diff --git a/openstack_dashboard/conf/neutron_policy.json b/openstack_dashboard/conf/neutron_policy.json index 79f0b6b33f..36b1622504 100644 --- a/openstack_dashboard/conf/neutron_policy.json +++ b/openstack_dashboard/conf/neutron_policy.json 
@@ -1,107 +1,140 @@ { "context_is_admin": "role:admin", - "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s", - "admin_or_network_owner": "rule:context_is_admin or project_id:%(network:project_id)s", + "owner": "tenant_id:%(tenant_id)s", + "admin_or_owner": "rule:context_is_admin or rule:owner", + "context_is_advsvc": "role:advsvc", + "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s", + "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner", "admin_only": "rule:context_is_admin", "regular_user": "", "shared": "field:networks:shared=True", "shared_firewalls": "field:firewalls:shared=True", + "shared_firewall_policies": "field:firewall_policies:shared=True", + "shared_subnetpools": "field:subnetpools:shared=True", + "shared_address_scopes": "field:address_scopes:shared=True", "external": "field:networks:router:external=True", "default": "rule:admin_or_owner", - "subnets:private:read": "rule:admin_or_owner", - "subnets:private:write": "rule:admin_or_owner", - "subnets:shared:read": "rule:regular_user", - "subnets:shared:write": "rule:admin_only", - "create_subnet": "rule:admin_or_network_owner", + "create_subnet:segment_id": "rule:admin_only", "get_subnet": "rule:admin_or_owner or rule:shared", + "get_subnet:segment_id": "rule:admin_only", "update_subnet": "rule:admin_or_network_owner", "delete_subnet": "rule:admin_or_network_owner", + "create_subnetpool": "", + "create_subnetpool:shared": "rule:admin_only", + "create_subnetpool:is_default": "rule:admin_only", + "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools", + "update_subnetpool": "rule:admin_or_owner", + "update_subnetpool:is_default": "rule:admin_only", + "delete_subnetpool": "rule:admin_or_owner", + + "create_address_scope": "", + "create_address_scope:shared": "rule:admin_only", + "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes", + "update_address_scope": "rule:admin_or_owner", + 
"update_address_scope:shared": "rule:admin_only", + "delete_address_scope": "rule:admin_or_owner", + "create_network": "", - "get_network": "rule:admin_or_owner or rule:shared or rule:external", + "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc", "get_network:router:external": "rule:regular_user", "get_network:segments": "rule:admin_only", "get_network:provider:network_type": "rule:admin_only", "get_network:provider:physical_network": "rule:admin_only", "get_network:provider:segmentation_id": "rule:admin_only", "get_network:queue_id": "rule:admin_only", + "get_network_ip_availabilities": "rule:admin_only", + "get_network_ip_availability": "rule:admin_only", "create_network:shared": "rule:admin_only", "create_network:router:external": "rule:admin_only", + "create_network:is_default": "rule:admin_only", "create_network:segments": "rule:admin_only", "create_network:provider:network_type": "rule:admin_only", "create_network:provider:physical_network": "rule:admin_only", "create_network:provider:segmentation_id": "rule:admin_only", "update_network": "rule:admin_or_owner", "update_network:segments": "rule:admin_only", + "update_network:shared": "rule:admin_only", "update_network:provider:network_type": "rule:admin_only", "update_network:provider:physical_network": "rule:admin_only", "update_network:provider:segmentation_id": "rule:admin_only", + "update_network:router:external": "rule:admin_only", "delete_network": "rule:admin_or_owner", + "create_segment": "rule:admin_only", + "get_segment": "rule:admin_only", + "update_segment": "rule:admin_only", + "delete_segment": "rule:admin_only", + + "network_device": "field:port:device_owner=~^network:", "create_port": "", - "create_port:mac_address": "rule:admin_or_network_owner", - "create_port:fixed_ips": "rule:admin_or_network_owner", - "create_port:port_security_enabled": "rule:admin_or_network_owner", + "create_port:device_owner": "not rule:network_device or 
rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", "create_port:binding:host_id": "rule:admin_only", "create_port:binding:profile": "rule:admin_only", - "create_port:mac_learning_enabled": "rule:admin_or_network_owner", - "get_port": "rule:admin_or_owner", + "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:allowed_address_pairs": "rule:admin_or_network_owner", + "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", "get_port:queue_id": "rule:admin_only", "get_port:binding:vif_type": "rule:admin_only", - "get_port:binding:capabilities": "rule:admin_only", + "get_port:binding:vif_details": "rule:admin_only", "get_port:binding:host_id": "rule:admin_only", "get_port:binding:profile": "rule:admin_only", - "update_port": "rule:admin_or_owner", - "update_port:fixed_ips": "rule:admin_or_network_owner", - "update_port:port_security_enabled": "rule:admin_or_network_owner", + "update_port": "rule:admin_or_owner or rule:context_is_advsvc", + "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner", + "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc", + "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", + "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", "update_port:binding:host_id": "rule:admin_only", "update_port:binding:profile": "rule:admin_only", - "update_port:mac_learning_enabled": "rule:admin_or_network_owner", - "delete_port": "rule:admin_or_owner", + "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", + 
"update_port:allowed_address_pairs": "rule:admin_or_network_owner", + "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", + "get_router:ha": "rule:admin_only", + "create_router": "rule:regular_user", "create_router:external_gateway_info:enable_snat": "rule:admin_only", + "create_router:distributed": "rule:admin_only", + "create_router:ha": "rule:admin_only", + "get_router": "rule:admin_or_owner", + "get_router:distributed": "rule:admin_only", "update_router:external_gateway_info:enable_snat": "rule:admin_only", + "update_router:distributed": "rule:admin_only", + "update_router:ha": "rule:admin_only", + "delete_router": "rule:admin_or_owner", - "create_ikepolicy": "rule:admin_or_owner", - "update_ikepolicy": "rule:admin_or_owner", - "delete_ikepolicy": "rule:admin_or_owner", + "add_router_interface": "rule:admin_or_owner", + "remove_router_interface": "rule:admin_or_owner", - "create_ipsecpolicy": "rule:admin_or_owner", - "update_ipsecpolicy": "rule:admin_or_owner", - "delete_ipsecpolicy": "rule:admin_or_owner", - - "create_vpnservice": "rule:admin_or_owner", - "update_vpnservice": "rule:admin_or_owner", - "delete_vpnservice": "rule:admin_or_owner", - - "create_ipsec_site_connection": "rule:admin_or_owner", - "update_ipsec_site_connection": "rule:admin_or_owner", - "delete_ipsec_site_connection": "rule:admin_or_owner", + "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only", + "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only", "create_firewall": "", "get_firewall": "rule:admin_or_owner", "create_firewall:shared": "rule:admin_only", "get_firewall:shared": "rule:admin_only", "update_firewall": "rule:admin_or_owner", + "update_firewall:shared": "rule:admin_only", "delete_firewall": "rule:admin_or_owner", "create_firewall_policy": "", - "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls", + "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies", 
"create_firewall_policy:shared": "rule:admin_or_owner", "update_firewall_policy": "rule:admin_or_owner", "delete_firewall_policy": "rule:admin_or_owner", - "create_firewall_rule": "", - "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls", - "create_firewall_rule:shared": "rule:admin_or_owner", - "get_firewall_rule:shared": "rule:admin_or_owner", - "update_firewall_rule": "rule:admin_or_owner", - "delete_firewall_rule": "rule:admin_or_owner", "insert_rule": "rule:admin_or_owner", "remove_rule": "rule:admin_or_owner", + "create_firewall_rule": "", + "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls", + "update_firewall_rule": "rule:admin_or_owner", + "delete_firewall_rule": "rule:admin_or_owner", + "create_qos_queue": "rule:admin_only", "get_qos_queue": "rule:admin_only", 
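Review bot: The rewritten `owner` and `admin_or_network_owner` rules now match on `tenant_id:%(tenant_id)s` and `%(network:tenant_id)s` where the previous file used `project_id`, so any Horizon policy target that supplies only `network:project_id` stops satisfying this file; the companion changes to SubnetPolicyTargetMixin and CreateSubnet cover the subnet actions, but any other action that builds a `network:project_id`-only target is not touched by this commit and would presumably evaluate to False on the missing key (fail-closed, so a hidden control rather than an exposure — confirm against oslo.policy's GenericCheck behaviour). The collapsed hunk is ambiguous about whether `- "create_subnet": "rule:admin_or_network_owner",` is a removed line or a removed blank line followed by context; if it is removed, `create_subnet` falls through to `"default": "rule:admin_or_owner"` and the `network:tenant_id` target the mixin adds is no longer consulted for it, which is worth checking against the upstream Neutron file rather than assuming. Since JSON cannot carry comments, record the Neutron commit or release this policy file was synced from in the commit message or a README beside it, because the `tenant_id`/`project_id` drift this change works around is exactly a versioning question the next sync will hit again.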
@@ -119,40 +152,11 @@ "get_l3-agents": "rule:admin_only", "get_loadbalancer-agent": "rule:admin_only", "get_loadbalancer-pools": "rule:admin_only", - - "create_pool": "rule:admin_or_owner", - "update_pool": "rule:admin_or_owner", - "delete_pool": "rule:admin_or_owner", - - "create_vip": "rule:admin_or_owner", - "update_vip": "rule:admin_or_owner", - "delete_vip": "rule:admin_or_owner", - - "create_member": "rule:admin_or_owner", - "update_member": "rule:admin_or_owner", - "delete_member": "rule:admin_or_owner", - - "create_health_monitor": "rule:admin_or_owner", - "update_health_monitor": "rule:admin_or_owner", - "delete_health_monitor": "rule:admin_or_owner", - - "create_pool_health_monitor": "rule:admin_or_owner", - "delete_pool_health_monitor": "rule:admin_or_owner", - - "create_router": "rule:regular_user", - "get_router": "rule:admin_or_owner", - "update_router": "rule:admin_or_owner", - "add_router_interface": "rule:admin_or_owner", - "remove_router_interface": "rule:admin_or_owner", - "delete_router": "rule:admin_or_owner", - "get_router:distributed": "rule:admin_only", - "create_router:distributed": "rule:admin_only", - "update_router:distributed": "rule:admin_only", - "get_router:ha": "rule:admin_only", - "create_router:ha": "rule:admin_only", - "update_router:ha": "rule:admin_only", + "get_agent-loadbalancers": "rule:admin_only", + "get_loadbalancer-hosting-agent": "rule:admin_only", "create_floatingip": "rule:regular_user", + "create_floatingip:floating_ip_address": "rule:admin_only", "update_floatingip": "rule:admin_or_owner", "delete_floatingip": "rule:admin_or_owner", "get_floatingip": "rule:admin_or_owner", 
@@ -174,5 +178,45 @@ "delete_metering_label_rule": "rule:admin_only", "get_metering_label_rule": "rule:admin_only", - "get_service_provider": "rule:regular_user" + "get_service_provider": "rule:regular_user", + "get_lsn": "rule:admin_only", + "create_lsn": "rule:admin_only", + + "create_flavor": "rule:admin_only", + "update_flavor": "rule:admin_only", + "delete_flavor": "rule:admin_only", + "get_flavors": "rule:regular_user", + "get_flavor": "rule:regular_user", + "create_service_profile": "rule:admin_only", + "update_service_profile": "rule:admin_only", + "delete_service_profile": "rule:admin_only", + "get_service_profiles": "rule:admin_only", + "get_service_profile": "rule:admin_only", + + "get_policy": "rule:regular_user", + "create_policy": "rule:admin_only", + "update_policy": "rule:admin_only", + "delete_policy": "rule:admin_only", + "get_policy_bandwidth_limit_rule": "rule:regular_user", + "create_policy_bandwidth_limit_rule": "rule:admin_only", + "delete_policy_bandwidth_limit_rule": "rule:admin_only", + "update_policy_bandwidth_limit_rule": "rule:admin_only", + "get_policy_dscp_marking_rule": "rule:regular_user", + "create_policy_dscp_marking_rule": "rule:admin_only", + "delete_policy_dscp_marking_rule": "rule:admin_only", + "update_policy_dscp_marking_rule": "rule:admin_only", + "get_rule_type": "rule:regular_user", + + "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only", + "create_rbac_policy": "", + "create_rbac_policy:target_tenant": "rule:restrict_wildcard", + "update_rbac_policy": "rule:admin_or_owner", + "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner", + "get_rbac_policy": "rule:admin_or_owner", + "delete_rbac_policy": "rule:admin_or_owner", + + "create_flavor_service_profile": "rule:admin_only", + "delete_flavor_service_profile": "rule:admin_only", + "get_flavor_service_profile": "rule:regular_user", + "get_auto_allocated_topology": "rule:admin_or_owner" } 
diff --git a/openstack_dashboard/dashboards/admin/networks/tests.py b/openstack_dashboard/dashboards/admin/networks/tests.py index 89615027c1..d54b7a3b2a 100644 --- a/openstack_dashboard/dashboards/admin/networks/tests.py +++ b/openstack_dashboard/dashboards/admin/networks/tests.py @@ -622,8 +622,8 @@ class NetworkTests(test.BaseAdminViewTests): @test.create_stubs({api.neutron: ('network_get',)}) def test_network_update_get(self): network = self.networks.first() - api.neutron.network_get(IsA(http.HttpRequest), network.id)\ - .AndReturn(network) + api.neutron.network_get(IsA(http.HttpRequest), network.id, + expand_subnet=False).AndReturn(network) self.mox.ReplayAll() @@ -657,8 +657,8 @@ class NetworkTests(test.BaseAdminViewTests): api.neutron.network_update(IsA(http.HttpRequest), network.id, **params)\ .AndReturn(network) - api.neutron.network_get(IsA(http.HttpRequest), network.id)\ - .AndReturn(network) + api.neutron.network_get(IsA(http.HttpRequest), network.id, + expand_subnet=False).AndReturn(network) self.mox.ReplayAll() form_data = {'network_id': network.id, @@ -683,8 +683,8 @@ class NetworkTests(test.BaseAdminViewTests): api.neutron.network_update(IsA(http.HttpRequest), network.id, **params)\ .AndRaise(self.exceptions.neutron) - api.neutron.network_get(IsA(http.HttpRequest), network.id)\ - .AndReturn(network) + api.neutron.network_get(IsA(http.HttpRequest), network.id, + expand_subnet=False).AndReturn(network) self.mox.ReplayAll() form_data = {'network_id': network.id, diff --git a/openstack_dashboard/dashboards/project/networks/subnets/tables.py b/openstack_dashboard/dashboards/project/networks/subnets/tables.py index c5dc55d939..e4676b09f9 100644 --- a/openstack_dashboard/dashboards/project/networks/subnets/tables.py +++ b/openstack_dashboard/dashboards/project/networks/subnets/tables.py 
@@ -50,6 +50,8 @@ class SubnetPolicyTargetMixin(policy.PolicyTargetMixin): policy_target = super(SubnetPolicyTargetMixin, self)\ .get_policy_target(request, datum) network = self.table._get_network() + # neutron switched policy target values, we'll support both + policy_target["network:tenant_id"] = network.tenant_id policy_target["network:project_id"] = network.tenant_id return policy_target diff --git a/openstack_dashboard/dashboards/project/networks/tables.py b/openstack_dashboard/dashboards/project/networks/tables.py index e3cd0de19d..95b5fa6c9b 100644 --- a/openstack_dashboard/dashboards/project/networks/tables.py +++ b/openstack_dashboard/dashboards/project/networks/tables.py @@ -123,7 +123,9 @@ class CreateSubnet(policy.PolicyTargetMixin, CheckNetworkEditable, classes = ("ajax-modal",) icon = "plus" policy_rules = (("network", "create_subnet"),) - policy_target_attrs = (("network:project_id", "tenant_id"),) + # neutron has used both in their policy files, supporting both + policy_target_attrs = (("network:tenant_id", "tenant_id"), + ("network:project_id", "tenant_id"),) def allowed(self, request, datum=None): usages = quotas.tenant_quota_usages(request) diff --git a/openstack_dashboard/dashboards/project/networks/tests.py b/openstack_dashboard/dashboards/project/networks/tests.py index f74dde6e6d..5c83ff834c 100644 --- a/openstack_dashboard/dashboards/project/networks/tests.py +++ b/openstack_dashboard/dashboards/project/networks/tests.py @@ -1056,9 +1056,8 @@ class NetworkTests(test.TestCase, NetworkStubMixin): @test.create_stubs({api.neutron: ('network_get',)}) def test_network_update_get(self): network = self.networks.first() - api.neutron.network_get(IsA(http.HttpRequest), network.id)\ - .AndReturn(network) - + api.neutron.network_get(IsA(http.HttpRequest), network.id, + expand_subnet=False).AndReturn(network) self.mox.ReplayAll() url = reverse('horizon:project:networks:update', args=[network.id]) 
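Review bot: The `network:tenant_id` / `network:project_id` pair is now spelled out twice with near-identical comments — imperatively in `SubnetPolicyTargetMixin.get_policy_target` here and declaratively in `CreateSubnet.policy_target_attrs` in project/networks/tables.py — so the next Neutron attribute rename has to be chased in both places. Consider one shared definition, e.g. a module-level `NETWORK_OWNER_TARGET_KEYS = ("network:tenant_id", "network:project_id")` that both sites iterate, with a single comment there stating that Neutron's policy files have used both attribute names. The `def get_policy_target(...)` line lies above this hunk.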
@@ -1089,8 +1088,8 @@ class NetworkTests(test.TestCase, NetworkStubMixin): admin_state_up=network.admin_state_up, shared=network.shared)\ .AndReturn(network) - api.neutron.network_get(IsA(http.HttpRequest), network.id)\ - .AndReturn(network) + api.neutron.network_get(IsA(http.HttpRequest), network.id, + expand_subnet=False).AndReturn(network) self.mox.ReplayAll() form_data = {'network_id': network.id, @@ -1107,13 +1106,13 @@ class NetworkTests(test.TestCase, NetworkStubMixin): 'network_get',)}) def test_network_update_post_exception(self): network = self.networks.first() + api.neutron.network_get(IsA(http.HttpRequest), network.id, + expand_subnet=False).AndReturn(network) api.neutron.network_update(IsA(http.HttpRequest), network.id, name=network.name, admin_state_up=network.admin_state_up, shared=False)\ .AndRaise(self.exceptions.neutron) - api.neutron.network_get(IsA(http.HttpRequest), network.id)\ - .AndReturn(network) self.mox.ReplayAll() form_data = {'network_id': network.id, diff --git a/openstack_dashboard/dashboards/project/networks/views.py b/openstack_dashboard/dashboards/project/networks/views.py index 2a74746ff2..236c6e2fa1 100644 --- a/openstack_dashboard/dashboards/project/networks/views.py +++ b/openstack_dashboard/dashboards/project/networks/views.py @@ -97,7 +97,10 @@ class UpdateView(forms.ModalFormView): def _get_object(self, *args, **kwargs): network_id = self.kwargs['network_id'] try: - return api.neutron.network_get(self.request, network_id) + # no subnet values are read or editable in this view, so + # save the subnet expansion overhead + return api.neutron.network_get(self.request, network_id, + expand_subnet=False) except Exception: redirect = self.success_url msg = _('Unable to retrieve network details.') diff --git a/openstack_dashboard/policy.py b/openstack_dashboard/policy.py index 6bcb2242c7..8f8c1733f0 100644 --- a/openstack_dashboard/policy.py +++ b/openstack_dashboard/policy.py 
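Review bot: `test_network_update_post_exception` now records the `network_get` expectation before `network_update`, while `test_network_update_post` in the hunk just above keeps `network_update` first; as far as I recall mox verifies calls in recorded order, so both tests can only pass if the view really calls the two in different orders on success and failure, which seems unlikely for the same form. If the view fetches the network before handling the form (which the reorder implies), the success-path test and the admin-side tests in openstack_dashboard/dashboards/admin/networks/tests.py should be put in the same order; otherwise a one-line comment above the moved lines, e.g. `# network_get is expected before network_update because the view loads the object before validating the form`, would save the next reader the same puzzle. The body of each test continues beyond the hunk.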
@@ -39,6 +39,7 @@ class PolicyTargetMixin(object): """ policy_target_attrs = (("project_id", "tenant_id"), + ("tenant_id", "tenant_id"), ("user_id", "user_id"), ("domain_id", "domain_id"), ("target.project.domain_id", "domain_id"),
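Review bot: The new `("tenant_id", "tenant_id")` entry in `PolicyTargetMixin.policy_target_attrs` is what makes the rewritten neutron rules (`owner` = `tenant_id:%(tenant_id)s`) evaluable from the dashboard, but neither the class docstring ending just above nor the tuple says why `project_id` and `tenant_id` are both populated from the same datum attribute, so the duplicate looks like an oversight waiting to be "cleaned up". Add a short comment on the new line, e.g. `# neutron policy files have keyed on both project_id and tenant_id; supply both`, mirroring the note already placed in project/networks/tables.py. The tuple and the class body continue outside the hunk.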