vmware-nsx/vmware_nsx/policies/security_group.py
Akihiro Motoki b7930ae821 Convert policy.json into policy-in-code
vmware-nsx specific policies are defined as policy-in-code.

- vmware_nsx/policies/lsn.py, qos_queue.py and maclearning.py
  are moved from the neutron repo.
- vmware_nsx/policies/providersecuritygroup.py is based on the difference
  between etc/policy.json and the old neutron policy.json
- vmware_nsx/policies/security_group.py is based on
  etc/policy.d/security-groups.json
- vmware_nsx/policies/network_gateway.py is based on
  etc/policy.d/network-gateways.json

etc/policy.d/dynamic-routing.json and etc/policy.d/neutron-fwaas.json
have no policies specific to vmware-nsx, so they can be dropped and
we can use policy-in-code definitions in neutron-fwaas and
neutron-dynamic-routing.

etc/policy.d/routers.json and flow-classifier.json cannot be
converted into policy-in-code because the default policies are
different from those defined in neutron and networking-sfc.
Note that etc/policy.d/routers.json now has policies which are
different from the default policies defined in the neutron repo.
(Others are cleaned up by this commit.)

This commit depends on the following patches under review:

(neutron-fwaas policy-in-code support)
Depends-On: https://review.openstack.org/527282
(neutron-dynamic-routing policy-in-code support)
Depends-On: https://review.openstack.org/625429
(networking-sfc policy-in-code support)
Depends-On: https://review.openstack.org/625431
(Drop 3rd-party plugin specific policies)
Depends-On: https://review.openstack.org/625394

Partially Implements: blueprint neutron-policy-in-code

Co-Authored-By: Michal Kelner Mishali <mkelnermishal@vmware.com>
Co-Authored-By: Adit Sarfaty <asarfaty@vmware.com>
Change-Id: I96a9dbd759d54308abbc12ce65c97b06a76453cd
2019-01-24 20:00:49 +00:00

96 lines
2.5 KiB
Python

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from oslo_policy import policy

from vmware_nsx.policies import base


rules = [
    policy.DocumentedRuleDefault(
        'create_security_group:logging',
        base.RULE_ADMIN_ONLY,
        'Create a security group with ``logging`` attribute',
        [
            {
                'method': 'POST',
                'path': '/security-groups',
            },
        ]
    ),
    policy.DocumentedRuleDefault(
        'update_security_group:logging',
        base.RULE_ADMIN_ONLY,
        'Update ``logging`` attribute of a security group',
        [
            {
                'method': 'PUT',
                'path': '/security-groups/{id}',
            },
        ]
    ),
    policy.DocumentedRuleDefault(
        'get_security_group:logging',
        base.RULE_ADMIN_ONLY,
        'Get ``logging`` attributes of security groups',
        [
            {
                'method': 'GET',
                'path': '/security-groups',
            },
            {
                'method': 'GET',
                'path': '/security-groups/{id}',
            },
        ]
    ),
    policy.DocumentedRuleDefault(
        'create_security_group:provider',
        base.RULE_ADMIN_ONLY,
        'Create a security group with ``provider`` attribute',
        [
            {
                'method': 'POST',
                'path': '/security-groups',
            },
        ]
    ),
    policy.DocumentedRuleDefault(
        'create_security_group:policy',
        base.RULE_ADMIN_ONLY,
        'Create a security group with ``policy`` attribute',
        [
            {
                'method': 'POST',
                'path': '/security-groups',
            },
        ]
    ),
    policy.DocumentedRuleDefault(
        'update_security_group:policy',
        base.RULE_ADMIN_ONLY,
        'Update ``policy`` attribute of a security group',
        [
            {
                'method': 'PUT',
                'path': '/security-groups/{id}',
            },
        ]
    ),
]


def list_rules():
    return rules
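
An added example, not part of the vmware-nsx repository: defaults registered in code like the rules above can still be overridden by an operator's policy file, so this stdlib-only check flags overrides that loosen the six admin-only attribute rules. It assumes `base.RULE_ADMIN_ONLY` resolves to `'rule:admin_only'` (its value is not shown on this page); the function name `audit_overrides` and the sample policy file are constructed for illustration.

```python
import json

# Rule names are the ones registered in the file above. The check string behind
# base.RULE_ADMIN_ONLY is not shown on this page; 'rule:admin_only' is assumed.
ASSUMED_ADMIN_ONLY = 'rule:admin_only'
ATTRIBUTE_RULES = (
    'create_security_group:logging',
    'update_security_group:logging',
    'get_security_group:logging',
    'create_security_group:provider',
    'create_security_group:policy',
    'update_security_group:policy',
)
# oslo.policy check strings: '' and '@' always allow, '!' always denies.
ALWAYS_ALLOW = {'', '@'}
NOT_WEAKER = {ASSUMED_ADMIN_ONLY, '!'}


def audit_overrides(policy_json):
    """Return sorted (rule, check, finding) tuples for risky overrides."""
    overrides = json.loads(policy_json)
    findings = []
    alias = ASSUMED_ADMIN_ONLY.split(':', 1)[1]
    if alias in overrides:
        # Redefining the alias changes all six attribute rules at once.
        findings.append((alias, overrides[alias], 'alias redefined'))
    for name in ATTRIBUTE_RULES:
        if name not in overrides:
            continue  # the in-code default still applies
        check = ' '.join(str(overrides[name]).split())
        if check in NOT_WEAKER:
            continue
        finding = ('open to any user' if check in ALWAYS_ALLOW
                   else 'differs from admin-only')
        findings.append((name, check, finding))
    return sorted(findings)


# Constructed sample override file (not from the vmware-nsx repository).
SAMPLE_POLICY_JSON = '''{
    "create_security_group:logging": "",
    "update_security_group:policy": "rule:admin_or_owner",
    "get_security_group:logging": "rule:admin_only",
    "create_port": "rule:regular_user"
}'''

if __name__ == '__main__':
    for rule, check, finding in audit_overrides(SAMPLE_POLICY_JSON):
        print(f'{rule}: {check!r} -> {finding}')
```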