The neutron policy file is out of date. This patch updates it to

match neutron master. Since the neutron policy was last updated, LBaaS, VPNaaS, and FWaaS, have all been moved out of the neutron repo. When that was done, apparently all policy support was removed as well. This patch retains the related policy checks matching the old policy file rules. If operators use the new policy file, the policy checks are harmless, as the definition won't be found which will result in policy.check returning True. Additionally, the get_network call for the update network view was modified to not have the subnet info populated as it's not used in the form. Change-Id: I6c40b99e88937d428a8e21fa28cdbc8a4190eb57
2016-06-03 15:06:59 -06:00 · 2016-06-03 15:06:59 -06:00 · d599fdec59
parent 47b0f5b927
commit d599fdec59
7 changed files with 139 additions and 88 deletions
--- a/openstack_dashboard/conf/neutron_policy.json
+++ b/openstack_dashboard/conf/neutron_policy.json
@ -1,107 +1,140 @@
 {
    "context_is_admin":  "role:admin",
-    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
-    "admin_or_network_owner": "rule:context_is_admin or project_id:%(network:project_id)s",
+    "owner": "tenant_id:%(tenant_id)s",
+    "admin_or_owner": "rule:context_is_admin or rule:owner",
+    "context_is_advsvc":  "role:advsvc",
+    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
+    "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
    "admin_only": "rule:context_is_admin",
    "regular_user": "",
    "shared": "field:networks:shared=True",
    "shared_firewalls": "field:firewalls:shared=True",
+    "shared_firewall_policies": "field:firewall_policies:shared=True",
+    "shared_subnetpools": "field:subnetpools:shared=True",
+    "shared_address_scopes": "field:address_scopes:shared=True",
    "external": "field:networks:router:external=True",
    "default": "rule:admin_or_owner",

-    "subnets:private:read": "rule:admin_or_owner",
-    "subnets:private:write": "rule:admin_or_owner",
-    "subnets:shared:read": "rule:regular_user",
-    "subnets:shared:write": "rule:admin_only",
-
    "create_subnet": "rule:admin_or_network_owner",
+    "create_subnet:segment_id": "rule:admin_only",
    "get_subnet": "rule:admin_or_owner or rule:shared",
+    "get_subnet:segment_id": "rule:admin_only",
    "update_subnet": "rule:admin_or_network_owner",
    "delete_subnet": "rule:admin_or_network_owner",

+    "create_subnetpool": "",
+    "create_subnetpool:shared": "rule:admin_only",
+    "create_subnetpool:is_default": "rule:admin_only",
+    "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
+    "update_subnetpool": "rule:admin_or_owner",
+    "update_subnetpool:is_default": "rule:admin_only",
+    "delete_subnetpool": "rule:admin_or_owner",
+
+    "create_address_scope": "",
+    "create_address_scope:shared": "rule:admin_only",
+    "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
+    "update_address_scope": "rule:admin_or_owner",
+    "update_address_scope:shared": "rule:admin_only",
+    "delete_address_scope": "rule:admin_or_owner",
+
    "create_network": "",
-    "get_network": "rule:admin_or_owner or rule:shared or rule:external",
+    "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
    "get_network:router:external": "rule:regular_user",
    "get_network:segments": "rule:admin_only",
    "get_network:provider:network_type": "rule:admin_only",
    "get_network:provider:physical_network": "rule:admin_only",
    "get_network:provider:segmentation_id": "rule:admin_only",
    "get_network:queue_id": "rule:admin_only",
+    "get_network_ip_availabilities": "rule:admin_only",
+    "get_network_ip_availability": "rule:admin_only",
    "create_network:shared": "rule:admin_only",
    "create_network:router:external": "rule:admin_only",
+    "create_network:is_default": "rule:admin_only",
    "create_network:segments": "rule:admin_only",
    "create_network:provider:network_type": "rule:admin_only",
    "create_network:provider:physical_network": "rule:admin_only",
    "create_network:provider:segmentation_id": "rule:admin_only",
    "update_network": "rule:admin_or_owner",
    "update_network:segments": "rule:admin_only",
+    "update_network:shared": "rule:admin_only",
    "update_network:provider:network_type": "rule:admin_only",
    "update_network:provider:physical_network": "rule:admin_only",
    "update_network:provider:segmentation_id": "rule:admin_only",
+    "update_network:router:external": "rule:admin_only",
    "delete_network": "rule:admin_or_owner",

+    "create_segment": "rule:admin_only",
+    "get_segment": "rule:admin_only",
+    "update_segment": "rule:admin_only",
+    "delete_segment": "rule:admin_only",
+
+    "network_device": "field:port:device_owner=~^network:",
    "create_port": "",
-    "create_port:mac_address": "rule:admin_or_network_owner",
-    "create_port:fixed_ips": "rule:admin_or_network_owner",
-    "create_port:port_security_enabled": "rule:admin_or_network_owner",
+    "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:binding:host_id": "rule:admin_only",
    "create_port:binding:profile": "rule:admin_only",
-    "create_port:mac_learning_enabled": "rule:admin_or_network_owner",
-    "get_port": "rule:admin_or_owner",
+    "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
+    "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
    "get_port:queue_id": "rule:admin_only",
    "get_port:binding:vif_type": "rule:admin_only",
-    "get_port:binding:capabilities": "rule:admin_only",
+    "get_port:binding:vif_details": "rule:admin_only",
    "get_port:binding:host_id": "rule:admin_only",
    "get_port:binding:profile": "rule:admin_only",
-    "update_port": "rule:admin_or_owner",
-    "update_port:fixed_ips": "rule:admin_or_network_owner",
-    "update_port:port_security_enabled": "rule:admin_or_network_owner",
+    "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
+    "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
+    "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
+    "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "update_port:binding:host_id": "rule:admin_only",
    "update_port:binding:profile": "rule:admin_only",
-    "update_port:mac_learning_enabled": "rule:admin_or_network_owner",
-    "delete_port": "rule:admin_or_owner",
+    "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
+    "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",

+    "get_router:ha": "rule:admin_only",
+    "create_router": "rule:regular_user",
    "create_router:external_gateway_info:enable_snat": "rule:admin_only",
+    "create_router:distributed": "rule:admin_only",
+    "create_router:ha": "rule:admin_only",
+    "get_router": "rule:admin_or_owner",
+    "get_router:distributed": "rule:admin_only",
    "update_router:external_gateway_info:enable_snat": "rule:admin_only",
+    "update_router:distributed": "rule:admin_only",
+    "update_router:ha": "rule:admin_only",
+    "delete_router": "rule:admin_or_owner",

-    "create_ikepolicy": "rule:admin_or_owner",
-    "update_ikepolicy": "rule:admin_or_owner",
-    "delete_ikepolicy": "rule:admin_or_owner",
+    "add_router_interface": "rule:admin_or_owner",
+    "remove_router_interface": "rule:admin_or_owner",

-    "create_ipsecpolicy": "rule:admin_or_owner",
-    "update_ipsecpolicy": "rule:admin_or_owner",
-    "delete_ipsecpolicy": "rule:admin_or_owner",
-
-    "create_vpnservice": "rule:admin_or_owner",
-    "update_vpnservice": "rule:admin_or_owner",
-    "delete_vpnservice": "rule:admin_or_owner",
-
-    "create_ipsec_site_connection": "rule:admin_or_owner",
-    "update_ipsec_site_connection": "rule:admin_or_owner",
-    "delete_ipsec_site_connection": "rule:admin_or_owner",
+    "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
+    "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",

    "create_firewall": "",
    "get_firewall": "rule:admin_or_owner",
    "create_firewall:shared": "rule:admin_only",
    "get_firewall:shared": "rule:admin_only",
    "update_firewall": "rule:admin_or_owner",
+    "update_firewall:shared": "rule:admin_only",
    "delete_firewall": "rule:admin_or_owner",

    "create_firewall_policy": "",
-    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
+    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
    "create_firewall_policy:shared": "rule:admin_or_owner",
    "update_firewall_policy": "rule:admin_or_owner",
    "delete_firewall_policy": "rule:admin_or_owner",

-    "create_firewall_rule": "",
-    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
-    "create_firewall_rule:shared": "rule:admin_or_owner",
-    "get_firewall_rule:shared": "rule:admin_or_owner",
-    "update_firewall_rule": "rule:admin_or_owner",
-    "delete_firewall_rule": "rule:admin_or_owner",
    "insert_rule": "rule:admin_or_owner",
    "remove_rule": "rule:admin_or_owner",

+    "create_firewall_rule": "",
+    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
+    "update_firewall_rule": "rule:admin_or_owner",
+    "delete_firewall_rule": "rule:admin_or_owner",
+
    "create_qos_queue": "rule:admin_only",
    "get_qos_queue": "rule:admin_only",

@ -119,40 +152,11 @@
    "get_l3-agents": "rule:admin_only",
    "get_loadbalancer-agent": "rule:admin_only",
    "get_loadbalancer-pools": "rule:admin_only",
-
-    "create_pool": "rule:admin_or_owner",
-    "update_pool": "rule:admin_or_owner",
-    "delete_pool": "rule:admin_or_owner",
-
-    "create_vip": "rule:admin_or_owner",
-    "update_vip": "rule:admin_or_owner",
-    "delete_vip": "rule:admin_or_owner",
-
-    "create_member": "rule:admin_or_owner",
-    "update_member": "rule:admin_or_owner",
-    "delete_member": "rule:admin_or_owner",
-
-    "create_health_monitor": "rule:admin_or_owner",
-    "update_health_monitor": "rule:admin_or_owner",
-    "delete_health_monitor": "rule:admin_or_owner",
-
-    "create_pool_health_monitor": "rule:admin_or_owner",
-    "delete_pool_health_monitor": "rule:admin_or_owner",
-
-    "create_router": "rule:regular_user",
-    "get_router": "rule:admin_or_owner",
-    "update_router": "rule:admin_or_owner",
-    "add_router_interface": "rule:admin_or_owner",
-    "remove_router_interface": "rule:admin_or_owner",
-    "delete_router": "rule:admin_or_owner",
-    "get_router:distributed": "rule:admin_only",
-    "create_router:distributed": "rule:admin_only",
-    "update_router:distributed": "rule:admin_only",
-    "get_router:ha": "rule:admin_only",
-    "create_router:ha": "rule:admin_only",
-    "update_router:ha": "rule:admin_only",
+    "get_agent-loadbalancers": "rule:admin_only",
+    "get_loadbalancer-hosting-agent": "rule:admin_only",

    "create_floatingip": "rule:regular_user",
+    "create_floatingip:floating_ip_address": "rule:admin_only",
    "update_floatingip": "rule:admin_or_owner",
    "delete_floatingip": "rule:admin_or_owner",
    "get_floatingip": "rule:admin_or_owner",
@ -174,5 +178,45 @@
    "delete_metering_label_rule": "rule:admin_only",
    "get_metering_label_rule": "rule:admin_only",

-    "get_service_provider": "rule:regular_user"
+    "get_service_provider": "rule:regular_user",
+    "get_lsn": "rule:admin_only",
+    "create_lsn": "rule:admin_only",
+
+    "create_flavor": "rule:admin_only",
+    "update_flavor": "rule:admin_only",
+    "delete_flavor": "rule:admin_only",
+    "get_flavors": "rule:regular_user",
+    "get_flavor": "rule:regular_user",
+    "create_service_profile": "rule:admin_only",
+    "update_service_profile": "rule:admin_only",
+    "delete_service_profile": "rule:admin_only",
+    "get_service_profiles": "rule:admin_only",
+    "get_service_profile": "rule:admin_only",
+
+    "get_policy": "rule:regular_user",
+    "create_policy": "rule:admin_only",
+    "update_policy": "rule:admin_only",
+    "delete_policy": "rule:admin_only",
+    "get_policy_bandwidth_limit_rule": "rule:regular_user",
+    "create_policy_bandwidth_limit_rule": "rule:admin_only",
+    "delete_policy_bandwidth_limit_rule": "rule:admin_only",
+    "update_policy_bandwidth_limit_rule": "rule:admin_only",
+    "get_policy_dscp_marking_rule": "rule:regular_user",
+    "create_policy_dscp_marking_rule": "rule:admin_only",
+    "delete_policy_dscp_marking_rule": "rule:admin_only",
+    "update_policy_dscp_marking_rule": "rule:admin_only",
+    "get_rule_type": "rule:regular_user",
+
+    "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
+    "create_rbac_policy": "",
+    "create_rbac_policy:target_tenant": "rule:restrict_wildcard",
+    "update_rbac_policy": "rule:admin_or_owner",
+    "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
+    "get_rbac_policy": "rule:admin_or_owner",
+    "delete_rbac_policy": "rule:admin_or_owner",
+
+    "create_flavor_service_profile": "rule:admin_only",
+    "delete_flavor_service_profile": "rule:admin_only",
+    "get_flavor_service_profile": "rule:regular_user",
+    "get_auto_allocated_topology": "rule:admin_or_owner"
 }
--- a/openstack_dashboard/dashboards/admin/networks/tests.py
+++ b/openstack_dashboard/dashboards/admin/networks/tests.py
@ -622,8 +622,8 @@ class NetworkTests(test.BaseAdminViewTests):
    @test.create_stubs({api.neutron: ('network_get',)})
    def test_network_update_get(self):
        network = self.networks.first()
-        api.neutron.network_get(IsA(http.HttpRequest), network.id)\
-            .AndReturn(network)
+        api.neutron.network_get(IsA(http.HttpRequest), network.id,
+                                expand_subnet=False).AndReturn(network)

        self.mox.ReplayAll()

@ -657,8 +657,8 @@ class NetworkTests(test.BaseAdminViewTests):
        api.neutron.network_update(IsA(http.HttpRequest), network.id,
                                   **params)\
            .AndReturn(network)
-        api.neutron.network_get(IsA(http.HttpRequest), network.id)\
-            .AndReturn(network)
+        api.neutron.network_get(IsA(http.HttpRequest), network.id,
+                                expand_subnet=False).AndReturn(network)
        self.mox.ReplayAll()

        form_data = {'network_id': network.id,
@ -683,8 +683,8 @@ class NetworkTests(test.BaseAdminViewTests):
        api.neutron.network_update(IsA(http.HttpRequest), network.id,
                                   **params)\
            .AndRaise(self.exceptions.neutron)
-        api.neutron.network_get(IsA(http.HttpRequest), network.id)\
-            .AndReturn(network)
+        api.neutron.network_get(IsA(http.HttpRequest), network.id,
+                                expand_subnet=False).AndReturn(network)
        self.mox.ReplayAll()

        form_data = {'network_id': network.id,
--- a/openstack_dashboard/dashboards/project/networks/subnets/tables.py
+++ b/openstack_dashboard/dashboards/project/networks/subnets/tables.py
@ -50,6 +50,8 @@ class SubnetPolicyTargetMixin(policy.PolicyTargetMixin):
        policy_target = super(SubnetPolicyTargetMixin, self)\
            .get_policy_target(request, datum)
        network = self.table._get_network()
+        # neutron switched policy target values, we'll support both
+        policy_target["network:tenant_id"] = network.tenant_id
        policy_target["network:project_id"] = network.tenant_id
        return policy_target

--- a/openstack_dashboard/dashboards/project/networks/tables.py
+++ b/openstack_dashboard/dashboards/project/networks/tables.py
@ -123,7 +123,9 @@ class CreateSubnet(policy.PolicyTargetMixin, CheckNetworkEditable,
    classes = ("ajax-modal",)
    icon = "plus"
    policy_rules = (("network", "create_subnet"),)
-    policy_target_attrs = (("network:project_id", "tenant_id"),)
+    # neutron has used both in their policy files, supporting both
+    policy_target_attrs = (("network:tenant_id", "tenant_id"),
+                           ("network:project_id", "tenant_id"),)

    def allowed(self, request, datum=None):
        usages = quotas.tenant_quota_usages(request)
--- a/openstack_dashboard/dashboards/project/networks/tests.py
+++ b/openstack_dashboard/dashboards/project/networks/tests.py
@ -1056,9 +1056,8 @@ class NetworkTests(test.TestCase, NetworkStubMixin):
    @test.create_stubs({api.neutron: ('network_get',)})
    def test_network_update_get(self):
        network = self.networks.first()
-        api.neutron.network_get(IsA(http.HttpRequest), network.id)\
-            .AndReturn(network)
-
+        api.neutron.network_get(IsA(http.HttpRequest), network.id,
+                                expand_subnet=False).AndReturn(network)
        self.mox.ReplayAll()

        url = reverse('horizon:project:networks:update', args=[network.id])
@ -1089,8 +1088,8 @@ class NetworkTests(test.TestCase, NetworkStubMixin):
                                   admin_state_up=network.admin_state_up,
                                   shared=network.shared)\
            .AndReturn(network)
-        api.neutron.network_get(IsA(http.HttpRequest), network.id)\
-            .AndReturn(network)
+        api.neutron.network_get(IsA(http.HttpRequest), network.id,
+                                expand_subnet=False).AndReturn(network)
        self.mox.ReplayAll()

        form_data = {'network_id': network.id,
@ -1107,13 +1106,13 @@ class NetworkTests(test.TestCase, NetworkStubMixin):
                                      'network_get',)})
    def test_network_update_post_exception(self):
        network = self.networks.first()
+        api.neutron.network_get(IsA(http.HttpRequest), network.id,
+                                expand_subnet=False).AndReturn(network)
        api.neutron.network_update(IsA(http.HttpRequest), network.id,
                                   name=network.name,
                                   admin_state_up=network.admin_state_up,
                                   shared=False)\
            .AndRaise(self.exceptions.neutron)
-        api.neutron.network_get(IsA(http.HttpRequest), network.id)\
-            .AndReturn(network)
        self.mox.ReplayAll()

        form_data = {'network_id': network.id,
--- a/openstack_dashboard/dashboards/project/networks/views.py
+++ b/openstack_dashboard/dashboards/project/networks/views.py
@ -97,7 +97,10 @@ class UpdateView(forms.ModalFormView):
    def _get_object(self, *args, **kwargs):
        network_id = self.kwargs['network_id']
        try:
-            return api.neutron.network_get(self.request, network_id)
+            # no subnet values are read or editable in this view, so
+            # save the subnet expansion overhead
+            return api.neutron.network_get(self.request, network_id,
+                                           expand_subnet=False)
        except Exception:
            redirect = self.success_url
            msg = _('Unable to retrieve network details.')
--- a/openstack_dashboard/policy.py
+++ b/openstack_dashboard/policy.py
@ -39,6 +39,7 @@ class PolicyTargetMixin(object):
    """

    policy_target_attrs = (("project_id", "tenant_id"),
+                           ("tenant_id", "tenant_id"),
                           ("user_id", "user_id"),
                           ("domain_id", "domain_id"),
                           ("target.project.domain_id", "domain_id"),