
Commit d78d001

tobias-urdin authored and ralonsoh committed
Allow service role to create/update port device_id
The ``device_id`` field on ports is used by other OpenStack projects to record which resource is using a port. For those projects to complete the Secure RBAC community goal they need to be able to update this field; this is required for projects such as Nova, which tracks the instance UUID in ``device_id`` on a port, and Octavia, which also uses the ``device_id`` field. This change allows the ``service`` role to set the ``device_id`` field and does not alter any existing policies for the field.

Conflicts:
    neutron/tests/unit/conf/policies/test_port.py

Related-Bug: #2105502
Closes-Bug: #2107039
Change-Id: I227416a7420412a39e450352915eff5967172c64
(cherry picked from commit c981cfd)
Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
1 parent c6c4e14 commit d78d001

3 files changed

Lines changed: 123 additions & 0 deletions


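--- a/neutron/conf/policies/port.py
+++ b/neutron/conf/policies/port.py
@@ -81,6 +81,20 @@
             deprecated_reason=DEPRECATED_REASON,
             deprecated_since=versionutils.deprecated.WALLABY)
     ),
+    policy.DocumentedRuleDefault(
+        name='create_port:device_id',
+        check_str=neutron_policy.policy_or(
+            base.ADMIN_OR_PROJECT_MEMBER,
+            base.SERVICE),
+        scope_types=['project'],
+        description='Specify ``device_id`` attribute when creating a port',
+        operations=ACTION_POST,
+        deprecated_rule=policy.DeprecatedRule(
+            name='create_port:device_id',
+            check_str=neutron_policy.RULE_ANY,
+            deprecated_reason=DEPRECATED_REASON,
+            deprecated_since=versionutils.deprecated.WALLABY)
+    ),
     policy.DocumentedRuleDefault(
         name='create_port:device_owner',
         check_str=neutron_policy.policy_or(
@@ -460,6 +474,20 @@
             deprecated_reason=DEPRECATED_REASON,
             deprecated_since=versionutils.deprecated.WALLABY)
     ),
+    policy.DocumentedRuleDefault(
+        name='update_port:device_id',
+        check_str=neutron_policy.policy_or(
+            base.ADMIN_OR_PROJECT_MEMBER,
+            base.SERVICE),
+        scope_types=['project'],
+        description='Update ``device_id`` attribute of a port',
+        operations=ACTION_PUT,
+        deprecated_rule=policy.DeprecatedRule(
+            name='update_port:device_id',
+            check_str=neutron_policy.RULE_ANY,
+            deprecated_reason=DEPRECATED_REASON,
+            deprecated_since=versionutils.deprecated.WALLABY)
+    ),
     policy.DocumentedRuleDefault(
         name='update_port:device_owner',
         check_str=neutron_policy.policy_or(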
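Review bot: Both new rules carry a `deprecated_rule` whose `check_str` is `neutron_policy.RULE_ANY`, so for as long as oslo.policy's deprecation fallback is active (new defaults not enforced) the effective check is the OR of the new rule and `@`, i.e. `device_id` stays settable by anyone who passes `create_port`/`update_port`; the `SERVICE`/project-member restriction only bites once the new defaults are enforced, and neither the rule nor the release note says so. Separately, `base.SERVICE` is OR'ed in without any project match, so (assuming it is the plain `role:service` check) a service token can write `device_id` on ports of any project; that is the intent for Nova/Octavia, but it is the kind of grant a later reader may "tighten" by mistake, so it deserves a comment on each rule: `# SERVICE is deliberately not bound to the port's project: Nova/Octavia` / `# record device_id on ports owned by other projects.` The enclosing `rules` list opens before the first hunk and continues past the second.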

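--- a/neutron/tests/unit/conf/policies/test_port.py
+++ b/neutron/tests/unit/conf/policies/test_port.py
@@ -75,6 +75,16 @@ def test_create_port(self):
             base_policy.InvalidScope,
             policy.enforce, self.context, 'create_port', self.alt_target)
 
+    def test_create_port_with_device_id(self):
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce, self.context, 'create_port:device_id',
+            self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce, self.context, 'create_port:device_id',
+            self.alt_target)
+
     def test_create_port_with_device_owner(self):
         self.assertRaises(
             base_policy.InvalidScope,
@@ -283,6 +293,16 @@ def test_update_port(self):
             base_policy.InvalidScope,
             policy.enforce, self.context, 'update_port', self.alt_target)
 
+    def test_update_port_with_device_id(self):
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce, self.context, 'update_port:device_id',
+            self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce, self.context, 'update_port:device_id',
+            self.alt_target)
+
     def test_update_port_with_device_owner(self):
         self.assertRaises(
             base_policy.InvalidScope,
@@ -454,6 +474,14 @@ def test_create_port(self):
         self.assertTrue(
             policy.enforce(self.context, 'create_port', self.alt_target))
 
+    def test_create_port_with_device_id(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'create_port:device_id',
+                           self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'create_port:device_id',
+                           self.alt_target))
+
     def test_create_port_with_device_owner(self):
         target = self.target.copy()
         target['device_owner'] = 'network:test'
@@ -663,6 +691,14 @@ def test_update_port(self):
         self.assertTrue(
             policy.enforce(self.context, 'update_port', self.alt_target))
 
+    def test_update_port_with_device_id(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'update_port:device_id',
+                           self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'update_port:device_id',
+                           self.alt_target))
+
     def test_update_port_with_device_owner(self):
         target = self.target.copy()
         target['device_owner'] = 'network:test'
@@ -822,6 +858,15 @@ def test_create_port(self):
             base_policy.PolicyNotAuthorized,
             policy.enforce, self.context, 'create_port', self.alt_target)
 
+    def test_create_port_with_device_id(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'create_port:device_id',
+                           self.target))
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'create_port:device_id',
+            self.alt_target)
+
     def test_create_port_with_device_owner(self):
         target = self.target.copy()
         target['device_owner'] = 'network:test'
@@ -1062,6 +1107,14 @@ def test_update_port(self):
             base_policy.PolicyNotAuthorized,
             policy.enforce, self.context, 'update_port', self.alt_target)
 
+    def test_update_port_with_device_id(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'update_port:device_id', self.target))
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'update_port:device_id',
+            self.alt_target)
+
     def test_update_port_with_device_owner(self):
         target = self.target.copy()
         target['device_owner'] = 'network:test'
@@ -1438,6 +1491,16 @@ def test_create_port_with_device_owner(self):
             policy.enforce, self.context, 'create_port:device_owner',
             alt_target)
 
+    def test_create_port_with_device_id(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'create_port:device_id',
+            self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'create_port:device_id',
+            self.alt_target)
+
     def test_create_port_with_mac_address(self):
         self.assertRaises(
             base_policy.PolicyNotAuthorized,
@@ -1646,6 +1709,16 @@ def test_update_port_with_fixed_ips_and_subnet_id(self):
             self.context, 'update_port:fixed_ips:subnet_id',
             self.alt_target)
 
+    def test_update_port_with_device_id(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'update_port:device_id',
+            self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'update_port:device_id',
+            self.alt_target)
+
     def test_update_port_with_binding_vnic_type(self):
         self.assertRaises(
             base_policy.PolicyNotAuthorized,
@@ -1683,6 +1756,14 @@ def test_create_port(self):
         self.assertTrue(
             policy.enforce(self.context, 'create_port', self.target))
 
+    def test_create_port_with_device_id(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'create_port:device_id',
+                           self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'create_port:device_id',
+                           self.alt_target))
+
     def test_create_port_with_device_owner(self):
         self.assertTrue(
             policy.enforce(
@@ -1791,6 +1872,14 @@ def test_update_port(self):
         self.assertTrue(
             policy.enforce(self.context, 'update_port', self.target))
 
+    def test_update_port_with_device_id(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'update_port:device_id',
+                           self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'update_port:device_id',
+                           self.alt_target))
+
     def test_update_port_with_device_owner(self):
         self.assertTrue(
             policy.enforce(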
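Review bot: In the last two hunks (the persona whose `test_create_port`/`test_update_port` succeed on `self.target` alone, presumably the service-role class) the new device_id tests assert success on `self.alt_target` as well, which is the cross-project grant the commit introduces, yet nothing in the test says that this is intentional rather than an accidental widening; a one-line comment before each `alt_target` assertion would protect it from a future "fix": `# service role may set device_id on ports of other projects (Nova/Octavia)`. A smaller consistency point: every sibling `test_*_with_device_owner` copies the target and sets the attribute (`target['device_owner'] = 'network:test'`), while the new device_id tests pass `self.target` untouched, so the target never carries a `device_id`; the rule's check does not read the value, so the assertions are still meaningful, but mirroring the sibling with `target = self.target.copy()` and `target['device_id'] = 'fake-device-id'` keeps the file uniform. Every hunk sits inside a test class whose header is outside the diff.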
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
---
2+
features:
3+
- |
4+
Added ``service`` role to the ``create_port:device_id`` and
5+
``update_port:device_id`` policies to allow service users
6+
for other OpenStack projects to complete Secure RBAC.
