Allow sharing of firewall rules and policies in policy.json
Updated policy for firewall_policy and firewall_rule to allow sharing among tenants. Added a new firewall sharing rule to enable this. Change-Id: I5d4d9f94fb3abffe4d1b03c46fd5b13a8a4a4f09 Fixes: bug #1217103
This commit is contained in:
parent
94ec105ce7
commit
acbf3b95fd
@ -5,6 +5,7 @@
|
||||
"admin_only": "rule:context_is_admin",
|
||||
"regular_user": "",
|
||||
"shared": "field:networks:shared=True",
|
||||
"shared_firewalls": "field:firewalls:shared=True",
|
||||
"external": "field:networks:router:external=True",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
@ -71,13 +72,13 @@
|
||||
"delete_firewall": "rule:admin_or_owner",
|
||||
|
||||
"create_firewall_policy": "",
|
||||
"get_firewall_policy": "rule:admin_or_owner",
|
||||
"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
|
||||
"create_firewall_policy:shared": "rule:admin_or_owner",
|
||||
"update_firewall_policy": "rule:admin_or_owner",
|
||||
"delete_firewall_policy": "rule:admin_or_owner",
|
||||
|
||||
"create_firewall_rule": "",
|
||||
"get_firewall_rule": "rule:admin_or_owner",
|
||||
"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
|
||||
"create_firewall_rule:shared": "rule:admin_or_owner",
|
||||
"get_firewall_rule:shared": "rule:admin_or_owner",
|
||||
"update_firewall_rule": "rule:admin_or_owner",
|
||||
|
@ -250,7 +250,12 @@ class NeutronPolicyTestCase(base.BaseTestCase):
|
||||
"create_something": "rule:admin_or_owner",
|
||||
"create_something:attr": "rule:admin_or_owner",
|
||||
"create_something:attr:sub_attr_1": "rule:admin_or_owner",
|
||||
"create_something:attr:sub_attr_2": "rule:admin_only"
|
||||
"create_something:attr:sub_attr_2": "rule:admin_only",
|
||||
|
||||
"get_firewall_policy": "rule:admin_or_owner or "
|
||||
"rule:shared",
|
||||
"get_firewall_rule": "rule:admin_or_owner or "
|
||||
"rule:shared"
|
||||
}.items())
|
||||
|
||||
def fakepolicyinit():
|
||||
@ -390,6 +395,18 @@ class NeutronPolicyTestCase(base.BaseTestCase):
|
||||
result = policy.enforce(self.context, action, target)
|
||||
self.assertTrue(result)
|
||||
|
||||
def test_enforce_firewall_policy_shared(self):
|
||||
action = "get_firewall_policy"
|
||||
target = {'shared': True, 'tenant_id': 'somebody_else'}
|
||||
result = policy.enforce(self.context, action, target)
|
||||
self.assertTrue(result)
|
||||
|
||||
def test_enforce_firewall_rule_shared(self):
|
||||
action = "get_firewall_rule"
|
||||
target = {'shared': True, 'tenant_id': 'somebody_else'}
|
||||
result = policy.enforce(self.context, action, target)
|
||||
self.assertTrue(result)
|
||||
|
||||
def test_enforce_tenant_id_check(self):
|
||||
# Trigger a policy with rule admin_or_owner
|
||||
action = "create_network"
|
||||
|
Loading…
x
Reference in New Issue
Block a user