From 94e96d542d8053dc9acc85ea36e4ba673f8b826f Mon Sep 17 00:00:00 2001
From: Roey Chen
Date: Thu, 1 Jun 2017 02:04:57 -0700
Subject: [PATCH] Split and move policy rules to policy.d dir
This patch move away some policy rules from policy.json file and place them under a designated policy file under policy.d directory.
Change-Id: I0e91c384a0d7c1ddfa1d5ea5756bf851760539ab
---
devstack/lib/vmware_nsx_v | 3 +-
devstack/lib/vmware_nsx_v3 | 3 +-
etc/policy.d/dynamic-routing.json | 15 +++++
etc/policy.d/flow-classifier.json | 7 ++
.../network-gateways.json | 0
etc/policy.d/neutron-fwaas.json | 50 +++++++++++++++
etc/policy.d/routers.json | 23 +++++++
etc/policy.d/security-groups.json | 8 +++
etc/policy.json | 64 -------------------
etc/policy/routers.json | 7 --
10 files changed, 105 insertions(+), 75 deletions(-)
create mode 100644 etc/policy.d/dynamic-routing.json
create mode 100644 etc/policy.d/flow-classifier.json
rename etc/{policy => policy.d}/network-gateways.json (100%)
create mode 100644 etc/policy.d/neutron-fwaas.json
create mode 100644 etc/policy.d/routers.json
create mode 100644 etc/policy.d/security-groups.json
delete mode 100644 etc/policy/routers.json
diff --git a/devstack/lib/vmware_nsx_v b/devstack/lib/vmware_nsx_v
index cf23f5466b..cbceebea38 100644
--- a/devstack/lib/vmware_nsx_v
+++ b/devstack/lib/vmware_nsx_v
@@ -56,8 +56,7 @@ function neutron_plugin_configure_common {
 mkdir -p /$Q_PLUGIN_CONF_PATH
 cp $DEST/$Q_PLUGIN_SRC_CONF_PATH/nsx.ini.sample /$Q_PLUGIN_CONF_PATH/$Q_PLUGIN_CONF_FILENAME
 sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d
- cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy/routers.json $NEUTRON_CONF_DIR/policy.d
- cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy/network-gateways.json $NEUTRON_CONF_DIR/policy.d
+ cp -vr $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d $NEUTRON_CONF_DIR/policy.d
 Q_DB_NAME="neutron_nsx"
 Q_PLUGIN_CLASS="vmware_nsxv"
 }
diff --git a/devstack/lib/vmware_nsx_v3 b/devstack/lib/vmware_nsx_v3
index c400909254..3bab711207 100644
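Review bot: The new `cp -vr $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d $NEUTRON_CONF_DIR/policy.d` puts the files in `$NEUTRON_CONF_DIR/policy.d/policy.d/`, because the `sudo install -d` on the line above has already created the destination and `cp -r` copies a source directory into an existing target directory rather than over it. As far as I recall oslo.policy only reads the top level of each policy_dirs entry, so in devstack every rule this commit moves out of policy.json (the admin_only rules for security-group provider/policy/logging, BGP and flow classifiers among them) would silently not be loaded and those targets would fall back to the `default` rule. Use `cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d/*.json $NEUTRON_CONF_DIR/policy.d/` (or `cp -vr $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d/. $NEUTRON_CONF_DIR/policy.d`) so the files land one level up. The enclosing `neutron_plugin_configure_common` function begins before this hunk.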
--- a/devstack/lib/vmware_nsx_v3
+++ b/devstack/lib/vmware_nsx_v3
@@ -122,8 +122,7 @@ function neutron_plugin_configure_common {
 mkdir -p /$Q_PLUGIN_CONF_PATH
 cp $DEST/$Q_PLUGIN_SRC_CONF_PATH/nsx.ini.sample /$Q_PLUGIN_CONF_PATH/$Q_PLUGIN_CONF_FILENAME
 sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d
- cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy/routers.json $NEUTRON_CONF_DIR/policy.d
- cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy/network-gateways.json $NEUTRON_CONF_DIR/policy.d
+ cp -vr $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d $NEUTRON_CONF_DIR/policy.d
 Q_PLUGIN_CLASS="vmware_nsxv3"
 }
diff --git a/etc/policy.d/dynamic-routing.json b/etc/policy.d/dynamic-routing.json
new file mode 100644
index 0000000000..70d684f68c
--- /dev/null
+++ b/etc/policy.d/dynamic-routing.json
@@ -0,0 +1,15 @@
+{
+ "get_bgp_speaker": "rule:admin_only",
+ "create_bgp_speaker": "rule:admin_only",
+ "update_bgp_speaker": "rule:admin_only",
+ "delete_bgp_speaker": "rule:admin_only",
+ "get_bgp_peer": "rule:admin_only",
+ "create_bgp_peer": "rule:admin_only",
+ "update_bgp_peer": "rule:admin_only",
+ "delete_bgp_peer": "rule:admin_only",
+ "add_bgp_peer": "rule:admin_only",
+ "remove_bgp_peer": "rule:admin_only",
+ "add_gateway_network": "rule:admin_only",
+ "remove_gateway_network": "rule:admin_only",
+ "get_advertised_routes":"rule:admin_only",
+}
diff --git a/etc/policy.d/flow-classifier.json b/etc/policy.d/flow-classifier.json
new file mode 100644
index 0000000000..39ac8b707a
--- /dev/null
+++ b/etc/policy.d/flow-classifier.json
@@ -0,0 +1,7 @@
+{
+ "create_flow_classifier": "rule:admin_only",
+ "update_flow_classifier": "rule:admin_only",
+ "delete_flow_classifier": "rule:admin_only",
+ "get_flow_classifier": "rule:admin_only",
+}
+
diff --git a/etc/policy/network-gateways.json b/etc/policy.d/network-gateways.json
similarity index 100%
rename from etc/policy/network-gateways.json
rename to etc/policy.d/network-gateways.json
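Review bot: Same copy problem as in vmware_nsx_v: `cp -vr $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d $NEUTRON_CONF_DIR/policy.d` copies into the directory that `sudo install -d` created one line earlier, yielding `policy.d/policy.d/`, which a non-recursive policy_dirs scan would ignore and which would leave the NSXv3 devstack without the admin_only rules this commit moves out of policy.json. Replace it with `cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d/*.json $NEUTRON_CONF_DIR/policy.d/`. The enclosing `neutron_plugin_configure_common` function begins before this hunk.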
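Review bot: The last entry `"get_advertised_routes":"rule:admin_only",` leaves a trailing comma before `}`, which is not valid JSON; flow-classifier.json, routers.json and security-groups.json in this commit end the same way, while neutron-fwaas.json closes cleanly. The pre-existing policy.json already ends with such a comma, so the loader in use evidently tolerates it (oslo.policy parses policy files with a YAML loader, which accepts a trailing comma in a flow mapping), but strict JSON tooling or a future loader change will reject these files, and a rule file that fails to load means either a startup failure or, depending on how the error is handled, BGP operations no longer restricted to admins. Drop the trailing comma and the inconsistent spacing: `"get_advertised_routes": "rule:admin_only"`.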
diff --git a/etc/policy.d/neutron-fwaas.json b/etc/policy.d/neutron-fwaas.json
new file mode 100644
index 0000000000..2e6e05b7d0
--- /dev/null
+++ b/etc/policy.d/neutron-fwaas.json
@@ -0,0 +1,50 @@
+{
+ "shared_firewalls": "field:firewalls:shared=True",
+ "shared_firewall_policies": "field:firewall_policies:shared=True",
+ "shared_firewall_rules": "field:firewall_rules:shared=True",
+
+ "create_firewall": "",
+ "update_firewall": "rule:admin_or_owner",
+ "delete_firewall": "rule:admin_or_owner",
+
+ "create_firewall:shared": "rule:admin_only",
+ "update_firewall:shared": "rule:admin_only",
+ "delete_firewall:shared": "rule:admin_only",
+
+ "get_firewall": "rule:admin_or_owner or rule:shared_firewalls",
+
+ "shared_firewall_groups": "field:firewall_groups:shared=True",
+ "shared_firewall_policies": "field:firewall_policies:shared=True",
+ "shared_firewall_rules": "field:firewall_rules:shared=True",
+
+ "create_firewall_group": "",
+ "update_firewall_group": "rule:admin_or_owner",
+ "delete_firewall_group": "rule:admin_or_owner",
+
+ "create_firewall_group:shared": "rule:admin_only",
+ "update_firewall_group:shared": "rule:admin_only",
+ "delete_firewall_group:shared": "rule:admin_only",
+
+ "get_firewall_group": "rule:admin_or_owner or rule:shared_firewall_groups",
+
+
+ "create_firewall_policy": "",
+ "update_firewall_policy": "rule:admin_or_owner",
+ "delete_firewall_policy": "rule:admin_or_owner",
+
+ "create_firewall_policy:shared": "rule:admin_only",
+ "update_firewall_policy:shared": "rule:admin_only",
+ "delete_firewall_policy:shared": "rule:admin_only",
+
+ "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
+
+ "create_firewall_rule": "",
+ "update_firewall_rule": "rule:admin_or_owner",
+ "delete_firewall_rule": "rule:admin_or_owner",
+
+ "create_firewall_rule:shared": "rule:admin_only",
+ "update_firewall_rule:shared": "rule:admin_only",
+ "delete_firewall_rule:shared": "rule:admin_only",
+
+ "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewall_rules"
+}
diff --git a/etc/policy.d/routers.json b/etc/policy.d/routers.json
new file mode 100644
index 0000000000..24ae482c75
--- /dev/null
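Review bot: `shared_firewall_policies` and `shared_firewall_rules` are defined twice in this file, once at the top and again right after `shared_firewall_groups`, with identical values; that is harmless under last-key-wins loading but it invites silent divergence the next time one copy is edited, so delete the second pair. Separately, the old policy.json carried `"get_firewall:shared": "rule:admin_only"` and this file does not reproduce it, so with `get_firewall` now `rule:admin_or_owner or rule:shared_firewalls` every tenant can read shared firewalls; that appears to follow the upstream FWaaS policy and is probably intended, but it is a visibility change the commit message does not mention and deserves a sentence there.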
+++ b/etc/policy.d/routers.json
@@ -0,0 +1,23 @@
+{
+ "create_router:distributed": "rule:admin_or_owner",
+ "get_router:distributed": "rule:admin_or_owner",
+ "update_router:distributed": "rule:admin_or_owner"
+
+ "get_router:ha": "rule:admin_only",
+ "create_router": "rule:regular_user",
+ "create_router:external_gateway_info:enable_snat": "rule:admin_only",
+ "create_router:distributed": "rule:admin_only",
+ "create_router:ha": "rule:admin_only",
+ "get_router": "rule:admin_or_owner",
+ "get_router:distributed": "rule:admin_only",
+ "update_router:external_gateway_info:enable_snat": "rule:admin_only",
+ "update_router:distributed": "rule:admin_only",
+ "update_router:ha": "rule:admin_only",
+ "delete_router": "rule:admin_or_owner",
+
+ "add_router_interface": "rule:admin_or_owner",
+ "remove_router_interface": "rule:admin_or_owner",
+
+ "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
+ "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
+}
diff --git a/etc/policy.d/security-groups.json b/etc/policy.d/security-groups.json
new file mode 100644
index 0000000000..4d5d361d1d
--- /dev/null
+++ b/etc/policy.d/security-groups.json
@@ -0,0 +1,8 @@
+{
+ "create_security_group:logging": "rule:admin_only",
+ "update_security_group:logging": "rule:admin_only",
+ "get_security_group:logging": "rule:admin_only",
+ "create_security_group:provider": "rule:admin_only",
+ "create_security_group:policy": "rule:admin_only",
+ "update_security_group:policy": "rule:admin_only",
+}
diff --git a/etc/policy.json b/etc/policy.json
index 491de020dd..5b62293926 100644
--- a/etc/policy.json
+++ b/etc/policy.json
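Review bot: `"update_router:distributed": "rule:admin_or_owner"` on the fourth line has no comma before the following `"get_router:ha"` entry, so this file is invalid both as JSON and as a YAML flow mapping and the policy loader should refuse it; depending on how the enforcer handles that, neutron either fails to start or runs without these router rules. Once the comma is added, `create_router:distributed`, `get_router:distributed` and `update_router:distributed` each appear twice with conflicting values (admin_or_owner first, admin_only later); Python's json and yaml loaders keep the last occurrence, so the tenant-facing overrides from the deleted etc/policy/routers.json are silently lost, and that file's `enable_snat: rule:admin_or_owner` override is not carried over at all. Keep exactly one entry per key and make the value explicit: if tenants should still be able to set `distributed` and `enable_snat` on NSX, delete the first three entries and change the five `admin_only` values for those attributes to `rule:admin_or_owner`; if not, delete the first three entries and call out the tightening in the commit message.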
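Review bot: `"create_port:provider_security_groups": "rule:admin_only"`, which this commit removes from policy.json, is not carried over into this file or any other new one, so unless policy.json still defines it elsewhere (the hunk at line 61 shows only the `update_port:provider_security_groups` variant) the target would fall back to the `default` rule and a tenant could attach provider security groups at port creation. Add `"create_port:provider_security_groups": "rule:admin_only",` here, or keep the line in policy.json, and also drop the trailing comma after the last entry so the file is valid JSON.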
@@ -61,43 +61,6 @@
 "update_port:provider_security_groups": "rule:admin_only",
 "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
- "get_router:ha": "rule:admin_only",
- "create_router": "rule:regular_user",
- "create_router:external_gateway_info:enable_snat": "rule:admin_only",
- "create_router:distributed": "rule:admin_only",
- "create_router:ha": "rule:admin_only",
- "get_router": "rule:admin_or_owner",
- "get_router:distributed": "rule:admin_only",
- "update_router:external_gateway_info:enable_snat": "rule:admin_only",
- "update_router:distributed": "rule:admin_only",
- "update_router:ha": "rule:admin_only",
- "delete_router": "rule:admin_or_owner",
-
- "add_router_interface": "rule:admin_or_owner",
- "remove_router_interface": "rule:admin_or_owner",
-
- "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
- "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
-
- "create_firewall": "",
- "get_firewall": "rule:admin_or_owner",
- "create_firewall:shared": "rule:admin_only",
- "get_firewall:shared": "rule:admin_only",
- "update_firewall": "rule:admin_or_owner",
- "update_firewall:shared": "rule:admin_only",
- "delete_firewall": "rule:admin_or_owner",
-
- "create_firewall_policy": "",
- "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
- "create_firewall_policy:shared": "rule:admin_or_owner",
- "update_firewall_policy": "rule:admin_or_owner",
- "delete_firewall_policy": "rule:admin_or_owner",
-
- "create_firewall_rule": "",
- "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
- "update_firewall_rule": "rule:admin_or_owner",
- "delete_firewall_rule": "rule:admin_or_owner",
-
 "create_qos_queue": "rule:admin_only",
 "get_qos_queue": "rule:admin_only",
@@ -142,31 +105,4 @@
 "get_service_provider": "rule:regular_user",
 "get_lsn": "rule:admin_only",
 "create_lsn": "rule:admin_only",
-
- "create_security_group:logging": "rule:admin_only",
- "update_security_group:logging": "rule:admin_only",
- "get_security_group:logging": "rule:admin_only",
- "create_security_group:provider": "rule:admin_only",
- "create_port:provider_security_groups": "rule:admin_only",
- "create_security_group:policy": "rule:admin_only",
- "update_security_group:policy": "rule:admin_only",
-
- "create_flow_classifier": "rule:admin_only",
- "update_flow_classifier": "rule:admin_only",
- "delete_flow_classifier": "rule:admin_only",
- "get_flow_classifier": "rule:admin_only",
-
- "get_bgp_speaker": "rule:admin_only",
- "create_bgp_speaker": "rule:admin_only",
- "update_bgp_speaker": "rule:admin_only",
- "delete_bgp_speaker": "rule:admin_only",
- "get_bgp_peer": "rule:admin_only",
- "create_bgp_peer": "rule:admin_only",
- "update_bgp_peer": "rule:admin_only",
- "delete_bgp_peer": "rule:admin_only",
- "add_bgp_peer": "rule:admin_only",
- "remove_bgp_peer": "rule:admin_only",
- "add_gateway_network": "rule:admin_only",
- "remove_gateway_network": "rule:admin_only",
- "get_advertised_routes":"rule:admin_only",
 }
diff --git a/etc/policy/routers.json b/etc/policy/routers.json
deleted file mode 100644
index 48665dba83..0000000000
--- a/etc/policy/routers.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "create_router:external_gateway_info:enable_snat": "rule:admin_or_owner",
- "create_router:distributed": "rule:admin_or_owner",
- "get_router:distributed": "rule:admin_or_owner",
- "update_router:external_gateway_info:enable_snat": "rule:admin_or_owner",
- "update_router:distributed": "rule:admin_or_owner"
-}