openstack
/
neutron
Code Issues Proposed changes

Define popular policy rules by constants (part 2) 

This commit defines complex policy rules with constants.

Convenient functions policy_or and policy_and are introduced
so that complex policy rules can be defined easily.

Partially Implements: blueprint neutron-policy-in-code

Change-Id: Id56c787733f5bd016dab7adaf956d676dd358b82
This commit is contained in:
Akihiro Motoki 2018-12-19 04:08:27 +09:00
parent d6c6c68e46
commit 6ad0c2908e
7 changed files with 69 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
neutron/conf/policies/address_scope.py
View File

@ -27,7 +27,8 @@ rules = [
description=('Access rule for creating '
'shared address scope')),
policy.RuleDefault('get_address_scope',
'rule:admin_or_owner or rule:shared_address_scopes',
base.policy_or(base.RULE_ADMIN_OR_OWNER,
'rule:shared_address_scopes'),
description='Access rule for getting address scope'),
policy.RuleDefault('update_address_scope',
base.RULE_ADMIN_OR_OWNER,

26
neutron/conf/policies/base.py
View File

@ -13,6 +13,14 @@
from oslo_policy import policy
def policy_and(*args):
return ' and '.join(args)
def policy_or(*args):
return ' or '.join(args)
# TODO(amotoki): Define these in neutron-lib once what constants are required
# from stadium and 3rd party projects.
# As of now, the following are candidates.
@ -21,8 +29,8 @@ RULE_ADMIN_ONLY = 'rule:admin_only'
RULE_ANY = 'rule:regular_user'
RULE_ADVSVC = 'rule:context_is_advsvc'
RULE_ADMIN_OR_NET_OWNER = 'rule:admin_or_network_owner'
RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC = ' or '.join([RULE_ADMIN_OR_NET_OWNER,
RULE_ADVSVC])
RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC = policy_or(RULE_ADMIN_OR_NET_OWNER,
RULE_ADVSVC)
RULE_ADMIN_OR_PARENT_OWNER = 'rule:admin_or_ext_parent_owner'
@ -37,7 +45,8 @@ rules = [
description='Rule for resource owner access'),
policy.RuleDefault(
'admin_or_owner',
'rule:context_is_admin or rule:owner',
policy_or('rule:context_is_admin',
'rule:owner'),
description='Rule for admin or owner access'),
policy.RuleDefault(
'context_is_advsvc',
@ -45,11 +54,13 @@ rules = [
description='Rule for advsvc role access'),
policy.RuleDefault(
'admin_or_network_owner',
'rule:context_is_admin or tenant_id:%(network:tenant_id)s',
policy_or('rule:context_is_admin',
'tenant_id:%(network:tenant_id)s'),
description='Rule for admin or network owner access'),
policy.RuleDefault(
'admin_owner_or_network_owner',
'rule:owner or rule:admin_or_network_owner',
policy_or('rule:owner',
RULE_ADMIN_OR_NET_OWNER),
description=('Rule for resource owner, '
'admin or network owner access')),
policy.RuleDefault(
@ -67,11 +78,12 @@ rules = [
description='Rule of shared network'),
policy.RuleDefault(
'default',
'rule:admin_or_owner',
RULE_ADMIN_OR_OWNER,
description='Default access rule'),
policy.RuleDefault(
'admin_or_ext_parent_owner',
'rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s',
policy_or('rule:context_is_admin',
'tenant_id:%(ext_parent:tenant_id)s'),
description='Rule for common parent owner check'),
]

6
neutron/conf/policies/network.py
View File

@ -59,8 +59,10 @@ rules = [
policy.RuleDefault(
'get_network',
('rule:admin_or_owner or rule:shared or '
'rule:external or rule:context_is_advsvc'),
base.policy_or(base.RULE_ADMIN_OR_OWNER,
'rule:shared',
'rule:external',
base.RULE_ADVSVC),
description='Access rule for getting shared network'),
policy.RuleDefault(
'get_network:router:external',

59
neutron/conf/policies/port.py
View File

@ -22,7 +22,8 @@ rules = [
description='Rule of port with network device_owner'),
policy.RuleDefault(
'admin_or_data_plane_int',
'rule:context_is_admin or role:data_plane_integrator',
base.policy_or('rule:context_is_admin',
'role:data_plane_integrator'),
description='Rule for data plane integration'),
policy.RuleDefault(
@ -31,33 +32,37 @@ rules = [
description='Access rule for creating port'),
policy.RuleDefault(
'create_port:device_owner',
('not rule:network_device or '
'rule:context_is_advsvc or '
'rule:admin_or_network_owner'),
base.policy_or('not rule:network_device',
base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER),
description='Access rule for creating port with device_owner'),
policy.RuleDefault(
'create_port:mac_address',
'rule:context_is_advsvc or rule:admin_or_network_owner',
base.policy_or(base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER),
description=('Access rule for creating port with mac_address')),
policy.RuleDefault(
'create_port:fixed_ips',
'rule:context_is_advsvc or rule:admin_or_network_owner',
base.policy_or(base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER),
description='Access rule for creating port with fixed_ips'),
policy.RuleDefault(
'create_port:fixed_ips:ip_address',
'rule:context_is_advsvc or rule:admin_or_network_owner',
base.policy_or(base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER),
description=('Access rule for creating port specifying IP address in '
'fixed_ips')),
policy.RuleDefault(
'create_port:fixed_ips:subnet_id',
('rule:context_is_advsvc or '
'rule:admin_or_network_owner or '
'rule:shared'),
base.policy_or(base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER,
'rule:shared'),
description=('Access rule for creating port specifying subnet ID in '
'fixed_ips')),
policy.RuleDefault(
'create_port:port_security_enabled',
'rule:context_is_advsvc or rule:admin_or_network_owner',
base.policy_or(base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER),
description=('Access rule for creating '
'port with port_security_enabled')),
policy.RuleDefault(
@ -79,7 +84,8 @@ rules = [
policy.RuleDefault(
'get_port',
'rule:context_is_advsvc or rule:admin_owner_or_network_owner',
base.policy_or(base.RULE_ADVSVC,
'rule:admin_owner_or_network_owner'),
description='Access rule for getting port'),
policy.RuleDefault(
'get_port:binding:vif_type',
@ -102,36 +108,42 @@ rules = [
policy.RuleDefault(
'update_port',
'rule:admin_or_owner or rule:context_is_advsvc',
base.policy_or(base.RULE_ADMIN_OR_OWNER,
base.RULE_ADVSVC),
description='Access rule for updating port'),
policy.RuleDefault(
'update_port:device_owner',
('not rule:network_device or rule:context_is_advsvc '
'or rule:admin_or_network_owner'),
base.policy_or('not rule:network_device',
base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER),
description='Access rule for updating device_owner of port'),
policy.RuleDefault(
'update_port:mac_address',
'rule:admin_only or rule:context_is_advsvc',
base.policy_or(base.RULE_ADMIN_ONLY,
base.RULE_ADVSVC),
description='Access rule for updating mac_address of port'),
policy.RuleDefault(
'update_port:fixed_ips',
'rule:context_is_advsvc or rule:admin_or_network_owner',
base.policy_or(base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER),
description='Access rule for updating fixed_ips of port'),
policy.RuleDefault(
'update_port:fixed_ips:ip_address',
'rule:context_is_advsvc or rule:admin_or_network_owner',
base.policy_or(base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER),
description=('Access rule for updating port specifying IP address in '
'fixed_ips')),
policy.RuleDefault(
'update_port:fixed_ips:subnet_id',
('rule:context_is_advsvc or '
'rule:admin_or_network_owner or '
'rule:shared'),
base.policy_or(base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER,
'rule:shared'),
description=('Access rule for updating port specifying subnet ID in '
'fixed_ips')),
policy.RuleDefault(
'update_port:port_security_enabled',
'rule:context_is_advsvc or rule:admin_or_network_owner',
base.policy_or(base.RULE_ADVSVC,
base.RULE_ADMIN_OR_NET_OWNER),
description='Access rule for updating port_security_enabled of port'),
policy.RuleDefault(
'update_port:binding:host_id',
@ -153,7 +165,8 @@ rules = [
policy.RuleDefault(
'delete_port',
'rule:context_is_advsvc or rule:admin_owner_or_network_owner',
base.policy_or(base.RULE_ADVSVC,
'rule:admin_owner_or_network_owner'),
description='Access rule for deleting port'),
]

6
neutron/conf/policies/rbac.py
View File

@ -18,7 +18,8 @@ from neutron.conf.policies import base
rules = [
policy.RuleDefault(
'restrict_wildcard',
'(not field:rbac_policy:target_tenant=*) or rule:admin_only',
base.policy_or('(not field:rbac_policy:target_tenant=*)',
base.RULE_ADMIN_ONLY),
description='Rule of restrict wildcard'),
policy.RuleDefault(
@ -36,7 +37,8 @@ rules = [
description='Access rule for updating RBAC policy'),
policy.RuleDefault(
'update_rbac_policy:target_tenant',
'rule:restrict_wildcard and rule:admin_or_owner',
base.policy_and('rule:restrict_wildcard',
base.RULE_ADMIN_OR_OWNER),
description=('Access rule for updating target_tenant '
'attribute of RBAC policy')),
policy.RuleDefault(

3
neutron/conf/policies/subnet.py
View File

@ -28,7 +28,8 @@ rules = [
description=('Access rule for creating '
'subnet with service_type')),
policy.RuleDefault('get_subnet',
'rule:admin_or_owner or rule:shared',
base.policy_or(base.RULE_ADMIN_OR_OWNER,
'rule:shared'),
description='Access rule for getting subnet'),
policy.RuleDefault('get_subnet:segment_id',
base.RULE_ADMIN_ONLY,

3
neutron/conf/policies/subnetpool.py
View File

@ -31,7 +31,8 @@ rules = [
description=('Access rule for creating '
'subnetpool with is_default')),
policy.RuleDefault('get_subnetpool',
'rule:admin_or_owner or rule:shared_subnetpools',
base.policy_or(base.RULE_ADMIN_OR_OWNER,
'rule:shared_subnetpools'),
description='Access rule for getting subnetpool'),
policy.RuleDefault('update_subnetpool',
base.RULE_ADMIN_OR_OWNER,