71 Commits

Author SHA1 Message Date
James Arendt
6bc53cc7f8 Fix Neutron flavor framework
Make flavor service profile store actual driver instead of
hardcoded dummy driver.  Ensure service type on flavor persisted.

Raise ServiceProfileDriverNotFound if non-empty driver is not part
of ServiceTypeManager providers.

Raise ServiceProfileEmpty if profile has neither a driver nor
any metainfo.

Raise InvalidFlavorServiceType if invalid service type passed.

Show flavors associated with a profile, not just profiles associated
with a flavor, to ease diagnosis when ServiceProfileInUse raised.

Create method to extract provider given a flavor for use with
neutron-lbaas plus tests.

Ensure various boolean forms accepted for enabled flag.

To enable in DevStack, add to local.conf:
enable_plugin neutron https://git.openstack.org/openstack/neutron
enable_service q-flavors

Add associated unit tests. Fix tempest api test that used invalid
LOADBALANCERS service type.

Change-Id: I5c22ab655a8e2a2e586c10eae9de9b72db49755f
Implements: blueprint neutron-flavor-framework
2015-11-19 11:27:05 -08:00
John Davidge
6ee91e56c8 Replace subnetpool config options with admin-only API
This patch adds a new boolean 'is_default' property to subnetpools. This
allows the admin to set the default v4/v6 subnetpools via the API rather
than the existing neutron.conf options - which are deprecated by this patch.

Only one subnetpool per IP family can be set to default.

DocImpact
ApiImpact

Co-Authored-By: Carl Baldwin <carl@ecbaldwin.net>

Change-Id: I5daba2347cfb91fac0b155b2c1b459ee7d9e4505
Closes-Bug: 1501328
2015-11-06 17:16:31 +00:00
Kevin Benton
bbca973986 Stop device_owner from being set to 'network:*'
This patch adjusts the FieldCheck class in the policy engine to
allow a regex rule. It then leverages that to prevent users from
setting the device_owner field to anything that starts with
'network:' on networks which they do not own.

This policy adjustment is necessary because any ports with a
device_owner that starts with 'network:' will not have any security
group rules applied because it is assumed they are trusted network
devices (e.g. router ports, DHCP ports, etc). These security rules
include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
and IP headers.

Without this policy adjustment, tenants can abuse this trust when
connected to a shared network with other tenants by setting their
VM port's device_owner field to 'network:<anything>' and hijack other
tenants' traffic via DHCP spoofing or MAC/IP spoofing.

Closes-Bug: #1489111
Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9
2015-09-08 15:00:13 +00:00
gong yong sheng
20459979e0 Add empty policy rule to get_rule_type action
Without this empty policy rule, get_rule_type will use default, which
will demand admin role or tenant_id in object. but rule_type has no
tenant_id in its body.

Change-Id: I92b1222fbcdc2efd13ca6f586cfefefc55b59189
Closes-bug: #1487324
2015-08-24 17:43:08 +08:00
Kevin Benton
4595899f7f Neutron RBAC API and network support
This adds the new API endpoint to create, update, and delete
role-based access control entries. These entries enable tenants
to grant access to other tenants to perform an action on an object
they do not own.

This was previously done using a single 'shared' flag; however, this
was too coarse because an object would either be private to a tenant
or it would be shared with every tenant.

In addition to introducing the API, this patch also adds support to
for the new entries in Neutron networks. This means tenants can now
share their networks with specific tenants as long as they know the
tenant ID.

This feature is backwards-compatible with the previous 'shared'
attribute in the API. So if a deployer doesn't want this new feature
enabled, all of the RBAC operations can be blocked in policy.json and
networks can still be globally shared in the legacy manner.

Even though this feature is referred to as role-based access control,
this first version only supports sharing networks with specific
tenant IDs because Neutron currently doesn't have integration with
Keystone to handle changes in a tenant's roles/groups/etc.

DocImpact
APIImpact

Change-Id: Ib90e2a931df068f417faf26e9c3780dc3c468867
Partially-Implements: blueprint rbac-networks
2015-08-20 20:00:17 -07:00
Miguel Angel Ajo
6d6980903c Fix tenant access to qos policies
fix policy.json to not allow tenants to create policies or rules
by default and allow tenants attach ports and networks to policies,
please note that policy access is checked in the QoSPolicy neutron
object in such case.

Closes-Bug: #1485858

Change-Id: Ide1cd30979f99612fe89dddf3dc0e029d3f4d34a
2015-08-19 04:58:41 +00:00
Ihar Hrachyshka
d3708de0cb Merge remote-tracking branch 'origin/feature/qos' into merge-branch
Also applied the following fixes:

===

1. cleaned up some pylint failures that were not spotted before:

Module neutron.objects.qos.policy: Metaclass class method __new__ should
have 'mcs' as first argument

Module neutron.objects.qos.rule: Lambda may not be necessary

===

2. Revert "Introduce the AFTER_READ callback for ports and networks"

This reverts commit e3dba1424114575581c153e02227282e036ad0a2.

We don't use callbacks to extend resources anymore, instead relying on
ml2 extension drivers. No need for the patch to achieve QoS, and it also
breaks test_delete_subnet_with_callback that was added in master
recently.

===

3. updated requirements.txt and test-requirements.txt based on:

https://review.openstack.org/#/c/204398/

to avoid requirements gate checks failing due to incompatible
requirements comparing to global-requirements.txt

Change-Id: I744ab2d8327a428a5467f2d07d073a5f8c333520
2015-07-23 11:48:57 +02:00
Eugene Nikanorov
e0eed14a1e Flavor Framework implementation
This patch introduces API and DB plugin for flavor framework.
API adds Flavors and Service Profiles which are resources
available only for admins to operate.

This framework then should be leveraged by advanced services.

Included tempest API tests in neutron tree

Implements: blueprint neutron-flavor-framework
Change-Id: I99ba0ce520ae3d8696eca5c994777c7d5ba3d4b1
Co-Authored-By: Doug Wiegley <dougw@a10networks.com>
Co-Authored-By: Madhusudhan Kandadai <madhusudhan.kandadai@hp.com>
2015-07-16 09:07:41 -07:00
Ihar Hrachyshka
2fed2617cd Merge remote-tracking branch 'origin/feature/qos' into merge-branch
Change-Id: I7f2342d62634f5b4af3a083cc1aaff46efe28519
2015-07-07 16:01:17 +02:00
vikram.choudhary
cbd95318ad Support Basic Address Scope CRUD as extensions
This patch adds the support for basic address scope CRUD.
Subsequent patches will be added to use this address scope
on subnet pools.

DocImpact
APIImpact

Co-Authored-By: Ryan Tidwell <rktidwell85@gmail.com>
Co-Authored-By: Numan Siddique <nusiddiq@redhat.com>
Change-Id: Icabdd22577cfda0e1fbf6042e4b05b8080e54fdb
Partially-implements:  blueprint address-scopes
2015-07-02 13:49:06 +05:30
Miguel Angel Ajo
96d1cb1ae2 Create the QoS API extension stub
This patch introduces the QoS API extension, in a basic
form where we could, in combination with the service plugin
stub, start creating some experimental test jobs that install
the service plugin.

Please not that URL mapping is not fully according to spec,
neither it does include any testing. We need to work that out.

blueprint quantum-qos-api
Change-Id: I86e8048e2d9b84690dbede9a94cfc884985069c5
2015-06-29 17:50:43 +03:00
Yushiro FURUKAWA
f1b4dfd52b Add missed actions into policy.json
This patch adds following actions into policy.json.

  1. v2.0/fw/firewall_policies/{firewall_policy_id}/insert_rule
  2. v2.0/fw/firewall_policies/{firewall_policy_id}/remove_rule

Closes-Bug: #1439383
Change-Id: I8051a97852f0f1f21bf266c16a477a5e2fd32062
2015-05-08 07:29:04 +09:00
Kevin Benton
927399c011 Block allowed address pairs on other tenants' net
Don't allow tenants to use the allowed address pairs extension
when they are attaching a port to a network that does not belong
to them.

This is done because allowed address pairs can allow things like
ARP spoofing and all tenants attached to a shared network might not
implicitly trust each other.

Change-Id: Ie6c3e8ad04103804e40f2b043202387385e62ca5
Closes-Bug: #1447242
2015-04-21 11:28:59 -07:00
Ryan Tidwell
6f610d2d87 Basic subnetpool CRUD
Enable creating, reading, updating, and deleting subnet pools via REST API.
Includes required changes to REST, model, alembic migrations, and unit tests.
Subnet pools carry a list of IPv4 or IPv6 prefixes from which a subnet can be
allocated. This will enable tenants to request a subnet from a pool rather
than being forced to explicitly provide their own CIDR's for their subnets.
This change simply enables managing the lifecycle of a subnet pool and does
not yet enable allocation of subnet prefixes from a pool.

Subnet pools can have their prefix bounds (min, max, default), name, and
prefix list updated. Changes to prefix bounds do not alter existing
allocations and will not be blocked by existing allocations. Prefix lists can
only be appended to. Prefixes cannot be removed from the pool once added.

ApiImpact
Partially-Implements: blueprint subnet-allocation
Change-Id: I88c6b15aab258069758f1a9423d6616ceb4a33c4
2015-03-18 22:53:50 -07:00
Sumit Naiksatam
668be7e869 Fix retrieval of shared firewall_policies
Incorrect rule in the policy.json prevents the visibility
of shared firewall_policies.

Change-Id: I6541d363f1ca4ae89b9dddab41a8f20522e50df8
Closes-bug: 1426586
2015-02-27 15:41:59 -08:00
Brandon Logan
6ddd58a46b Added a policy for retrieving the agent hosting a load balancer
LBaaS V2 needs a separate policy from V1 that will allow only an admin
to retrieve the agent hosting a particular load balancer.

Change-Id: Ida9c3ce15cf14431072d5505396bca11aa92b276
2015-02-26 11:03:28 -06:00
Brandon Logan
572aaa8abd Added policy for lbaas v2 agent extension resource
Adding get_agent-loadbalancers policy only because v2 can
reuse the get_loadbalancer-agent policy from v1.
get_loadbalancer-pools doesn't make sense as a policy for
v2 because pools are no longer the root object.

Change-Id: Ic9179ef0a95b91d1b7662537fffeb0a949efc925
2015-02-11 14:57:26 -06:00
ChuckC
cf99eb988e Allow port mac_address to be modified
With ironic servers, a NIC can fail and be replaced with one that has a
different mac.  The corresponding neutron port needs to be updated with
the new mac address so the NIC can be guaranteed to retain the same IP
address.

This change enables this feature in the ml2 plugin.  There may need to
be changes to other plugins to disable or complete the implementation of
this feature.

Closes-Bug: #1341268
Partially-implements: blueprint allow-mac-to-be-updated
APIImpact: Ports
DocImpact: minor port update api change
Change-Id: I1864c0882cda7eddc9ced519ed3f96c91b2b63f3
2015-01-29 15:00:21 -08:00
Jenkins
a46af7629c Merge "Allow setting a tenant router's external IP" 2014-12-30 00:07:14 +00:00
fujioka yuuichi
e4f5b0d986 Allow to specify IP address of floating ip
IP address of floating ip will be automatically allocated.
There are cases where users need to specify a floating IP address.
This patch addresses the problem.

The feature is limited by "create_floatingip:floating_ip_address" in
"policy.json".
By default, it needs an admin role.

DocImpact
APIImpact

Implements: blueprint allow-specific-floating-ip-address

Change-Id: Iba64a0f0a38ca5eb39c605e121a12c956637b96c
2014-12-26 02:25:00 +00:00
Kevin Benton
66f5eadec0 Allow setting a tenant router's external IP
Adds an external_ip option to the router creation
and update operations to set the IP address the router
will try to use as its fixed IP on the external network
it's attached to. By default this is restricted to an
admin-only operation by policy.json.

DocImpact
ApiImpact

Implements: blueprint specify-router-ext-ip
Closes-Bug: #1188427
Change-Id: Iba7c606eea48181fc10e9d0d5dc667e6f48f37de
2014-12-19 02:04:02 -08:00
Kyle Mestery
d4f00659eb Add advsvc role to neutron policy file
Add in a default "advsvc" user and the logic in the Neutron policy
infrastructure which will allow this user to create/get/update/delete
ports on other tenants networks, as well as view other tenants
networks. This is for the use case of letting advanced services have
a user to put ports on other tenants networks. By default, we do not
define any roles for the policy "context_is_advsvc", but rely on
operators to specify the likely value of "role advsvc".

DocImpact

Closes-Bug: #1331836

Change-Id: I94cb3383eb1fed793934719603f888dbbdbbd85a
Co-Authored-By: Susanne Balle <sleipnir012@gmail.com>
2014-10-27 12:49:27 +00:00
Sylvain Afchain
5730d87c26 Add L3 VRRP HA base classes
Add L3 HA base classes on the plugin side. A new admin-only ha
attribute is added to the API router resource. Conversion from
or to HA router is possible. Each tenant gets a single network
used for HA traffic. The tenant_id for that network is set to
'' so that it isn't visible via the CLI or GUI. A new table
is added to map a tenant to its HA network. Specific HA
attributes are added to the extra router attributes table.
Finally, each HA router gets a port on the HA network, per
l3 agent it is scheduled on. A new table is added to track
these bindings. A new table is added in order to track
VRID allocations.

DVR integration is not expected to work. Any issues will
be reported as bugs and handled after the feature merges.
Migrating a router to HA or from HA works server side
but is not expected to work (Yet) agent side. This will be
dealt with as a bug in the future.

DocImpact
Partially-implements: blueprint l3-high-availability
Change-Id: I9d935cf5e0c231e8cb7af5f61b9a9fc552c3521e
Co-Authored-By: Assaf Muller <amuller@redhat.com>
2014-09-10 12:06:13 +00:00
Salvatore
1cad794156 Remove old policies from policy.json
They're confused, misleading, and most importantly unused.

Change-Id: I22130ce3147617f8fb7baba7a50bada128d40e08
Closes-Bug: #1362618
2014-08-28 20:29:13 +02:00
Elena Ezhova
971747f4f2 Fix policy rules for adding and removing router interfaces
Currently "add_router_interface" and "remove_router_interface"
policy rules have the "update_router" prefix and thus are never
enforced. Removing the prefix activates the rules.

Also moved some rules, so that all router-related rules are
now grouped together.

Closes-Bug: 1356678
Change-Id: Ib6cc45f2c6d0c7ae394274d6196262529b9fd855
2014-08-21 18:48:31 +04:00
Elena Ezhova
dc44496094 Add rule for updating network's router:external attribute
Set admin_only rule for update_network:router:external in policy.json

Also, change the default value of router:external from attr.ATTR_NOT_SPECIFIED
to False, because each time we try to get or update a network the dict with
its attributes is extended by _extend_network_dict_l3 function which adds
router:external=False to the dict if this attribute is not specified.
Thus, if the default value is not specified, router:external is considered
to be updated in any case and the policy rule is applied.

Change-Id: I899d98c7d8c9d9863ac5d8f992b6a2d507ec4482
Closes-Bug: 1338880
2014-07-22 12:27:14 +04:00
Swaminathan Vasudevan
1caa51ea68 Add L3 Extension for Distributed Routers
This patch introduces the model and extension
framework for implementing distributed virtual
routing on top of Open vSwitch.

A new admin-only 'distributed' (as opposed to a
'centralized' or legacy-mode) attribute is added
to the API router resource. It is possible to convert
an existing (centralized) router to a distributed
one; the opposite conversion, even though allowed by
the API, may not be honored by the underlying
plugin implementation and an appropriate error will
be reported.

When creating a router (regardless of the user role),
Neutron will rely on a system wide configuration, whose
default currently allows to create 'centralized' routers.

Tests are added for basic unit coverage; when the first
building blocks for neutron-testing-refactor
are complete, functional testing will be added.
This is because we should be moving away from how
extension tests have been done up until now.

Partially-implements: blueprint neutron-ovs-dvr

DocImpact

Change-Id: I7227fbe2718eba6665a5afb5dcaaaa77b341091f
Authored-by:    Swaminathan Vasudevan <swaminathan.vasudevan@hp.com>
Co-Authored-By: Armando Migliaccio <armamig@gmail.com>
2014-07-16 07:33:43 -07:00
Eugene Nikanorov
0f7cfee155 Disallow regular user to update firewall's shared attribute
Shared firewalls should only be operable by  admins.
Currently only admin can provide shared attribute at firewall creation,
so update_firewall should be consistent with that as well.

Change-Id: I093743514637824207b375d724404d51f778d012
Closes-Bug: #1323322
2014-05-28 17:37:17 +04:00
Salvatore Orlando
9b2b5e1482 Perform policy checks only once on list responses
The policy engine is currently being called for every attribute
of every resource to be returned by a list response. This is
harming the API performance; moreover such a high number of checks
is also unnecessary.

This patch therefore slightly changes the API logic so that list
response first determine the list of attributes which should be
returned querying the policy engine and then use this list for
all resource items to be returned.

To this aim a few methods in base.py needed to be refactored.
This patch also removes the routine check_if_exists from policy.py
and the related PolicyNotFound exception.

Finally, this patch also removes unnecessary admin_or_owner rules
when applied to attributes. This kind of rule indeed has no effect
anyway because of Neutron's ownership checks. The rules were removed
because this change won't allow anymore for having attribute-level
policies whose evaluation result depends on the resource value.

Implements blueprint faster-list-responses

Change-Id: I21b8273add5d5984f512ad94af5a99cf0b0a5d93
2014-05-06 03:52:29 -07:00
Bob Kukura
be8a068943 Replace binding:capabilities with binding:vif_details
In addition to binding:vif_type, the neutron core plugin needs to
supply various information to nova's VIF driver, such as VIF security
details and PCI details when SR-IOV is being used. This information is
read-only, requires admin privileges, and is not intended for normal
users. Rather than add separate mechanisms throughout the stack for
each such requirement, the binding:capabilities port attibute, which
is a dictionary and is not currently not used by nova, is renamed to
binding:vif_details to serve as a general-purpose mechanism for
supplying binding-specific details to the VIF driver.

This patch does not remove or replace the CAP_PORT_FILTER boolean
previously used in binding:capabilities. A separate patch should
implement the specific key/value pairs carried by binding:vif_details
to implement VIF security. Another patch will implement the key/value
pairs needed for SR-IOV.

The ML2 plugin now allows the bound mechanism driver to supply the
binding:vif_details dictionary content, instead of just the
CAP_PORT_FILTER boolean previously carried by the binding:capabilities
attribute.

DocImpact: Need to update portbinding extension API, but no impact on
user or administrator documentation.

Implements: blueprint vif-details
Related-Bug: 1112912
Change-Id: I34be746fcfa73c70f72b4f9add8eff3ac88c723f
2014-02-23 22:56:45 -05:00
Irena Berezovsky
9623e6c967 Add support to request vnic type on port
This patch adds support for requested vnic_type to be plugged to neutron port to ML2 plugin.
This patch contains:
1. New attribute 'binding:vnic_type' added to port binding extension.
   Possible values are 'direct', 'macvtap' and 'normal'.
   'binding:vnic_type' is allowed to be defined on port creation or changed
   on port update by admin or tenant user.
   'binding:vnic_type' can be also skipped in port defintion
2. Management of vnic_type by ML2 plugin, assuming default
vnic_type=normal
3. Add 'vnic_type' to ml2_port_bindings DB table
4. Add supported vnic_types for MechanismDrivers that are capable to bind
port.
5. Add DB migration script for ml2_vnic_type.

DocImpact: Need to update portbindings API docs and include in SR-IOV user docs

Change-Id: Ic88708fa9ece742f807c1d09bb49e499f99bd092
Implements: blueprint ml2-request-vnic-type
2014-02-20 07:29:38 +02:00
armando-migliaccio
deef3471cb Add migration support from agent to NSX dhcp/metadata services
This is feature patch (3 of 3) that introduces support for
transitioning existing NSX-based deployments from the agent
based model of providing dhcp and metadata proxy services
to the new agentless based mode. In 'combined' mode, existing
networks will still be served by the existing infrastructure,
whereas new networks will be served by the new infrastructure.

Networks may be migrated to the model using a new CLI tool
provided, called 'neutron-nsx-manage'. Currently the tool
provides two admin-only commands:

  neutron-nsx-manage net-report <net-id-or-name>

This will check that the network can be migrated and returns
the resources currently in use. And:

  neutron-nsx-manage net-migrate <net-id-or-name>

This will move the network over the new model and deallocate
resources from the agent. Once a network has been migrated
there is no turning back.

Completes-blueprint nsx-integrated-services

Change-Id: I37c9aa0e76124e1023899106406de7be6714c24d
2014-02-10 17:27:14 -08:00
Stephen Ma
e4836bd08c Disallow non-admin users update net's shared attribute
Currently non-admin user cannot create a network with
shared=True. But the user can create the network and then
change the shared attribute to True.

This patch will no longer allow non-admin user to update a
network's shared value to True.

Change-Id: Id596ee399c56b9882efab97a89dbf7d14c5cf7f4
Closes-Bug: 1268823
2014-01-28 05:48:34 +00:00
Jenkins
bf7a8951d6 Merge "Allow sharing of firewall rules and policies in policy.json" 2013-09-26 21:44:39 +00:00
Eugene Nikanorov
3726f0fb48 Allow non-admin user to list service providers
Add get_service_provider rule to policy.json

Change-Id: If4f8103231694fbf79088f7a95a277d68eecce0f
Closes-Bug: #1227697
2013-09-19 18:13:44 +04:00
Dan Florea
fef1ced970 Allow sharing of firewall rules and policies in policy.json
Updated policy for firewall_policy and firewall_rule to allow sharing
among tenants. Added a new firewall sharing rule to enable this.

Change-Id: I5d4d9f94fb3abffe4d1b03c46fd5b13a8a4a4f09
Fixes: bug #1217103
2013-09-13 07:26:22 -07:00
Akihiro MOTOKI
c06550e6fe Disallow non-admin to specify binding:profile
Change-Id: Iefa4b251f3b0a373fb9b2b7d576e14d58afece59
Fixes-Bug: #1214873
2013-08-22 11:36:58 +09:00
Aaron Rosen
d16e185d34 Add multiple provider network extension
The following commit adds the ability to associate multiple
different provider networks on a single network.

Implements blueprint map-networks-to-multiple-provider-networks

Change-Id: I3c70fb2426899f728a401566debab7f66e7246bc
2013-08-20 10:30:08 -07:00
Sylvain Afchain
81156e4a39 Add metering extension and base class
This a part of the blueprint bandwidth-router-label

This patch initiates the blueprint by adding base class
to associate labels and metering rules to tenant's routers.

Change-Id: Ia93b49d881e79c3291730cff7b80f26c56fedb48
2013-08-14 14:32:46 +02:00
Abhishek Raut
b49cc5b771 Add support for the Nexus 1000V into the Cisco Plugin.
This will enable the Cisco Nexus 1000V to integrate with the Cisco plugin
and be used to drive the realization of Neutron constructs.
Network profile and Policy profile are introduced as extended neutron
resources, while n1kv:profile_id is introduced as an extended attribute
for network and port objects. Necessary changes to the Cisco plugin are
made to accomodate Nexus 1000V as a configurable vswitch plugin.

Implements: blueprint cisco-plugin-n1k-support
Change-Id: I951e10c57d74c935fca8754c0e21e1ac9df35704
2013-08-09 16:56:54 -07:00
snaiksat
a5a88c7ed3 Firewall as a Service (FWaaS) APIs and DB Model
Implements: blueprint quantum-fwaas

blueprint: quantum-fwaas-plugin

This is the first iteration of the FWaaS implementation and
is geared towards implementing the model that will be
required to at least address the reference implementation.

This iteration will not include implementation of the following
features:
* grouping or dynamic objects
* application/service objects

Change-Id: I57a62d6e9d3f1e6c4dd44cd5c745710a3d9e488e
2013-07-29 22:06:50 -07:00
Eugene Nikanorov
1b36e20771 Service Type Framework refactoring
implements blueprint service-type-framework-cleanup

* Defines logic and API for ServiceProvider - read-only entity
that admins provide in configuration and which is stored in memory
* ServiceType entity which maps to ServiceOfferings in new terms
is removed for now.
* Routed service insertion fixed to not to refer to service providers.
* In case configuration changes and some service providers are removed
then the resources must be cleanup in a special way (undeploy logical
resources). This is a matter of future work
* Add migration.

Change-Id: I400ad8f544ec8bdc7d2efb597c995f284ff05829
2013-07-25 21:47:30 +04:00
Yong Sheng Gong
1c8e5f1d3b remove "get_agents" rule in policy.json
Bug #1200933

keep the current API behaviour due to compatibility
and leave list op authz in new API version.

Change-Id: Ia0a9b8738fa8ffe913d2e2b1ef28232abb18340d
2013-07-23 11:09:45 +08:00
Oleg Bondarev
da65fe6951 Add agent scheduling for LBaaS namespace agent
- adds simple chance scheduling on create pool operation
- adds PoolsLoadbalancerAgentBinding db table
- adds lbaas_agentscheduler extension to list pools hosted by a particular agent
  and to get an agent hosting a particular pool
- adds agent notifiers mapping to AgentSchedulerDbMixin to make it easier
  for services to add their agent notifiers to the core plugin

Implements blueprint lbaas-agent-scheduler
Change-Id: Id98649fd5c7873dcd5be1a2b117b8bed25f06cc2
2013-07-19 13:25:04 +04:00
Salvatore Orlando
7ce9bc96ab Enable policy control over external_gateway_info sub-attributes
Part 2 of blueprint l3-ext-gw-modes

This patch extends the logic for building policy rule matches in order to
include sub-attributes as well. This logic will be leveraged by the
ext-gw-mode api extension.

Change-Id: I7f46a395597b71bb1c5110aa4e792a04a5010d4c
2013-07-16 17:52:27 +02:00
Jenkins
489f5b59b6 Merge "Reduce plugin accesses from policy engine" 2013-06-15 01:44:42 +00:00
armando-migliaccio
82ccdf893e Add API mac learning extension for NVP
This commit adds an API extension for NVP where the
NVP supported mac learning feature can be switched
on/off for a specific port. The attribute can be
True or False or omitted altogether.

Implements blueprint nvp-mac-learning-extension

Change-Id: I9173c7dfe0cf4a9ee7b0605722ce7fa01708f5ba
2013-06-06 10:14:33 -07:00
Aaron Rosen
6f9fdcb3a1 Add L3 resources to policy.json
This patch adds the l3 resources to policy.json. I tested changing the
rule to rule:admin_only for all the resources added and they were
enforced as expected.

Fixes bug 1186077

Change-Id: Ib5e2879165d9dc6416be4c96c62d6e49452d3be5
2013-05-30 21:09:41 -07:00
Salvatore Orlando
27bdfcab29 Reduce plugin accesses from policy engine
Bug 1179745

This patch introduces a new type of check whose aim is to fetch
the parent resource's owner only when a rule that explicitly needs
it needs to be checked.

Change-Id: I1ff429eb3f92b35bcb9b4c4e01b65f8c0a595f48
2013-05-29 00:14:19 +02:00
Salvatore Orlando
13f9e02a64 Remove calls to policy.check from plugin logic
Blueprint make-authz-orthogonal

This patch implements part #3 of this blueprint, according to its
specification.
It does so by allowing the view generator in the API layer to strip
off fields which do not satify authorization policies.
Also, some checks in unit tests for plugins relied on the
capability of the plugin to invoke directly the policy engine.
This checks have been removed and replaced by equivalent unit tests.
Finally, this patch required changes to most test cases for API
extensions in order to ensure the resource attribute map was
updated with the extension's attributes

Change-Id: I1ef94a8a628d34697254b68d7a539bd1c636876e
2013-05-15 01:49:34 +02:00