Convert policy.json into policy-in-code

This commit converts the existing neutron-fwaas policy.json
into policy-in-code.

The policy.json used for testing is also removed. As a result, setup_config()
in neutron_fwaas.tests.base.NeutronDbPluginV2TestCase is no longer
required (its content is now the same as that in neutron).

Partially Implements: blueprint neutron-policy-in-code
Change-Id: I67be3a21f19e3f793312d64d358452ee4531c080
Akihiro Motoki 2017-12-12 10:10:17 +09:00
parent 781a06c983
commit 3288743827
15 changed files with 534 additions and 135 deletions


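--- a/<PATH NOT SHOWN ON PAGE: devstack plugin script>
+++ b/<PATH NOT SHOWN ON PAGE: devstack plugin script>
@@ -72,10 +72,6 @@ function neutron_fwaas_generate_config_files {
 function init_fwaas() {
     # Initialize and start the service.
     :
-    if [ ! -d /etc/neutron/policy.d ]; then
-        mkdir /etc/neutron/policy.d
-    fi
-    cp $DEST/neutron-fwaas/etc/neutron/policy.d/neutron-fwaas.json /etc/neutron/policy.d/neutron-fwaas.json
     # Using sudo to gain the root privilege to be able to copy file to rootwrap.d
     sudo cp $DEST/neutron-fwaas/etc/neutron/rootwrap.d/fwaas-privsep.filters /etc/neutron/rootwrap.d/fwaas-privsep.filters
 }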


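--- a/etc/neutron/policy.d/neutron-fwaas.json
+++ b/etc/neutron/policy.d/neutron-fwaas.json
@@ -1,52 +0,0 @@
-{
-    "shared_firewalls": "field:firewalls:shared=True",
-    "shared_firewall_policies": "field:firewall_policies:shared=True",
-    "shared_firewall_rules": "field:firewall_rules:shared=True",
-    "create_firewall": "",
-    "update_firewall": "rule:admin_or_owner",
-    "delete_firewall": "rule:admin_or_owner",
-    "create_firewall:shared": "rule:admin_only",
-    "update_firewall:shared": "rule:admin_only",
-    "delete_firewall:shared": "rule:admin_only",
-    "get_firewall": "rule:admin_or_owner or rule:shared_firewalls",
-    "shared_firewall_groups": "field:firewall_groups:shared=True",
-    "shared_firewall_policies": "field:firewall_policies:shared=True",
-    "shared_firewall_rules": "field:firewall_rules:shared=True",
-    "create_firewall_group": "",
-    "update_firewall_group": "rule:admin_or_owner",
-    "delete_firewall_group": "rule:admin_or_owner",
-    "create_firewall_group:shared": "rule:admin_only",
-    "update_firewall_group:shared": "rule:admin_only",
-    "delete_firewall_group:shared": "rule:admin_only",
-    "get_firewall_group": "rule:admin_or_owner or rule:shared_firewall_groups",
-    "create_firewall_policy": "",
-    "update_firewall_policy": "rule:admin_or_owner",
-    "delete_firewall_policy": "rule:admin_or_owner",
-    "create_firewall_policy:shared": "rule:admin_only",
-    "update_firewall_policy:shared": "rule:admin_only",
-    "delete_firewall_policy:shared": "rule:admin_only",
-    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
-    "insert_rule": "rule:admin_or_owner",
-    "remove_rule": "rule:admin_or_owner",
-    "create_firewall_rule": "",
-    "update_firewall_rule": "rule:admin_or_owner",
-    "delete_firewall_rule": "rule:admin_or_owner",
-    "create_firewall_rule:shared": "rule:admin_only",
-    "update_firewall_rule:shared": "rule:admin_only",
-    "delete_firewall_rule:shared": "rule:admin_only",
-    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewall_rules"
-}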


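--- a/etc/oslo-policy-generator/policy.conf
+++ b/etc/oslo-policy-generator/policy.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/policy.yaml.sample
+namespace = neutron-fwaas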


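--- a/neutron_fwaas/policies/__init__.py
+++ b/neutron_fwaas/policies/__init__.py
@@ -0,0 +1,27 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+import itertools
+from neutron_fwaas.policies import firewall
+from neutron_fwaas.policies import firewall_group
+from neutron_fwaas.policies import firewall_policy
+from neutron_fwaas.policies import firewall_rule
+def list_rules():
+    return itertools.chain(
+        firewall.list_rules(),
+        firewall_group.list_rules(),
+        firewall_policy.list_rules(),
+        firewall_rule.list_rules(),
+    )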
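Review bot: `list_rules` has no docstring even though it is the function wired to the `oslo.policy.policies` and `neutron.policies` entry points elsewhere in this commit and is what `oslopolicy-sample-generator` calls; a one-liner such as `"""Return every neutron-fwaas policy default as one iterable for the oslo.policy entry points."""` would orient a reader. Note also that `itertools.chain` returns a one-shot iterator, so a caller that iterates the result twice sees nothing the second time; if any consumer might do that, `return list(itertools.chain(...))` is the safer return. The order of the chained modules only affects the order of entries in the generated sample, which is worth saying in the docstring.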


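--- a/neutron_fwaas/policies/base.py
+++ b/neutron_fwaas/policies/base.py
@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+# TODO(amotoki): Define these in neutron or neutron-lib
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_ONLY = 'rule:admin_only'
+RULE_ANY = 'rule:regular_user'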
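Review bot: `RULE_ANY = 'rule:regular_user'` is not an unconditional rule but a reference that has to be resolved against a `regular_user` rule defined outside this package (the TODO above acknowledges this), and oslo.policy fails closed on a reference to a rule it has not loaded, so every `create_*` default built on it would deny if the neutron base policy were not in effect. The removed policy.json used the empty rule `""` for those create actions, so this is a semantic change unless neutron defines `regular_user` as the always-true rule, which I cannot verify from this diff. A comment makes the dependency explicit, e.g. `# Resolved against neutron's base policy; an undefined rule reference evaluates to False.`, and the module could carry a short docstring stating that these constants are rule references, not rule bodies.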


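--- a/neutron_fwaas/policies/firewall.py
+++ b/neutron_fwaas/policies/firewall.py
@@ -0,0 +1,113 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+from neutron_fwaas.policies import base
+rules = [
+    policy.RuleDefault(
+        'shared_firewalls',
+        'field:firewalls:shared=True',
+        '(FWaaS v1) Definition of shared firewalls'
+    ),
+    policy.DocumentedRuleDefault(
+        'create_firewall',
+        base.RULE_ANY,
+        '(FWaaS v1) Create a firewall',
+        [
+            {
+                'method': 'POST',
+                'path': '/fw/firewalls',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_firewall',
+        base.RULE_ADMIN_OR_OWNER,
+        '(FWaaS v1) Update a firewall',
+        [
+            {
+                'method': 'PUT',
+                'path': '/fw/firewalls/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_firewall',
+        base.RULE_ADMIN_OR_OWNER,
+        '(FWaaS v1) Delete a firewall',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/fw/firewalls/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'create_firewall:shared',
+        base.RULE_ADMIN_ONLY,
+        '(FWaaS v1) Create a shared firewall',
+        [
+            {
+                'method': 'POST',
+                'path': '/fw/firewalls',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_firewall:shared',
+        base.RULE_ADMIN_ONLY,
+        '(FWaaS v1) Update ``shared`` attribute of a firewall',
+        [
+            {
+                'method': 'PUT',
+                'path': '/fw/firewalls/{id}',
+            },
+        ]
+    ),
+    # TODO(amotoki): Drop this rule as it has no effect.
+    policy.DocumentedRuleDefault(
+        'delete_firewall:shared',
+        base.RULE_ADMIN_ONLY,
+        '(FWaaS v1) Delete a shared firewall',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/fw/firewalls/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_firewall',
+        'rule:admin_or_owner or rule:shared_firewalls',
+        '(FWaaS v1) Get firewalls',
+        [
+            {
+                'method': 'GET',
+                'path': '/fw/firewalls',
+            },
+            {
+                'method': 'GET',
+                'path': '/fw/firewalls/{id}',
+            },
+        ]
+    ),
+]
+def list_rules():
+    return rules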
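Review bot: `get_firewall` spells its check out as the literal `'rule:admin_or_owner or rule:shared_firewalls'` while every other rule in the module goes through the `base.RULE_*` constants, so a later change to `base.RULE_ADMIN_OR_OWNER` would silently leave the read rule behind; `base.RULE_ADMIN_OR_OWNER + ' or rule:shared_firewalls',` keeps one source of truth. The same literal appears in `get_firewall_group`, `get_firewall_policy` and `get_firewall_rule` in the three sibling modules added by this commit. `list_rules` also lacks a docstring; `"""Return the FWaaS v1 firewall policy defaults."""` would do, and the module-level `rules` list deserves a one-line comment saying it is consumed through `list_rules` by the policy entry points.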


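--- a/neutron_fwaas/policies/firewall_group.py
+++ b/neutron_fwaas/policies/firewall_group.py
@@ -0,0 +1,113 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+from neutron_fwaas.policies import base
+rules = [
+    policy.RuleDefault(
+        'shared_firewall_groups',
+        'field:firewall_groups:shared=True',
+        'Definition of shared firewall groups'
+    ),
+    policy.DocumentedRuleDefault(
+        'create_firewall_group',
+        base.RULE_ANY,
+        'Create a firewall group',
+        [
+            {
+                'method': 'POST',
+                'path': '/fwaas/firewall_groups',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_firewall_group',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update a firewall group',
+        [
+            {
+                'method': 'PUT',
+                'path': '/fwaas/firewall_groups/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_firewall_group',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete a firewall group',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/fwaas/firewall_groups/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'create_firewall_group:shared',
+        base.RULE_ADMIN_ONLY,
+        'Create a shared firewall group',
+        [
+            {
+                'method': 'POST',
+                'path': '/fwaas/firewall_groups',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_firewall_group:shared',
+        base.RULE_ADMIN_ONLY,
+        'Update ``shared`` attribute of a firewall group',
+        [
+            {
+                'method': 'PUT',
+                'path': '/fwaas/firewall_groups/{id}',
+            },
+        ]
+    ),
+    # TODO(amotoki): Drop this rule as it has no effect.
+    policy.DocumentedRuleDefault(
+        'delete_firewall_group:shared',
+        base.RULE_ADMIN_ONLY,
+        'Delete a shared firewall group',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/fwaas/firewall_groups/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_firewall_group',
+        'rule:admin_or_owner or rule:shared_firewall_groups',
+        'Get firewall groups',
+        [
+            {
+                'method': 'GET',
+                'path': '/fwaas/firewall_groups',
+            },
+            {
+                'method': 'GET',
+                'path': '/fwaas/firewall_groups/{id}',
+            },
+        ]
+    ),
+]
+def list_rules():
+    return rules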


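--- a/neutron_fwaas/policies/firewall_policy.py
+++ b/neutron_fwaas/policies/firewall_policy.py
@@ -0,0 +1,113 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+from neutron_fwaas.policies import base
+rules = [
+    policy.RuleDefault(
+        'shared_firewall_policies',
+        'field:firewall_policies:shared=True',
+        'Definition of shared firewall policies'
+    ),
+    policy.DocumentedRuleDefault(
+        'create_firewall_policy',
+        base.RULE_ANY,
+        'Create a firewall policy',
+        [
+            {
+                'method': 'POST',
+                'path': '/fwaas/firewall_policies',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_firewall_policy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update a firewall policy',
+        [
+            {
+                'method': 'PUT',
+                'path': '/fwaas/firewall_policies/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_firewall_policy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete a firewall policy',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/fwaas/firewall_policies/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'create_firewall_policy:shared',
+        base.RULE_ADMIN_ONLY,
+        'Create a shared firewall policy',
+        [
+            {
+                'method': 'POST',
+                'path': '/fwaas/firewall_policies',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_firewall_policy:shared',
+        base.RULE_ADMIN_ONLY,
+        'Update ``shared`` attribute of a firewall policy',
+        [
+            {
+                'method': 'PUT',
+                'path': '/fwaas/firewall_policies/{id}',
+            },
+        ]
+    ),
+    # TODO(amotoki): Drop this rule as it has no effect.
+    policy.DocumentedRuleDefault(
+        'delete_firewall_policy:shared',
+        base.RULE_ADMIN_ONLY,
+        'Delete a shread firewall policy',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/fwaas/firewall_policies/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_firewall_policy',
+        'rule:admin_or_owner or rule:shared_firewall_policies',
+        'Get firewall policies',
+        [
+            {
+                'method': 'GET',
+                'path': '/fwaas/firewall_policies',
+            },
+            {
+                'method': 'GET',
+                'path': '/fwaas/firewall_policies/{id}',
+            },
+        ]
+    ),
+]
+def list_rules():
+    return rules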
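Review bot: The description of `delete_firewall_policy:shared` reads `'Delete a shread firewall policy'`; this string is copied verbatim into the generated policy sample that operators read, so it should be `'Delete a shared firewall policy',`. The same typo is in firewall_rule.py on `delete_firewall_rule:shared` (`'Delete a shread firewall rule'`). Since the TODO directly above says the rule has no effect, the description could say so as well, e.g. `'Delete a shared firewall policy (attribute check has no effect on delete)'`, so that a reader of the sample does not assume it adds a restriction — assuming the TODO is accurate, which I cannot confirm from this diff.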


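--- a/neutron_fwaas/policies/firewall_rule.py
+++ b/neutron_fwaas/policies/firewall_rule.py
@@ -0,0 +1,136 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+from neutron_fwaas.policies import base
+rules = [
+    policy.RuleDefault(
+        'shared_firewall_rules',
+        'field:firewall_rules:shared=True',
+        'Definition of shared firewall rules'
+    ),
+    policy.DocumentedRuleDefault(
+        'create_firewall_rule',
+        base.RULE_ANY,
+        'Create a firewall rule',
+        [
+            {
+                'method': 'POST',
+                'path': '/fwaas/firewall_rules',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_firewall_rule',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update a firewall rule',
+        [
+            {
+                'method': 'PUT',
+                'path': '/fwaas/firewall_rules/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_firewall_rule',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete a firewall rule',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/fwaas/firewall_rules/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'create_firewall_rule:shared',
+        base.RULE_ADMIN_ONLY,
+        'Create a shared firewall rule',
+        [
+            {
+                'method': 'POST',
+                'path': '/fwaas/firewall_rules',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_firewall_rule:shared',
+        base.RULE_ADMIN_ONLY,
+        'Update ``shared`` attribute of a firewall rule',
+        [
+            {
+                'method': 'PUT',
+                'path': '/fwaas/firewall_rules/{id}',
+            },
+        ]
+    ),
+    # TODO(amotoki): Drop this rule as it has no effect.
+    policy.DocumentedRuleDefault(
+        'delete_firewall_rule:shared',
+        base.RULE_ADMIN_ONLY,
+        'Delete a shread firewall rule',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/fwaas/firewall_rules/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_firewall_rule',
+        'rule:admin_or_owner or rule:shared_firewall_rules',
+        'Get firewall rules',
+        [
+            {
+                'method': 'GET',
+                'path': '/fwaas/firewall_rules',
+            },
+            {
+                'method': 'GET',
+                'path': '/fwaas/firewall_rules/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'insert_rule',
+        base.RULE_ADMIN_OR_OWNER,
+        'Insert rule into a firewall policy',
+        [
+            {
+                'method': 'PUT',
+                'path': '/fwaas/firewall_policies/{id}/insert_rule',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'remove_rule',
+        base.RULE_ADMIN_OR_OWNER,
+        'Remove rule from a firewall policy',
+        [
+            {
+                'method': 'PUT',
+                'path': '/fwaas/firewall_policies/{id}/remove_rule',
+            },
+        ]
+    ),
+]
+def list_rules():
+    return rules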
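Review bot: `insert_rule` and `remove_rule` are defined in the firewall-rule module although their documented paths are `/fwaas/firewall_policies/{id}/insert_rule` and `/fwaas/firewall_policies/{id}/remove_rule`, i.e. member actions on a firewall policy; the `admin_or_owner` check therefore presumably runs against the policy in the target, not against the rule being inserted. Either move the two entries next to the other firewall-policy rules in firewall_policy.py, or add a comment above the first one, e.g. `# insert_rule/remove_rule act on a firewall policy; the owner check applies to the policy, not to the rule being inserted (confirm against the plugin).`, so a reader does not look here for an ownership check on the inserted rule. `list_rules` also lacks a docstring, as in the sibling modules.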


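--- a/neutron_fwaas/tests/base.py
+++ b/neutron_fwaas/tests/base.py
@@ -14,31 +14,8 @@
 # under the License.
 #
-import os
-from neutron.common import test_lib
 from neutron.tests import base as n_base
-from neutron.tests.unit.db import test_db_base_plugin_v2 as test_db_plugin
 class BaseTestCase(n_base.BaseTestCase):
     pass
-class NeutronDbPluginV2TestCase(test_db_plugin.NeutronDbPluginV2TestCase):
-    def setup_config(self):
-        # Copied from neutron's test_db_base_plugin_v2 because they
-        # don't allow to specify args
-        # Create the default configurations
-        args = ['--config-file', n_base.etcdir('neutron.conf')]
-        # If test_config specifies some config-file, use it, as well
-        for config_file in test_lib.test_config.get('config_files', []):
-            args.extend(['--config-file', config_file])
-        # our own stuff
-        dirpath = os.path.join(os.path.dirname(__file__),
-                               'etc/neutron/policy.d')
-        args.extend(['--config-dir', dirpath])
-        self.config_parse(args=args)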


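--- a/neutron_fwaas/tests/etc/neutron/policy.d/<FILENAME NOT SHOWN ON PAGE>
+++ b/neutron_fwaas/tests/etc/neutron/policy.d/<FILENAME NOT SHOWN ON PAGE>
@@ -1,52 +0,0 @@
-{
-    "shared_firewalls": "field:firewalls:shared=True",
-    "shared_firewall_policies": "field:firewall_policies:shared=True",
-    "shared_firewall_rules": "field:firewall_rules:shared=True",
-    "create_firewall": "",
-    "update_firewall": "rule:admin_or_owner",
-    "delete_firewall": "rule:admin_or_owner",
-    "create_firewall:shared": "rule:admin_only",
-    "update_firewall:shared": "rule:admin_only",
-    "delete_firewall:shared": "rule:admin_only",
-    "get_firewall": "rule:admin_or_owner or rule:shared_firewalls",
-    "shared_firewall_groups": "field:firewall_groups:shared=True",
-    "shared_firewall_policies": "field:firewall_policies:shared=True",
-    "shared_firewall_rules": "field:firewall_rules:shared=True",
-    "create_firewall_group": "",
-    "update_firewall_group": "rule:admin_or_owner",
-    "delete_firewall_group": "rule:admin_or_owner",
-    "create_firewall_group:shared": "rule:admin_only",
-    "update_firewall_group:shared": "rule:admin_only",
-    "delete_firewall_group:shared": "rule:admin_only",
-    "get_firewall_group": "rule:admin_or_owner or rule:shared_firewall_groups",
-    "create_firewall_policy": "",
-    "update_firewall_policy": "rule:admin_or_owner",
-    "delete_firewall_policy": "rule:admin_or_owner",
-    "create_firewall_policy:shared": "rule:admin_only",
-    "update_firewall_policy:shared": "rule:admin_only",
-    "delete_firewall_policy:shared": "rule:admin_only",
-    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
-    "insert_rule": "rule:admin_or_owner",
-    "remove_rule": "rule:admin_or_owner",
-    "create_firewall_rule": "",
-    "update_firewall_rule": "rule:admin_or_owner",
-    "delete_firewall_rule": "rule:admin_or_owner",
-    "create_firewall_rule:shared": "rule:admin_only",
-    "update_firewall_rule:shared": "rule:admin_only",
-    "delete_firewall_rule:shared": "rule:admin_only",
-    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewall_rules"
-}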


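--- a/<PATH NOT SHOWN ON PAGE: FWaaS v1 plugin unit test module>
+++ b/<PATH NOT SHOWN ON PAGE: FWaaS v1 plugin unit test module>
@@ -18,6 +18,7 @@ import contextlib
 import mock
 from neutron.api import extensions as api_ext
 from neutron.common import config
+from neutron.tests.unit.db import test_db_base_plugin_v2 as test_db_plugin
 from neutron_lib.api.definitions import firewall
 from neutron_lib import constants as nl_constants
 from neutron_lib import context
@@ -33,7 +34,6 @@ import webob.exc
 from neutron_fwaas.db.firewall import firewall_db as fdb
 from neutron_fwaas import extensions
 from neutron_fwaas.services.firewall import fwaas_plugin
-from neutron_fwaas.tests import base
 DB_FW_PLUGIN_KLASS = (
@@ -73,7 +73,7 @@ class FakeAgentApi(fwaas_plugin.FirewallCallbacks):
         self.firewall_deleted(context, firewall['id'], **kwargs)
-class FirewallPluginDbTestCase(base.NeutronDbPluginV2TestCase):
+class FirewallPluginDbTestCase(test_db_plugin.NeutronDbPluginV2TestCase):
     resource_prefix_map = dict(
         (k, firewall.API_PREFIX)
         for k in firewall.RESOURCE_ATTRIBUTE_MAP.keys()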


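--- a/<PATH NOT SHOWN ON PAGE: FWaaS v2 plugin unit test module>
+++ b/<PATH NOT SHOWN ON PAGE: FWaaS v2 plugin unit test module>
@@ -21,6 +21,7 @@ import webob.exc
 from neutron.api import extensions as api_ext
 from neutron.db import servicetype_db as sdb
+from neutron.tests.unit.db import test_db_base_plugin_v2 as test_db_plugin
 from neutron_lib.api.definitions import firewall_v2
 from neutron_lib import constants as nl_constants
 from neutron_lib import context
@@ -33,7 +34,6 @@ from neutron_fwaas import extensions
 from neutron_fwaas.services.firewall import fwaas_plugin_v2
 from neutron_fwaas.services.firewall.service_drivers.driver_api import \
     FirewallDriverDB
-from neutron_fwaas.tests import base
 def http_client_error(req, res):
@@ -51,7 +51,7 @@ class DummyDriverDB(FirewallDriverDB):
         return True
-class FirewallPluginV2TestCase(base.NeutronDbPluginV2TestCase):
+class FirewallPluginV2TestCase(test_db_plugin.NeutronDbPluginV2TestCase):
     DESCRIPTION = 'default description'
     PROTOCOL = 'tcp'
     IP_VERSION = 4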


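--- a/<PATH NOT SHOWN ON PAGE: package entry-point config>
+++ b/<PATH NOT SHOWN ON PAGE: package entry-point config>
@@ -49,6 +49,10 @@ tempest.test_plugins =
 oslo.config.opts =
     neutron.fwaas = neutron_fwaas.opts:list_opts
     firewall.agent = neutron_fwaas.opts:list_agent_opts
+oslo.policy.policies =
+    neutron-fwaas = neutron_fwaas.policies:list_rules
+neutron.policies =
+    neutron-fwaas = neutron_fwaas.policies:list_rules
 neutron.agent.l2.extensions =
     fwaas_v2 = neutron_fwaas.services.firewall.service_drivers.agents.l2.fwaas_v2:FWaaSV2AgentExtension
 neutron.agent.l2.firewall_drivers =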


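--- a/<PATH NOT SHOWN ON PAGE: tox config>
+++ b/<PATH NOT SHOWN ON PAGE: tox config>
@@ -99,6 +99,7 @@ commands =
   {toxinidir}/tools/check_unit_test_structure.sh
   neutron-db-manage --subproject neutron-fwaas --database-connection sqlite:// check_migration
   {[testenv:genconfig]commands}
+  {[testenv:genpolicy]commands}
 whitelist_externals = sh
 [testenv:cover]
@@ -158,6 +159,9 @@ local-check-factory = neutron_lib.hacking.checks.factory
 [testenv:genconfig]
 commands = {toxinidir}/tools/generate_config_file_samples.sh
+[testenv:genpolicy]
+commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
 [testenv:lower-constraints]
 basepython = python3
 deps =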
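Review bot: The added `{[testenv:genpolicy]commands}` line makes every run of this environment (presumably the pep8/lint environment, whose `[testenv:...]` header is outside the first hunk) write `etc/policy.yaml.sample`, the `output_file` set in the new policy.conf; unless that path is ignored by git or is meant to be committed, each lint run dirties the working tree. It is worth confirming that the generated file is handled the same way as the samples produced by `generate_config_file_samples.sh` in the line above it — I cannot see the ignore rules from this diff. A short comment next to the new `[testenv:genpolicy]` section, e.g. `# Writes etc/policy.yaml.sample; see etc/oslo-policy-generator/policy.conf`, would also help whoever next edits the file.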