Define default policies in code

New role ``neutron_interconnection_peer`` must be added for neutron-interconnection specific user used for interconnection refresh and parameters exchange. This patch adds policies in code and corresponding documentation. Partially Implements: blueprint neutron-policy-in-code Signed-off-by: Thomas Morin <thomas.morin@orange.com> Submitted on behalf of a third-party: Orange Change-Id: I235e79e2c165ba2d5d2d6b3c976f6fda16f19a68
2019-01-25 17:13:30 +01:00 · 2019-01-25 17:13:30 +01:00 · 74e6ae9831
parent 633108cdc2
commit 74e6ae9831
11 changed files with 237 additions and 7 deletions
--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@ -23,7 +23,8 @@ sys.path.insert(0, os.path.abspath('../..'))
 extensions = [
    'sphinx.ext.autodoc',
    'openstackdocstheme',
-    #'sphinx.ext.intersphinx',
+    'oslo_policy.sphinxext',
+    'oslo_policy.sphinxpolicygen',
 ]

 # autodoc generation is a bit aggressive and a nuisance when doing heavy
@ -80,3 +81,8 @@ latex_documents = [

 # Example configuration for intersphinx: refer to the Python standard library.
 #intersphinx_mapping = {'http://docs.python.org/': None}
+
+# -- Options for oslo_policy.sphinxpolicygen ---------------------------------
+
+policy_generator_config_file = '../../etc/oslo-policy-generator/policy.conf'
+sample_policy_basename = '_static/neutron-interconnection'
--- a/doc/source/configuration/index.rst
+++ b/doc/source/configuration/index.rst
@ -1,5 +1,15 @@
-=============
-Configuration
-=============
+===================
+Configuration Guide
+===================

-Configuration of neutron-interconnection.
+Policy
+------
+
+Like most OpenStack projects, neutron-interconnection uses policies to restrict
+permissions on REST API actions.
+
+.. toctree::
+   :maxdepth: 1
+
+   Policy Reference <policy>
+   Sample Policy File <policy-sample>
--- a/doc/source/configuration/policy-sample.rst
+++ b/doc/source/configuration/policy-sample.rst
@ -0,0 +1,17 @@
+==========================================
+Neutron Interconnection Sample Policy File
+==========================================
+
+The following is a neutron-interconnection sample policy file for adaptation
+and use.
+
+This sample policy can also be viewed in :download:`file form
+</_static/neutron-interconnection.policy.yaml.sample>`.
+
+.. important::
+
+   The sample policy file was auto-generated when neutron-interconnection
+   documentation was build. You must ensure your neutron-interconnection
+   version matches the version of this documentation.
+
+.. literalinclude:: /_static/neutron-interconnection.policy.yaml.sample
--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@ -0,0 +1,10 @@
+================================
+Neutron Interconnection Policies
+================================
+
+The following is an overview of all available policies in
+neutron-interconnection.
+Refer to :doc:`/configuration/policy-sample` for a sample configuration file.
+
+.. show-policy::
+      :config-file: etc/oslo-policy-generator/policy.conf
--- a/etc/oslo-policy-generator/policy.conf
+++ b/etc/oslo-policy-generator/policy.conf
@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/policy.yaml.sample
+namespace = neutron-interconnection
--- a/neutron_interconnection/policies/init.py
+++ b/neutron_interconnection/policies/init.py
@ -0,0 +1,24 @@
+# Copyright (c) 2018 Orange.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import itertools
+
+from neutron_interconnection.policies import interconnection
+
+
+def list_rules():
+    return itertools.chain(
+        interconnection.list_rules(),
+    )
--- a/neutron_interconnection/policies/base.py
+++ b/neutron_interconnection/policies/base.py
@ -0,0 +1,23 @@
+# Copyright (c) 2018 Orange.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+# TODO(ythomas1): Define these in neutron or neutron-lib
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ANY = 'rule:regular_user'
+
+RULE_NEUTRON_INTERCONNECTION_PEER = 'role:neutron_interconnection_peer'
+RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER = (
+    'rule:context_is_admin or role:neutron_interconnection_peer'
+)
--- a/neutron_interconnection/policies/interconnection.py
+++ b/neutron_interconnection/policies/interconnection.py
@ -0,0 +1,122 @@
+# Copyright (c) 2018 Orange.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from neutron_interconnection.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        'create_interconnection',
+        base.RULE_ADMIN_OR_OWNER,
+        'Create an interconnection',
+        [
+            {
+                'method': 'POST',
+                'path': '/inter/interconnections',
+            },
+        ]
+    ),
+
+    policy.DocumentedRuleDefault(
+        'update_interconnection',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update an interconnection',
+        [
+            {
+                'method': 'PUT',
+                'path': '/inter/interconnections/{id}',
+            },
+        ]
+    ),
+
+    policy.DocumentedRuleDefault(
+        'delete_interconnection',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete an interconnection',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/inter/interconnections/{id}',
+            },
+        ]
+    ),
+
+    policy.DocumentedRuleDefault(
+        'get_interconnection',
+        base.RULE_ADMIN_OR_OWNER,
+        'Get interconnections',
+        [
+            {
+                'method': 'GET',
+                'path': '/inter/interconnections',
+            },
+            {
+                'method': 'GET',
+                'path': '/inter/interconnections/{id}',
+            },
+        ]
+    ),
+
+    policy.DocumentedRuleDefault(
+        'get_interconnection:local_parameters',
+        base.RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER,
+        'Get ``local_parameters`` attributes of interconnections',
+        [
+            {
+                'method': 'GET',
+                'path': '/inter/interconnections',
+            },
+            {
+                'method': 'GET',
+                'path': '/inter/interconnections/{id}',
+            },
+        ]
+    ),
+
+    policy.DocumentedRuleDefault(
+        'get_interconnection:remote_parameters',
+        base.RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER,
+        'Get ``remote_parameters`` attributes of interconnections',
+        [
+            {
+                'method': 'GET',
+                'path': '/inter/interconnections',
+            },
+            {
+                'method': 'GET',
+                'path': '/inter/interconnections/{id}',
+            },
+        ]
+    ),
+
+    policy.DocumentedRuleDefault(
+        'refresh',
+        base.RULE_NEUTRON_INTERCONNECTION_PEER,
+        'Refresh an interconnection',
+        [
+            {
+                'method': 'PUT',
+                'path': '/inter/interconnections/{id}/refresh',
+            },
+        ]
+    ),
+
+]
+
+
+def list_rules():
+    return rules
--- a/requirements.txt
+++ b/requirements.txt
@ -3,3 +3,4 @@
 # process, which may cause wedges in the gate later.

 pbr>=2.0 # Apache-2.0
+oslo.policy>=1.30.0 # Apache-2.0
--- a/setup.cfg
+++ b/setup.cfg
@ -22,6 +22,12 @@ classifier =
 packages =
    neutron_interconnection

+[entry_points]
+oslo.policy.policies =
+    neutron-interconnection = neutron_interconnection.policies:list_rules
+neutron.policies =
+    neutron-interconnection = neutron_interconnection.policies:list_rules
+
 [compile_catalog]
 directory = neutron_interconnection/locale
 domain = neutron_interconnection
--- a/tox.ini
+++ b/tox.ini
@ -12,11 +12,16 @@ setenv =
   OS_STDOUT_CAPTURE=1
   OS_STDERR_CAPTURE=1
   OS_TEST_TIMEOUT=60
-deps = -r{toxinidir}/test-requirements.txt
+deps = -r{toxinidir}/requirements.txt
+       -r{toxinidir}/test-requirements.txt
 commands = stestr run {posargs}

 [testenv:pep8]
-commands = flake8 {posargs}
+deps =
+    {[testenv]deps}
+commands =
+    flake8 {posargs}
+    {[testenv:genpolicy]commands}

 [testenv:venv]
 commands = {posargs}
@ -43,6 +48,9 @@ commands =
 [testenv:debug]
 commands = oslo_debug_helper {posargs}

+[testenv:genpolicy]
+commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
+
 [flake8]
 # E123, E125 skipped as they are invalid PEP-8.