Allow sharing of firewall rules and policies in policy.json
authorDan Florea <dflorea@cisco.com>
Wed, 21 Aug 2013 19:30:18 +0000 (12:30 -0700)
committerDan Florea <dflorea@cisco.com>
Fri, 13 Sep 2013 14:26:22 +0000 (07:26 -0700)
Updated policy for firewall_policy and firewall_rule to allow sharing
among tenants. Added a new firewall sharing rule to enable this.

Change-Id: I5d4d9f94fb3abffe4d1b03c46fd5b13a8a4a4f09
Fixes: bug #1217103
etc/policy.json
neutron/tests/unit/test_policy.py

index 78dd1e4c7914919fa81b3fd07d083ea9ec74b7c7..3d60dcdc9946dc347576ed162e6d95a782a28a7d 100644 (file)
@@ -5,6 +5,7 @@
     "admin_only": "rule:context_is_admin",
     "regular_user": "",
     "shared": "field:networks:shared=True",
+    "shared_firewalls": "field:firewalls:shared=True",
     "external": "field:networks:router:external=True",
     "default": "rule:admin_or_owner",
 
     "delete_firewall": "rule:admin_or_owner",
 
     "create_firewall_policy": "",
-    "get_firewall_policy": "rule:admin_or_owner",
+    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
     "create_firewall_policy:shared": "rule:admin_or_owner",
     "update_firewall_policy": "rule:admin_or_owner",
     "delete_firewall_policy": "rule:admin_or_owner",
 
     "create_firewall_rule": "",
-    "get_firewall_rule": "rule:admin_or_owner",
+    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
     "create_firewall_rule:shared": "rule:admin_or_owner",
     "get_firewall_rule:shared": "rule:admin_or_owner",
     "update_firewall_rule": "rule:admin_or_owner",
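Review bot: The new `shared_firewalls` rule on the added line is keyed on the `firewalls` resource (`field:firewalls:shared=True`), while the two actions it is OR-ed into, `get_firewall_policy` and `get_firewall_rule`, operate on firewall policies and firewall rules, not firewalls. If the resource segment of a `field:` check is used to find the attribute definition that converts the literal `True` before comparing it with the target — which is presumably why the existing `shared` rule names `networks` — a lookup under `firewalls` may leave the value unconverted for a policy or rule target, and the comparison against a boolean `shared` would then quietly fail closed; confirm this against the field-check implementation and, if it holds, either add one rule per resource (`"shared_firewall_policies": "field:firewall_policies:shared=True"`, `"shared_firewall_rules": "field:firewall_rules:shared=True"`) or state in a comment why `firewalls` is the intended key. `update_firewall_policy`, `delete_firewall_policy` and their firewall_rule counterparts keep `rule:admin_or_owner`, so a shared object becomes readable but not modifiable by other tenants, and a one-line comment next to `shared_firewalls` recording that intent would help later readers of policy.json. The unit-test fixture in this change exercises `rule:shared` rather than `rule:shared_firewalls`, so the entry added here is not covered by the test suite.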
index d602cd93cbf1043fb8ea03439782f5042035b888..22a7ccad6ac0e6f834c2092a77909cb961c16787 100644 (file)
@@ -250,7 +250,12 @@ class NeutronPolicyTestCase(base.BaseTestCase):
             "create_something": "rule:admin_or_owner",
             "create_something:attr": "rule:admin_or_owner",
             "create_something:attr:sub_attr_1": "rule:admin_or_owner",
-            "create_something:attr:sub_attr_2": "rule:admin_only"
+            "create_something:attr:sub_attr_2": "rule:admin_only",
+
+            "get_firewall_policy": "rule:admin_or_owner or "
+                            "rule:shared",
+            "get_firewall_rule": "rule:admin_or_owner or "
+                            "rule:shared"
         }.items())
 
         def fakepolicyinit():
@@ -390,6 +395,18 @@ class NeutronPolicyTestCase(base.BaseTestCase):
         result = policy.enforce(self.context, action, target)
         self.assertTrue(result)
 
+    def test_enforce_firewall_policy_shared(self):
+        action = "get_firewall_policy"
+        target = {'shared': True, 'tenant_id': 'somebody_else'}
+        result = policy.enforce(self.context, action, target)
+        self.assertTrue(result)
+
+    def test_enforce_firewall_rule_shared(self):
+        action = "get_firewall_rule"
+        target = {'shared': True, 'tenant_id': 'somebody_else'}
+        result = policy.enforce(self.context, action, target)
+        self.assertTrue(result)
+
     def test_enforce_tenant_id_check(self):
         # Trigger a policy with rule admin_or_owner
         action = "create_network"
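Review bot: Both new tests, `test_enforce_firewall_policy_shared` and `test_enforce_firewall_rule_shared`, assert only the allow path, and the fixture added in the first hunk wires `get_firewall_policy` and `get_firewall_rule` to the pre-existing `rule:shared` rather than to the `rule:shared_firewalls` rule this change introduces in etc/policy.json, so the production rule is never evaluated by the suite. For an authorization change the deny case matters as much as the allow case: a target owned by another tenant with `'shared': False` must be rejected, otherwise a later regression that drops the owner check would pass these tests unnoticed. I would point the fixture at the new rule (`"get_firewall_policy": "rule:admin_or_owner or " "rule:shared_firewalls"`, the same for `get_firewall_rule`, plus a matching `"shared_firewalls"` entry in the fixture) and add a negative test per action, such as the one below for policies. The enclosing class `NeutronPolicyTestCase` begins before the first hunk and continues past the last.
```python
    def test_enforce_firewall_policy_not_shared(self):
        # Same action as test_enforce_firewall_policy_shared, but the target
        # is neither shared nor owned by the caller: enforce must deny.
        action = "get_firewall_policy"
        target = {'shared': False, 'tenant_id': 'somebody_else'}
        self.assertRaises(exceptions.PolicyNotAuthorized,
                          policy.enforce, self.context, action, target)
```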