authorythomas1 <ythomas1.ext@orange.com>2019-01-25 17:13:30 +0100
committerythomas1 <ythomas1.ext@orange.com>2019-01-31 10:09:50 +0100
commit74e6ae9831bb104880b0dad1906657f56715f1d4 (patch)
treea53bcec398c4a6d7140b3e33509b4f5da7d41997
parent633108cdc2b0aae38383d4d55198e87b64ed05e6 (diff)
Define default policies in codeHEADmaster
New role ``neutron_interconnection_peer`` must be added for neutron-interconnection specific user used for interconnection refresh and parameters exchange. This patch adds policies in code and corresponding documentation. Partially Implements: blueprint neutron-policy-in-code Signed-off-by: Thomas Morin <thomas.morin@orange.com> Submitted on behalf of a third-party: Orange Change-Id: I235e79e2c165ba2d5d2d6b3c976f6fda16f19a68
Notes
Notes (review): Code-Review+2: Akihiro Motoki <amotoki@gmail.com> Code-Review+2: Slawek Kaplonski <skaplons@redhat.com> Workflow+1: Slawek Kaplonski <skaplons@redhat.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Tue, 12 Feb 2019 22:23:42 +0000 Reviewed-on: https://review.openstack.org/633534 Project: openstack/neutron-interconnection Branch: refs/heads/master
-rwxr-xr-xdoc/source/conf.py8
-rw-r--r--doc/source/configuration/index.rst18
-rw-r--r--doc/source/configuration/policy-sample.rst17
-rw-r--r--doc/source/configuration/policy.rst10
-rw-r--r--etc/oslo-policy-generator/policy.conf3
-rw-r--r--neutron_interconnection/policies/__init__.py24
-rw-r--r--neutron_interconnection/policies/base.py23
-rw-r--r--neutron_interconnection/policies/interconnection.py122
-rw-r--r--requirements.txt1
-rw-r--r--setup.cfg6
-rw-r--r--tox.ini12
11 files changed, 237 insertions, 7 deletions
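--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -23,7 +23,8 @@ sys.path.insert(0, os.path.abspath('../..'))
 extensions = [
  'sphinx.ext.autodoc',
  'openstackdocstheme',
- #'sphinx.ext.intersphinx',
+ 'oslo_policy.sphinxext',
+ 'oslo_policy.sphinxpolicygen',
 ]
 
 # autodoc generation is a bit aggressive and a nuisance when doing heavy
@@ -80,3 +81,8 @@ latex_documents = [
 
 # Example configuration for intersphinx: refer to the Python standard library.
 #intersphinx_mapping = {'http://docs.python.org/': None}
+
+# -- Options for oslo_policy.sphinxpolicygen ---------------------------------
+
+policy_generator_config_file = '../../etc/oslo-policy-generator/policy.conf'
+sample_policy_basename = '_static/neutron-interconnection'
\ No newline at end of file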
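--- a/doc/source/configuration/index.rst
+++ b/doc/source/configuration/index.rst
@@ -1,5 +1,15 @@
-=============
-Configuration
-=============
+===================
+Configuration Guide
+===================
 
-Configuration of neutron-interconnection.
+Policy
+------
+
+Like most OpenStack projects, neutron-interconnection uses policies to restrict
+permissions on REST API actions.
+
+.. toctree::
+ :maxdepth: 1
+
+ Policy Reference <policy>
+ Sample Policy File <policy-sample>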
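--- /dev/null
+++ b/doc/source/configuration/policy-sample.rst
@@ -0,0 +1,17 @@
+==========================================
+Neutron Interconnection Sample Policy File
+==========================================
+
+The following is a neutron-interconnection sample policy file for adaptation
+and use.
+
+This sample policy can also be viewed in :download:`file form
+</_static/neutron-interconnection.policy.yaml.sample>`.
+
+.. important::
+
+ The sample policy file was auto-generated when neutron-interconnection
+ documentation was build. You must ensure your neutron-interconnection
+ version matches the version of this documentation.
+
+.. literalinclude:: /_static/neutron-interconnection.policy.yaml.sample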
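--- /dev/null
+++ b/doc/source/configuration/policy.rst
@@ -0,0 +1,10 @@
+================================
+Neutron Interconnection Policies
+================================
+
+The following is an overview of all available policies in
+neutron-interconnection.
+Refer to :doc:`/configuration/policy-sample` for a sample configuration file.
+
+.. show-policy::
+ :config-file: etc/oslo-policy-generator/policy.conf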
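--- /dev/null
+++ b/etc/oslo-policy-generator/policy.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/policy.yaml.sample
+namespace = neutron-interconnection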
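--- /dev/null
+++ b/neutron_interconnection/policies/__init__.py
@@ -0,0 +1,24 @@
+# Copyright (c) 2018 Orange.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from neutron_interconnection.policies import interconnection
+
+
+def list_rules():
+ return itertools.chain(
+ interconnection.list_rules(),
+ )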
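--- /dev/null
+++ b/neutron_interconnection/policies/base.py
@@ -0,0 +1,23 @@
+# Copyright (c) 2018 Orange.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# TODO(ythomas1): Define these in neutron or neutron-lib
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ANY = 'rule:regular_user'
+
+RULE_NEUTRON_INTERCONNECTION_PEER = 'role:neutron_interconnection_peer'
+RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER = (
+ 'rule:context_is_admin or role:neutron_interconnection_peer'
+)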
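Review bot: The check strings in these constants reference `rule:admin_or_owner`, `rule:regular_user` and `rule:context_is_admin`, none of which is defined anywhere in this change, so every default built on them depends on another package (presumably neutron's base policies) registering those rules in the same enforcer. As far as I know oslo.policy evaluates a reference to an undefined rule as a denial, so the failure is closed but silent, and the sample file generated from the `neutron-interconnection` namespace alone will show these references without their definitions. The TODO hints at this without saying where the rules come from; I would extend it to something like `# admin_or_owner, regular_user and context_is_admin are provided by neutron's base policies and must be loaded in the same enforcer.` `RULE_ANY` is not used by any rule added in this commit and could be left out until a rule needs it.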
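--- /dev/null
+++ b/neutron_interconnection/policies/interconnection.py
@@ -0,0 +1,122 @@
+# Copyright (c) 2018 Orange.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from neutron_interconnection.policies import base
+
+
+rules = [
+ policy.DocumentedRuleDefault(
+ 'create_interconnection',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Create an interconnection',
+ [
+ {
+ 'method': 'POST',
+ 'path': '/inter/interconnections',
+ },
+ ]
+ ),
+
+ policy.DocumentedRuleDefault(
+ 'update_interconnection',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Update an interconnection',
+ [
+ {
+ 'method': 'PUT',
+ 'path': '/inter/interconnections/{id}',
+ },
+ ]
+ ),
+
+ policy.DocumentedRuleDefault(
+ 'delete_interconnection',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Delete an interconnection',
+ [
+ {
+ 'method': 'DELETE',
+ 'path': '/inter/interconnections/{id}',
+ },
+ ]
+ ),
+
+ policy.DocumentedRuleDefault(
+ 'get_interconnection',
+ base.RULE_ADMIN_OR_OWNER,
+ 'Get interconnections',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/inter/interconnections',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/inter/interconnections/{id}',
+ },
+ ]
+ ),
+
+ policy.DocumentedRuleDefault(
+ 'get_interconnection:local_parameters',
+ base.RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER,
+ 'Get ``local_parameters`` attributes of interconnections',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/inter/interconnections',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/inter/interconnections/{id}',
+ },
+ ]
+ ),
+
+ policy.DocumentedRuleDefault(
+ 'get_interconnection:remote_parameters',
+ base.RULE_ADMIN_OR_NEUTRON_INTERCONNECTION_PEER,
+ 'Get ``remote_parameters`` attributes of interconnections',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/inter/interconnections',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/inter/interconnections/{id}',
+ },
+ ]
+ ),
+
+ policy.DocumentedRuleDefault(
+ 'refresh',
+ base.RULE_NEUTRON_INTERCONNECTION_PEER,
+ 'Refresh an interconnection',
+ [
+ {
+ 'method': 'PUT',
+ 'path': '/inter/interconnections/{id}/refresh',
+ },
+ ]
+ ),
+
+]
+
+
+def list_rules():
+ return rules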
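Review bot: The three peer rules (`get_interconnection:local_parameters`, `get_interconnection:remote_parameters` and `refresh`) rest on a bare `role:neutron_interconnection_peer` check with no project condition, so as far as this file shows any identity holding that role passes for every interconnection, not only those of its own project. The commit message says the role is meant for a dedicated service user, but neither a comment nor the rule descriptions say so, and the descriptions are what ends up in the generated policy reference that operators read. I would add a comment above these rules such as `# Peer role is a cross-project service role: grant it only to the dedicated interconnection user.` and make the description explicit, e.g. `'Refresh an interconnection (peer service user only)'`. `refresh` is also the only peer rule whose check omits `rule:context_is_admin`; if excluding admins is intentional, a one-line comment saying why would prevent someone "fixing" it later.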
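--- a/requirements.txt
+++ b/requirements.txt
@@ -3,3 +3,4 @@
 # process, which may cause wedges in the gate later.
 
 pbr>=2.0 # Apache-2.0
+oslo.policy>=1.30.0 # Apache-2.0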
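--- a/setup.cfg
+++ b/setup.cfg
@@ -22,6 +22,12 @@ classifier =
 packages =
  neutron_interconnection
 
+[entry_points]
+oslo.policy.policies =
+ neutron-interconnection = neutron_interconnection.policies:list_rules
+neutron.policies =
+ neutron-interconnection = neutron_interconnection.policies:list_rules
+
 [compile_catalog]
 directory = neutron_interconnection/locale
 domain = neutron_interconnection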
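--- a/tox.ini
+++ b/tox.ini
@@ -12,11 +12,16 @@ setenv =
  OS_STDOUT_CAPTURE=1
  OS_STDERR_CAPTURE=1
  OS_TEST_TIMEOUT=60
-deps = -r{toxinidir}/test-requirements.txt
+deps = -r{toxinidir}/requirements.txt
+ -r{toxinidir}/test-requirements.txt
 commands = stestr run {posargs}
 
 [testenv:pep8]
-commands = flake8 {posargs}
+deps =
+ {[testenv]deps}
+commands =
+ flake8 {posargs}
+ {[testenv:genpolicy]commands}
 
 [testenv:venv]
 commands = {posargs}
@@ -43,6 +48,9 @@ commands =
 [testenv:debug]
 commands = oslo_debug_helper {posargs}
 
+[testenv:genpolicy]
+commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
+
 [flake8]
 # E123, E125 skipped as they are invalid PEP-8.
 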