Add support for mano roles
Signed-off-by: Philip Joseph <philip.joseph@riftio.com>
diff --git a/common/python/rift/mano/utils/project.py b/common/python/rift/mano/utils/project.py
index 2609519..a57feaa 100644
--- a/common/python/rift/mano/utils/project.py
+++ b/common/python/rift/mano/utils/project.py
@@ -536,7 +536,7 @@
elif action == rwdts.QueryAction.UPDATE:
if name in self.projects:
- scratch["projects"]["updated"].append(name, msg)
+ scratch["projects"]["updated"].append((name, msg))
else:
self._log.debug("Project {}: Invoking on_prepare add request".
format(name))
diff --git a/models/plugins/yang/CMakeLists.txt b/models/plugins/yang/CMakeLists.txt
index 998ecb2..48a3698 100644
--- a/models/plugins/yang/CMakeLists.txt
+++ b/models/plugins/yang/CMakeLists.txt
@@ -44,6 +44,9 @@
COMPONENT ${PKG_LONG_NAME}
LIBRARIES
rwprojectmano_yang_gen
+ ASSOCIATED_FILES
+ project-vnfd.role.xml
+ project-nsd.role.xml
)
rift_add_yang_target(
diff --git a/models/plugins/yang/project-nsd.role.xml b/models/plugins/yang/project-nsd.role.xml
new file mode 100644
index 0000000..1d52f77
--- /dev/null
+++ b/models/plugins/yang/project-nsd.role.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" ?>
+<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+ <role-definition>
+ <role>rw-project-mano:catalog-oper</role>
+ <keys-role>rw-project:project-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/project-nsd:nsd-catalog</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:catalog-admin</role>
+ <keys-role>rw-project:project-role</keys-role>
+ <authorize>
+ <permissions>create read update delete execute</permissions>
+ <path>/rw-project:project/project-nsd:nsd-catalog</path>
+ </authorize>
+ </role-definition>
+</config>
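Review bot: `catalog-oper` is granted `execute` on the whole `/rw-project:project/project-nsd:nsd-catalog` subtree, while the identity description added in rw-project-mano.yang speaks only of "specific non-mutating RPCs"; if any mutating RPC or action is modelled under that path, the operator role could invoke it. Consider narrowing the operator entry to `<permissions>read</permissions>` and adding separate `<authorize>` entries for the RPC paths that are meant to be callable. The same applies to project-vnfd.role.xml, which re-declares both role names. Whether the two files' `<authorize>` lists are merged or the later definition replaces the earlier one is not visible here and should be confirmed, since an override would silently drop one catalog's permissions.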
diff --git a/models/plugins/yang/project-vnfd.role.xml b/models/plugins/yang/project-vnfd.role.xml
new file mode 100644
index 0000000..a9b2a7b
--- /dev/null
+++ b/models/plugins/yang/project-vnfd.role.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" ?>
+<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+ <role-definition>
+ <role>rw-project-mano:catalog-oper</role>
+ <keys-role>rw-project:project-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/project-vnfd:vnfd-catalog</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:catalog-admin</role>
+ <keys-role>rw-project:project-role</keys-role>
+ <authorize>
+ <permissions>create read update delete execute</permissions>
+ <path>/rw-project:project/project-vnfd:vnfd-catalog</path>
+ </authorize>
+ </role-definition>
+</config>
diff --git a/rwlaunchpad/plugins/rwnsm/rift/tasklets/rwnsmtasklet/rwnsmtasklet.py b/rwlaunchpad/plugins/rwnsm/rift/tasklets/rwnsmtasklet/rwnsmtasklet.py
index 2b0c57b..4a67bdc 100755
--- a/rwlaunchpad/plugins/rwnsm/rift/tasklets/rwnsmtasklet/rwnsmtasklet.py
+++ b/rwlaunchpad/plugins/rwnsm/rift/tasklets/rwnsmtasklet/rwnsmtasklet.py
@@ -3653,7 +3653,7 @@
schema = VnfrYang.YangData_RwProject_Project_VnfrCatalog_Vnfr.schema()
path_entry = schema.keyspec_to_entry(ks_path)
- if path_entry.key00.id not in self._nsm._vnfrs:
+ if not path_entry or (path_entry.key00.id not in self._nsm._vnfrs):
# Check if this is a monitoring param xpath
if 'vnfr:monitoring-param' not in xpath:
self._log.error("%s request for non existent record path %s",
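Review bot: With `not path_entry` added to the condition, a monitoring-param xpath whose keyspec yields no entry now enters this branch and skips the error path, so any later use of `path_entry.key00.id` would raise AttributeError on None. The rest of the function lies outside the hunk, so this needs checking against the code that follows. If a missing entry can never be valid, reject it first with its own guard, `if not path_entry:` followed by the same error handling, before the `_vnfrs` lookup.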
diff --git a/rwlaunchpad/plugins/rwvnfm/rift/tasklets/rwvnfmtasklet/rwvnfmtasklet.py b/rwlaunchpad/plugins/rwvnfm/rift/tasklets/rwvnfmtasklet/rwvnfmtasklet.py
index cca5031..253094f 100755
--- a/rwlaunchpad/plugins/rwvnfm/rift/tasklets/rwvnfmtasklet/rwvnfmtasklet.py
+++ b/rwlaunchpad/plugins/rwvnfm/rift/tasklets/rwvnfmtasklet/rwvnfmtasklet.py
@@ -2042,7 +2042,7 @@
def deregister(self):
'''De-register from DTS'''
self._log.debug("De-register VNFD DTS handler for project {}".
- format(self._project))
+ format(self._vnfm._project.name))
if self._regh:
self._regh.deregister()
self._regh = None
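Review bot: The three `deregister` log lines changed in this file now disagree: this one formats `self._vnfm._project.name`, while the VCS and VNFD Ref handlers (hunks at -2113 and -2454) format `self._vnfm._project`, which presumably prints the object's repr rather than the project name unless the class defines `__str__`. Use `format(self._vnfm._project.name))` in all three so the messages can be correlated by project.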
@@ -2113,7 +2113,7 @@
def deregister(self):
'''De-register from DTS'''
self._log.debug("De-register VCS DTS handler for project {}".
- format(self._project))
+ format(self._vnfm._project))
if self._regh:
self._regh.deregister()
self._regh = None
@@ -2454,7 +2454,7 @@
def deregister(self):
'''De-register from DTS'''
self._log.debug("De-register VNFD Ref DTS handler for project {}".
- format(self._project))
+ format(self._vnfm._project))
if self._regh:
self._regh.deregister()
self._regh = None
diff --git a/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py b/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py
index ea3674a..694a704 100644
--- a/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py
+++ b/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py
@@ -49,8 +49,8 @@
MANO_PROJECT_ROLES = [
- 'rw-project-mano:mano-oper',
- 'rw-project-mano:mano-admin',
+ 'rw-project-mano:catalog-oper',
+ 'rw-project-mano:catalog-admin',
]
@@ -80,6 +80,8 @@
def delete_user(self, cfg):
user = User().pb(cfg)
+ self._log.error("Delete user {} for project {}".
+ format(user.key, self.project_name))
if user.key in self.users:
roles = self.users[user.key]
for role_key in list(roles):
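Review bot: `self._log.error` is used here for a routine user deletion, and the same level is applied in `delete_role`, `create_project_role`, `delete_project_role` and the "deleting role" message in later hunks of this file, while the matching update paths log at debug. Role and user changes are worth recording for audit, but at error level they will trip error-based alerting and bury real failures. `self._log.info("Delete user {} for project {}".format(user.key, self.project_name))` keeps the record without the noise. If the error level was a temporary debugging aid, it should be lowered before merge. The body of `delete_user` continues outside the hunk.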
@@ -88,6 +90,8 @@
def update_user(self, cfg):
user = User().pb(cfg)
+ self._log.debug("Update user {} for project {}".
+ format(user.key, self.project_name))
cfg_roles = {}
for cfg_role in cfg.mano_role:
r = self.role_inst(cfg_role)
@@ -106,6 +110,8 @@
self.update_role(user, cfg_roles[role_key])
def delete_role(self, user, role_key):
+ self._log.error("Delete role {} for user {}".
+ format(role_key, user.key))
user_key = user.key
try:
@@ -119,6 +125,8 @@
self.pub.delete_role(role_key, user_key)
def update_role(self, user, role):
+ self._log.debug("Update role {} for user {}".
+ format(role.role, user.key))
user_key = user.key
try:
@@ -237,6 +245,7 @@
def deregister(self):
self._log.debug("De-registering DTS handler for project {}".
format(self.project_name))
+
if self._reg:
self._reg.deregister()
self._reg = None
@@ -276,10 +285,25 @@
self.create_project_role(role)
def create_project_role(self, role):
+ self.log.error("Create project role for {}: {}".
+ format(self.project_name, role.role))
xpath = self.role_xpath(role.key)
pb_role = self.pb_role(role)
self._regh.update_element(xpath, pb_role)
+ def delete_project_roles(self):
+ for name in self.proj_roles:
+ role = RoleKeys()
+ role.role = name
+ role.keys = self.project_name
+ self.delete_project_role(role)
+
+ def delete_project_role(self, role):
+ self.log.error("Delete project role for {}: {}".
+ format(self.project_name, role.role))
+ xpath = self.role_xpath(role.key)
+ self._regh.delete_element(xpath)
+
def create_role(self, role_key, user_key):
return RoleKeysUsers(role_key, user_key)
@@ -288,6 +312,7 @@
pbRole = self.rbac_int.create_role()
pbRole.role = role.role
pbRole.keys = role.keys
+ pbRole.state_machine.state = role.state.name
return pbRole
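Review bot: `role.state.name` assumes every role passed to `pb_role` carries an enum-valued `state`. The RoleKeys constructor is not visible in this diff, so if `state` can be unset, `create_project_role`, which calls `pb_role(role)`, will raise AttributeError before the element is published. Confirm that RoleKeys always initialises `state`, or guard the assignment, e.g. `if role.state is not None: pbRole.state_machine.state = role.state.name`. The function starts outside the hunk.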
@@ -322,12 +347,16 @@
role.add_user(user)
update = False
- user.state = StateMachine.new
+ if update:
+ user.state = StateMachine.new
+ else:
+ user.state = StateMachine.new
xpath = self.role_xpath(role_key)
+ self.log.debug("update role: {} user: {} ".format(role_key, user_key))
+
pb_role_user = self.pb_role_user(role, user)
- self.log.debug("add_update_role: xpath:{} pb_role:{}".format(xpath, pb_role_user))
self._regh.update_element(xpath, pb_role_user)
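Review bot: Both branches of the new `if update:` assign `user.state = StateMachine.new`, so the conditional has no effect and an update is published in the same state as a fresh assignment. If an update is meant to carry a different state, set it in the first branch; otherwise keep the single line `user.state = StateMachine.new`. The function begins outside the hunk, so how `update` is set on the other path is not visible.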
@@ -340,13 +369,13 @@
user.state = StateMachine.delete
xpath = self.role_xpath(role_key)
- self.log.debug("deleting role: {} user: {} ".format(role_key, user_key))
+ self.log.error("deleting role: {} user: {} ".format(role_key, user_key))
pb_role = self.pb_role_user(role, user)
self._regh.update_element(xpath, pb_role)
def do_prepare(self, xact_info, action, ks_path, msg):
- """Handle on_prepare. To be overridden by Concreate Publisher Handler
+ """Handle on_prepare.
"""
self.log.debug("do_prepare: action: {}, path: {} ks_path, msg: {}".format(action, ks_path, msg))
@@ -371,5 +400,6 @@
def deregister(self):
if self._regh:
+ self.delete_project_roles()
self._regh.deregister()
self._regh = None
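Review bot: `delete_project_roles()` now runs before `self._regh.deregister()`, so an exception from any `delete_element` call leaves the handle registered and `_regh` set, and the remaining project roles stay published. Wrap the call so teardown always completes: `try: self.delete_project_roles()` with a `finally:` holding `self._regh.deregister()` and `self._regh = None`. Log the failure so leftover role entries can be found and cleaned up.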
diff --git a/rwprojectmano/plugins/yang/CMakeLists.txt b/rwprojectmano/plugins/yang/CMakeLists.txt
index 00e5110..d99f941 100644
--- a/rwprojectmano/plugins/yang/CMakeLists.txt
+++ b/rwprojectmano/plugins/yang/CMakeLists.txt
@@ -24,4 +24,3 @@
LIBRARIES
rw_project_yang_gen
)
-
diff --git a/rwprojectmano/plugins/yang/rw-project-mano.yang b/rwprojectmano/plugins/yang/rw-project-mano.yang
index 1369058..34d438c 100644
--- a/rwprojectmano/plugins/yang/rw-project-mano.yang
+++ b/rwprojectmano/plugins/yang/rw-project-mano.yang
@@ -45,6 +45,23 @@
"Derived from earlier versions of base YANG files";
}
+ identity catalog-oper {
+ base rw-project:project-role;
+ description
+ "The catalog-oper Role has read permission to the VNFD and NSD
+ catalogs within a Project. The catalog-oper Role may also have
+ execute permission to specific non-mutating RPCs.";
+ }
+
+ identity catalog-admin {
+ base rw-project:project-role;
+ description
+ "The catalog-admin Role has full CRUDX permissions to the VNFD
+ and NSD catalogs within a Project. The catalog-admin Role does
+ not provide general CRUDX permissions to the Project as a whole,
+ nor to the RIFT.ware platform in general.";
+ }
+
augment /rw-project:project/rw-project:project-config/rw-project:user {
description
"Configuration for MANO application-specific Roles.";