Update Neutron Configuration for Liberty

This patch includes the updates to the configuration files for Neutron for the Liberty release. Files Removed: - rootwrap.d/nec-plugin.filters - rootwrap.d/ryu-plugin.filters Variables removed due to upstream deprecation: - neutron_l3_router_delete_namespaces - neutron_dhcp_delete_namespaces Defaults changed to match new upstream defaults: - neutron_driver_network_scheduler - neutron_driver_quota Upgrade Notes: - The LinuxBridge configuration has been seperated out from plugins/ml2/ml2_conf.ini to plugins/ml2/linuxbridge_agent.ini - prevent_arp_spoofing is now set to the upstream default, which is True. DocImpact UpgradeImpact Closes-Bug: #1482756 Implements: blueprint liberty-release Change-Id: I879fd37db2e699bc3d48bcdd65ec7888b0f3f1a9
2015-10-14 19:35:45 +01:00 · 2015-10-14 19:35:45 +01:00 · 66dc88adc0
commit 66dc88adc0
parent 725a535335
23 changed files with 149 additions and 142 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -102,11 +102,11 @@ neutron_services:
 neutron-linuxbridge-agent:
   service_name: neutron-linuxbridge-agent
   service_en: True
-   service_conf: plugins/ml2/ml2_conf.ini
+   service_conf: plugins/ml2/linuxbridge_agent.ini
   service_group: neutron_linuxbridge_agent
   service_rootwrap: rootwrap.d/linuxbridge-plugin.filters
-   config_options: --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini
-   config_overrides: "{{ neutron_ml2_conf_ini_overrides }}"
+   config_options: --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini
+   config_overrides: "{{ neutron_linuxbridge_agent_ini_overrides }}"
   config_type: "ini"
 neutron-metadata-agent:
   service_name: neutron-metadata-agent
@ -140,14 +140,14 @@ neutron_services:
   config_options: --config-file /etc/neutron/neutron.conf --config-file "/etc/neutron/{{ neutron_plugins[neutron_plugin_type].plugin_ini }}"

 ## Drivers
-neutron_driver_network_scheduler: neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler
+neutron_driver_network_scheduler: neutron.scheduler.dhcp_agent_scheduler.WeightScheduler
 neutron_driver_router_scheduler: neutron.scheduler.l3_agent_scheduler.LeastRoutersScheduler
 neutron_driver_loadbalancer_pool_scheduler: neutron.services.loadbalancer.agent_scheduler.ChanceScheduler
 neutron_driver_interface: neutron.agent.linux.interface.BridgeInterfaceDriver
 neutron_driver_metering: neutron.services.metering.drivers.iptables.iptables_driver.IptablesMeteringDriver
 neutron_driver_dhcp: neutron.agent.linux.dhcp.Dnsmasq
 neutron_driver_notification: neutron.openstack.common.notifier.rpc_notifier
-neutron_driver_quota: neutron.db.quota_db.DbQuotaDriver
+neutron_driver_quota: neutron.db.quota.driver.DbQuotaDriver
 neutron_driver_firewall: neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

 ## Quotas
@ -218,9 +218,6 @@ neutron_agent_polling_interval: 5
 neutron_report_interval: "{{ neutron_agent_down_time | int / 2 | int }}"
 neutron_network_device_mtu: 1450

-# L3 configuration options
-neutron_l3_router_delete_namespaces: True
-
 # L3HA configuration options.
 neutron_ha_vrrp_advert_int: 2
 neutron_ha_vrrp_auth_password: None
@ -274,7 +271,6 @@ neutron_vxlan_group: ""
 neutron_vxlan_enabled: true

 neutron_dhcp_domain: openstacklocal
-neutron_dhcp_delete_namespaces: True
 # Comma-separated list of DNS servers which will be used by dnsmasq as forwarders.
 neutron_dnsmasq_dns_servers: ""
 # Limit number of leases to prevent a denial-of-service.
@ -350,3 +346,4 @@ neutron_dnsmasq_neutron_conf_overrides: {}
 neutron_l3_agent_ini_overrides: {}
 neutron_metadata_agent_ini_overrides: {}
 neutron_metering_agent_ini_overrides: {}
+neutron_linuxbridge_agent_ini_overrides: {}
--- a/templates/rootwrap.d/debug.filters.j2
+++ b/templates/rootwrap.d/debug.filters.j2
@ -10,5 +10,9 @@

 # This is needed because we should ping
 # from inside a namespace which requires root
+# _alt variants allow to match -c and -w in any order
+#   (used by NeutronDebugAgent.ping_all)
 ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
+ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
 ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
+ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
--- a/templates/rootwrap.d/dhcp.filters.j2
+++ b/templates/rootwrap.d/dhcp.filters.j2
@ -23,10 +23,6 @@ dhcp_release: CommandFilter, dhcp_release, root

 # metadata proxy
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
-# If installed from source (say, by devstack), the prefix will be
-# /usr/local instead of /usr/bin.
-
-metadata_proxy_local: CommandFilter, {{ neutron_bin }}/neutron-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
 kill_metadata: KillFilter, root, python, -9
 kill_metadata7: KillFilter, root, python2.7, -9
--- a/files/rootwrap.d/dibbler.filters
+++ b/files/rootwrap.d/dibbler.filters
@ -0,0 +1,16 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# Filters for the dibbler-based reference implementation of the pluggable
+# Prefix Delegation driver. Other implementations using an alternative agent
+# should include a similar filter in this folder.
+
+# prefix_delegation_agent
+dibbler-client: CommandFilter, dibbler-client, root
--- a/templates/rootwrap.d/nec-plugin.filters.j2
+++ b/templates/rootwrap.d/nec-plugin.filters.j2
@ -8,5 +8,4 @@

 [Filters]

-# nec_neutron_agent
-ovs-vsctl: CommandFilter, ovs-vsctl, root
+ebtables: CommandFilter, ebtables, root
--- a/templates/rootwrap.d/ipset-firewall.filters.j2
+++ b/templates/rootwrap.d/ipset-firewall.filters.j2
--- a/templates/rootwrap.d/iptables-firewall.filters.j2
+++ b/templates/rootwrap.d/iptables-firewall.filters.j2
--- a/templates/rootwrap.d/l3.filters.j2
+++ b/templates/rootwrap.d/l3.filters.j2
@ -18,10 +18,6 @@ radvd: CommandFilter, radvd, root

 # metadata proxy
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
-# If installed from source (say, by devstack), the prefix will be
-# /usr/local instead of /usr/bin.
-
-metadata_proxy_local: CommandFilter, {{ neutron_bin }}/neutron-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
 kill_metadata: KillFilter, root, python, -9
 kill_metadata7: KillFilter, root, python2.7, -9
--- a/templates/rootwrap.d/lbaas-haproxy.filters.j2
+++ b/templates/rootwrap.d/lbaas-haproxy.filters.j2
--- a/templates/rootwrap.d/linuxbridge-plugin.filters.j2
+++ b/templates/rootwrap.d/linuxbridge-plugin.filters.j2
--- a/templates/rootwrap.d/openvswitch-plugin.filters.j2
+++ b/templates/rootwrap.d/openvswitch-plugin.filters.j2
@ -12,6 +12,7 @@
 # unclear whether both variants are necessary, but I'm transliterating
 # from the old mechanism
 ovs-vsctl: CommandFilter, ovs-vsctl, root
+# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
 ovs-ofctl: CommandFilter, ovs-ofctl, root
 kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
 ovsdb-client: CommandFilter, ovsdb-client, root
--- a/files/rootwrap.d/vpnaas.filters
+++ b/files/rootwrap.d/vpnaas.filters
@ -0,0 +1,17 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+ipsec: CommandFilter, ipsec, root
+strongswan: CommandFilter, strongswan, root
+neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
+neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
+chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets
--- a/tasks/neutron_post_install.yml
+++ b/tasks/neutron_post_install.yml
@ -79,34 +79,34 @@
  when:
       - item.value.service_en | bool
       - item.value.service_conf is defined
-       - inventory_hostname in groups['neutron_agents_container']
+       - (inventory_hostname in groups['neutron_agents_container'] or
+         inventory_hostname in groups['neutron_linuxbridge_agent'])
  tags:
    - neutron-config

 - name: Drop neutron Configs
-  template:
+  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: "{{ neutron_system_user_name }}"
    group: "{{ neutron_system_group_name }}"
  with_items:
-    - { src: "rootwrap.d/debug.filters.j2", dest: "/etc/neutron/rootwrap.d/debug.filters" }
-    - { src: "rootwrap.d/ipset-firewall.filters.j2", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" }
-    - { src: "rootwrap.d/iptables-firewall.filters.j2", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" }
-    - { src: "rootwrap.d/nec-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/nec-plugin.filters" }
-    - { src: "rootwrap.d/openvswitch-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" }
-    - { src: "rootwrap.d/ryu-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/ryu-plugin.filters" }
-    - { src: "rootwrap.d/lbaas-haproxy.filters.j2", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" }
-    - { src: "rootwrap.d/vpnaas.filters.j2", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
-    - { src: "rootwrap.d/ebtables.filters.j2", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
+    - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" }
+    - { src: "rootwrap.d/dibbler.filters", dest: "/etc/neutron/rootwrap.d/dibbler.filters" }
+    - { src: "rootwrap.d/ipset-firewall.filters", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" }
+    - { src: "rootwrap.d/iptables-firewall.filters", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" }
+    - { src: "rootwrap.d/openvswitch-plugin.filters", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" }
+    - { src: "rootwrap.d/lbaas-haproxy.filters", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" }
+    - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" }
+    - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" }
  notify:
    - Restart neutron services
  tags:
    - neutron-config

 - name: Drop neutron agent filters
-  template:
-    src: "{{ item.value.service_rootwrap }}.j2"
+  copy:
+    src: "{{ item.value.service_rootwrap }}"
    dest: "/etc/neutron/{{ item.value.service_rootwrap }}"
    owner: "{{ neutron_system_user_name }}"
    group: "{{ neutron_system_group_name }}"
--- a/templates/api-paste.ini.j2
+++ b/templates/api-paste.ini.j2
@ -9,10 +9,10 @@ noauth = request_id catch_errors extensions neutronapiapp_v2_0
 keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0

 [filter:request_id]
-paste.filter_factory = oslo.middleware:RequestId.factory
+paste.filter_factory = oslo_middleware:RequestId.factory

 [filter:catch_errors]
-paste.filter_factory = oslo.middleware:CatchErrors.factory
+paste.filter_factory = oslo_middleware:CatchErrors.factory

 [filter:keystonecontext]
 paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
--- a/templates/dhcp_agent.ini.j2
+++ b/templates/dhcp_agent.ini.j2
@ -24,7 +24,3 @@ dnsmasq_lease_max = {{ neutron_dnsmasq_lease_max }}

 # Metadata
 enable_isolated_metadata = True
-
-# Delete defunct namespaces
-dhcp_delete_namespaces = {{ neutron_dhcp_delete_namespaces }}
-
--- a/templates/l3_agent.ini.j2
+++ b/templates/l3_agent.ini.j2
@ -5,7 +5,9 @@
 verbose = {{ verbose }}
 debug = {{ debug }}

-handle_internal_only_routers = True
+# While this option is deprecated in Liberty, if we remove it then it takes
+# a default value of 'br-ex', which we do not want. We therefore leave it
+# in place for now and can remove it in Mitaka.
 external_network_bridge = {{ neutron_external_network_bridge }}
 gateway_external_network_id = {{ neutron_gateway_external_network_id }}

@ -36,6 +38,3 @@ send_arp_for_ha = 3

 # Metadata
 enable_metadata_proxy = True
-
-# Delete defunct namespaces
-router_delete_namespaces = {{ neutron_l3_router_delete_namespaces }}
--- a/templates/neutron.conf.j2
+++ b/templates/neutron.conf.j2
@ -8,7 +8,6 @@
 verbose = {{ verbose }}
 debug = {{ debug }}
 fatal_deprecations = {{ neutron_fatal_deprecations }}
-use_syslog = False
 log_file = /var/log/neutron/neutron.log

 {% if inventory_hostname in groups['neutron_server'] %}
@ -69,7 +68,7 @@ nova_url = {{ nova_service_adminurl|replace('/%(tenant_id)s', '') }}

 ## Rpc all
 rpc_backend = {{ neutron_rpc_backend }}
-rpc_thread_pool_size = {{ neutron_rpc_thread_pool_size }}
+executor__thread_pool_size = {{ neutron_rpc_thread_pool_size }}
 rpc_conn_pool_size = {{ neutron_rpc_conn_pool_size }}
 rpc_response_timeout = {{ neutron_rpc_response_timeout }}

--- a/templates/plugins/ml2/linuxbridge_agent.ini.j2
+++ b/templates/plugins/ml2/linuxbridge_agent.ini.j2
@ -0,0 +1,32 @@
+# {{ ansible_managed }}
+
+# Linux bridge agent physical interface mappings
+[linux_bridge]
+
+{% if neutron_provider_networks.network_mappings is defined %}
+physical_interface_mappings = {{ neutron_provider_networks.network_mappings }}
+{% endif %}
+
+# Linux bridge agent VXLAN networks
+[vxlan]
+
+{% if neutron_vxlan_enabled | bool %}
+enable_vxlan = True
+vxlan_group = {{ neutron_vxlan_group }}
+# VXLAN local tunnel endpoint
+local_ip = {{ neutron_local_ip }}
+l2_population = {{ neutron_l2_population }}
+
+{% else %}
+
+# Disable VXLAN for deployments with only flat or VLAN networks
+enable_vxlan = False
+{% endif %}
+
+# Agent
+[agent]
+
+# Security groups
+[securitygroup]
+firewall_driver = {{ neutron_driver_firewall }}
+enable_security_group = True
--- a/templates/plugins/ml2/ml2_conf.ini.j2
+++ b/templates/plugins/ml2/ml2_conf.ini.j2
@ -1,12 +1,11 @@
 # {{ ansible_managed }}

-{% if inventory_hostname in groups['neutron_server'] %}
-
 # ML2 general
 [ml2]
 type_drivers = {{ neutron_ml2_drivers_type }}
 tenant_network_types = {{ neutron_provider_networks.network_types }}
 mechanism_drivers = {{ neutron_ml2_mechanism_drivers }}
+extension_drivers = port_security
 path_mtu = 0
 segment_mtu = 0

@ -33,53 +32,9 @@ network_vlan_ranges = {{ neutron_provider_networks.network_vlan_ranges }}
 vxlan_group = {{ neutron_vxlan_group }}
 vni_ranges = {{ neutron_provider_networks.network_vxlan_ranges }}

-{% endif %}
-{% endif %}
-
-{% if inventory_hostname in groups['neutron_linuxbridge_agent'] %}
-
-# Linux bridge agent VXLAN networks
-[vxlan]
-
-{% if neutron_vxlan_enabled | bool %}
-
-enable_vxlan = True
-vxlan_group = {{ neutron_vxlan_group }}
-
-# VXLAN local tunnel endpoint
-local_ip = {{ neutron_local_ip }}
-
-l2_population = {{ neutron_l2_population }}
-
-{% else %}
-
-# Disable VXLAN for deployments with only flat or VLAN networks
-enable_vxlan = False
-
-{% endif %}
-
-{% if neutron_provider_networks.network_mappings is defined %}
-
-# Linux bridge agent physical interface mappings
-[linux_bridge]
-physical_interface_mappings = {{ neutron_provider_networks.network_mappings }}
-
-{% endif %}
-
-# Agent
-[agent]
-# TODO: Allow this to be the default of True once the upstream issue
-# with access through floating IP's is fixed (odyssey4me re: liberty-2)
-prevent_arp_spoofing = False
-
-# L2 population
-[l2pop]
-agent_boot_time = 180
-
 {% endif %}

 # Security groups
 [securitygroup]
 enable_security_group = True
 enable_ipset = True
-firewall_driver = {{ neutron_driver_firewall }}
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@ -1,14 +1,17 @@
 {
    "context_is_admin":  "role:admin",
-    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
+    "owner": "tenant_id:%(tenant_id)s",
+    "admin_or_owner": "rule:context_is_admin or rule:owner",
    "context_is_advsvc":  "role:advsvc",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
+    "admin_owner_or_network_owner": "rule:admin_or_network_owner or rule:owner",
    "admin_only": "rule:context_is_admin",
    "regular_user": "",
    "shared": "field:networks:shared=True",
    "shared_firewalls": "field:firewalls:shared=True",
    "shared_firewall_policies": "field:firewall_policies:shared=True",
    "shared_subnetpools": "field:subnetpools:shared=True",
+    "shared_address_scopes": "field:address_scopes:shared=True",
    "external": "field:networks:router:external=True",
    "default": "rule:admin_or_owner",

@ -23,6 +26,13 @@
    "update_subnetpool": "rule:admin_or_owner",
    "delete_subnetpool": "rule:admin_or_owner",

+    "create_address_scope": "",
+    "create_address_scope:shared": "rule:admin_only",
+    "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
+    "update_address_scope": "rule:admin_or_owner",
+    "update_address_scope:shared": "rule:admin_only",
+    "delete_address_scope": "rule:admin_or_owner",
+
    "create_network": "",
    "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
    "get_network:router:external": "rule:regular_user",
@ -46,27 +56,32 @@
    "update_network:router:external": "rule:admin_only",
    "delete_network": "rule:admin_or_owner",

+    "network_device": "field:port:device_owner=~^network:",
    "create_port": "",
+    "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
    "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
    "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
    "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
    "create_port:binding:host_id": "rule:admin_only",
    "create_port:binding:profile": "rule:admin_only",
    "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
-    "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
+    "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
+    "get_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
    "get_port:queue_id": "rule:admin_only",
    "get_port:binding:vif_type": "rule:admin_only",
    "get_port:binding:vif_details": "rule:admin_only",
    "get_port:binding:host_id": "rule:admin_only",
    "get_port:binding:profile": "rule:admin_only",
    "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
+    "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
    "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
    "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
    "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
    "update_port:binding:host_id": "rule:admin_only",
    "update_port:binding:profile": "rule:admin_only",
    "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
-    "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
+    "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
+    "delete_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",

    "get_router:ha": "rule:admin_only",
    "create_router": "rule:regular_user",
@ -100,6 +115,9 @@
    "update_firewall_policy": "rule:admin_or_owner",
    "delete_firewall_policy": "rule:admin_or_owner",

+    "insert_rule": "rule:admin_or_owner",
+    "remove_rule": "rule:admin_or_owner",
+
    "create_firewall_rule": "",
    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
    "update_firewall_rule": "rule:admin_or_owner",
@ -150,5 +168,34 @@

    "get_service_provider": "rule:regular_user",
    "get_lsn": "rule:admin_only",
-    "create_lsn": "rule:admin_only"
+    "create_lsn": "rule:admin_only",
+
+    "create_flavor": "rule:admin_only",
+    "update_flavor": "rule:admin_only",
+    "delete_flavor": "rule:admin_only",
+    "get_flavors": "rule:regular_user",
+    "get_flavor": "rule:regular_user",
+    "create_service_profile": "rule:admin_only",
+    "update_service_profile": "rule:admin_only",
+    "delete_service_profile": "rule:admin_only",
+    "get_service_profiles": "rule:admin_only",
+    "get_service_profile": "rule:admin_only",
+
+    "get_policy": "rule:regular_user",
+    "create_policy": "rule:admin_only",
+    "update_policy": "rule:admin_only",
+    "delete_policy": "rule:admin_only",
+    "get_policy_bandwidth_limit_rule": "rule:regular_user",
+    "create_policy_bandwidth_limit_rule": "rule:admin_only",
+    "delete_policy_bandwidth_limit_rule": "rule:admin_only",
+    "update_policy_bandwidth_limit_rule": "rule:admin_only",
+    "get_rule_type": "rule:regular_user",
+
+    "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
+    "create_rbac_policy": "",
+    "create_rbac_policy:target_tenant": "rule:restrict_wildcard",
+    "update_rbac_policy": "rule:admin_or_owner",
+    "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
+    "get_rbac_policy": "rule:admin_or_owner",
+    "delete_rbac_policy": "rule:admin_or_owner"
 }
--- a/templates/rootwrap.d/ebtables.filters.j2
+++ b/templates/rootwrap.d/ebtables.filters.j2
@ -1,13 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# neutron/agent/linux/ebtables_driver.py
-ebtables: CommandFilter, ebtables, root
-ebtablesEnv: EnvFilter, ebtables, root, EBTABLES_ATOMIC_FILE=
--- a/templates/rootwrap.d/ryu-plugin.filters.j2
+++ b/templates/rootwrap.d/ryu-plugin.filters.j2
@ -1,21 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# ryu-agent
-# unclear whether both variants are necessary, but I'm transliterating
-# from the old mechanism
-
-# neutron/plugins/ryu/agent/ryu_neutron_agent.py:
-#   "ovs-vsctl", "--timeout=2", ...
-ovs-vsctl: CommandFilter, ovs-vsctl, root
-
-# neutron/plugins/ryu/agent/ryu_neutron_agent.py:
-#   "xe", "vif-param-get", ...
-xe: CommandFilter, xe, root
--- a/templates/rootwrap.d/vpnaas.filters.j2
+++ b/templates/rootwrap.d/vpnaas.filters.j2
@ -1,13 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-ip: IpFilter, ip, root
-ip_exec: IpNetnsExecFilter, ip, root
-openswan: CommandFilter, ipsec, root