From d599fdec599db99f3c8b73ffce18a140bae8e629 Mon Sep 17 00:00:00 2001
From: David Lyle
Date: Fri, 3 Jun 2016 15:06:59 -0600
Subject: [PATCH] The neutron policy file is out of date.

This patch updates it to match neutron master. Since the neutron policy was last updated, LBaaS, VPNaaS, and FWaaS, have all been moved out of the neutron repo. When that was done, apparently all policy support was removed as well. This patch retains the related policy checks matching the old policy file rules. If operators use the new policy file, the policy checks are harmless, as the definition won't be found which will result in policy.check returning True. Additionally, the get_network call for the update network view was modified to not have the subnet info populated as it's not used in the form.

Change-Id: I6c40b99e88937d428a8e21fa28cdbc8a4190eb57
---
 openstack_dashboard/conf/neutron_policy.json | 190 +++++++++++-------
 .../dashboards/admin/networks/tests.py | 12 +-
 .../project/networks/subnets/tables.py | 2 +
 .../dashboards/project/networks/tables.py | 4 +-
 .../dashboards/project/networks/tests.py | 13 +-
 .../dashboards/project/networks/views.py | 5 +-
 openstack_dashboard/policy.py | 1 +
 7 files changed, 139 insertions(+), 88 deletions(-)

diff --git a/openstack_dashboard/conf/neutron_policy.json b/openstack_dashboard/conf/neutron_policy.json
index 79f0b6b33f..36b1622504 100644
--- a/openstack_dashboard/conf/neutron_policy.json
+++ b/openstack_dashboard/conf/neutron_policy.json
@@ -1,107 +1,140 @@
 {
 "context_is_admin": "role:admin",
- "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
- "admin_or_network_owner": "rule:context_is_admin or project_id:%(network:project_id)s",
+ "owner": "tenant_id:%(tenant_id)s",
+ "admin_or_owner": "rule:context_is_admin or rule:owner",
+ "context_is_advsvc": "role:advsvc",
+ "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
+ "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
 "admin_only": "rule:context_is_admin",
 "regular_user": "",
 "shared": "field:networks:shared=True",
 "shared_firewalls": "field:firewalls:shared=True",
+ "shared_firewall_policies": "field:firewall_policies:shared=True",
+ "shared_subnetpools": "field:subnetpools:shared=True",
+ "shared_address_scopes": "field:address_scopes:shared=True",
 "external": "field:networks:router:external=True",
 "default": "rule:admin_or_owner",
- "subnets:private:read": "rule:admin_or_owner",
- "subnets:private:write": "rule:admin_or_owner",
- "subnets:shared:read": "rule:regular_user",
- "subnets:shared:write": "rule:admin_only",
- "create_subnet": "rule:admin_or_network_owner",
+ "create_subnet:segment_id": "rule:admin_only",
 "get_subnet": "rule:admin_or_owner or rule:shared",
+ "get_subnet:segment_id": "rule:admin_only",
 "update_subnet": "rule:admin_or_network_owner",
 "delete_subnet": "rule:admin_or_network_owner",
+ "create_subnetpool": "",
+ "create_subnetpool:shared": "rule:admin_only",
+ "create_subnetpool:is_default": "rule:admin_only",
+ "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
+ "update_subnetpool": "rule:admin_or_owner",
+ "update_subnetpool:is_default": "rule:admin_only",
+ "delete_subnetpool": "rule:admin_or_owner",
+
+ "create_address_scope": "",
+ "create_address_scope:shared": "rule:admin_only",
+ "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
+ "update_address_scope": "rule:admin_or_owner",
+ "update_address_scope:shared": "rule:admin_only",
+ "delete_address_scope": "rule:admin_or_owner",
+
 "create_network": "",
- "get_network": "rule:admin_or_owner or rule:shared or rule:external",
+ "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
 "get_network:router:external": "rule:regular_user",
 "get_network:segments": "rule:admin_only",
 "get_network:provider:network_type": "rule:admin_only",
 "get_network:provider:physical_network": "rule:admin_only",
 "get_network:provider:segmentation_id": "rule:admin_only",
 "get_network:queue_id": "rule:admin_only",
+ "get_network_ip_availabilities": "rule:admin_only",
+ "get_network_ip_availability": "rule:admin_only",
 "create_network:shared": "rule:admin_only",
 "create_network:router:external": "rule:admin_only",
+ "create_network:is_default": "rule:admin_only",
 "create_network:segments": "rule:admin_only",
 "create_network:provider:network_type": "rule:admin_only",
 "create_network:provider:physical_network": "rule:admin_only",
 "create_network:provider:segmentation_id": "rule:admin_only",
 "update_network": "rule:admin_or_owner",
 "update_network:segments": "rule:admin_only",
+ "update_network:shared": "rule:admin_only",
 "update_network:provider:network_type": "rule:admin_only",
 "update_network:provider:physical_network": "rule:admin_only",
 "update_network:provider:segmentation_id": "rule:admin_only",
+ "update_network:router:external": "rule:admin_only",
 "delete_network": "rule:admin_or_owner",
+ "create_segment": "rule:admin_only",
+ "get_segment": "rule:admin_only",
+ "update_segment": "rule:admin_only",
+ "delete_segment": "rule:admin_only",
+
+ "network_device": "field:port:device_owner=~^network:",
 "create_port": "",
- "create_port:mac_address": "rule:admin_or_network_owner",
- "create_port:fixed_ips": "rule:admin_or_network_owner",
- "create_port:port_security_enabled": "rule:admin_or_network_owner",
+ "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
+ "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+ "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+ "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "create_port:binding:host_id": "rule:admin_only",
 "create_port:binding:profile": "rule:admin_only",
- "create_port:mac_learning_enabled": "rule:admin_or_network_owner",
- "get_port": "rule:admin_or_owner",
+ "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
+ "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
+ "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
 "get_port:queue_id": "rule:admin_only",
 "get_port:binding:vif_type": "rule:admin_only",
- "get_port:binding:capabilities": "rule:admin_only",
+ "get_port:binding:vif_details": "rule:admin_only",
 "get_port:binding:host_id": "rule:admin_only",
 "get_port:binding:profile": "rule:admin_only",
- "update_port": "rule:admin_or_owner",
- "update_port:fixed_ips": "rule:admin_or_network_owner",
- "update_port:port_security_enabled": "rule:admin_or_network_owner",
+ "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
+ "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
+ "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
+ "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+ "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "update_port:binding:host_id": "rule:admin_only",
 "update_port:binding:profile": "rule:admin_only",
- "update_port:mac_learning_enabled": "rule:admin_or_network_owner",
- "delete_port": "rule:admin_or_owner",
+ "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
+ "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
+ "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
+ "get_router:ha": "rule:admin_only",
+ "create_router": "rule:regular_user",
 "create_router:external_gateway_info:enable_snat": "rule:admin_only",
+ "create_router:distributed": "rule:admin_only",
+ "create_router:ha": "rule:admin_only",
+ "get_router": "rule:admin_or_owner",
+ "get_router:distributed": "rule:admin_only",
 "update_router:external_gateway_info:enable_snat": "rule:admin_only",
+ "update_router:distributed": "rule:admin_only",
+ "update_router:ha": "rule:admin_only",
+ "delete_router": "rule:admin_or_owner",
- "create_ikepolicy": "rule:admin_or_owner",
- "update_ikepolicy": "rule:admin_or_owner",
- "delete_ikepolicy": "rule:admin_or_owner",
+ "add_router_interface": "rule:admin_or_owner",
+ "remove_router_interface": "rule:admin_or_owner",
- "create_ipsecpolicy": "rule:admin_or_owner",
- "update_ipsecpolicy": "rule:admin_or_owner",
- "delete_ipsecpolicy": "rule:admin_or_owner",
-
- "create_vpnservice": "rule:admin_or_owner",
- "update_vpnservice": "rule:admin_or_owner",
- "delete_vpnservice": "rule:admin_or_owner",
-
- "create_ipsec_site_connection": "rule:admin_or_owner",
- "update_ipsec_site_connection": "rule:admin_or_owner",
- "delete_ipsec_site_connection": "rule:admin_or_owner",
+ "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
+ "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
 "create_firewall": "",
 "get_firewall": "rule:admin_or_owner",
 "create_firewall:shared": "rule:admin_only",
 "get_firewall:shared": "rule:admin_only",
 "update_firewall": "rule:admin_or_owner",
+ "update_firewall:shared": "rule:admin_only",
 "delete_firewall": "rule:admin_or_owner",
 "create_firewall_policy": "",
- "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
+ "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
 "create_firewall_policy:shared": "rule:admin_or_owner",
 "update_firewall_policy": "rule:admin_or_owner",
 "delete_firewall_policy": "rule:admin_or_owner",
- "create_firewall_rule": "",
- "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
- "create_firewall_rule:shared": "rule:admin_or_owner",
- "get_firewall_rule:shared": "rule:admin_or_owner",
- "update_firewall_rule": "rule:admin_or_owner",
- "delete_firewall_rule": "rule:admin_or_owner",
 "insert_rule": "rule:admin_or_owner",
 "remove_rule": "rule:admin_or_owner",
+ "create_firewall_rule": "",
+ "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
+ "update_firewall_rule": "rule:admin_or_owner",
+ "delete_firewall_rule": "rule:admin_or_owner",
+
 "create_qos_queue": "rule:admin_only",
 "get_qos_queue": "rule:admin_only",
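Review bot: `create_subnet` is removed in this hunk (the `-` line directly after `subnets:shared:write`) and nothing re-adds it, only `create_subnet:segment_id` appears; unless neutron master really dropped the key this looks like an accidental deletion, and `"create_subnet": "rule:admin_or_network_owner",` should be restored above `create_subnet:segment_id`. The dashboard's `CreateSubnet` action still checks `("network", "create_subnet")` elsewhere in this patch, so with the key gone that check resolves through `"default": "rule:admin_or_owner"`, which matches the caller's own tenant rather than the network's owner, and the Create Subnet button may be offered on shared or external networks owned by another project (neutron still enforces server-side, so this is UI gating, not a bypass). The same fallback undercuts the commit message's assumption that an undefined rule makes the check return True: as far as I can tell oslo.policy evaluates the `default` rule whenever one is defined, so the retained LBaaS/VPNaaS/FWaaS checks will evaluate `rule:owner` (which needs a `tenant_id` key in the target) rather than being skipped.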
@@ -119,40 +152,11 @@
 "get_l3-agents": "rule:admin_only",
 "get_loadbalancer-agent": "rule:admin_only",
 "get_loadbalancer-pools": "rule:admin_only",
-
- "create_pool": "rule:admin_or_owner",
- "update_pool": "rule:admin_or_owner",
- "delete_pool": "rule:admin_or_owner",
-
- "create_vip": "rule:admin_or_owner",
- "update_vip": "rule:admin_or_owner",
- "delete_vip": "rule:admin_or_owner",
-
- "create_member": "rule:admin_or_owner",
- "update_member": "rule:admin_or_owner",
- "delete_member": "rule:admin_or_owner",
-
- "create_health_monitor": "rule:admin_or_owner",
- "update_health_monitor": "rule:admin_or_owner",
- "delete_health_monitor": "rule:admin_or_owner",
-
- "create_pool_health_monitor": "rule:admin_or_owner",
- "delete_pool_health_monitor": "rule:admin_or_owner",
-
- "create_router": "rule:regular_user",
- "get_router": "rule:admin_or_owner",
- "update_router": "rule:admin_or_owner",
- "add_router_interface": "rule:admin_or_owner",
- "remove_router_interface": "rule:admin_or_owner",
- "delete_router": "rule:admin_or_owner",
- "get_router:distributed": "rule:admin_only",
- "create_router:distributed": "rule:admin_only",
- "update_router:distributed": "rule:admin_only",
- "get_router:ha": "rule:admin_only",
- "create_router:ha": "rule:admin_only",
- "update_router:ha": "rule:admin_only",
+ "get_agent-loadbalancers": "rule:admin_only",
+ "get_loadbalancer-hosting-agent": "rule:admin_only",
 "create_floatingip": "rule:regular_user",
+ "create_floatingip:floating_ip_address": "rule:admin_only",
 "update_floatingip": "rule:admin_or_owner",
 "delete_floatingip": "rule:admin_or_owner",
 "get_floatingip": "rule:admin_or_owner",
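Review bot: `"update_router": "rule:admin_or_owner"` is deleted here along with the rest of the router block, but the hunk above that re-creates that block adds only `create_router`, `get_router`, `delete_router`, `add_router_interface` and `remove_router_interface`, so `update_router` is left with no explicit rule and falls through to `"default"`. Because `default` is also `rule:admin_or_owner` the effective result is unchanged today, but the dependency is now implicit and will silently shift if an operator tightens `default`; if neutron master genuinely has no `update_router` entry this can stay, otherwise keep `"update_router": "rule:admin_or_owner",` next to `update_router:distributed`.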
@@ -174,5 +178,45 @@
 "delete_metering_label_rule": "rule:admin_only",
 "get_metering_label_rule": "rule:admin_only",
- "get_service_provider": "rule:regular_user"
+ "get_service_provider": "rule:regular_user",
+ "get_lsn": "rule:admin_only",
+ "create_lsn": "rule:admin_only",
+
+ "create_flavor": "rule:admin_only",
+ "update_flavor": "rule:admin_only",
+ "delete_flavor": "rule:admin_only",
+ "get_flavors": "rule:regular_user",
+ "get_flavor": "rule:regular_user",
+ "create_service_profile": "rule:admin_only",
+ "update_service_profile": "rule:admin_only",
+ "delete_service_profile": "rule:admin_only",
+ "get_service_profiles": "rule:admin_only",
+ "get_service_profile": "rule:admin_only",
+
+ "get_policy": "rule:regular_user",
+ "create_policy": "rule:admin_only",
+ "update_policy": "rule:admin_only",
+ "delete_policy": "rule:admin_only",
+ "get_policy_bandwidth_limit_rule": "rule:regular_user",
+ "create_policy_bandwidth_limit_rule": "rule:admin_only",
+ "delete_policy_bandwidth_limit_rule": "rule:admin_only",
+ "update_policy_bandwidth_limit_rule": "rule:admin_only",
+ "get_policy_dscp_marking_rule": "rule:regular_user",
+ "create_policy_dscp_marking_rule": "rule:admin_only",
+ "delete_policy_dscp_marking_rule": "rule:admin_only",
+ "update_policy_dscp_marking_rule": "rule:admin_only",
+ "get_rule_type": "rule:regular_user",
+
+ "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
+ "create_rbac_policy": "",
+ "create_rbac_policy:target_tenant": "rule:restrict_wildcard",
+ "update_rbac_policy": "rule:admin_or_owner",
+ "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
+ "get_rbac_policy": "rule:admin_or_owner",
+ "delete_rbac_policy": "rule:admin_or_owner",
+
+ "create_flavor_service_profile": "rule:admin_only",
+ "delete_flavor_service_profile": "rule:admin_only",
+ "get_flavor_service_profile": "rule:regular_user",
+ "get_auto_allocated_topology": "rule:admin_or_owner"
 }
diff --git a/openstack_dashboard/dashboards/admin/networks/tests.py b/openstack_dashboard/dashboards/admin/networks/tests.py
index 89615027c1..d54b7a3b2a 100644
--- a/openstack_dashboard/dashboards/admin/networks/tests.py
+++ b/openstack_dashboard/dashboards/admin/networks/tests.py
@@ -622,8 +622,8 @@ class NetworkTests(test.BaseAdminViewTests):
 @test.create_stubs({api.neutron: ('network_get',)})
 def test_network_update_get(self):
 network = self.networks.first()
- api.neutron.network_get(IsA(http.HttpRequest), network.id)\
- .AndReturn(network)
+ api.neutron.network_get(IsA(http.HttpRequest), network.id,
+ expand_subnet=False).AndReturn(network)
 self.mox.ReplayAll()
@@ -657,8 +657,8 @@ class NetworkTests(test.BaseAdminViewTests):
 api.neutron.network_update(IsA(http.HttpRequest), network.id,
 **params)\
 .AndReturn(network)
- api.neutron.network_get(IsA(http.HttpRequest), network.id)\
- .AndReturn(network)
+ api.neutron.network_get(IsA(http.HttpRequest), network.id,
+ expand_subnet=False).AndReturn(network)
 self.mox.ReplayAll()
 form_data = {'network_id': network.id,
@@ -683,8 +683,8 @@ class NetworkTests(test.BaseAdminViewTests):
 api.neutron.network_update(IsA(http.HttpRequest), network.id,
 **params)\
 .AndRaise(self.exceptions.neutron)
- api.neutron.network_get(IsA(http.HttpRequest), network.id)\
- .AndReturn(network)
+ api.neutron.network_get(IsA(http.HttpRequest), network.id,
+ expand_subnet=False).AndReturn(network)
 self.mox.ReplayAll()
 form_data = {'network_id': network.id,
diff --git a/openstack_dashboard/dashboards/project/networks/subnets/tables.py b/openstack_dashboard/dashboards/project/networks/subnets/tables.py
index c5dc55d939..e4676b09f9 100644
--- a/openstack_dashboard/dashboards/project/networks/subnets/tables.py
+++ b/openstack_dashboard/dashboards/project/networks/subnets/tables.py
@@ -50,6 +50,8 @@ class SubnetPolicyTargetMixin(policy.PolicyTargetMixin):
 policy_target = super(SubnetPolicyTargetMixin, self)\
 .get_policy_target(request, datum)
 network = self.table._get_network()
+ # neutron switched policy target values, we'll support both
+ policy_target["network:tenant_id"] = network.tenant_id
 policy_target["network:project_id"] = network.tenant_id
 return policy_target
diff --git a/openstack_dashboard/dashboards/project/networks/tables.py b/openstack_dashboard/dashboards/project/networks/tables.py
index e3cd0de19d..95b5fa6c9b 100644
--- a/openstack_dashboard/dashboards/project/networks/tables.py
+++ b/openstack_dashboard/dashboards/project/networks/tables.py
@@ -123,7 +123,9 @@ class CreateSubnet(policy.PolicyTargetMixin, CheckNetworkEditable,
 classes = ("ajax-modal",)
 icon = "plus"
 policy_rules = (("network", "create_subnet"),)
- policy_target_attrs = (("network:project_id", "tenant_id"),)
+ # neutron has used both in their policy files, supporting both
+ policy_target_attrs = (("network:tenant_id", "tenant_id"),
+ ("network:project_id", "tenant_id"),)
 def allowed(self, request, datum=None):
 usages = quotas.tenant_quota_usages(request)
diff --git a/openstack_dashboard/dashboards/project/networks/tests.py b/openstack_dashboard/dashboards/project/networks/tests.py
index f74dde6e6d..5c83ff834c 100644
--- a/openstack_dashboard/dashboards/project/networks/tests.py
+++ b/openstack_dashboard/dashboards/project/networks/tests.py
@@ -1056,9 +1056,8 @@ class NetworkTests(test.TestCase, NetworkStubMixin):
 @test.create_stubs({api.neutron: ('network_get',)})
 def test_network_update_get(self):
 network = self.networks.first()
- api.neutron.network_get(IsA(http.HttpRequest), network.id)\
- .AndReturn(network)
-
+ api.neutron.network_get(IsA(http.HttpRequest), network.id,
+ expand_subnet=False).AndReturn(network)
 self.mox.ReplayAll()
 url = reverse('horizon:project:networks:update', args=[network.id])
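Review bot: In the `CreateSubnet` hunk, `policy_target_attrs` replaces the base mixin's tuple instead of extending it, so the `("tenant_id", "tenant_id")` entry this same patch adds to `PolicyTargetMixin` never reaches this action's target, which carries only `network:tenant_id` and `network:project_id`. That is sufficient while `create_subnet` resolves to `admin_or_network_owner`, but any rule that ends up at `rule:owner` (`tenant_id:%(tenant_id)s`) would find no `tenant_id` key unless the enforcer fills it in from the request user — neither `get_policy_target` nor the enforcer is visible from here, so I cannot confirm which. If the intent is to stay in step with the base class, `policy_target_attrs = policy.PolicyTargetMixin.policy_target_attrs + (("network:tenant_id", "tenant_id"), ("network:project_id", "tenant_id"),)` does that in one line; the class body continues past the hunk. Either way the new comment would be clearer as `# neutron policy files have keyed network ownership on both network:project_id and network:tenant_id; emit both`.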
@@ -1089,8 +1088,8 @@ class NetworkTests(test.TestCase, NetworkStubMixin):
 admin_state_up=network.admin_state_up,
 shared=network.shared)\
 .AndReturn(network)
- api.neutron.network_get(IsA(http.HttpRequest), network.id)\
- .AndReturn(network)
+ api.neutron.network_get(IsA(http.HttpRequest), network.id,
+ expand_subnet=False).AndReturn(network)
 self.mox.ReplayAll()
 form_data = {'network_id': network.id,
@@ -1107,13 +1106,13 @@ class NetworkTests(test.TestCase, NetworkStubMixin):
 'network_get',)})
 def test_network_update_post_exception(self):
 network = self.networks.first()
+ api.neutron.network_get(IsA(http.HttpRequest), network.id,
+ expand_subnet=False).AndReturn(network)
 api.neutron.network_update(IsA(http.HttpRequest), network.id,
 name=network.name,
 admin_state_up=network.admin_state_up,
 shared=False)\
 .AndRaise(self.exceptions.neutron)
- api.neutron.network_get(IsA(http.HttpRequest), network.id)\
- .AndReturn(network)
 self.mox.ReplayAll()
 form_data = {'network_id': network.id,
diff --git a/openstack_dashboard/dashboards/project/networks/views.py b/openstack_dashboard/dashboards/project/networks/views.py
index 2a74746ff2..236c6e2fa1 100644
--- a/openstack_dashboard/dashboards/project/networks/views.py
+++ b/openstack_dashboard/dashboards/project/networks/views.py
@@ -97,7 +97,10 @@ class UpdateView(forms.ModalFormView):
 def _get_object(self, *args, **kwargs):
 network_id = self.kwargs['network_id']
 try:
- return api.neutron.network_get(self.request, network_id)
+ # no subnet values are read or editable in this view, so
+ # save the subnet expansion overhead
+ return api.neutron.network_get(self.request, network_id,
+ expand_subnet=False)
 except Exception:
 redirect = self.success_url
 msg = _('Unable to retrieve network details.')
diff --git a/openstack_dashboard/policy.py b/openstack_dashboard/policy.py
index 6bcb2242c7..8f8c1733f0 100644
--- a/openstack_dashboard/policy.py
+++ b/openstack_dashboard/policy.py
@@ -39,6 +39,7 @@ class PolicyTargetMixin(object):
 """
 policy_target_attrs = (("project_id", "tenant_id"),
+ ("tenant_id", "tenant_id"),
 ("user_id", "user_id"),
 ("domain_id", "domain_id"),
 ("target.project.domain_id", "domain_id"),
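Review bot: The new `("tenant_id", "tenant_id")` entry carries no explanation of why the same datum attribute is now emitted under two target keys, and a reader of this tuple alone cannot tell that one key serves neutron's `tenant_id:%(tenant_id)s` rules and the other the `project_id:%(project_id)s` form used by other services; I would annotate the line with `# neutron's policy file matches ownership on tenant_id, other services on project_id; emit both`. The class docstring that closes just above the hunk is the other natural place for that sentence. It is also worth a word that a datum without a `tenant_id` attribute presumably leaves both keys empty, which makes `rule:owner` fail closed rather than open — so nobody later "fixes" it by defaulting the target to the request user. `get_policy_target`, which consumes this tuple, lies outside the hunk.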