authorization capabilities it provides. They both extend
@@ -235,7 +235,7 @@ to ``<value>`` or return ``False`` is the ``<field>`` either is not equal to
Guidance for API developers
----------------------------
---------------------------
When developing REST APIs for Neutron it is important to be aware of how the
policy engine will authorize these requests. This is true both for APIs
@@ -276,7 +276,7 @@ served by Neutron "core" and for the APIs served by the various Neutron
Notes
-----------------------
-----
* No authorization checks are performed for requests coming from the RPC over
AMQP channel. For all these requests a neutron admin context is built, and
@@ -300,6 +300,47 @@ Notes
resource must be managed by the 'core' plugin (ie: the one defined in the
core_plugin configuration variable)
Policy-in-Code support
----------------------
Policy-in-code support in neutron is a bit different from other projects
because the neutron server needs to load policies in code from multiple
projects. Each neutron related project should register the following two entry
points ``oslo.policy.policies`` and ``neutron.policies`` in ``setup.cfg`` like
below:
.. code-block:: none
oslo.policy.policies =
neutron = neutron.conf.policies:list_rules
neutron.policies =
neutron = neutron.conf.policies:list_rules
The above two entries are same, but they have different purposes.
* The first entry point is a normal entry point defined by oslo.policy and it
is used to generate a sample policy file [#]_ [#]_.
* The second one is specific to neutron. It is used by ``neutron.policy``
module to load policies of neutron related projects.
``oslo.policy.policies`` entry point is used by all projects which adopt
oslo.policy, so we cannot determine which projects are neutron related
projects, so the second entry point is required.
The recommended entry point name is a repository name: For example,
'neutron-fwaas' for FWaaS and 'networking-sfc' for SFC:
.. code-block:: none
oslo.policy.policies =
neutron-fwaas = neutron_fwaas.policies:list_rules
neutron.policies =
neutron-fwaas = neutron_fwaas.policies:list_rules
Except registering the ``neutron.policies`` entry point, other steps to be done
in each neutron related project for policy-in-code support are same for all
OpenStack projects.
References
----------
@@ -320,3 +361,6 @@ References
.. [#] Policy reset_ in neutron.api.v2.router
.. _reset: http://git.openstack.org/cgit/openstack/neutron/tree/neutron/api/v2/router.py?id=2015.1.1#n122
.. [#] https://docs.openstack.org/oslo.policy/latest/user/usage.html#sample-file-generation
.. [#] https://docs.openstack.org/oslo.policy/latest/cli/index.html#oslopolicy-sample-generator

4
etc/README.policy.json.txt Normal file
View File

@@ -0,0 +1,4 @@
To generate the sample policy.json file, run the following command from the top
level of the neutron directory:
tox -e genpolicy

3
etc/oslo-policy-generator/policy.conf Normal file
View File

@@ -0,0 +1,3 @@
[DEFAULT]
output_file = etc/policy.yaml.sample
namespace = neutron

262
etc/policy.json
View File

@@ -1,262 +0,0 @@
{
"context_is_admin": "role:admin",
"owner": "tenant_id:%(tenant_id)s",
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator",
"shared": "field:networks:shared=True",
"shared_subnetpools": "field:subnetpools:shared=True",
"shared_address_scopes": "field:address_scopes:shared=True",
"external": "field:networks:router:external=True",
"default": "rule:admin_or_owner",
"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s",
"create_subnet": "rule:admin_or_network_owner",
"create_subnet:segment_id": "rule:admin_only",
"create_subnet:service_types": "rule:admin_only",
"get_subnet": "rule:admin_or_owner or rule:shared",
"get_subnet:segment_id": "rule:admin_only",
"update_subnet": "rule:admin_or_network_owner",
"update_subnet:service_types": "rule:admin_only",
"delete_subnet": "rule:admin_or_network_owner",
"create_subnetpool": "",
"create_subnetpool:shared": "rule:admin_only",
"create_subnetpool:is_default": "rule:admin_only",
"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
"update_subnetpool": "rule:admin_or_owner",
"update_subnetpool:is_default": "rule:admin_only",
"delete_subnetpool": "rule:admin_or_owner",
"create_address_scope": "",
"create_address_scope:shared": "rule:admin_only",
"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
"update_address_scope": "rule:admin_or_owner",
"update_address_scope:shared": "rule:admin_only",
"delete_address_scope": "rule:admin_or_owner",
"create_network": "",
"create_network:shared": "rule:admin_only",
"create_network:router:external": "rule:admin_only",
"create_network:is_default": "rule:admin_only",
"create_network:segments": "rule:admin_only",
"create_network:provider:network_type": "rule:admin_only",
"create_network:provider:physical_network": "rule:admin_only",
"create_network:provider:segmentation_id": "rule:admin_only",
"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
"get_network:router:external": "rule:regular_user",
"get_network:segments": "rule:admin_only",
"get_network:provider:network_type": "rule:admin_only",
"get_network:provider:physical_network": "rule:admin_only",
"get_network:provider:segmentation_id": "rule:admin_only",
"get_network:queue_id": "rule:admin_only",
"get_network_ip_availabilities": "rule:admin_only",
"get_network_ip_availability": "rule:admin_only",
"get_availability_zone": "",
"update_network": "rule:admin_or_owner",
"update_network:segments": "rule:admin_only",
"update_network:shared": "rule:admin_only",
"update_network:provider:network_type": "rule:admin_only",
"update_network:provider:physical_network": "rule:admin_only",
"update_network:provider:segmentation_id": "rule:admin_only",
"update_network:router:external": "rule:admin_only",
"delete_network": "rule:admin_or_owner",
"create_segment": "rule:admin_only",
"get_segment": "rule:admin_only",
"update_segment": "rule:admin_only",
"delete_segment": "rule:admin_only",
"network_device": "field:port:device_owner=~^network:",
"create_port": "",
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:binding:host_id": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only",
"create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
"get_port:queue_id": "rule:admin_only",
"get_port:binding:vif_type": "rule:admin_only",
"get_port:binding:vif_details": "rule:admin_only",
"get_port:binding:host_id": "rule:admin_only",
"get_port:binding:profile": "rule:admin_only",
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:binding:host_id": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only",
"update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
"update_port:data_plane_status": "rule:admin_or_data_plane_int",
"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
"create_router": "rule:regular_user",
"create_router:external_gateway_info": "rule:admin_or_owner",
"create_router:external_gateway_info:network_id": "rule:admin_or_owner",
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
"create_router:distributed": "rule:admin_only",
"create_router:ha": "rule:admin_only",
"get_router": "rule:admin_or_owner",
"get_router:ha": "rule:admin_only",
"get_router:distributed": "rule:admin_only",
"update_router": "rule:admin_or_owner",
"update_router:external_gateway_info": "rule:admin_or_owner",
"update_router:external_gateway_info:network_id": "rule:admin_or_owner",
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
"update_router:distributed": "rule:admin_only",
"update_router:ha": "rule:admin_only",
"delete_router": "rule:admin_or_owner",
"add_router_interface": "rule:admin_or_owner",
"remove_router_interface": "rule:admin_or_owner",
"create_qos_queue": "rule:admin_only",
"get_qos_queue": "rule:admin_only",
"get_agent": "rule:admin_only",
"update_agent": "rule:admin_only",
"delete_agent": "rule:admin_only",
"create_dhcp-network": "rule:admin_only",
"get_dhcp-networks": "rule:admin_only",
"delete_dhcp-network": "rule:admin_only",
"create_l3-router": "rule:admin_only",
"get_l3-routers": "rule:admin_only",
"delete_l3-router": "rule:admin_only",
"get_dhcp-agents": "rule:admin_only",
"get_l3-agents": "rule:admin_only",
"get_loadbalancer-agent": "rule:admin_only",
"get_loadbalancer-pools": "rule:admin_only",
"get_agent-loadbalancers": "rule:admin_only",
"get_loadbalancer-hosting-agent": "rule:admin_only",
"create_floatingip": "rule:regular_user",
"create_floatingip:floating_ip_address": "rule:admin_only",
"get_floatingip": "rule:admin_or_owner",
"get_floatingip_pool": "rule:regular_user",
"update_floatingip": "rule:admin_or_owner",
"delete_floatingip": "rule:admin_or_owner",
"create_network_profile": "rule:admin_only",
"get_network_profiles": "",
"get_network_profile": "",
"update_network_profile": "rule:admin_only",
"delete_network_profile": "rule:admin_only",
"get_policy_profiles": "",
"get_policy_profile": "",
"update_policy_profiles": "rule:admin_only",
"create_metering_label": "rule:admin_only",
"get_metering_label": "rule:admin_only",
"delete_metering_label": "rule:admin_only",
"create_metering_label_rule": "rule:admin_only",
"get_metering_label_rule": "rule:admin_only",
"delete_metering_label_rule": "rule:admin_only",
"create_lsn": "rule:admin_only",
"get_lsn": "rule:admin_only",
"get_service_provider": "rule:regular_user",
"create_flavor": "rule:admin_only",
"get_flavors": "rule:regular_user",
"get_flavor": "rule:regular_user",
"update_flavor": "rule:admin_only",
"delete_flavor": "rule:admin_only",
"create_service_profile": "rule:admin_only",
"get_service_profiles": "rule:admin_only",
"get_service_profile": "rule:admin_only",
"update_service_profile": "rule:admin_only",
"delete_service_profile": "rule:admin_only",
"create_policy": "rule:admin_only",
"get_policy": "rule:regular_user",
"update_policy": "rule:admin_only",
"delete_policy": "rule:admin_only",
"create_policy_bandwidth_limit_rule": "rule:admin_only",
"get_policy_bandwidth_limit_rule": "rule:regular_user",
"update_policy_bandwidth_limit_rule": "rule:admin_only",
"delete_policy_bandwidth_limit_rule": "rule:admin_only",
"create_policy_dscp_marking_rule": "rule:admin_only",
"get_policy_dscp_marking_rule": "rule:regular_user",
"update_policy_dscp_marking_rule": "rule:admin_only",
"delete_policy_dscp_marking_rule": "rule:admin_only",
"get_rule_type": "rule:regular_user",
"create_policy_minimum_bandwidth_rule": "rule:admin_only",
"get_policy_minimum_bandwidth_rule": "rule:regular_user",
"update_policy_minimum_bandwidth_rule": "rule:admin_only",
"delete_policy_minimum_bandwidth_rule": "rule:admin_only",
"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
"create_rbac_policy": "",
"create_rbac_policy:target_tenant": "rule:restrict_wildcard",
"get_rbac_policy": "rule:admin_or_owner",
"update_rbac_policy": "rule:admin_or_owner",
"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
"delete_rbac_policy": "rule:admin_or_owner",
"create_flavor_service_profile": "rule:admin_only",
"get_flavor_service_profile": "rule:regular_user",
"delete_flavor_service_profile": "rule:admin_only",
"get_auto_allocated_topology": "rule:admin_or_owner",
"delete_auto_allocated_topology": "rule:admin_or_owner",
"create_trunk": "rule:regular_user",
"get_trunk": "rule:admin_or_owner",
"delete_trunk": "rule:admin_or_owner",
"add_subports": "rule:admin_or_owner",
"get_subports": "",
"remove_subports": "rule:admin_or_owner",
"create_security_group": "rule:admin_or_owner",
"get_security_groups": "rule:admin_or_owner",
"get_security_group": "rule:admin_or_owner",
"update_security_group": "rule:admin_or_owner",
"delete_security_group": "rule:admin_or_owner",
"create_security_group_rule": "rule:admin_or_owner",
"get_security_group_rules": "rule:admin_or_owner",
"get_security_group_rule": "rule:admin_or_owner",
"delete_security_group_rule": "rule:admin_or_owner",
"get_loggable_resources": "rule:admin_only",
"create_log": "rule:admin_only",
"get_log": "rule:admin_only",
"get_logs": "rule:admin_only",
"update_log": "rule:admin_only",
"delete_log": "rule:admin_only",
"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
"get_floatingip_port_forwardings": "rule:admin_or_ext_parent_owner",
"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
}

81
neutron/conf/policies/__init__.py Normal file
View File

@@ -0,0 +1,81 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import inspect
import itertools
import six
from neutron.conf.policies import address_scope
from neutron.conf.policies import agent
from neutron.conf.policies import auto_allocated_topology
from neutron.conf.policies import availability_zone
from neutron.conf.policies import base
from neutron.conf.policies import cisco_plugin
from neutron.conf.policies import flavor
from neutron.conf.policies import floatingip
from neutron.conf.policies import floatingip_pools
from neutron.conf.policies import floatingip_port_forwarding
from neutron.conf.policies import logging
from neutron.conf.policies import metering
from neutron.conf.policies import network
from neutron.conf.policies import network_ip_availability
from neutron.conf.policies import port
from neutron.conf.policies import qos
from neutron.conf.policies import rbac
from neutron.conf.policies import router
from neutron.conf.policies import security_group
from neutron.conf.policies import segment
from neutron.conf.policies import service_type
from neutron.conf.policies import subnet
from neutron.conf.policies import subnetpool
from neutron.conf.policies import trunk
from neutron.conf.policies import vmware_plugin
def list_rules():
return itertools.chain(
base.list_rules(),
address_scope.list_rules(),
agent.list_rules(),
auto_allocated_topology.list_rules(),
availability_zone.list_rules(),
cisco_plugin.list_rules(),
flavor.list_rules(),
floatingip.list_rules(),
floatingip_pools.list_rules(),
floatingip_port_forwarding.list_rules(),
logging.list_rules(),
metering.list_rules(),
network.list_rules(),
network_ip_availability.list_rules(),
port.list_rules(),
qos.list_rules(),
rbac.list_rules(),
router.list_rules(),
security_group.list_rules(),
segment.list_rules(),
service_type.list_rules(),
subnet.list_rules(),
subnetpool.list_rules(),
trunk.list_rules(),
vmware_plugin.list_rules(),
)
def reload_default_policies():
for name, module in globals().items():
if (inspect.ismodule(module) and
module.__name__.startswith(__package__)):
# NOTE: pylint checks function args wrongly.
# pylint: disable=too-many-function-args
six.moves.reload_module(module)

44
neutron/conf/policies/address_scope.py Normal file
View File

@@ -0,0 +1,44 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('shared_address_scopes',
'field:address_scopes:shared=True',
description='Rule of shared address scope'),
policy.RuleDefault('create_address_scope',
'',
description='Access rule for creating address scope'),
policy.RuleDefault('create_address_scope:shared',
'rule:admin_only',
description=('Access rule for creating '
'shared address scope')),
policy.RuleDefault('get_address_scope',
'rule:admin_or_owner or rule:shared_address_scopes',
description='Access rule for getting address scope'),
policy.RuleDefault('update_address_scope',
'rule:admin_or_owner',
description='Access rule for updating address scope'),
policy.RuleDefault('update_address_scope:shared',
'rule:admin_only',
description=('Access rule for updating '
'shared attribute of address scope')),
policy.RuleDefault('delete_address_scope',
'rule:admin_or_owner',
description='Access rule for deleting address scope')
]
def list_rules():
return rules

80
neutron/conf/policies/agent.py Normal file
View File

@@ -0,0 +1,80 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('get_agent',
'rule:admin_only',
description='Access rule for getting agent'),
policy.RuleDefault('update_agent',
'rule:admin_only',
description='Access rule for updating agent'),
policy.RuleDefault('delete_agent',
'rule:admin_only',
description='Access rule for deleting agent'),
policy.RuleDefault('create_dhcp-network',
'rule:admin_only',
description=('Access rule for adding '
'network to dhcp agent')),
policy.RuleDefault('get_dhcp-networks',
'rule:admin_only',
description=('Access rule for listing '
'networks on the dhcp agent')),
policy.RuleDefault('delete_dhcp-network',
'rule:admin_only',
description=('Access rule for removing '
'network from dhcp agent')),
policy.RuleDefault('create_l3-router',
'rule:admin_only',
description=('Access rule for adding '
'router to l3 agent')),
policy.RuleDefault('get_l3-routers',
'rule:admin_only',
description=('Access rule for listing '
'routers on the l3 agent')),
policy.RuleDefault('delete_l3-router',
'rule:admin_only',
description=('Access rule for deleting '
'router from l3 agent')),
policy.RuleDefault('get_dhcp-agents',
'rule:admin_only',
description=('Access rule for listing '
'dhcp agents hosting the network')),
policy.RuleDefault('get_l3-agents',
'rule:admin_only',
description=('Access rule for listing '
'l3 agents hosting the router')),
# TODO(amotoki): Remove LBaaS related policies once neutron-lbaas
# is retired.
policy.RuleDefault('get_loadbalancer-agent',
'rule:admin_only',
description=('Access rule for getting '
'lbaas agent hosting the pool')),
policy.RuleDefault('get_loadbalancer-pools',
'rule:admin_only',
description=('Access rule for listing '
'pools on the lbaas agent')),
policy.RuleDefault('get_agent-loadbalancers',
'rule:admin_only',
description=('Access rule for listing '
'loadbalancers on the lbaasv2 agent')),
policy.RuleDefault('get_loadbalancer-hosting-agent',
'rule:admin_only',
description=('Access rule for getting '
'lbaasv2 agent hosting the loadbalancer')),
]
def list_rules():
return rules

31
neutron/conf/policies/auto_allocated_topology.py Normal file
View File

@@ -0,0 +1,31 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'get_auto_allocated_topology',
'rule:admin_or_owner',
description=("Access rule for getting a project's "
"auto-allocated topology")),
policy.RuleDefault(
'delete_auto_allocated_topology',
'rule:admin_or_owner',
description=("Access rule for deleting a project's "
"auto-allocated topology")),
]
def list_rules():
return rules

25
neutron/conf/policies/availability_zone.py Normal file
View File

@@ -0,0 +1,25 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'get_availability_zone',
'',
description='Access rule for getting availability zone'),
]
def list_rules():
return rules

67
neutron/conf/policies/base.py Normal file
View File

@@ -0,0 +1,67 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'context_is_admin',
'role:admin',
description='Rule for cloud admin access'),
policy.RuleDefault(
'owner',
'tenant_id:%(tenant_id)s',
description='Rule for resource owner access'),
policy.RuleDefault(
'admin_or_owner',
'rule:context_is_admin or rule:owner',
description='Rule for admin or owner access'),
policy.RuleDefault(
'context_is_advsvc',
'role:advsvc',
description='Rule for advsvc role access'),
policy.RuleDefault(
'admin_or_network_owner',
'rule:context_is_admin or tenant_id:%(network:tenant_id)s',
description='Rule for admin or network owner access'),
policy.RuleDefault(
'admin_owner_or_network_owner',
'rule:owner or rule:admin_or_network_owner',
description=('Rule for resource owner, '
'admin or network owner access')),
policy.RuleDefault(
'admin_only',
'rule:context_is_admin',
description='Rule only for admin access'),
policy.RuleDefault(
'regular_user',
'',
description='Rule for regular user access'),
# TODO(amotoki): Should be renamed to shared_network? It seems clearer.
policy.RuleDefault(
'shared',
'field:networks:shared=True',
description='Rule of shared network'),
policy.RuleDefault(
'default',
'rule:admin_or_owner',
description='Default access rule'),
policy.RuleDefault(
'admin_or_ext_parent_owner',
'rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s',
description='Rule for common parent owner check'),
]
def list_rules():
return rules

46
neutron/conf/policies/cisco_plugin.py Normal file
View File

@@ -0,0 +1,46 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
# TODO(amotoki): Move Cisco related policy rules to networking-cisco
rules = [
policy.RuleDefault('create_network_profile',
'rule:admin_only',
description='Access rule for creating network profile'),
policy.RuleDefault('get_network_profiles',
'',
description='Access rule for listing network profiles'),
policy.RuleDefault('get_network_profile',
'',
description='Access rule for getting network profile'),
policy.RuleDefault('update_network_profile',
'rule:admin_only',
description='Access rule for updating network profile'),
policy.RuleDefault('delete_network_profile',
'rule:admin_only',
description='Access rule for deleting network profile'),
policy.RuleDefault('get_policy_profiles',
'',
description='Access rule for listing policy profile'),
policy.RuleDefault('get_policy_profile',
'',
description='Access rule for getting policy prodile'),
policy.RuleDefault('update_policy_profiles',
'rule:admin_only',
description='Access rule for updating policy profile'),
]
def list_rules():
return rules

78
neutron/conf/policies/flavor.py Normal file
View File

@@ -0,0 +1,78 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'create_flavor',
'rule:admin_only',
description='Access rule for creating flavor'),
policy.RuleDefault(
'get_flavors',
'rule:regular_user',
description='Access rule for listing flavors'),
policy.RuleDefault(
'get_flavor',
'rule:regular_user',
description='Access rule for getting flavor'),
policy.RuleDefault(
'update_flavor',
'rule:admin_only',
description='Access rule for updating flavor'),
policy.RuleDefault(
'delete_flavor',
'rule:admin_only',
description='Access rule for deleting flavor'),
policy.RuleDefault(
'create_service_profile',
'rule:admin_only',
description='Access rule for creating service profile'),
policy.RuleDefault(
'get_service_profiles',
'rule:admin_only',
description='Access rule for listing service profiles'),
policy.RuleDefault(
'get_service_profile',
'rule:admin_only',
description='Access rule for getting service profile'),
policy.RuleDefault(
'update_service_profile',
'rule:admin_only',
description='Access rule for updating service profile'),
policy.RuleDefault(
'delete_service_profile',
'rule:admin_only',
description='Access rule for deleting service profile'),
policy.RuleDefault(
'create_flavor_service_profile',
'rule:admin_only',
description=('Access rule for associating '
'flavor with service profile')),
policy.RuleDefault(
'delete_flavor_service_profile',
'rule:admin_only',
description=('Access rule for disassociating '
'flavor with service profile')),
policy.RuleDefault(
'get_flavor_service_profile',
'rule:regular_user',
description=('Access rule for getting flavor associating '
'with the given service profiles')),
]
def list_rules():
return rules

37
neutron/conf/policies/floatingip.py Normal file
View File

@@ -0,0 +1,37 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('create_floatingip',
'rule:regular_user',
description='Access rule for creating floating IP'),
policy.RuleDefault('create_floatingip:floating_ip_address',
'rule:admin_only',
description=('Access rule for creating floating IP '
'with a specific IP address')),
policy.RuleDefault('get_floatingip',
'rule:admin_or_owner',
description='Access rule for getting floating IP'),
policy.RuleDefault('update_floatingip',
'rule:admin_or_owner',
description='Access rule for updating floating IP'),
policy.RuleDefault('delete_floatingip',
'rule:admin_or_owner',
description='Access rule for deleting floating IP'),
]
def list_rules():
return rules

25
neutron/conf/policies/floatingip_pools.py Normal file
View File

@@ -0,0 +1,25 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'get_floatingip_pool',
'rule:regular_user',
description='Access rule for getting floating IP pools'),
]
def list_rules():
return rules

42
neutron/conf/policies/floatingip_port_forwarding.py Normal file
View File

@@ -0,0 +1,42 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'create_floatingip_port_forwarding',
'rule:admin_or_ext_parent_owner',
description='Access rule for creating floating IP port forwarding'),
policy.RuleDefault(
'get_floatingip_port_forwarding',
'rule:admin_or_ext_parent_owner',
description='Access rule for getting floating IP port forwarding'),
# TOOD(amotoki): get_floatingip_port_forwardings looks unnecessary.
policy.RuleDefault(
'get_floatingip_port_forwardings',
'rule:admin_or_ext_parent_owner',
description='Access rule for listing floating IP port forwardings'),
policy.RuleDefault(
'update_floatingip_port_forwarding',
'rule:admin_or_ext_parent_owner',
description='Access rule for updating floating IP port forwarding'),
policy.RuleDefault(
'delete_floatingip_port_forwarding',
'rule:admin_or_ext_parent_owner',
description='Access rule for deleting floating IP port forwarding'),
]
def list_rules():
return rules

45
neutron/conf/policies/logging.py Normal file
View File

@@ -0,0 +1,45 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'get_loggable_resources',
'rule:admin_only',
description='Access rule for getting loggable resources'),
policy.RuleDefault(
'create_log',
'rule:admin_only',
description='Access rule for creating network log'),
policy.RuleDefault(
'get_log',
'rule:admin_only',
description='Access rule for getting network log'),
policy.RuleDefault(
'get_logs',
'rule:admin_only',
description='Access rule for listing network logs'),
policy.RuleDefault(
'update_log',
'rule:admin_only',
description='Access rule for updating network log'),
policy.RuleDefault(
'delete_log',
'rule:admin_only',
description='Access rule for deleting network log'),
]
def list_rules():
return rules

42
neutron/conf/policies/metering.py Normal file
View File

@@ -0,0 +1,42 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('create_metering_label',
'rule:admin_only',
description='Access rule for creating metering label'),
policy.RuleDefault('get_metering_label',
'rule:admin_only',
description='Access rule for getting metering label'),
policy.RuleDefault('delete_metering_label',
'rule:admin_only',
description='Access rule for deleting metering label'),
policy.RuleDefault('create_metering_label_rule',
'rule:admin_only',
description=('Access rule for creating '
'metering label rule')),
policy.RuleDefault('get_metering_label_rule',
'rule:admin_only',
description=('Access rule for getting '
'metering label rule')),
policy.RuleDefault('delete_metering_label_rule',
'rule:admin_only',
description=('Access rule for deleting '
'metering label rule'))
]
def list_rules():
return rules

133
neutron/conf/policies/network.py Normal file
View File

@@ -0,0 +1,133 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'external',
'field:networks:router:external=True',
description='Rule of external network'),
policy.RuleDefault(
'create_network',
'',
description='Access rule for creating network'),
policy.RuleDefault(
'create_network:shared',
'rule:admin_only',
description='Access rule for creating shared network'),
policy.RuleDefault(
'create_network:router:external',
'rule:admin_only',
description='Access rule for creating external network'),
policy.RuleDefault(
'create_network:is_default',
'rule:admin_only',
description='Access rule for creating network with is_default'),
policy.RuleDefault(
'create_network:segments',
'rule:admin_only',
description='Access rule for creating network with segments'),
policy.RuleDefault(
'create_network:provider:network_type',
'rule:admin_only',
description=('Access rule for creating network '
'with provider network_type')),
policy.RuleDefault(
'create_network:provider:physical_network',
'rule:admin_only',
description=('Access rule for creating network '
'with provider physical_network')),
policy.RuleDefault(
'create_network:provider:segmentation_id',
'rule:admin_only',
description=('Access rule for creating network '
'with provider segmentation_id')),
policy.RuleDefault(
'get_network',
('rule:admin_or_owner or rule:shared or '
'rule:external or rule:context_is_advsvc'),
description='Access rule for getting shared network'),
policy.RuleDefault(
'get_network:router:external',
'rule:regular_user',
description='Access rule for getting external network'),
policy.RuleDefault(
'get_network:segments',
'rule:admin_only',
description='Access rule for getting segments of network'),
policy.RuleDefault(
'get_network:provider:network_type',
'rule:admin_only',
description=('Access rule for getting provider '
'network_type of network')),
policy.RuleDefault(
'get_network:provider:physical_network',
'rule:admin_only',
description=('Access rule for getting provider '
'physical_network of network')),
policy.RuleDefault(
'get_network:provider:segmentation_id',
'rule:admin_only',
description=('Access rule for getting provider '
'segmentation_id of network')),
# TODO(amotoki): Move queue_id to vmware-nsx plugin
policy.RuleDefault(
'get_network:queue_id',
'rule:admin_only',
description='Access rule for getting queue_id of network'),
policy.RuleDefault(
'update_network',
'rule:admin_or_owner',
description='Access rule for updating network'),
policy.RuleDefault(
'update_network:segments',
'rule:admin_only',
description='Access rule for updating segments of network'),
policy.RuleDefault(
'update_network:shared',
'rule:admin_only',
description='Access rule for updating shared attribute of network'),
policy.RuleDefault(
'update_network:provider:network_type',
'rule:admin_only',
description=('Access rule for updating provider '
'network_type of network')),
policy.RuleDefault(
'update_network:provider:physical_network',
'rule:admin_only',
description=('Access rule for updating provider '
'physical_network of network')),
policy.RuleDefault(
'update_network:provider:segmentation_id',
'rule:admin_only',
description=('Access rule for updating provider '
'segmentation_id of network')),
policy.RuleDefault(
'update_network:router:external',
'rule:admin_only',
description=('Access rule for updating router:external attribute '
'of network')),
policy.RuleDefault(
'delete_network',
'rule:admin_or_owner',
description='Access rule for deleting network'),
]
def list_rules():
return rules

29
neutron/conf/policies/network_ip_availability.py Normal file
View File

@@ -0,0 +1,29 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'get_network_ip_availabilities',
'rule:admin_only',
description='Access rule for getting network IP availabilities'),
policy.RuleDefault(
'get_network_ip_availability',
'rule:admin_only',
description='Access rule for getting network IP availability'),
]
def list_rules():
return rules

176
neutron/conf/policies/port.py Normal file
View File

@@ -0,0 +1,176 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'network_device',
'field:port:device_owner=~^network:',
description='Rule of port with network device_owner'),
policy.RuleDefault(
'admin_or_data_plane_int',
'rule:context_is_admin or role:data_plane_integrator',
description='Rule for data plane integration'),
policy.RuleDefault(
'create_port',
'',
description='Access rule for creating port'),
policy.RuleDefault(
'create_port:device_owner',
('not rule:network_device or '
'rule:context_is_advsvc or '
'rule:admin_or_network_owner'),
description='Access rule for creating port with device_owner'),
policy.RuleDefault(
'create_port:mac_address',
'rule:context_is_advsvc or rule:admin_or_network_owner',
description=('Access rule for creating port with mac_address')),
policy.RuleDefault(
'create_port:fixed_ips',
'rule:context_is_advsvc or rule:admin_or_network_owner',
description='Access rule for creating port with fixed_ips'),
policy.RuleDefault(
'create_port:fixed_ips:ip_address',
'rule:context_is_advsvc or rule:admin_or_network_owner',
description=('Access rule for creating port specifying IP address in '
'fixed_ips')),
policy.RuleDefault(
'create_port:fixed_ips:subnet_id',
('rule:context_is_advsvc or '
'rule:admin_or_network_owner or '
'rule:shared'),
description=('Access rule for creating port specifying subnet ID in '
'fixed_ips')),
policy.RuleDefault(
'create_port:port_security_enabled',
'rule:context_is_advsvc or rule:admin_or_network_owner',
description=('Access rule for creating '
'port with port_security_enabled')),
policy.RuleDefault(
'create_port:binding:host_id',
'rule:admin_only',
description=('Access rule for creating '
'port with binging host_id')),
policy.RuleDefault(
'create_port:binding:profile',
'rule:admin_only',
description=('Access rule for creating '
'port with binding profile')),
# TODO(amotoki): Add create_port:binding:vnic_type
# TODO(amotoki): Move mac_learning_enabled to vmware-nsx plugin
policy.RuleDefault(
'create_port:mac_learning_enabled',
'rule:context_is_advsvc or rule:admin_or_network_owner',
description=('Access rule for creating port '
'with mac_learning_enabled attribute')),
policy.RuleDefault(
'create_port:allowed_address_pairs',
'rule:admin_or_network_owner',
description=('Access rule for creating port '
'with allowed_address_pairs attribute')),
policy.RuleDefault(
'get_port',
'rule:context_is_advsvc or rule:admin_owner_or_network_owner',
description='Access rule for getting port'),
# TODO(amotoki): Move queue_id to vmware-nsx plugin
policy.RuleDefault(
'get_port:queue_id',
'rule:admin_only',
description='Access rule for getting queue_id of port'),
policy.RuleDefault(
'get_port:binding:vif_type',
'rule:admin_only',
description='Access rule for getting binding vif_type of port'),
policy.RuleDefault(
'get_port:binding:vif_details',
'rule:admin_only',
description='Access rule for getting binding vif_details of port'),
policy.RuleDefault(
'get_port:binding:host_id',
'rule:admin_only',
description='Access rule for getting binding host_id of port'),
policy.RuleDefault(
'get_port:binding:profile',
'rule:admin_only',
description='Access rule for getting binding profile of port'),
# TODO(amotoki): Add get_port:binding:vnic_type
# TODO(amotoki): Add get_port:binding:data_plane_status
policy.RuleDefault(
'update_port',
'rule:admin_or_owner or rule:context_is_advsvc',
description='Access rule for updating port'),
policy.RuleDefault(
'update_port:device_owner',
('not rule:network_device or rule:context_is_advsvc '
'or rule:admin_or_network_owner'),
description='Access rule for updating device_owner of port'),
policy.RuleDefault(
'update_port:mac_address',
'rule:admin_only or rule:context_is_advsvc',
description='Access rule for updating mac_address of port'),
policy.RuleDefault(
'update_port:fixed_ips',
'rule:context_is_advsvc or rule:admin_or_network_owner',
description='Access rule for updating fixed_ips of port'),
policy.RuleDefault(
'update_port:fixed_ips:ip_address',
'rule:context_is_advsvc or rule:admin_or_network_owner',
description=('Access rule for updating port specifying IP address in '
'fixed_ips')),
policy.RuleDefault(
'update_port:fixed_ips:subnet_id',
('rule:context_is_advsvc or '
'rule:admin_or_network_owner or '
'rule:shared'),
description=('Access rule for updating port specifying subnet ID in '
'fixed_ips')),
policy.RuleDefault(
'update_port:port_security_enabled',
'rule:context_is_advsvc or rule:admin_or_network_owner',
description='Access rule for updating port_security_enabled of port'),
policy.RuleDefault(
'update_port:binding:host_id',
'rule:admin_only',
description='Access rule for updating binding host_id of port'),
policy.RuleDefault(
'update_port:binding:profile',
'rule:admin_only',
description='Access rule for updating binding profile of port'),
# TODO(amotoki): Move mac_learning_enabled to vmware-nsx plugin
policy.RuleDefault(
'update_port:mac_learning_enabled',
'rule:context_is_advsvc or rule:admin_or_network_owner',
description='Access rule for updating mac_learning_enabled of port'),
# TODO(amotoki): Add update_port:binding:vnic_type
policy.RuleDefault(
'update_port:allowed_address_pairs',
'rule:admin_or_network_owner',
description='Access rule for updating allowed_address_pairs of port'),
policy.RuleDefault(
'update_port:data_plane_status',
'rule:admin_or_data_plane_int',
description='Access rule for updating data_plane_status of port'),
policy.RuleDefault(
'delete_port',
'rule:context_is_advsvc or rule:admin_owner_or_network_owner',
description='Access rule for deleting port'),
]
def list_rules():
return rules

89
neutron/conf/policies/qos.py Normal file
View File

@@ -0,0 +1,89 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('get_policy',
'rule:regular_user',
description='Access rule for getting QoS policy'),
policy.RuleDefault('create_policy',
'rule:admin_only',
description='Access rule for creating QoS policy'),
policy.RuleDefault('update_policy',
'rule:admin_only',
description='Access rule for updating QoS policy'),
policy.RuleDefault('delete_policy',
'rule:admin_only',
description='Access rule for deleting QoS policy'),
policy.RuleDefault('get_rule_type',
'rule:regular_user',
description=('Access rule for getting '
'all available QoS rule types')),
policy.RuleDefault('get_policy_bandwidth_limit_rule',
'rule:regular_user',
description=('Access rule for getting '
'QoS bandwidth limit rule')),
policy.RuleDefault('create_policy_bandwidth_limit_rule',
'rule:admin_only',
description=('Access rule for creating '
'QoS bandwidth limit rule')),
policy.RuleDefault('update_policy_bandwidth_limit_rule',
'rule:admin_only',
description=('Access rule for updating '
'QoS bandwidth limit rule')),
policy.RuleDefault('delete_policy_bandwidth_limit_rule',
'rule:admin_only',
description=('Access rule for deleting '
'QoS bandwidth limit rule')),
policy.RuleDefault('get_policy_dscp_marking_rule',
'rule:regular_user',
description=('Access rule for getting '
'QoS dscp marking rule')),
policy.RuleDefault('create_policy_dscp_marking_rule',
'rule:admin_only',
description=('Access rule for creating '
'QoS dscp marking rule')),
policy.RuleDefault('update_policy_dscp_marking_rule',
'rule:admin_only',
description=('Access rule for updating '
'QoS dscp marking rule')),
policy.RuleDefault('delete_policy_dscp_marking_rule',
'rule:admin_only',
description=('Access rule for deleting '
'QoS dscp marking rule')),
policy.RuleDefault('get_policy_minimum_bandwidth_rule',
'rule:regular_user',
description=('Access rule for getting '
'QoS minimum bandwidth rule')),
policy.RuleDefault('create_policy_minimum_bandwidth_rule',
'rule:admin_only',
description=('Access rule for creating '
'QoS minimum bandwidth rule')),
policy.RuleDefault('update_policy_minimum_bandwidth_rule',
'rule:admin_only',
description=('Access rule for updating '
'QoS minimum bandwidth rule')),
policy.RuleDefault('delete_policy_minimum_bandwidth_rule',
'rule:admin_only',
description=('Access rule for deleting '
'QoS minimum bandwidth rule')),
]
def list_rules():
return rules

52
neutron/conf/policies/rbac.py Normal file
View File

@@ -0,0 +1,52 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'restrict_wildcard',
'(not field:rbac_policy:target_tenant=*) or rule:admin_only',
description='Rule of restrict wildcard'),
policy.RuleDefault(
'create_rbac_policy',
'',
description='Access rule for creating RBAC policy'),
policy.RuleDefault(
'create_rbac_policy:target_tenant',
'rule:restrict_wildcard',
description=('Access rule for creating RBAC '
'policy with a specific target tenant')),
policy.RuleDefault(
'update_rbac_policy',
'rule:admin_or_owner',
description='Access rule for updating RBAC policy'),
policy.RuleDefault(
'update_rbac_policy:target_tenant',
'rule:restrict_wildcard and rule:admin_or_owner',
description=('Access rule for updating target_tenant '
'attribute of RBAC policy')),
policy.RuleDefault(
'get_rbac_policy',
'rule:admin_or_owner',
description='Access rule for getting RBAC policy'),
policy.RuleDefault(
'delete_rbac_policy',
'rule:admin_or_owner',
description='Access rule for deleting RBAC policy'),
]
def list_rules():
return rules

119
neutron/conf/policies/router.py Normal file
View File

@@ -0,0 +1,119 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'create_router',
'rule:regular_user',
description='Access rule for creating router'),
policy.RuleDefault(
'create_router:distributed',
'rule:admin_only',
description=('Access rule for creating '
'router with distributed attribute')),
policy.RuleDefault(
'create_router:ha',
'rule:admin_only',
description=('Access rule for creating '
'router with ha attribute')),
policy.RuleDefault(
'create_router:external_gateway_info',
'rule:admin_or_owner',
description=('Access rule for creating router with '
'external_gateway_info information')),
policy.RuleDefault(
'create_router:external_gateway_info:network_id',
'rule:admin_or_owner',
description=('Access rule for creating router with network_id '
'attribute of external_gateway_info information')),
policy.RuleDefault(
'create_router:external_gateway_info:enable_snat',
'rule:admin_only',
description=('Access rule for creating router with enable_snat '
'attribute of external_gateway_info information')),
policy.RuleDefault(
'create_router:external_gateway_info:external_fixed_ips',
'rule:admin_only',
description=('Access rule for creating router with '
'external_fixed_ips attribute of '
'external_gateway_info information')),
policy.RuleDefault(
'get_router',
'rule:admin_or_owner',
description='Access rule for getting router'),
policy.RuleDefault(
'get_router:distributed',
'rule:admin_only',
description=('Access rule for getting distributed attribute of '
'router')),
policy.RuleDefault(
'get_router:ha',
'rule:admin_only',
description='Access rule for getting ha attribute of router'),
policy.RuleDefault(
'update_router',
'rule:admin_or_owner',
description='Access rule for updating router'),
policy.RuleDefault(
'update_router:distributed',
'rule:admin_only',
description=('Access rule for updating distributed attribute '
'of router')),
policy.RuleDefault(
'update_router:ha',
'rule:admin_only',
description='Access rule for updating ha attribute of router'),
policy.RuleDefault(
'update_router:external_gateway_info',
'rule:admin_or_owner',
description=('Access rule for updating external_gateway_info '
'information of router')),
policy.RuleDefault(
'update_router:external_gateway_info:network_id',
'rule:admin_or_owner',
description=('Access rule for updating network_id attribute of '
'external_gateway_info information of router')),
policy.RuleDefault(
'update_router:external_gateway_info:enable_snat',
'rule:admin_only',
description=('Access rule for updating enable_snat attribute of '
'external_gateway_info information of router')),
policy.RuleDefault(
'update_router:external_gateway_info:external_fixed_ips',
'rule:admin_only',
description=('Access rule for updating external_fixed_ips '
'attribute of external_gateway_info information '
'of router')),
policy.RuleDefault(
'delete_router',
'rule:admin_or_owner',
description='Access rule for deleting router'),
policy.RuleDefault(
'add_router_interface',
'rule:admin_or_owner',
description='Access rule for adding router interface'),
policy.RuleDefault(
'remove_router_interface',
'rule:admin_or_owner',
description='Access rule for removing router interface'),
]
def list_rules():
return rules

62
neutron/conf/policies/security_group.py Normal file
View File

@@ -0,0 +1,62 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
# TODO(amotoki): admin_or_owner is the right rule?
# Does an empty string make more sense for create_security_group?
policy.RuleDefault(
'create_security_group',
'rule:admin_or_owner',
description='Access rule for creating security group'),
policy.RuleDefault(
'get_security_group',
'rule:admin_or_owner',
description='Access rule for getting security group'),
policy.RuleDefault(
'get_security_groups',
'rule:admin_or_owner',
description='Access rule for getting security groups'),
policy.RuleDefault(
'update_security_group',
'rule:admin_or_owner',
description='Access rule for updating security group'),
policy.RuleDefault(
'delete_security_group',
'rule:admin_or_owner',
description='Access rule for deleting security group'),
# TODO(amotoki): admin_or_owner is the right rule?
# Does an empty string make more sense for create_security_group_rule?
policy.RuleDefault(
'create_security_group_rule',
'rule:admin_or_owner',
description='Access rule for creating security group rule'),
policy.RuleDefault(
'get_security_group_rule',
'rule:admin_or_owner',
description='Access rule for getting security group rule'),
policy.RuleDefault(
'get_security_group_rules',
'rule:admin_or_owner',
description='Access rule for getting security groups rules'),
policy.RuleDefault(
'delete_security_group_rule',
'rule:admin_or_owner',
description='Access rule for deleting security group rule'),
]
def list_rules():
return rules

33
neutron/conf/policies/segment.py Normal file
View File

@@ -0,0 +1,33 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('create_segment',
'rule:admin_only',
description='Access rule for creating segment'),
policy.RuleDefault('get_segment',
'rule:admin_only',
description='Access rule for getting segment'),
policy.RuleDefault('update_segment',
'rule:admin_only',
description='Access rule for updating segment'),
policy.RuleDefault('delete_segment',
'rule:admin_only',
description='Access rule for deleting segment'),
]
def list_rules():
return rules

25
neutron/conf/policies/service_type.py Normal file
View File

@@ -0,0 +1,25 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'get_service_provider',
'rule:regular_user',
description='Access rule for listing all service providers'),
]
def list_rules():
return rules

49
neutron/conf/policies/subnet.py Normal file
View File

@@ -0,0 +1,49 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('create_subnet',
'rule:admin_or_network_owner',
description='Access rule for creating subnet'),
policy.RuleDefault('create_subnet:segment_id',
'rule:admin_only',
description=('Access rule for creating '
'subnet with segment_id')),
policy.RuleDefault('create_subnet:service_types',
'rule:admin_only',
description=('Access rule for creating '
'subnet with service_type')),
policy.RuleDefault('get_subnet',
'rule:admin_or_owner or rule:shared',
description='Access rule for getting subnet'),
policy.RuleDefault('get_subnet:segment_id',
'rule:admin_only',
description=('Access rule for getting '
'segment_id of subnet')),
policy.RuleDefault('update_subnet',
'rule:admin_or_network_owner',
description='Access rule for updating subnet'),
policy.RuleDefault('update_subnet:service_types',
'rule:admin_only',
description=('Access rule for updating '
'service_types of subnet')),
policy.RuleDefault('delete_subnet',
'rule:admin_or_network_owner',
description='Access rule for deleting subnet')
]
def list_rules():
return rules

48
neutron/conf/policies/subnetpool.py Normal file
View File

@@ -0,0 +1,48 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('shared_subnetpools',
'field:subnetpools:shared=True',
description='Rule of shared subnetpool'),
policy.RuleDefault('create_subnetpool',
'',
description='Access rule for creating subnetpool'),
policy.RuleDefault('create_subnetpool:shared',
'rule:admin_only',
description=('Access rule for creating '
'shared subnetpool')),
policy.RuleDefault('create_subnetpool:is_default',
'rule:admin_only',
description=('Access rule for creating '
'subnetpool with is_default')),
policy.RuleDefault('get_subnetpool',
'rule:admin_or_owner or rule:shared_subnetpools',
description='Access rule for getting subnetpool'),
policy.RuleDefault('update_subnetpool',
'rule:admin_or_owner',
description='Access rule for updating subnetpool'),
policy.RuleDefault('update_subnetpool:is_default',
'rule:admin_only',
description=('Access rule for updating '
'is_default of subnetpool')),
policy.RuleDefault('delete_subnetpool',
'rule:admin_or_owner',
description='Access rule for deleting subnetpool')
]
def list_rules():
return rules

45
neutron/conf/policies/trunk.py Normal file
View File

@@ -0,0 +1,45 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
'create_trunk',
'rule:regular_user',
description='Access rule for creating trunk'),
policy.RuleDefault(
'get_trunk',
'rule:admin_or_owner',
description='Access rule for getting trunk'),
policy.RuleDefault(
'delete_trunk',
'rule:admin_or_owner',
description='Access rule for deleting trunk'),
policy.RuleDefault(
'get_subports',
'',
description='Access rule for listing subports attached to a trunk'),
policy.RuleDefault(
'add_subports',
'rule:admin_or_owner',
description='Access rule for adding subports to a trunk'),
policy.RuleDefault(
'remove_subports',
'rule:admin_or_owner',
description='Access rule for deleting subports from a trunk'),
]
def list_rules():
return rules

35
neutron/conf/policies/vmware_plugin.py Normal file
View File

@@ -0,0 +1,35 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
# TODO(amotoki): Move VMware related policy rules to vmware-nsx
rules = [
policy.RuleDefault('create_lsn',
'rule:admin_only',
description='Access rule for creating lsn'),
policy.RuleDefault('get_lsn',
'rule:admin_only',
description='Access rule for getting lsn'),
policy.RuleDefault('create_qos_queue',
'rule:admin_only',
description='Access rule for creating qos queue'),
policy.RuleDefault('get_qos_queue',
'rule:admin_only',
description='Access rule for getting qos queue'),
]
def list_rules():
return rules

35
neutron/policy.py
View File

@@ -14,7 +14,9 @@
# under the License.
import collections
import itertools
import re
import sys
from neutron_lib.api import attributes
from neutron_lib.api.definitions import network as net_apidef
@@ -28,6 +30,7 @@ from oslo_log import log as logging
from oslo_policy import policy
from oslo_utils import excutils
import six
import stevedore
from neutron._i18n import _
from neutron.common import cache_utils as cache
@@ -53,12 +56,23 @@ def reset():
_ENFORCER = None
def register_rules(enforcer):
extmgr = stevedore.extension.ExtensionManager('neutron.policies',
invoke_on_load=True)
policies = [list(e.obj) for e in extmgr.extensions]
LOG.debug('Loaded default policies from %s '
'under neutron.policies entry points',
[e.name for e in extmgr.extensions])
enforcer.register_defaults(itertools.chain(*policies))
def init(conf=cfg.CONF, policy_file=None):
"""Init an instance of the Enforcer class."""
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer(conf, policy_file=policy_file)
register_rules(_ENFORCER)
_ENFORCER.load_rules(True)
@@ -421,3 +435,24 @@ def enforce(context, action, target, plugin=None, pluralized=None):
log_rule_list(rule)
LOG.debug("Failed policy check for '%s'", action)
return result
def get_enforcer():
# NOTE(amotoki): This was borrowed from nova/policy.py.
# This method is for use by oslo.policy CLI scripts. Those scripts need the
# 'output-file' and 'namespace' options, but having those in sys.argv means
# loading the neutron config options will fail as those are not expected to
# be present. So we pass in an arg list with those stripped out.
conf_args = []
# Start at 1 because cfg.CONF expects the equivalent of sys.argv[1:]
i = 1
while i < len(sys.argv):
if sys.argv[i].strip('-') in ['namespace', 'output-file']:
i += 2
continue
conf_args.append(sys.argv[i])
i += 1
cfg.CONF(conf_args, project='neutron')
init()
return _ENFORCER

262
neutron/tests/etc/policy.json
View File

@@ -1,262 +0,0 @@
{
"context_is_admin": "role:admin",
"owner": "tenant_id:%(tenant_id)s",
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator",
"shared": "field:networks:shared=True",
"shared_subnetpools": "field:subnetpools:shared=True",
"shared_address_scopes": "field:address_scopes:shared=True",
"external": "field:networks:router:external=True",
"default": "rule:admin_or_owner",
"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s",
"create_subnet": "rule:admin_or_network_owner",
"create_subnet:segment_id": "rule:admin_only",
"create_subnet:service_types": "rule:admin_only",
"get_subnet": "rule:admin_or_owner or rule:shared",
"get_subnet:segment_id": "rule:admin_only",
"update_subnet": "rule:admin_or_network_owner",
"update_subnet:service_types": "rule:admin_only",
"delete_subnet": "rule:admin_or_network_owner",
"create_subnetpool": "",
"create_subnetpool:shared": "rule:admin_only",
"create_subnetpool:is_default": "rule:admin_only",
"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
"update_subnetpool": "rule:admin_or_owner",
"update_subnetpool:is_default": "rule:admin_only",
"delete_subnetpool": "rule:admin_or_owner",
"create_address_scope": "",
"create_address_scope:shared": "rule:admin_only",
"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
"update_address_scope": "rule:admin_or_owner",
"update_address_scope:shared": "rule:admin_only",
"delete_address_scope": "rule:admin_or_owner",
"create_network": "",
"create_network:shared": "rule:admin_only",
"create_network:router:external": "rule:admin_only",
"create_network:is_default": "rule:admin_only",
"create_network:segments": "rule:admin_only",
"create_network:provider:network_type": "rule:admin_only",
"create_network:provider:physical_network": "rule:admin_only",
"create_network:provider:segmentation_id": "rule:admin_only",
"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
"get_network:router:external": "rule:regular_user",
"get_network:segments": "rule:admin_only",
"get_network:provider:network_type": "rule:admin_only",
"get_network:provider:physical_network": "rule:admin_only",
"get_network:provider:segmentation_id": "rule:admin_only",
"get_network:queue_id": "rule:admin_only",
"get_network_ip_availabilities": "rule:admin_only",
"get_network_ip_availability": "rule:admin_only",
"get_availability_zone": "",
"update_network": "rule:admin_or_owner",
"update_network:segments": "rule:admin_only",
"update_network:shared": "rule:admin_only",
"update_network:provider:network_type": "rule:admin_only",
"update_network:provider:physical_network": "rule:admin_only",
"update_network:provider:segmentation_id": "rule:admin_only",
"update_network:router:external": "rule:admin_only",
"delete_network": "rule:admin_or_owner",
"create_segment": "rule:admin_only",
"get_segment": "rule:admin_only",
"update_segment": "rule:admin_only",
"delete_segment": "rule:admin_only",
"network_device": "field:port:device_owner=~^network:",
"create_port": "",
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:binding:host_id": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only",
"create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
"get_port:queue_id": "rule:admin_only",
"get_port:binding:vif_type": "rule:admin_only",
"get_port:binding:vif_details": "rule:admin_only",
"get_port:binding:host_id": "rule:admin_only",
"get_port:binding:profile": "rule:admin_only",
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:binding:host_id": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only",
"update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
"update_port:data_plane_status": "rule:admin_or_data_plane_int",
"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
"create_router": "rule:regular_user",
"create_router:external_gateway_info": "rule:admin_or_owner",
"create_router:external_gateway_info:network_id": "rule:admin_or_owner",
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
"create_router:distributed": "rule:admin_only",
"create_router:ha": "rule:admin_only",
"get_router": "rule:admin_or_owner",
"get_router:ha": "rule:admin_only",
"get_router:distributed": "rule:admin_only",
"update_router": "rule:admin_or_owner",
"update_router:external_gateway_info": "rule:admin_or_owner",
"update_router:external_gateway_info:network_id": "rule:admin_or_owner",
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
"update_router:distributed": "rule:admin_only",
"update_router:ha": "rule:admin_only",
"delete_router": "rule:admin_or_owner",
"add_router_interface": "rule:admin_or_owner",
"remove_router_interface": "rule:admin_or_owner",
"create_qos_queue": "rule:admin_only",
"get_qos_queue": "rule:admin_only",
"get_agent": "rule:admin_only",
"update_agent": "rule:admin_only",
"delete_agent": "rule:admin_only",
"create_dhcp-network": "rule:admin_only",
"get_dhcp-networks": "rule:admin_only",
"delete_dhcp-network": "rule:admin_only",
"create_l3-router": "rule:admin_only",
"get_l3-routers": "rule:admin_only",
"delete_l3-router": "rule:admin_only",
"get_dhcp-agents": "rule:admin_only",
"get_l3-agents": "rule:admin_only",
"get_loadbalancer-agent": "rule:admin_only",
"get_loadbalancer-pools": "rule:admin_only",
"get_agent-loadbalancers": "rule:admin_only",
"get_loadbalancer-hosting-agent": "rule:admin_only",
"create_floatingip": "rule:regular_user",
"create_floatingip:floating_ip_address": "rule:admin_only",
"get_floatingip": "rule:admin_or_owner",
"get_floatingip_pool": "rule:regular_user",
"update_floatingip": "rule:admin_or_owner",
"delete_floatingip": "rule:admin_or_owner",
"create_network_profile": "rule:admin_only",
"get_network_profiles": "",
"get_network_profile": "",
"update_network_profile": "rule:admin_only",
"delete_network_profile": "rule:admin_only",
"get_policy_profiles": "",
"get_policy_profile": "",
"update_policy_profiles": "rule:admin_only",
"create_metering_label": "rule:admin_only",
"get_metering_label": "rule:admin_only",
"delete_metering_label": "rule:admin_only",
"create_metering_label_rule": "rule:admin_only",
"get_metering_label_rule": "rule:admin_only",
"delete_metering_label_rule": "rule:admin_only",
"create_lsn": "rule:admin_only",
"get_lsn": "rule:admin_only",
"get_service_provider": "rule:regular_user",
"create_flavor": "rule:admin_only",
"get_flavors": "rule:regular_user",
"get_flavor": "rule:regular_user",
"update_flavor": "rule:admin_only",
"delete_flavor": "rule:admin_only",
"create_service_profile": "rule:admin_only",
"get_service_profiles": "rule:admin_only",
"get_service_profile": "rule:admin_only",
"update_service_profile": "rule:admin_only",
"delete_service_profile": "rule:admin_only",
"create_policy": "rule:admin_only",
"get_policy": "rule:regular_user",
"update_policy": "rule:admin_only",
"delete_policy": "rule:admin_only",
"create_policy_bandwidth_limit_rule": "rule:admin_only",
"get_policy_bandwidth_limit_rule": "rule:regular_user",
"update_policy_bandwidth_limit_rule": "rule:admin_only",
"delete_policy_bandwidth_limit_rule": "rule:admin_only",
"create_policy_dscp_marking_rule": "rule:admin_only",
"get_policy_dscp_marking_rule": "rule:regular_user",
"update_policy_dscp_marking_rule": "rule:admin_only",
"delete_policy_dscp_marking_rule": "rule:admin_only",
"get_rule_type": "rule:regular_user",
"create_policy_minimum_bandwidth_rule": "rule:admin_only",
"get_policy_minimum_bandwidth_rule": "rule:regular_user",
"update_policy_minimum_bandwidth_rule": "rule:admin_only",
"delete_policy_minimum_bandwidth_rule": "rule:admin_only",
"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
"create_rbac_policy": "",
"create_rbac_policy:target_tenant": "rule:restrict_wildcard",
"get_rbac_policy": "rule:admin_or_owner",
"update_rbac_policy": "rule:admin_or_owner",
"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
"delete_rbac_policy": "rule:admin_or_owner",
"create_flavor_service_profile": "rule:admin_only",
"get_flavor_service_profile": "rule:regular_user",
"delete_flavor_service_profile": "rule:admin_only",
"get_auto_allocated_topology": "rule:admin_or_owner",
"delete_auto_allocated_topology": "rule:admin_or_owner",
"create_trunk": "rule:regular_user",
"get_trunk": "rule:admin_or_owner",
"delete_trunk": "rule:admin_or_owner",
"add_subports": "rule:admin_or_owner",
"get_subports": "",
"remove_subports": "rule:admin_or_owner",
"create_security_group": "rule:admin_or_owner",
"get_security_groups": "rule:admin_or_owner",
"get_security_group": "rule:admin_or_owner",
"update_security_group": "rule:admin_or_owner",
"delete_security_group": "rule:admin_or_owner",
"create_security_group_rule": "rule:admin_or_owner",
"get_security_group_rules": "rule:admin_or_owner",
"get_security_group_rule": "rule:admin_or_owner",
"delete_security_group_rule": "rule:admin_or_owner",
"get_loggable_resources": "rule:admin_only",
"create_log": "rule:admin_only",
"get_log": "rule:admin_only",
"get_logs": "rule:admin_only",
"update_log": "rule:admin_only",
"delete_log": "rule:admin_only",
"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
"get_floatingip_port_forwardings": "rule:admin_or_ext_parent_owner",
"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner",
"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
}

5
neutron/tests/functional/api/test_policies.py
View File

@@ -20,6 +20,7 @@ from neutron_lib import context
from neutron_lib import fixture
from neutron.api import extensions
from neutron.conf import policies
from neutron import policy
from neutron.tests.functional import base
@@ -86,6 +87,10 @@ class APIPolicyTestCase(base.BaseLoggingTestCase):
extension_manager = extensions.ExtensionManager(self.extension_path)
extension_manager.extend_resources(self.api_version,
attributes.RESOURCES)
# TODO(amotoki): Consider this should be part of
# neutron.policy.reset (or refresh), but as of now
# this is only required for unit testing.
policies.reload_default_policies()
policy.init()
admin_context = context.get_admin_context()
tenant_context = context.Context('test_user', 'test_tenant_id', False)

17
neutron/tests/unit/db/test_db_base_plugin_v2.py
View File

@@ -50,6 +50,7 @@ from neutron.common import exceptions as n_exc
from neutron.common import ipv6_utils
from neutron.common import test_lib
from neutron.common import utils
from neutron.conf import policies
from neutron.db import db_base_plugin_common
from neutron.db import ipam_backend_mixin
from neutron.db.models import l3 as l3_models
@@ -61,6 +62,7 @@ from neutron.ipam import exceptions as ipam_exc
from neutron.objects import network as network_obj
from neutron.objects import router as l3_obj
from neutron.plugins.ml2.common import exceptions as ml2_exceptions
from neutron import policy
from neutron.tests import base
from neutron.tests import tools
from neutron.tests.unit.api import test_extensions
@@ -177,6 +179,21 @@ class NeutronDbPluginV2TestCase(testlib_api.WebTestCase):
self._skip_native_sorting = not _is_native_sorting_support()
if ext_mgr:
self.ext_api = test_extensions.setup_extensions_middleware(ext_mgr)
# NOTE(amotoki): policy._ENFORCER is initialized in
# neutron.tests.base.BaseTestCase.setUp() but this is too early
# and neutron.policy.FieldCheck conv_func does not work
# because extended resources are not populated to
# attributes.RESOURCES yet.
# Thus we need to refresh the default policy rules after loading
# extensions. Especially it is important to re-instantiate
# DefaultRule() under neutron.conf.policies. To do this,
# we need to reload the default policy modules.
policy.reset()
# TODO(amotoki): Consider this should be part of
# neutron.policy.reset (or refresh), but as of now
# this is only required for unit testing.
policies.reload_default_policies()
policy.init()
def setup_config(self):
# Create the default configurations

7
setup.cfg
View File

@@ -24,7 +24,6 @@ packages =
data_files =
etc/neutron =
etc/api-paste.ini
etc/policy.json
etc/rootwrap.conf
etc/neutron/rootwrap.d = etc/neutron/rootwrap.d/*
scripts =
@@ -143,6 +142,12 @@ oslo.config.opts =
nova.auth = neutron.opts:list_auth_opts
oslo.config.opts.defaults =
neutron = neutron.common.config:set_cors_middleware_defaults
oslo.policy.enforcer =
neutron = neutron.policy:get_enforcer
oslo.policy.policies =
neutron = neutron.conf.policies:list_rules
neutron.policies =
neutron = neutron.conf.policies:list_rules
neutron.db.alembic_migrations =
neutron = neutron.db.migration:alembic_migrations
neutron.interface_drivers =

13
tools/misc-sanity-checks.sh
View File

@@ -45,22 +45,9 @@ check_pot_files_errors () {
fi
}
check_identical_policy_files () {
# For unit tests, we maintain their own policy.json file to make test suite
# independent of whether it's executed from the neutron source tree or from
# site-packages installation path. We don't want two copies of the same
# file to diverge, so checking that they are identical
diff etc/policy.json neutron/tests/etc/policy.json 2>&1 > /dev/null
if [ "$?" -ne 0 ]; then
echo "policy.json files must be identical!" >>$FAILURES
fi
}
# Add your checks here...
check_no_symlinks_allowed
check_pot_files_errors
check_identical_policy_files
# Fail, if there are emitted failures
if [ -f $FAILURES ]; then

6
tox.ini
View File

@@ -116,6 +116,7 @@ commands=
{[testenv:genconfig]commands}
{[testenv:bashate]commands}
{[testenv:bandit]commands}
{[testenv:genpolicy]commands}
whitelist_externals =
sh
bash
@@ -202,6 +203,11 @@ basepython = python3
envdir = {toxworkdir}/shared
commands = {toxinidir}/tools/generate_config_file_samples.sh
[testenv:genpolicy]
basepython = python3
envdir = {toxworkdir}/shared
commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
# This environment can be used to quickly validate that all needed system
# packages required to successfully execute test targets are installed
[testenv:bindep]