1 # Copyright (c) 2015 Mirantis, Inc.
4 # Licensed under the Apache License, Version 2.0 (the "License"); you may
5 # not use this file except in compliance with the License. You may obtain
6 # a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 # License for the specific language governing permissions and limitations
15 from oslo_config import cfg
17 from neutron._i18n import _
18 from neutron.api import extensions
19 from neutron.api.v2 import attributes as attr
20 from neutron.api.v2 import base
21 from neutron.common import exceptions as n_exc
22 from neutron.db import rbac_db_models
23 from neutron import manager
24 from neutron.quota import resource_registry
class RbacPolicyNotFound(n_exc.NotFound):
    """Not-found error for an RBAC policy lookup.

    The message template expects ``object_type`` and ``id`` values.
    """

    message = _(
        "RBAC policy of type %(object_type)s with ID %(id)s not found"
    )
class RbacPolicyInUse(n_exc.Conflict):
    """Conflict error for an RBAC policy that other objects still depend on.

    The message template expects ``object_id`` and ``details`` values.
    """

    # NOTE(review): ``details`` is interpolated verbatim into an API-visible
    # message; confirm callers never pass data about other tenants' objects
    # that the requester is not entitled to see.
    message = _(
        "RBAC policy on object %(object_id)s cannot be removed because "
        "other objects depend on it.\nDetails: %(details)s"
    )
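def convert_valid_object_type(otype):
    """Normalise an RBAC object type and check it against the known types.

    This is the ``convert_to`` hook of the ``object_type`` attribute, so it
    runs on caller-supplied request data. Only names that are keys of
    ``rbac_db_models.get_type_model_map()`` are accepted; the comparison is
    done on the stripped, lower-cased value, and that normalised value is
    what gets returned.

    :param otype: object type name taken from the request body.
    :returns: the stripped, lower-cased object type.
    :raises n_exc.InvalidInput: if ``otype`` is not a string or does not
        name a known RBAC object type.
    """
    try:
        normalized = otype.strip().lower()
    except AttributeError:
        # Non-string input (for example a JSON null or number) has no
        # strip(); report it as invalid input rather than letting an
        # AttributeError escape from request validation.
        normalized = None
    if (normalized is not None and
            normalized in rbac_db_models.get_type_model_map()):
        # NOTE(review): this return line is missing from the listing and was
        # restored as the only sensible body for the branch; confirm.
        return normalized
    # The message echoes the caller-supplied value, so anything rendering it
    # should treat it as untrusted text.
    msg = _("'%s' is not a valid RBAC object type") % otype
    raise n_exc.InvalidInput(error_message=msg)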
RESOURCE_NAME = 'rbac_policy'
RESOURCE_COLLECTION = 'rbac_policies'

# Attribute schema for the RBAC policy resource.
# NOTE(review): the listing this map was recovered from dropped a few lines;
# entries tagged "restored" should be confirmed against the original file.
# NOTE(review): 'enforce_policy' presumably subjects the attribute to the
# policy engine on write; confirm against the API layer.
RESOURCE_ATTRIBUTE_MAP = {
    RESOURCE_COLLECTION: {
        # Clients cannot set the ID on create or update.
        'id': {
            'allow_post': False,
            'allow_put': False,
            'validate': {'type:uuid': None},
            'is_visible': True,
            'primary_key': True,
        },
        # Create-only; convert_valid_object_type rejects unknown type names.
        'object_type': {
            'allow_post': True,
            'allow_put': False,
            'convert_to': convert_valid_object_type,
            'is_visible': True,
            'default': None,
            'enforce_policy': True,
        },
        # Create-only; must be a UUID.
        'object_id': {
            'allow_post': True,
            'allow_put': False,
            'validate': {'type:uuid': None},
            'is_visible': True,
            'default': None,
            'enforce_policy': True,
        },
        # The only attribute with allow_put=True, i.e. the only field a
        # client can change after the policy exists.
        # NOTE(review): no 'validate' entry is visible for this attribute;
        # confirm the value is checked elsewhere before it is stored.
        'target_tenant': {
            'allow_post': True,
            'allow_put': True,
            'is_visible': True,
            'enforce_policy': True,
            'default': None,  # restored
        },
        'tenant_id': {
            'allow_post': True,
            'allow_put': False,
            'required_by_policy': True,
            'is_visible': True,
        },
        # The allowed actions depend on object_type, so only a bounded
        # string check is done here; the type-specific check has to happen
        # elsewhere.
        'action': {
            'allow_post': True,
            'allow_put': False,
            'validate': {'type:string': attr.DESCRIPTION_MAX_LEN},
            'is_visible': True,  # restored
        },
    }
}
# Per-tenant cap on RBAC policies, registered under the QUOTAS group.
# 'deprecated_name' keeps the older 'quota_rbac_entry' option name working.
# Per the help text a negative value removes the cap entirely, so deployments
# that rely on this quota to bound policy creation should keep it finite.
# NOTE(review): the assignment line is missing from the listing; the name is
# taken from the register_opts call below.
rbac_quota_opts = [
    cfg.IntOpt(
        'quota_rbac_policy',
        default=10,
        deprecated_name='quota_rbac_entry',
        help=_('Default number of RBAC entries allowed per tenant. '
               'A negative value means unlimited.'),
    ),
]
cfg.CONF.register_opts(rbac_quota_opts, 'QUOTAS')
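class Rbac(extensions.ExtensionDescriptor):
    """API extension descriptor that exposes RBAC policies as a resource.

    NOTE(review): the listing this class was recovered from dropped several
    lines (decorators, three ``def`` lines and some call arguments). Lines
    tagged "restored" follow the usual ExtensionDescriptor layout and should
    be confirmed against the original file.
    """

    @classmethod
    def get_name(cls):  # restored
        """Return the human-readable extension name."""
        return "RBAC Policies"

    @classmethod
    def get_alias(cls):  # restored
        """Return the extension alias."""
        return 'rbac-policies'

    @classmethod
    def get_description(cls):
        """Return a one-sentence description of the extension."""
        return ("Allows creation and modification of policies that control "
                "tenant access to resources.")

    @classmethod
    def get_updated(cls):  # restored
        """Return the timestamp string of the extension's last update."""
        return "2015-06-17T12:15:12-00:00"

    @classmethod
    def get_resources(cls):
        """Build the resource extension that serves RBAC policies.

        Records the plural-to-singular name mapping in ``attr.PLURALS``,
        registers the resource name with the quota resource registry, and
        creates a controller bound to the current plugin and to this
        module's attribute map.

        :returns: a one-element list holding the ``ResourceExtension``.
        """
        # Use the module constants rather than repeating their literals, so
        # the map key and the registered names cannot drift apart.
        attr.PLURALS.update({RESOURCE_COLLECTION: RESOURCE_NAME})
        plugin = manager.NeutronManager.get_plugin()
        params = RESOURCE_ATTRIBUTE_MAP[RESOURCE_COLLECTION]
        # The collection name passed to the controller is hyphenated, unlike
        # the underscore form used as the attribute-map key.
        collection_name = 'rbac-policies'
        resource_registry.register_resource_by_name(RESOURCE_NAME)
        controller = base.create_resource(collection_name, RESOURCE_NAME,
                                          plugin, params, allow_bulk=True,
                                          allow_pagination=False,
                                          allow_sorting=True)  # restored
        return [extensions.ResourceExtension(collection_name, controller,
                                             attr_map=params)]  # restored

    def get_extended_resources(self, version):
        """Return this extension's attribute map for API version "2.0".

        NOTE(review): only the ``def`` line and the first ``return`` are
        visible in the listing; the version check and the empty fallback
        are restored and need confirming.
        """
        if version == "2.0":  # restored
            return RESOURCE_ATTRIBUTE_MAP
        return {}  # restored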