Split and move policy rules to policy.d dir

This patch move away some policy rules from policy.json file and place
them under a designated policy file under policy.d directory.

Change-Id: I0e91c384a0d7c1ddfa1d5ea5756bf851760539ab
This commit is contained in:
Roey Chen 2017-06-01 02:04:57 -07:00 committed by Adit Sarfaty
parent 2082495477
commit 94e96d542d
10 changed files with 105 additions and 75 deletions

View File

@ -56,8 +56,7 @@ function neutron_plugin_configure_common {
mkdir -p /$Q_PLUGIN_CONF_PATH mkdir -p /$Q_PLUGIN_CONF_PATH
cp $DEST/$Q_PLUGIN_SRC_CONF_PATH/nsx.ini.sample /$Q_PLUGIN_CONF_PATH/$Q_PLUGIN_CONF_FILENAME cp $DEST/$Q_PLUGIN_SRC_CONF_PATH/nsx.ini.sample /$Q_PLUGIN_CONF_PATH/$Q_PLUGIN_CONF_FILENAME
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d
cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy/routers.json $NEUTRON_CONF_DIR/policy.d cp -vr $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d $NEUTRON_CONF_DIR/policy.d
cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy/network-gateways.json $NEUTRON_CONF_DIR/policy.d
Q_DB_NAME="neutron_nsx" Q_DB_NAME="neutron_nsx"
Q_PLUGIN_CLASS="vmware_nsxv" Q_PLUGIN_CLASS="vmware_nsxv"
} }

View File

@ -122,8 +122,7 @@ function neutron_plugin_configure_common {
mkdir -p /$Q_PLUGIN_CONF_PATH mkdir -p /$Q_PLUGIN_CONF_PATH
cp $DEST/$Q_PLUGIN_SRC_CONF_PATH/nsx.ini.sample /$Q_PLUGIN_CONF_PATH/$Q_PLUGIN_CONF_FILENAME cp $DEST/$Q_PLUGIN_SRC_CONF_PATH/nsx.ini.sample /$Q_PLUGIN_CONF_PATH/$Q_PLUGIN_CONF_FILENAME
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d
cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy/routers.json $NEUTRON_CONF_DIR/policy.d cp -vr $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d $NEUTRON_CONF_DIR/policy.d
cp -v $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy/network-gateways.json $NEUTRON_CONF_DIR/policy.d
Q_PLUGIN_CLASS="vmware_nsxv3" Q_PLUGIN_CLASS="vmware_nsxv3"
} }

View File

@ -0,0 +1,15 @@
{
"get_bgp_speaker": "rule:admin_only",
"create_bgp_speaker": "rule:admin_only",
"update_bgp_speaker": "rule:admin_only",
"delete_bgp_speaker": "rule:admin_only",
"get_bgp_peer": "rule:admin_only",
"create_bgp_peer": "rule:admin_only",
"update_bgp_peer": "rule:admin_only",
"delete_bgp_peer": "rule:admin_only",
"add_bgp_peer": "rule:admin_only",
"remove_bgp_peer": "rule:admin_only",
"add_gateway_network": "rule:admin_only",
"remove_gateway_network": "rule:admin_only",
"get_advertised_routes":"rule:admin_only",
}

View File

@ -0,0 +1,7 @@
{
"create_flow_classifier": "rule:admin_only",
"update_flow_classifier": "rule:admin_only",
"delete_flow_classifier": "rule:admin_only",
"get_flow_classifier": "rule:admin_only",
}

View File

@ -0,0 +1,50 @@
{
"shared_firewalls": "field:firewalls:shared=True",
"shared_firewall_policies": "field:firewall_policies:shared=True",
"shared_firewall_rules": "field:firewall_rules:shared=True",
"create_firewall": "",
"update_firewall": "rule:admin_or_owner",
"delete_firewall": "rule:admin_or_owner",
"create_firewall:shared": "rule:admin_only",
"update_firewall:shared": "rule:admin_only",
"delete_firewall:shared": "rule:admin_only",
"get_firewall": "rule:admin_or_owner or rule:shared_firewalls",
"shared_firewall_groups": "field:firewall_groups:shared=True",
"shared_firewall_policies": "field:firewall_policies:shared=True",
"shared_firewall_rules": "field:firewall_rules:shared=True",
"create_firewall_group": "",
"update_firewall_group": "rule:admin_or_owner",
"delete_firewall_group": "rule:admin_or_owner",
"create_firewall_group:shared": "rule:admin_only",
"update_firewall_group:shared": "rule:admin_only",
"delete_firewall_group:shared": "rule:admin_only",
"get_firewall_group": "rule:admin_or_owner or rule:shared_firewall_groups",
"create_firewall_policy": "",
"update_firewall_policy": "rule:admin_or_owner",
"delete_firewall_policy": "rule:admin_or_owner",
"create_firewall_policy:shared": "rule:admin_only",
"update_firewall_policy:shared": "rule:admin_only",
"delete_firewall_policy:shared": "rule:admin_only",
"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
"create_firewall_rule": "",
"update_firewall_rule": "rule:admin_or_owner",
"delete_firewall_rule": "rule:admin_or_owner",
"create_firewall_rule:shared": "rule:admin_only",
"update_firewall_rule:shared": "rule:admin_only",
"delete_firewall_rule:shared": "rule:admin_only",
"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewall_rules"
}

23
etc/policy.d/routers.json Normal file
View File

@ -0,0 +1,23 @@
{
"create_router:distributed": "rule:admin_or_owner",
"get_router:distributed": "rule:admin_or_owner",
"update_router:distributed": "rule:admin_or_owner"
"get_router:ha": "rule:admin_only",
"create_router": "rule:regular_user",
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"create_router:distributed": "rule:admin_only",
"create_router:ha": "rule:admin_only",
"get_router": "rule:admin_or_owner",
"get_router:distributed": "rule:admin_only",
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
"update_router:distributed": "rule:admin_only",
"update_router:ha": "rule:admin_only",
"delete_router": "rule:admin_or_owner",
"add_router_interface": "rule:admin_or_owner",
"remove_router_interface": "rule:admin_or_owner",
"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
}

View File

@ -0,0 +1,8 @@
{
"create_security_group:logging": "rule:admin_only",
"update_security_group:logging": "rule:admin_only",
"get_security_group:logging": "rule:admin_only",
"create_security_group:provider": "rule:admin_only",
"create_security_group:policy": "rule:admin_only",
"update_security_group:policy": "rule:admin_only",
}

View File

@ -61,43 +61,6 @@
"update_port:provider_security_groups": "rule:admin_only", "update_port:provider_security_groups": "rule:admin_only",
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc", "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
"get_router:ha": "rule:admin_only",
"create_router": "rule:regular_user",
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"create_router:distributed": "rule:admin_only",
"create_router:ha": "rule:admin_only",
"get_router": "rule:admin_or_owner",
"get_router:distributed": "rule:admin_only",
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
"update_router:distributed": "rule:admin_only",
"update_router:ha": "rule:admin_only",
"delete_router": "rule:admin_or_owner",
"add_router_interface": "rule:admin_or_owner",
"remove_router_interface": "rule:admin_or_owner",
"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
"create_firewall": "",
"get_firewall": "rule:admin_or_owner",
"create_firewall:shared": "rule:admin_only",
"get_firewall:shared": "rule:admin_only",
"update_firewall": "rule:admin_or_owner",
"update_firewall:shared": "rule:admin_only",
"delete_firewall": "rule:admin_or_owner",
"create_firewall_policy": "",
"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
"create_firewall_policy:shared": "rule:admin_or_owner",
"update_firewall_policy": "rule:admin_or_owner",
"delete_firewall_policy": "rule:admin_or_owner",
"create_firewall_rule": "",
"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
"update_firewall_rule": "rule:admin_or_owner",
"delete_firewall_rule": "rule:admin_or_owner",
"create_qos_queue": "rule:admin_only", "create_qos_queue": "rule:admin_only",
"get_qos_queue": "rule:admin_only", "get_qos_queue": "rule:admin_only",
@ -142,31 +105,4 @@
"get_service_provider": "rule:regular_user", "get_service_provider": "rule:regular_user",
"get_lsn": "rule:admin_only", "get_lsn": "rule:admin_only",
"create_lsn": "rule:admin_only", "create_lsn": "rule:admin_only",
"create_security_group:logging": "rule:admin_only",
"update_security_group:logging": "rule:admin_only",
"get_security_group:logging": "rule:admin_only",
"create_security_group:provider": "rule:admin_only",
"create_port:provider_security_groups": "rule:admin_only",
"create_security_group:policy": "rule:admin_only",
"update_security_group:policy": "rule:admin_only",
"create_flow_classifier": "rule:admin_only",
"update_flow_classifier": "rule:admin_only",
"delete_flow_classifier": "rule:admin_only",
"get_flow_classifier": "rule:admin_only",
"get_bgp_speaker": "rule:admin_only",
"create_bgp_speaker": "rule:admin_only",
"update_bgp_speaker": "rule:admin_only",
"delete_bgp_speaker": "rule:admin_only",
"get_bgp_peer": "rule:admin_only",
"create_bgp_peer": "rule:admin_only",
"update_bgp_peer": "rule:admin_only",
"delete_bgp_peer": "rule:admin_only",
"add_bgp_peer": "rule:admin_only",
"remove_bgp_peer": "rule:admin_only",
"add_gateway_network": "rule:admin_only",
"remove_gateway_network": "rule:admin_only",
"get_advertised_routes":"rule:admin_only",
} }

View File

@ -1,7 +0,0 @@
{
"create_router:external_gateway_info:enable_snat": "rule:admin_or_owner",
"create_router:distributed": "rule:admin_or_owner",
"get_router:distributed": "rule:admin_or_owner",
"update_router:external_gateway_info:enable_snat": "rule:admin_or_owner",
"update_router:distributed": "rule:admin_or_owner"
}