diff --git a/playbooks/roles/os_neutron/defaults/main.yml b/playbooks/roles/os_neutron/defaults/main.yml index afb16cbf48..6e85a1d23c 100644 --- a/playbooks/roles/os_neutron/defaults/main.yml +++ b/playbooks/roles/os_neutron/defaults/main.yml @@ -102,11 +102,11 @@ neutron_services: neutron-linuxbridge-agent: service_name: neutron-linuxbridge-agent service_en: True - service_conf: plugins/ml2/ml2_conf.ini + service_conf: plugins/ml2/linuxbridge_agent.ini service_group: neutron_linuxbridge_agent service_rootwrap: rootwrap.d/linuxbridge-plugin.filters - config_options: --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini - config_overrides: "{{ neutron_ml2_conf_ini_overrides }}" + config_options: --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini + config_overrides: "{{ neutron_linuxbridge_agent_ini_overrides }}" config_type: "ini" neutron-metadata-agent: service_name: neutron-metadata-agent 
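Review bot: Switching `config_overrides` to `neutron_linuxbridge_agent_ini_overrides` means any deployer entries in `neutron_ml2_conf_ini_overrides` that targeted the agent-only sections ([linux_bridge], [vxlan], [agent], [securitygroup]) silently stop reaching the linuxbridge agent, and nothing in the hunk points at the new variable. A comment above the service entry such as `# agent-side settings are overridden via neutron_linuxbridge_agent_ini_overrides; neutron_ml2_conf_ini_overrides now only affects ml2_conf.ini` would make the split visible. The new `config_options` value lists ml2_conf.ini before linuxbridge_agent.ini, and with oslo.config the later file wins on duplicated keys; if that ordering is deliberate it is worth stating in the same comment. The `neutron_services` mapping this entry belongs to starts outside the hunk.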
@@ -140,14 +140,14 @@ neutron_services: config_options: --config-file /etc/neutron/neutron.conf --config-file "/etc/neutron/{{ neutron_plugins[neutron_plugin_type].plugin_ini }}" ## Drivers -neutron_driver_network_scheduler: neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler +neutron_driver_network_scheduler: neutron.scheduler.dhcp_agent_scheduler.WeightScheduler neutron_driver_router_scheduler: neutron.scheduler.l3_agent_scheduler.LeastRoutersScheduler neutron_driver_loadbalancer_pool_scheduler: neutron.services.loadbalancer.agent_scheduler.ChanceScheduler neutron_driver_interface: neutron.agent.linux.interface.BridgeInterfaceDriver neutron_driver_metering: neutron.services.metering.drivers.iptables.iptables_driver.IptablesMeteringDriver neutron_driver_dhcp: neutron.agent.linux.dhcp.Dnsmasq neutron_driver_notification: neutron.openstack.common.notifier.rpc_notifier -neutron_driver_quota: neutron.db.quota_db.DbQuotaDriver +neutron_driver_quota: neutron.db.quota.driver.DbQuotaDriver neutron_driver_firewall: neutron.agent.linux.iptables_firewall.IptablesFirewallDriver ## Quotas @@ -218,9 +218,6 @@ neutron_agent_polling_interval: 5 neutron_report_interval: "{{ neutron_agent_down_time | int / 2 | int }}" neutron_network_device_mtu: 1450 -# L3 configuration options -neutron_l3_router_delete_namespaces: True - # L3HA configuration options. neutron_ha_vrrp_advert_int: 2 neutron_ha_vrrp_auth_password: None @@ -274,7 +271,6 @@ neutron_vxlan_group: "" neutron_vxlan_enabled: true neutron_dhcp_domain: openstacklocal -neutron_dhcp_delete_namespaces: True # Comma-separated list of DNS servers which will be used by dnsmasq as forwarders. neutron_dnsmasq_dns_servers: "" # Limit number of leases to prevent a denial-of-service. @@ -350,3 +346,4 @@ neutron_dnsmasq_neutron_conf_overrides: {} neutron_l3_agent_ini_overrides: {} neutron_metadata_agent_ini_overrides: {} neutron_metering_agent_ini_overrides: {} +neutron_linuxbridge_agent_ini_overrides: {} 
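Review bot: The hunk relocates only the quota driver (`neutron.db.quota_db` → `neutron.db.quota.driver`), while the surrounding context still points `neutron_driver_notification` at `neutron.openstack.common.notifier.rpc_notifier` and `neutron_driver_loadbalancer_pool_scheduler` at `neutron.services.loadbalancer.agent_scheduler.ChanceScheduler`. If the target release is the one that moved the quota driver, the incubated `neutron.openstack.common` namespace may well be gone too, so each remaining driver path should be confirmed to import before the defaults are relied on. A short comment recording which release the paths were checked against, e.g. `## Drivers (module paths checked against <neutron release>)`, would make the next bump easier to review.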
diff --git a/playbooks/roles/os_neutron/templates/rootwrap.d/debug.filters.j2 b/playbooks/roles/os_neutron/files/rootwrap.d/debug.filters similarity index 66% rename from playbooks/roles/os_neutron/templates/rootwrap.d/debug.filters.j2 rename to playbooks/roles/os_neutron/files/rootwrap.d/debug.filters index b61d960178..8d72ce2b1e 100644 --- a/playbooks/roles/os_neutron/templates/rootwrap.d/debug.filters.j2 +++ b/playbooks/roles/os_neutron/files/rootwrap.d/debug.filters @@ -10,5 +10,9 @@ # This is needed because we should ping # from inside a namespace which requires root +# _alt variants allow to match -c and -w in any order +# (used by NeutronDebugAgent.ping_all) ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+ +ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+ ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+ +ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+ \ No newline at end of file diff --git a/playbooks/roles/os_neutron/templates/rootwrap.d/dhcp.filters.j2 b/playbooks/roles/os_neutron/files/rootwrap.d/dhcp.filters similarity index 85% rename from playbooks/roles/os_neutron/templates/rootwrap.d/dhcp.filters.j2 rename to playbooks/roles/os_neutron/files/rootwrap.d/dhcp.filters index 07bac489e2..156c9cfa54 100644 --- a/playbooks/roles/os_neutron/templates/rootwrap.d/dhcp.filters.j2 +++ b/playbooks/roles/os_neutron/files/rootwrap.d/dhcp.filters @@ -23,10 +23,6 @@ dhcp_release: CommandFilter, dhcp_release, root # metadata proxy metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root -# If installed from source (say, by devstack), the prefix will be -# /usr/local instead of /usr/bin. - -metadata_proxy_local: CommandFilter, {{ neutron_bin }}/neutron-ns-metadata-proxy, root # RHEL invocation of the metadata proxy will report /usr/bin/python kill_metadata: KillFilter, root, python, -9 kill_metadata7: KillFilter, root, python2.7, -9 
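Review bot: The new side still ends without a trailing newline (`\ No newline at end of file` after the `ping6_alt` line). Now that the file is copied verbatim instead of rendered, a final newline keeps a later appended entry from fusing with `ping6_alt` and keeps future diffs clean. This is a style point only; the `_alt` entries mirror their `-w`/`-c` counterparts consistently.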
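Review bot: Dropping `metadata_proxy_local: CommandFilter, {{ neutron_bin }}/neutron-ns-metadata-proxy, root` leaves only the bare `metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root` entry, which rootwrap can only resolve if the directory holding the binary is listed in rootwrap.conf's `exec_dirs`. If neutron is installed under the path the role calls `neutron_bin` and that directory is not in `exec_dirs`, the dhcp agent's metadata proxy launch will be refused; rootwrap.conf is not part of this diff, so please confirm it is rendered with that directory. The l3.filters hunk makes the identical removal. The [Filters] section these entries belong to starts outside the hunk.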
diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/dibbler.filters b/playbooks/roles/os_neutron/files/rootwrap.d/dibbler.filters new file mode 100644 index 0000000000..eea55252f3 --- /dev/null +++ b/playbooks/roles/os_neutron/files/rootwrap.d/dibbler.filters @@ -0,0 +1,16 @@ +# neutron-rootwrap command filters for nodes on which neutron is +# expected to control network +# +# This file should be owned by (and only-writeable by) the root user + +# format seems to be +# cmd-name: filter-name, raw-command, user, args + +[Filters] + +# Filters for the dibbler-based reference implementation of the pluggable +# Prefix Delegation driver. Other implementations using an alternative agent +# should include a similar filter in this folder. + +# prefix_delegation_agent +dibbler-client: CommandFilter, dibbler-client, root diff --git a/playbooks/roles/os_neutron/templates/rootwrap.d/nec-plugin.filters.j2 b/playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters similarity index 80% rename from playbooks/roles/os_neutron/templates/rootwrap.d/nec-plugin.filters.j2 rename to playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters index 89c4cfe355..8e810e7b55 100644 --- a/playbooks/roles/os_neutron/templates/rootwrap.d/nec-plugin.filters.j2 +++ b/playbooks/roles/os_neutron/files/rootwrap.d/ebtables.filters @@ -8,5 +8,4 @@ [Filters] -# nec_neutron_agent -ovs-vsctl: CommandFilter, ovs-vsctl, root +ebtables: CommandFilter, ebtables, root diff --git a/playbooks/roles/os_neutron/templates/rootwrap.d/ipset-firewall.filters.j2 b/playbooks/roles/os_neutron/files/rootwrap.d/ipset-firewall.filters similarity index 100% rename from playbooks/roles/os_neutron/templates/rootwrap.d/ipset-firewall.filters.j2 rename to playbooks/roles/os_neutron/files/rootwrap.d/ipset-firewall.filters 
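Review bot: The renamed file keeps a single `ebtables: CommandFilter, ebtables, root` entry, whereas the `ebtables.filters.j2` template this commit deletes also carried `ebtablesEnv: EnvFilter, ebtables, root, EBTABLES_ATOMIC_FILE=`. If any caller in the targeted release still invokes ebtables with `EBTABLES_ATOMIC_FILE` in its environment, rootwrap will now reject that call; either restore the EnvFilter line or record why it is gone, e.g. `# EBTABLES_ATOMIC_FILE EnvFilter dropped: no caller sets it in <neutron release>`. The file header is outside this hunk.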
diff --git a/playbooks/roles/os_neutron/templates/rootwrap.d/iptables-firewall.filters.j2 b/playbooks/roles/os_neutron/files/rootwrap.d/iptables-firewall.filters similarity index 100% rename from playbooks/roles/os_neutron/templates/rootwrap.d/iptables-firewall.filters.j2 rename to playbooks/roles/os_neutron/files/rootwrap.d/iptables-firewall.filters diff --git a/playbooks/roles/os_neutron/templates/rootwrap.d/l3.filters.j2 b/playbooks/roles/os_neutron/files/rootwrap.d/l3.filters similarity index 89% rename from playbooks/roles/os_neutron/templates/rootwrap.d/l3.filters.j2 rename to playbooks/roles/os_neutron/files/rootwrap.d/l3.filters index 9f09f32830..0fdf60cd1e 100644 --- a/playbooks/roles/os_neutron/templates/rootwrap.d/l3.filters.j2 +++ b/playbooks/roles/os_neutron/files/rootwrap.d/l3.filters @@ -18,10 +18,6 @@ radvd: CommandFilter, radvd, root # metadata proxy metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root -# If installed from source (say, by devstack), the prefix will be -# /usr/local instead of /usr/bin. - -metadata_proxy_local: CommandFilter, {{ neutron_bin }}/neutron-ns-metadata-proxy, root # RHEL invocation of the metadata proxy will report /usr/bin/python kill_metadata: KillFilter, root, python, -9 kill_metadata7: KillFilter, root, python2.7, -9 diff --git a/playbooks/roles/os_neutron/templates/rootwrap.d/lbaas-haproxy.filters.j2 b/playbooks/roles/os_neutron/files/rootwrap.d/lbaas-haproxy.filters similarity index 100% rename from playbooks/roles/os_neutron/templates/rootwrap.d/lbaas-haproxy.filters.j2 rename to playbooks/roles/os_neutron/files/rootwrap.d/lbaas-haproxy.filters diff --git a/playbooks/roles/os_neutron/templates/rootwrap.d/linuxbridge-plugin.filters.j2 b/playbooks/roles/os_neutron/files/rootwrap.d/linuxbridge-plugin.filters similarity index 100% rename from playbooks/roles/os_neutron/templates/rootwrap.d/linuxbridge-plugin.filters.j2 rename to playbooks/roles/os_neutron/files/rootwrap.d/linuxbridge-plugin.filters 
diff --git a/playbooks/roles/os_neutron/templates/rootwrap.d/openvswitch-plugin.filters.j2 b/playbooks/roles/os_neutron/files/rootwrap.d/openvswitch-plugin.filters similarity index 92% rename from playbooks/roles/os_neutron/templates/rootwrap.d/openvswitch-plugin.filters.j2 rename to playbooks/roles/os_neutron/files/rootwrap.d/openvswitch-plugin.filters index ed7f1ce78c..c738733bb4 100644 --- a/playbooks/roles/os_neutron/templates/rootwrap.d/openvswitch-plugin.filters.j2 +++ b/playbooks/roles/os_neutron/files/rootwrap.d/openvswitch-plugin.filters @@ -12,6 +12,7 @@ # unclear whether both variants are necessary, but I'm transliterating # from the old mechanism ovs-vsctl: CommandFilter, ovs-vsctl, root +# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl ovs-ofctl: CommandFilter, ovs-ofctl, root kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9 ovsdb-client: CommandFilter, ovsdb-client, root diff --git a/playbooks/roles/os_neutron/files/rootwrap.d/vpnaas.filters b/playbooks/roles/os_neutron/files/rootwrap.d/vpnaas.filters new file mode 100644 index 0000000000..d834404a35 --- /dev/null +++ b/playbooks/roles/os_neutron/files/rootwrap.d/vpnaas.filters @@ -0,0 +1,17 @@ +# neutron-rootwrap command filters for nodes on which neutron is +# expected to control network +# +# This file should be owned by (and only-writeable by) the root user + +# format seems to be +# cmd-name: filter-name, raw-command, user, args + +[Filters] + +ip: IpFilter, ip, root +ip_exec: IpNetnsExecFilter, ip, root +ipsec: CommandFilter, ipsec, root +strongswan: CommandFilter, strongswan, root +neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root +neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root +chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets 
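Review bot: `neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root` hard-codes `/usr/local/bin`, although the role otherwise locates binaries through `neutron_bin` (the `metadata_proxy_local` line removed elsewhere in this commit used `{{ neutron_bin }}`). Because this is now a static file, a deployment whose wrapper lives under another prefix gets no matching absolute-path filter and depends solely on the bare `neutron_netns_wrapper` entry plus rootwrap's `exec_dirs` lookup. Either drop the `_local` line as was done for the metadata proxy, or keep this one file templated; a comment stating which of the two entries is expected to resolve the wrapper would help whoever debugs a refused call.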
diff --git a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml index d6745f79ba..c8513e195c 100644 --- a/playbooks/roles/os_neutron/tasks/neutron_post_install.yml +++ b/playbooks/roles/os_neutron/tasks/neutron_post_install.yml 
@@ -79,34 +79,34 @@ when: - item.value.service_en | bool - item.value.service_conf is defined - - inventory_hostname in groups['neutron_agents_container'] + - (inventory_hostname in groups['neutron_agents_container'] or + inventory_hostname in groups['neutron_linuxbridge_agent']) tags: - neutron-config - name: Drop neutron Configs - template: + copy: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: "{{ neutron_system_user_name }}" group: "{{ neutron_system_group_name }}" with_items: - - { src: "rootwrap.d/debug.filters.j2", dest: "/etc/neutron/rootwrap.d/debug.filters" } - - { src: "rootwrap.d/ipset-firewall.filters.j2", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" } - - { src: "rootwrap.d/iptables-firewall.filters.j2", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" } - - { src: "rootwrap.d/nec-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/nec-plugin.filters" } - - { src: "rootwrap.d/openvswitch-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" } - - { src: "rootwrap.d/ryu-plugin.filters.j2", dest: "/etc/neutron/rootwrap.d/ryu-plugin.filters" } - - { src: "rootwrap.d/lbaas-haproxy.filters.j2", dest: "/etc/neutron/rootwrap.d/lbaas-haproxy.filters" } - - { src: "rootwrap.d/vpnaas.filters.j2", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" } - - { src: "rootwrap.d/ebtables.filters.j2", dest: "/etc/neutron/rootwrap.d/ebtables.filters" } + - { src: "rootwrap.d/debug.filters", dest: "/etc/neutron/rootwrap.d/debug.filters" } + - { src: "rootwrap.d/dibbler.filters", dest: "/etc/neutron/rootwrap.d/dibbler.filters" } + - { src: "rootwrap.d/ipset-firewall.filters", dest: "/etc/neutron/rootwrap.d/ipset-firewall.filters" } + - { src: "rootwrap.d/iptables-firewall.filters", dest: "/etc/neutron/rootwrap.d/iptables-firewall.filters" } + - { src: "rootwrap.d/openvswitch-plugin.filters", dest: "/etc/neutron/rootwrap.d/openvswitch-plugin.filters" } + - { src: "rootwrap.d/lbaas-haproxy.filters", dest: 
"/etc/neutron/rootwrap.d/lbaas-haproxy.filters" } + - { src: "rootwrap.d/vpnaas.filters", dest: "/etc/neutron/rootwrap.d/vpnaas.filters" } + - { src: "rootwrap.d/ebtables.filters", dest: "/etc/neutron/rootwrap.d/ebtables.filters" } notify: - Restart neutron services tags: - neutron-config - name: Drop neutron agent filters - template: - src: "{{ item.value.service_rootwrap }}.j2" + copy: + src: "{{ item.value.service_rootwrap }}" dest: "/etc/neutron/{{ item.value.service_rootwrap }}" owner: "{{ neutron_system_user_name }}" group: "{{ neutron_system_group_name }}" diff --git a/playbooks/roles/os_neutron/templates/api-paste.ini.j2 b/playbooks/roles/os_neutron/templates/api-paste.ini.j2 index 780853da8f..4fb3ddbae3 100644 --- a/playbooks/roles/os_neutron/templates/api-paste.ini.j2 +++ b/playbooks/roles/os_neutron/templates/api-paste.ini.j2 @@ -9,10 +9,10 @@ noauth = request_id catch_errors extensions neutronapiapp_v2_0 keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0 [filter:request_id] -paste.filter_factory = oslo.middleware:RequestId.factory +paste.filter_factory = oslo_middleware:RequestId.factory [filter:catch_errors] -paste.filter_factory = oslo.middleware:CatchErrors.factory +paste.filter_factory = oslo_middleware:CatchErrors.factory [filter:keystonecontext] paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory @@ -27,4 +27,4 @@ paste.filter_factory = neutron.api.extensions:plugin_aware_extension_middleware_ paste.app_factory = neutron.api.versions:Versions.factory [app:neutronapiapp_v2_0] -paste.app_factory = neutron.api.v2.router:APIRouter.factory \ No newline at end of file +paste.app_factory = neutron.api.v2.router:APIRouter.factory diff --git a/playbooks/roles/os_neutron/templates/dhcp_agent.ini.j2 b/playbooks/roles/os_neutron/templates/dhcp_agent.ini.j2 index 52dce45029..5cddf98895 100644 --- a/playbooks/roles/os_neutron/templates/dhcp_agent.ini.j2 
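Review bot: Both `copy` tasks install rootwrap filter files under `/etc/neutron/rootwrap.d/` with `owner: "{{ neutron_system_user_name }}"` and `group: "{{ neutron_system_group_name }}"` and no `mode`, yet the filter files added in this same commit (dibbler.filters, vpnaas.filters) state that they should be owned and only-writeable by root. rootwrap runs as root and trusts these files, so anything able to write them as the service user can extend what runs as root; set `owner: root`, `group: root`, `mode: "0644"` on both tasks, since the filters only need to be readable. Separately, the widened `when` clause at the top of the hunk renders every service config that has `service_conf` defined on `neutron_linuxbridge_agent` hosts, not only the linuxbridge agent's; if a group exists for each service, `- inventory_hostname in groups[item.value.service_group]` would scope it per service. The task owning that `when` clause starts outside the hunk.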
+++ b/playbooks/roles/os_neutron/templates/dhcp_agent.ini.j2 @@ -24,7 +24,3 @@ dnsmasq_lease_max = {{ neutron_dnsmasq_lease_max }} # Metadata enable_isolated_metadata = True - -# Delete defunct namespaces -dhcp_delete_namespaces = {{ neutron_dhcp_delete_namespaces }} - diff --git a/playbooks/roles/os_neutron/templates/l3_agent.ini.j2 b/playbooks/roles/os_neutron/templates/l3_agent.ini.j2 index 10022484fa..2f87106581 100644 --- a/playbooks/roles/os_neutron/templates/l3_agent.ini.j2 +++ b/playbooks/roles/os_neutron/templates/l3_agent.ini.j2 @@ -5,7 +5,9 @@ verbose = {{ verbose }} debug = {{ debug }} -handle_internal_only_routers = True +# While this option is deprecated in Liberty, if we remove it then it takes +# a default value of 'br-ex', which we do not want. We therefore leave it +# in place for now and can remove it in Mitaka. external_network_bridge = {{ neutron_external_network_bridge }} gateway_external_network_id = {{ neutron_gateway_external_network_id }} @@ -36,6 +38,3 @@ send_arp_for_ha = 3 # Metadata enable_metadata_proxy = True - -# Delete defunct namespaces -router_delete_namespaces = {{ neutron_l3_router_delete_namespaces }} diff --git a/playbooks/roles/os_neutron/templates/neutron.conf.j2 b/playbooks/roles/os_neutron/templates/neutron.conf.j2 index b43d485a88..e62b46dbb5 100644 --- a/playbooks/roles/os_neutron/templates/neutron.conf.j2 +++ b/playbooks/roles/os_neutron/templates/neutron.conf.j2 @@ -8,7 +8,6 @@ verbose = {{ verbose }} debug = {{ debug }} fatal_deprecations = {{ neutron_fatal_deprecations }} -use_syslog = False log_file = /var/log/neutron/neutron.log {% if inventory_hostname in groups['neutron_server'] %} 
@@ -69,7 +68,7 @@ nova_url = {{ nova_service_adminurl|replace('/%(tenant_id)s', '') }} ## Rpc all rpc_backend = {{ neutron_rpc_backend }} -rpc_thread_pool_size = {{ neutron_rpc_thread_pool_size }} +executor__thread_pool_size = {{ neutron_rpc_thread_pool_size }} rpc_conn_pool_size = {{ neutron_rpc_conn_pool_size }} rpc_response_timeout = {{ neutron_rpc_response_timeout }} diff --git a/playbooks/roles/os_neutron/templates/plugins/ml2/linuxbridge_agent.ini.j2 b/playbooks/roles/os_neutron/templates/plugins/ml2/linuxbridge_agent.ini.j2 new file mode 100644 index 0000000000..d471e3bb8e --- /dev/null +++ b/playbooks/roles/os_neutron/templates/plugins/ml2/linuxbridge_agent.ini.j2 @@ -0,0 +1,32 @@ +# {{ ansible_managed }} + +# Linux bridge agent physical interface mappings +[linux_bridge] + +{% if neutron_provider_networks.network_mappings is defined %} +physical_interface_mappings = {{ neutron_provider_networks.network_mappings }} +{% endif %} + +# Linux bridge agent VXLAN networks +[vxlan] + +{% if neutron_vxlan_enabled | bool %} +enable_vxlan = True +vxlan_group = {{ neutron_vxlan_group }} +# VXLAN local tunnel endpoint +local_ip = {{ neutron_local_ip }} +l2_population = {{ neutron_l2_population }} + +{% else %} + +# Disable VXLAN for deployments with only flat or VLAN networks +enable_vxlan = False +{% endif %} + +# Agent +[agent] + +# Security groups +[securitygroup] +firewall_driver = {{ neutron_driver_firewall }} +enable_security_group = True diff --git a/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 b/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 index 72edb64c1a..5aae8132e4 100644 --- a/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 +++ b/playbooks/roles/os_neutron/templates/plugins/ml2/ml2_conf.ini.j2 
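Review bot: `executor__thread_pool_size` on the added line has a doubled underscore; the oslo.messaging option that replaced `rpc_thread_pool_size` is `executor_thread_pool_size`, so as written the value of `neutron_rpc_thread_pool_size` is silently ignored and the pool size falls back to the library default. Change the line to `executor_thread_pool_size = {{ neutron_rpc_thread_pool_size }}`. The section this option belongs to starts outside the hunk.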
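Review bot: The new `[agent]` section is left empty, so `prevent_arp_spoofing` now takes the agent's built-in default, whereas the ml2_conf.ini block this commit removes pinned it to `False` with a TODO tying that to an unresolved floating-IP issue; the `[l2pop] agent_boot_time = 180` setting is dropped the same way. If the upstream issue is fixed in the targeted release this is the desired outcome, but it is a security-relevant change of behaviour that deserves a line in the file, e.g. `# prevent_arp_spoofing intentionally left at the agent default (supersedes the removed ml2_conf.ini TODO)` under `[agent]`. Otherwise the explicit `prevent_arp_spoofing = False` with its TODO should move here rather than disappear.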
@@ -1,12 +1,11 @@ # {{ ansible_managed }} -{% if inventory_hostname in groups['neutron_server'] %} - # ML2 general [ml2] type_drivers = {{ neutron_ml2_drivers_type }} tenant_network_types = {{ neutron_provider_networks.network_types }} mechanism_drivers = {{ neutron_ml2_mechanism_drivers }} +extension_drivers = port_security path_mtu = 0 segment_mtu = 0 @@ -33,53 +32,9 @@ network_vlan_ranges = {{ neutron_provider_networks.network_vlan_ranges }} vxlan_group = {{ neutron_vxlan_group }} vni_ranges = {{ neutron_provider_networks.network_vxlan_ranges }} -{% endif %} -{% endif %} - -{% if inventory_hostname in groups['neutron_linuxbridge_agent'] %} - -# Linux bridge agent VXLAN networks -[vxlan] - -{% if neutron_vxlan_enabled | bool %} - -enable_vxlan = True -vxlan_group = {{ neutron_vxlan_group }} - -# VXLAN local tunnel endpoint -local_ip = {{ neutron_local_ip }} - -l2_population = {{ neutron_l2_population }} - -{% else %} - -# Disable VXLAN for deployments with only flat or VLAN networks -enable_vxlan = False - -{% endif %} - -{% if neutron_provider_networks.network_mappings is defined %} - -# Linux bridge agent physical interface mappings -[linux_bridge] -physical_interface_mappings = {{ neutron_provider_networks.network_mappings }} - -{% endif %} - -# Agent -[agent] -# TODO: Allow this to be the default of True once the upstream issue -# with access through floating IP's is fixed (odyssey4me re: liberty-2) -prevent_arp_spoofing = False - -# L2 population -[l2pop] -agent_boot_time = 180 - {% endif %} # Security groups [securitygroup] enable_security_group = True enable_ipset = True -firewall_driver = {{ neutron_driver_firewall }} diff --git a/playbooks/roles/os_neutron/templates/policy.json.j2 b/playbooks/roles/os_neutron/templates/policy.json.j2 index ae46bc2cd4..4aab8d5190 100644 --- a/playbooks/roles/os_neutron/templates/policy.json.j2 +++ b/playbooks/roles/os_neutron/templates/policy.json.j2 
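Review bot: After the deletions one `{% endif %}` remains on the new side directly below `vni_ranges`, and its opening `{% if %}` has to lie in the unchanged lines between the two hunks (the first hunk drops the `neutron_server` guard at the top, this one drops two `{% endif %}` lines and the `neutron_linuxbridge_agent` guard). Please double-check the rendered template still balances, because an unmatched tag surfaces only at render time on every host that gets ml2_conf.ini. Moving `firewall_driver` out of `[securitygroup]` here is consistent with it now being set in linuxbridge_agent.ini.j2.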
@@ -1,14 +1,17 @@ { "context_is_admin": "role:admin", - "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s", + "owner": "tenant_id:%(tenant_id)s", + "admin_or_owner": "rule:context_is_admin or rule:owner", "context_is_advsvc": "role:advsvc", "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s", + "admin_owner_or_network_owner": "rule:admin_or_network_owner or rule:owner", "admin_only": "rule:context_is_admin", "regular_user": "", "shared": "field:networks:shared=True", "shared_firewalls": "field:firewalls:shared=True", "shared_firewall_policies": "field:firewall_policies:shared=True", "shared_subnetpools": "field:subnetpools:shared=True", + "shared_address_scopes": "field:address_scopes:shared=True", "external": "field:networks:router:external=True", "default": "rule:admin_or_owner", @@ -23,6 +26,13 @@ "update_subnetpool": "rule:admin_or_owner", "delete_subnetpool": "rule:admin_or_owner", + "create_address_scope": "", + "create_address_scope:shared": "rule:admin_only", + "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes", + "update_address_scope": "rule:admin_or_owner", + "update_address_scope:shared": "rule:admin_only", + "delete_address_scope": "rule:admin_or_owner", + "create_network": "", "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc", "get_network:router:external": "rule:regular_user", 
@@ -46,27 +56,32 @@ "update_network:router:external": "rule:admin_only", "delete_network": "rule:admin_or_owner", + "network_device": "field:port:device_owner=~^network:", "create_port": "", + "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc", "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc", "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc", "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", "create_port:binding:host_id": "rule:admin_only", "create_port:binding:profile": "rule:admin_only", "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", - "get_port": "rule:admin_or_owner or rule:context_is_advsvc", + "create_port:allowed_address_pairs": "rule:admin_or_network_owner", + "get_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc", "get_port:queue_id": "rule:admin_only", "get_port:binding:vif_type": "rule:admin_only", "get_port:binding:vif_details": "rule:admin_only", "get_port:binding:host_id": "rule:admin_only", "get_port:binding:profile": "rule:admin_only", "update_port": "rule:admin_or_owner or rule:context_is_advsvc", + "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc", "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc", "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc", "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", "update_port:binding:host_id": "rule:admin_only", "update_port:binding:profile": "rule:admin_only", "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc", - "delete_port": "rule:admin_or_owner or rule:context_is_advsvc", + "update_port:allowed_address_pairs": "rule:admin_or_network_owner", + "delete_port": 
"rule:admin_owner_or_network_owner or rule:context_is_advsvc", "get_router:ha": "rule:admin_only", "create_router": "rule:regular_user", @@ -100,6 +115,9 @@ "update_firewall_policy": "rule:admin_or_owner", "delete_firewall_policy": "rule:admin_or_owner", + "insert_rule": "rule:admin_or_owner", + "remove_rule": "rule:admin_or_owner", + "create_firewall_rule": "", "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls", "update_firewall_rule": "rule:admin_or_owner", @@ -150,5 +168,34 @@ "get_service_provider": "rule:regular_user", "get_lsn": "rule:admin_only", - "create_lsn": "rule:admin_only" + "create_lsn": "rule:admin_only", + + "create_flavor": "rule:admin_only", + "update_flavor": "rule:admin_only", + "delete_flavor": "rule:admin_only", + "get_flavors": "rule:regular_user", + "get_flavor": "rule:regular_user", + "create_service_profile": "rule:admin_only", + "update_service_profile": "rule:admin_only", + "delete_service_profile": "rule:admin_only", + "get_service_profiles": "rule:admin_only", + "get_service_profile": "rule:admin_only", + + "get_policy": "rule:regular_user", + "create_policy": "rule:admin_only", + "update_policy": "rule:admin_only", + "delete_policy": "rule:admin_only", + "get_policy_bandwidth_limit_rule": "rule:regular_user", + "create_policy_bandwidth_limit_rule": "rule:admin_only", + "delete_policy_bandwidth_limit_rule": "rule:admin_only", + "update_policy_bandwidth_limit_rule": "rule:admin_only", + "get_rule_type": "rule:regular_user", + + "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only", + "create_rbac_policy": "", + "create_rbac_policy:target_tenant": "rule:restrict_wildcard", + "update_rbac_policy": "rule:admin_or_owner", + "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner", + "get_rbac_policy": "rule:admin_or_owner", + "delete_rbac_policy": "rule:admin_or_owner" } 
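Review bot: `get_port` and `delete_port` now resolve through `admin_owner_or_network_owner`, so the owner of a network can read and delete ports that other tenants created on it (for example on a shared network), where previously only the port owner, admin or advsvc could; `create_port:allowed_address_pairs` and `update_port:allowed_address_pairs` move the other way, to network owner or admin only. Both are visible authorization changes for existing deployments and nothing in the hunk flags them; at minimum a release note, or a comment near the `admin_owner_or_network_owner` definition in the first hunk stating that the upstream default policy is being tracked, should accompany the change.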
diff --git a/playbooks/roles/os_neutron/templates/rootwrap.d/ebtables.filters.j2 b/playbooks/roles/os_neutron/templates/rootwrap.d/ebtables.filters.j2 deleted file mode 100644 index 2c3c338db4..0000000000 --- a/playbooks/roles/os_neutron/templates/rootwrap.d/ebtables.filters.j2 +++ /dev/null @@ -1,13 +0,0 @@ -# neutron-rootwrap command filters for nodes on which neutron is -# expected to control network -# -# This file should be owned by (and only-writeable by) the root user - -# format seems to be -# cmd-name: filter-name, raw-command, user, args - -[Filters] - -# neutron/agent/linux/ebtables_driver.py -ebtables: CommandFilter, ebtables, root -ebtablesEnv: EnvFilter, ebtables, root, EBTABLES_ATOMIC_FILE= diff --git a/playbooks/roles/os_neutron/templates/rootwrap.d/ryu-plugin.filters.j2 b/playbooks/roles/os_neutron/templates/rootwrap.d/ryu-plugin.filters.j2 deleted file mode 100644 index 0a70b8bc95..0000000000 --- a/playbooks/roles/os_neutron/templates/rootwrap.d/ryu-plugin.filters.j2 +++ /dev/null @@ -1,21 +0,0 @@ -# neutron-rootwrap command filters for nodes on which neutron is -# expected to control network -# -# This file should be owned by (and only-writeable by) the root user - -# format seems to be -# cmd-name: filter-name, raw-command, user, args - -[Filters] - -# ryu-agent -# unclear whether both variants are necessary, but I'm transliterating -# from the old mechanism - -# neutron/plugins/ryu/agent/ryu_neutron_agent.py: -# "ovs-vsctl", "--timeout=2", ... -ovs-vsctl: CommandFilter, ovs-vsctl, root - -# neutron/plugins/ryu/agent/ryu_neutron_agent.py: -# "xe", "vif-param-get", ... -xe: CommandFilter, xe, root diff --git a/playbooks/roles/os_neutron/templates/rootwrap.d/vpnaas.filters.j2 b/playbooks/roles/os_neutron/templates/rootwrap.d/vpnaas.filters.j2 deleted file mode 100644 index 7848136b9f..0000000000 --- a/playbooks/roles/os_neutron/templates/rootwrap.d/vpnaas.filters.j2 +++ /dev/null 
@@ -1,13 +0,0 @@ -# neutron-rootwrap command filters for nodes on which neutron is -# expected to control network -# -# This file should be owned by (and only-writeable by) the root user - -# format seems to be -# cmd-name: filter-name, raw-command, user, args - -[Filters] - -ip: IpFilter, ip, root -ip_exec: IpNetnsExecFilter, ip, root -openswan: CommandFilter, ipsec, root