Split and move policy rules to policy.d dir
This patch moves some policy rules out of the policy.json file and places them in designated policy files under the policy.d directory. Change-Id: I0e91c384a0d7c1ddfa1d5ea5756bf851760539ab
parent
2082495477
commit
94e96d542d
@ -56,8 +56,7 @@ function neutron_plugin_configure_common {
|
|||||||
mkdir -p /$Q_PLUGIN_CONF_PATH
|
mkdir -p /$Q_PLUGIN_CONF_PATH
|
||||||
cp $DEST/$Q_PLUGIN_SRC_CONF_PATH/nsx.ini.sample /$Q_PLUGIN_CONF_PATH/$Q_PLUGIN_CONF_FILENAME
|
cp $DEST/$Q_PLUGIN_SRC_CONF_PATH/nsx.ini.sample /$Q_PLUGIN_CONF_PATH/$Q_PLUGIN_CONF_FILENAME
|
||||||
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d
|
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d
|
||||||
cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy/routers.json $NEUTRON_CONF_DIR/policy.d
|
cp -vr $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d $NEUTRON_CONF_DIR/policy.d
|
||||||
cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy/network-gateways.json $NEUTRON_CONF_DIR/policy.d
|
|
||||||
Q_DB_NAME="neutron_nsx"
|
Q_DB_NAME="neutron_nsx"
|
||||||
Q_PLUGIN_CLASS="vmware_nsxv"
|
Q_PLUGIN_CLASS="vmware_nsxv"
|
||||||
}
|
}
|
||||||
|
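Review bot: The new `cp -vr $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d $NEUTRON_CONF_DIR/policy.d` runs right after `install -d` has created the target directory, so `cp -r` copies the source directory into it and the files land in `$NEUTRON_CONF_DIR/policy.d/policy.d/`. If the policy loader reads only the top level of the configured directory (worth confirming), none of the `rule:admin_only` entries shipped under `etc/policy.d/` would be applied, and those API calls would fall back to whatever default rule is in effect. Copying the contents instead avoids the nesting: `cp -v "$DEST/$Q_PLUGIN_SRC_CONF_PATH"/policy.d/*.json "$NEUTRON_CONF_DIR/policy.d/"`. The same line is added in the second `neutron_plugin_configure_common` hunk (the `vmware_nsxv3` one), and both function bodies start outside the hunks.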
@ -122,8 +122,7 @@ function neutron_plugin_configure_common {
|
|||||||
mkdir -p /$Q_PLUGIN_CONF_PATH
|
mkdir -p /$Q_PLUGIN_CONF_PATH
|
||||||
cp $DEST/$Q_PLUGIN_SRC_CONF_PATH/nsx.ini.sample /$Q_PLUGIN_CONF_PATH/$Q_PLUGIN_CONF_FILENAME
|
cp $DEST/$Q_PLUGIN_SRC_CONF_PATH/nsx.ini.sample /$Q_PLUGIN_CONF_PATH/$Q_PLUGIN_CONF_FILENAME
|
||||||
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d
|
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d
|
||||||
cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy/routers.json $NEUTRON_CONF_DIR/policy.d
|
cp -vr $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d $NEUTRON_CONF_DIR/policy.d
|
||||||
cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy/network-gateways.json $NEUTRON_CONF_DIR/policy.d
|
|
||||||
Q_PLUGIN_CLASS="vmware_nsxv3"
|
Q_PLUGIN_CLASS="vmware_nsxv3"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
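--- a/etc/policy.d/dynamic-routing.json
+++ b/etc/policy.d/dynamic-routing.json
@@ -0,0 +1,15 @@
+{
+"get_bgp_speaker": "rule:admin_only",
+"create_bgp_speaker": "rule:admin_only",
+"update_bgp_speaker": "rule:admin_only",
+"delete_bgp_speaker": "rule:admin_only",
+"get_bgp_peer": "rule:admin_only",
+"create_bgp_peer": "rule:admin_only",
+"update_bgp_peer": "rule:admin_only",
+"delete_bgp_peer": "rule:admin_only",
+"add_bgp_peer": "rule:admin_only",
+"remove_bgp_peer": "rule:admin_only",
+"add_gateway_network": "rule:admin_only",
+"remove_gateway_network": "rule:admin_only",
+"get_advertised_routes":"rule:admin_only",
+}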
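Review bot: The last entry, `"get_advertised_routes":"rule:admin_only",`, keeps its trailing comma before the closing `}`, so this file is not valid JSON; `flow-classifier.json`, `routers.json` and `security-groups.json` end the same way. The tail removed from `policy.json` had the same shape, so the loader in use presumably tolerates it, but a strict JSON parser or linter will reject these files, and a policy file that fails to parse may leave its `rule:admin_only` restrictions unloaded. Dropping the comma on the last entry of each file, here `"get_advertised_routes": "rule:admin_only"`, keeps them loadable by any parser.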
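--- a/etc/policy.d/flow-classifier.json
+++ b/etc/policy.d/flow-classifier.json
@@ -0,0 +1,7 @@
+{
+"create_flow_classifier": "rule:admin_only",
+"update_flow_classifier": "rule:admin_only",
+"delete_flow_classifier": "rule:admin_only",
+"get_flow_classifier": "rule:admin_only",
+}
+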
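--- a/etc/policy.d/neutron-fwaas.json
+++ b/etc/policy.d/neutron-fwaas.json
@@ -0,0 +1,50 @@
+{
+"shared_firewalls": "field:firewalls:shared=True",
+"shared_firewall_policies": "field:firewall_policies:shared=True",
+"shared_firewall_rules": "field:firewall_rules:shared=True",
+
+"create_firewall": "",
+"update_firewall": "rule:admin_or_owner",
+"delete_firewall": "rule:admin_or_owner",
+
+"create_firewall:shared": "rule:admin_only",
+"update_firewall:shared": "rule:admin_only",
+"delete_firewall:shared": "rule:admin_only",
+
+"get_firewall": "rule:admin_or_owner or rule:shared_firewalls",
+
+"shared_firewall_groups": "field:firewall_groups:shared=True",
+"shared_firewall_policies": "field:firewall_policies:shared=True",
+"shared_firewall_rules": "field:firewall_rules:shared=True",
+
+"create_firewall_group": "",
+"update_firewall_group": "rule:admin_or_owner",
+"delete_firewall_group": "rule:admin_or_owner",
+
+"create_firewall_group:shared": "rule:admin_only",
+"update_firewall_group:shared": "rule:admin_only",
+"delete_firewall_group:shared": "rule:admin_only",
+
+"get_firewall_group": "rule:admin_or_owner or rule:shared_firewall_groups",
+
+
+"create_firewall_policy": "",
+"update_firewall_policy": "rule:admin_or_owner",
+"delete_firewall_policy": "rule:admin_or_owner",
+
+"create_firewall_policy:shared": "rule:admin_only",
+"update_firewall_policy:shared": "rule:admin_only",
+"delete_firewall_policy:shared": "rule:admin_only",
+
+"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
+
+"create_firewall_rule": "",
+"update_firewall_rule": "rule:admin_or_owner",
+"delete_firewall_rule": "rule:admin_or_owner",
+
+"create_firewall_rule:shared": "rule:admin_only",
+"update_firewall_rule:shared": "rule:admin_only",
+"delete_firewall_rule:shared": "rule:admin_only",
+
+"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewall_rules"
+}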
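Review bot: This file is not a straight move of the firewall rules removed from `policy.json`: `get_firewall:shared` (`rule:admin_only`) is gone, `get_firewall` now also allows `rule:shared_firewalls`, `create_firewall_policy:shared` goes from `rule:admin_or_owner` to `rule:admin_only`, and the `firewall_group` rules and several `:shared` rules are new. The commit message describes only a split, so these access changes deserve a line in the description or a separate commit where they can be reviewed as policy changes. `shared_firewall_policies` and `shared_firewall_rules` are also defined twice with identical values; the second pair can be dropped.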
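--- a/etc/policy.d/routers.json
+++ b/etc/policy.d/routers.json
@@ -0,0 +1,23 @@
+{
+"create_router:distributed": "rule:admin_or_owner",
+"get_router:distributed": "rule:admin_or_owner",
+"update_router:distributed": "rule:admin_or_owner"
+
+"get_router:ha": "rule:admin_only",
+"create_router": "rule:regular_user",
+"create_router:external_gateway_info:enable_snat": "rule:admin_only",
+"create_router:distributed": "rule:admin_only",
+"create_router:ha": "rule:admin_only",
+"get_router": "rule:admin_or_owner",
+"get_router:distributed": "rule:admin_only",
+"update_router:external_gateway_info:enable_snat": "rule:admin_only",
+"update_router:distributed": "rule:admin_only",
+"update_router:ha": "rule:admin_only",
+"delete_router": "rule:admin_or_owner",
+
+"add_router_interface": "rule:admin_or_owner",
+"remove_router_interface": "rule:admin_or_owner",
+
+"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
+"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
+}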
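Review bot: `create_router:distributed`, `get_router:distributed` and `update_router:distributed` each appear twice in this file with different values, first `rule:admin_or_owner` and later `rule:admin_only`, so which rule is enforced depends on how the parser resolves duplicate keys. The first `"update_router:distributed": "rule:admin_or_owner"` also has no comma after it although more entries follow, which is a syntax error. The first three entries look like the content of the deleted seven-line override file placed ahead of the rules moved from `policy.json`, while that file's two `enable_snat` overrides (`rule:admin_or_owner`) were not carried over. Decide which level is intended for the distributed and SNAT attributes and keep one entry per key, for example by deleting the first three entries if `rule:admin_only` is meant.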
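--- a/etc/policy.d/security-groups.json
+++ b/etc/policy.d/security-groups.json
@@ -0,0 +1,8 @@
+{
+"create_security_group:logging": "rule:admin_only",
+"update_security_group:logging": "rule:admin_only",
+"get_security_group:logging": "rule:admin_only",
+"create_security_group:provider": "rule:admin_only",
+"create_security_group:policy": "rule:admin_only",
+"update_security_group:policy": "rule:admin_only",
+}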
@ -61,43 +61,6 @@
|
|||||||
"update_port:provider_security_groups": "rule:admin_only",
|
"update_port:provider_security_groups": "rule:admin_only",
|
||||||
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||||
|
|
||||||
"get_router:ha": "rule:admin_only",
|
|
||||||
"create_router": "rule:regular_user",
|
|
||||||
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
|
|
||||||
"create_router:distributed": "rule:admin_only",
|
|
||||||
"create_router:ha": "rule:admin_only",
|
|
||||||
"get_router": "rule:admin_or_owner",
|
|
||||||
"get_router:distributed": "rule:admin_only",
|
|
||||||
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
|
|
||||||
"update_router:distributed": "rule:admin_only",
|
|
||||||
"update_router:ha": "rule:admin_only",
|
|
||||||
"delete_router": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"add_router_interface": "rule:admin_or_owner",
|
|
||||||
"remove_router_interface": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
|
|
||||||
"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
|
|
||||||
|
|
||||||
"create_firewall": "",
|
|
||||||
"get_firewall": "rule:admin_or_owner",
|
|
||||||
"create_firewall:shared": "rule:admin_only",
|
|
||||||
"get_firewall:shared": "rule:admin_only",
|
|
||||||
"update_firewall": "rule:admin_or_owner",
|
|
||||||
"update_firewall:shared": "rule:admin_only",
|
|
||||||
"delete_firewall": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"create_firewall_policy": "",
|
|
||||||
"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
|
|
||||||
"create_firewall_policy:shared": "rule:admin_or_owner",
|
|
||||||
"update_firewall_policy": "rule:admin_or_owner",
|
|
||||||
"delete_firewall_policy": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"create_firewall_rule": "",
|
|
||||||
"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
|
|
||||||
"update_firewall_rule": "rule:admin_or_owner",
|
|
||||||
"delete_firewall_rule": "rule:admin_or_owner",
|
|
||||||
|
|
||||||
"create_qos_queue": "rule:admin_only",
|
"create_qos_queue": "rule:admin_only",
|
||||||
"get_qos_queue": "rule:admin_only",
|
"get_qos_queue": "rule:admin_only",
|
||||||
|
|
||||||
@ -142,31 +105,4 @@
|
|||||||
"get_service_provider": "rule:regular_user",
|
"get_service_provider": "rule:regular_user",
|
||||||
"get_lsn": "rule:admin_only",
|
"get_lsn": "rule:admin_only",
|
||||||
"create_lsn": "rule:admin_only",
|
"create_lsn": "rule:admin_only",
|
||||||
|
|
||||||
"create_security_group:logging": "rule:admin_only",
|
|
||||||
"update_security_group:logging": "rule:admin_only",
|
|
||||||
"get_security_group:logging": "rule:admin_only",
|
|
||||||
"create_security_group:provider": "rule:admin_only",
|
|
||||||
"create_port:provider_security_groups": "rule:admin_only",
|
|
||||||
"create_security_group:policy": "rule:admin_only",
|
|
||||||
"update_security_group:policy": "rule:admin_only",
|
|
||||||
|
|
||||||
"create_flow_classifier": "rule:admin_only",
|
|
||||||
"update_flow_classifier": "rule:admin_only",
|
|
||||||
"delete_flow_classifier": "rule:admin_only",
|
|
||||||
"get_flow_classifier": "rule:admin_only",
|
|
||||||
|
|
||||||
"get_bgp_speaker": "rule:admin_only",
|
|
||||||
"create_bgp_speaker": "rule:admin_only",
|
|
||||||
"update_bgp_speaker": "rule:admin_only",
|
|
||||||
"delete_bgp_speaker": "rule:admin_only",
|
|
||||||
"get_bgp_peer": "rule:admin_only",
|
|
||||||
"create_bgp_peer": "rule:admin_only",
|
|
||||||
"update_bgp_peer": "rule:admin_only",
|
|
||||||
"delete_bgp_peer": "rule:admin_only",
|
|
||||||
"add_bgp_peer": "rule:admin_only",
|
|
||||||
"remove_bgp_peer": "rule:admin_only",
|
|
||||||
"add_gateway_network": "rule:admin_only",
|
|
||||||
"remove_gateway_network": "rule:admin_only",
|
|
||||||
"get_advertised_routes":"rule:admin_only",
|
|
||||||
}
|
}
|
||||||
|
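Review bot: `"create_port:provider_security_groups": "rule:admin_only"` is removed from `policy.json` in the second hunk, but none of the new files under `etc/policy.d/` shown on this page contains it; `security-groups.json` carries only the `*_security_group:*` rules. Unless the rule is still defined in a part of `policy.json` outside these hunks, creating a port with provider security groups would fall back to the default rule, while `update_port:provider_security_groups` stays `rule:admin_only` in the first hunk's context. If the removal was not intended, keep the line in `policy.json` next to the update rule, or add `"create_port:provider_security_groups": "rule:admin_only",` to `security-groups.json`.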
@ -1,7 +0,0 @@
|
|||||||
{
|
|
||||||
"create_router:external_gateway_info:enable_snat": "rule:admin_or_owner",
|
|
||||||
"create_router:distributed": "rule:admin_or_owner",
|
|
||||||
"get_router:distributed": "rule:admin_or_owner",
|
|
||||||
"update_router:external_gateway_info:enable_snat": "rule:admin_or_owner",
|
|
||||||
"update_router:distributed": "rule:admin_or_owner"
|
|
||||||
}
|
|