rwsdn_yang
rwprojectmano_yang
mano-types_yang
+ ASSOCIATED_FILES
+ rw-cloud.role.xml
+ rw-sdn.role.xml
)
rift_add_yang_target(
DEPENDS
rwcal_yang
rwprojectmano_yang
+ ASSOCIATED_FILES
+ rw-config-agent.role.xml
)
--- /dev/null
+<?xml version="1.0" ?>
+<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+ <key-definition>
+ <role>rw-project-mano:rw-cloud-role</role>
+ <key-set>
+ <name>project-name</name>
+ <path>/rw-cloud:update-cloud-status/rw-cloud:project-name</path>
+ </key-set>
+ </key-definition>
+
+ <role-definition>
+ <role>rw-project-mano:account-oper</role>
+ <keys-role>rw-project-mano:rw-cloud-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/rw-cloud:cloud</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-admin</role>
+ <keys-role>rw-project-mano:rw-cloud-role</keys-role>
+ <authorize>
+ <permissions>create read update delete execute</permissions>
+ <path>/rw-project:project/rw-cloud:cloud</path>
+ <path>/rw-cloud:update-cloud-status</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-admin</role>
+ <keys-role>rw-project-mano:rw-cloud-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/rw-cloud:cloud</path>
+ </authorize>
+ </role-definition>
+</config>
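Review bot: The last role-definition in this file repeats `rw-project-mano:lcm-admin`, so lcm-admin is granted full `create read update delete execute` on `/rw-project:project/rw-cloud:cloud` and `/rw-cloud:update-cloud-status` while `account-admin` is not mentioned at all and gets no rights over cloud accounts. The sibling rw-sdn.role.xml in this commit uses account-oper (read), account-admin (CRUDX), lcm-admin (read), and the MANO_PROJECT_ROLES descriptions state that account-admin, not lcm-admin, holds CRUDX over VIM accounts. The CRUDX definition's role line should read `<role>rw-project-mano:account-admin</role>`; as written it widens lcm-admin beyond its documented scope and leaves account-admin unable to manage cloud accounts. A build-time check that role names are unique within one rw-rbac-role-def file would catch this class of copy-paste error instead of producing a silently ambiguous policy.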
--- /dev/null
+<?xml version="1.0" ?>
+<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+ <key-definition>
+ <role>rw-project-mano:rw-config-agent-role</role>
+ <key-set>
+ <name>project-name</name>
+ <path>/rw-config-agent:update-cfg-agent-status/rw-config-agent:project-name</path>
+ </key-set>
+ </key-definition>
+
+ <role-definition>
+ <role>rw-project-mano:account-oper</role>
+ <keys-role>rw-project-mano:rw-config-agent-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/rw-config-agent:config-agent</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-admin</role>
+ <keys-role>rw-project-mano:rw-config-agent-role</keys-role>
+ <authorize>
+ <permissions>create read update delete execute</permissions>
+ <path>/rw-project:project/rw-config-agent:config-agent</path>
+ <path>/rw-config-agent:update-cfg-agent-status</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-admin</role>
+ <keys-role>rw-project-mano:rw-config-agent-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/rw-config-agent:config-agent</path>
+ </authorize>
+ </role-definition>
+</config>
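Review bot: `rw-project-mano:lcm-admin` is defined twice here, once with `create read update delete execute` on `/rw-project:project/rw-config-agent:config-agent` and `/rw-config-agent:update-cfg-agent-status` and once with `read execute`, and `account-admin` does not appear in the file. The account-admin description in this commit covers CRUDX on VCA accounts, and rw-sdn.role.xml follows that split, so the CRUDX definition should be `<role>rw-project-mano:account-admin</role>`. As committed, lcm-admin can create and delete config-agent accounts while account-admin cannot touch them.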
--- /dev/null
+<?xml version="1.0" ?>
+<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+ <key-definition>
+ <role>rw-project-mano:rw-sdn-role</role>
+ <key-set>
+ <name>project-name</name>
+ <path>/rw-sdn:update-sdn-status/rw-sdn:project-name</path>
+ </key-set>
+ </key-definition>
+
+ <role-definition>
+ <role>rw-project-mano:account-oper</role>
+ <keys-role>rw-project-mano:rw-sdn-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/rw-sdn:sdn</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:account-admin</role>
+ <keys-role>rw-project-mano:rw-sdn-role</keys-role>
+ <authorize>
+ <permissions>create read update delete execute</permissions>
+ <path>/rw-project:project/rw-sdn:sdn</path>
+ <path>/rw-sdn:update-sdn-status</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-admin</role>
+ <keys-role>rw-project-mano:rw-sdn-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/rw-sdn:sdn</path>
+ </authorize>
+ </role-definition>
+</config>
COMPONENT ${PKG_LONG_NAME}
LIBRARIES
rwprojectmano_yang_gen
- ASSOCIATED_FILES
- project-vnfd.role.xml
- project-nsd.role.xml
)
rift_add_yang_target(
rwcloud_yang
rwconfig_agent_yang
rwprojectmano_yang
+ ASSOCIATED_FILES
+ project-vnfd.role.xml
+ project-nsd.role.xml
+ vnfr.role.xml
+ rw-vnfr.role.xml
+ vlr.role.xml
+ nsr.role.xml
)
#rift_gen_yang_tree(mano-pyang-trees
--- /dev/null
+<?xml version="1.0" ?>
+<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+ <key-definition>
+ <role>rw-project-mano:nsr-role</role>
+ <key-set>
+ <name>project-name</name>
+ <path>/nsr:exec-scale-out/nsr:project-name</path>
+ <path>/nsr:exec-scale-in/nsr:project-name</path>
+ <path>/nsr:exec-ns-service-primitive/nsr:project-name</path>
+ <path>/nsr:get-ns-service-primitive-values/nsr:project-name</path>
+ <path>/nsr:start-network-service/nsr:project-name</path>
+ </key-set>
+ </key-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-oper</role>
+ <keys-role>rw-project-mano:nsr-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/nsr:ns-instance-config</path>
+ <path>/rw-project:project/nsr:ns-instance-opdata</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-admin</role>
+ <keys-role>rw-project-mano:nsr-role</keys-role>
+ <authorize>
+ <permissions>create read update delete execute</permissions>
+ <path>/rw-project:project/nsr:ns-instance-config</path>
+ <path>/rw-project:project/nsr:ns-instance-opdata</path>
+ <path>/nsr:exec-scale-out</path>
+ <path>/nsr:exec-scale-in</path>
+ <path>/nsr:exec-ns-service-primitive</path>
+ <path>/nsr:get-ns-service-primitive-values</path>
+ <path>/nsr:start-network-service</path>
+ </authorize>
+ </role-definition>
+</config>
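Review bot: `lcm-oper` is granted `read execute` but its authorize block lists only data paths, so the execute bit covers no RPC, while `get-ns-service-primitive-values` is given solely to `lcm-admin`. The lcm-oper description in this commit says the role may execute specific non-mutating RPCs; if that RPC only reads primitive values, lcm-oper's block should also carry `<path>/nsr:get-ns-service-primitive-values</path>`. Whether the RPC mutates state is not visible from the diff, so confirm against the nsr yang before widening it.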
<?xml version="1.0" ?>
<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+ <key-definition>
+ <role>rw-project-mano:project-nsd-role</role>
+ <key-set>
+ <name>project-name</name>
+ </key-set>
+ </key-definition>
+
<role-definition>
<role>rw-project-mano:catalog-oper</role>
- <keys-role>rw-project:project-role</keys-role>
+ <keys-role>rw-project-mano:project-nsd-role</keys-role>
<authorize>
<permissions>read execute</permissions>
<path>/rw-project:project/project-nsd:nsd-catalog</path>
<role-definition>
<role>rw-project-mano:catalog-admin</role>
- <keys-role>rw-project:project-role</keys-role>
+ <keys-role>rw-project-mano:project-nsd-role</keys-role>
<authorize>
<permissions>create read update delete execute</permissions>
<path>/rw-project:project/project-nsd:nsd-catalog</path>
</authorize>
</role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-admin</role>
+ <keys-role>rw-project-mano:project-nsd-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/project-nsd:nsd-catalog</path>
+ </authorize>
+ </role-definition>
</config>
<?xml version="1.0" ?>
<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+ <key-definition>
+ <role>rw-project-mano:project-vnfd-role</role>
+ <key-set>
+ <name>project-name</name>
+ </key-set>
+ </key-definition>
+
<role-definition>
<role>rw-project-mano:catalog-oper</role>
- <keys-role>rw-project:project-role</keys-role>
+ <keys-role>rw-project-mano:project-vnfd-role</keys-role>
<authorize>
<permissions>read execute</permissions>
<path>/rw-project:project/project-vnfd:vnfd-catalog</path>
<role-definition>
<role>rw-project-mano:catalog-admin</role>
- <keys-role>rw-project:project-role</keys-role>
+ <keys-role>rw-project-mano:project-vnfd-role</keys-role>
<authorize>
<permissions>create read update delete execute</permissions>
<path>/rw-project:project/project-vnfd:vnfd-catalog</path>
</authorize>
</role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-admin</role>
+ <keys-role>rw-project-mano:project-vnfd-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/project-vnfd:vnfd-catalog</path>
+ </authorize>
+ </role-definition>
</config>
--- /dev/null
+<?xml version="1.0" ?>
+<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+ <key-definition>
+ <role>rw-project-mano:rw-vnfr-role</role>
+ <key-set>
+ <name>project-name</name>
+ </key-set>
+ </key-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-oper</role>
+ <keys-role>rw-project-mano:rw-vnfr-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/rw-vnfr:vnfr-console</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-admin</role>
+ <keys-role>rw-project-mano:rw-vnfr-role</keys-role>
+ <authorize>
+ <permissions>create read update delete execute</permissions>
+ <path>/rw-project:project/rw-vnfr:vnfr-console</path>
+ </authorize>
+ </role-definition>
+</config>
--- /dev/null
+<?xml version="1.0" ?>
+<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+ <key-definition>
+ <role>rw-project-mano:vlr-role</role>
+ <key-set>
+ <name>project-name</name>
+ </key-set>
+ </key-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-oper</role>
+ <keys-role>rw-project-mano:vlr-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/vlr:vlr-catalog</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-admin</role>
+ <keys-role>rw-project-mano:vlr-role</keys-role>
+ <authorize>
+ <permissions>create read update delete execute</permissions>
+ <path>/rw-project:project/vlr:vlr-catalog</path>
+ </authorize>
+ </role-definition>
+</config>
--- /dev/null
+<?xml version="1.0" ?>
+<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+ <key-definition>
+ <role>rw-project-mano:vnfr-role</role>
+ <key-set>
+ <name>project-name</name>
+ <path>/rw-project:project/rw-project:name</path>
+ <path>/vnfr:create-alarm/vnfr:project-name</path>
+ <path>/vnfr:destroy-alarm/vnfr:project-name</path>
+ </key-set>
+ </key-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-oper</role>
+ <keys-role>rw-project-mano:vnfr-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/vnfr:vnfr-catalog</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-admin</role>
+ <keys-role>rw-project-mano:vnfr-role</keys-role>
+ <authorize>
+ <permissions>create read update delete execute</permissions>
+ <path>/rw-project:project/vnfr:vnfr-catalog</path>
+ <path>/vnfr:create-alarm</path>
+ <path>/vnfr:destroy-alarm</path>
+ </authorize>
+ </role-definition>
+</config>
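Review bot: This key-set lists `/rw-project:project/rw-project:name` as a key path, whereas every other role file in this commit keys only on RPC `project-name` leaves (rw-cloud, rw-sdn, nsr) or on nothing at all (rw-vnfr, vlr, project-nsd, project-vnfd); either that path is implied by the key name and the line here is redundant, or the other files are missing it and their definitions are not actually project-scoped. The semantics of a path-less key-set are not visible here, so confirm against the rw-rbac-role-def schema and make the files consistent. A one-line XML comment above the key-definition stating which form is intended would keep the next copy-paste from diverging again.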
rwprojectmano_yang_gen
DEPENDS
rwprojectmano_yang
+ ASSOCIATED_FILES
+ rw-launchpad.role.xml
)
--- /dev/null
+<?xml version="1.0" ?>
+<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+ <key-definition>
+ <role>rw-project-mano:rw-launchpad-role</role>
+ <key-set>
+ <name>project-name</name>
+ </key-set>
+ </key-definition>
+
+ <role-definition>
+ <role>rw-project-mano:account-oper</role>
+ <keys-role>rw-project-mano:rw-launchpad-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/rw-launchpad:datacenters</path>
+ <path>/rw-project:project/rw-launchpad:resource-orchestrator</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:account-admin</role>
+ <keys-role>rw-project-mano:rw-launchpad-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/rw-launchpad:datacenters</path>
+ <path>/rw-project:project/rw-launchpad:resource-orchestrator</path>
+ </authorize>
+ </role-definition>
+
+ <role-definition>
+ <role>rw-project-mano:lcm-admin</role>
+ <keys-role>rw-project-mano:rw-launchpad-role</keys-role>
+ <authorize>
+ <permissions>read execute</permissions>
+ <path>/rw-project:project/rw-launchpad:datacenters</path>
+ </authorize>
+ </role-definition>
+</config>
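Review bot: `account-admin` receives only `read execute` on `rw-launchpad:datacenters` and `rw-launchpad:resource-orchestrator`, identical to `account-oper`, although MANO_PROJECT_ROLES in this commit describes account-admin as holding full CRUDX on RO accounts. If `resource-orchestrator` is the RO account configuration, the admin block's line should be `<permissions>create read update delete execute</permissions>`; if both nodes are operational data only, an XML comment saying so would explain why admin and oper are deliberately identical.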
import gi
gi.require_version('RwDts', '1.0')
+gi.require_version('RwProjectManoYang', '1.0')
from gi.repository import (
RwDts as rwdts,
ProtobufC,
RwTypes,
+ RwProjectManoYang,
)
import rift.tasklets
)
+MANO_PROJECT_ROLES = [
+ { 'mano-role':"rw-project-mano:catalog-oper",
+ 'description':("The catalog-oper Role has read permission to nsd-catalog "
+ "and vnfd-catalog under specific Projects, "
+ "as identified by /rw-project:project/rw-project:name. The "
+ "catatlog-oper Role may also have execute permission to specific "
+ "non-mutating RPCs. This Role is intended for read-only access to "
+ "catalogs under a specific project.") },
+
+ { 'mano-role':"rw-project-mano:catalog-admin",
+ 'description':("The catalog-admin Role has full CRUDX permissions to vnfd and nsd "
+ "catalogs under specific Projects, as identified by "
+ "/rw-project:project/rw-project:name.") },
+
+ { 'mano-role':"rw-project-mano:lcm-oper",
+ 'description':("The lcm-oper Role has read permission to the VL, VNF and NS "
+ "records within a Project. The lcm-oper Role may also have "
+ "execute permission to specific non-mutating RPCs.") },
+
+ { 'mano-role':"rw-project-mano:lcm-admin",
+ 'description':("The lcm-admin Role has full CRUDX permissions to the VL, VNF "
+ "and NS records within a Project. The lcm-admin Role does "
+ "not provide general CRUDX permissions to the Project as a whole, "
+ "nor to the RIFT.ware platform in general.") },
+
+ { 'mano-role':"rw-project-mano:account-oper",
+ 'description':("The account-oper Role has read permission to the VIM, SDN, VCA "
+ "and RO accounts within a Project. The account-oper Role may also have "
+ "execute permission to specific non-mutating RPCs.") },
+
+ { 'mano-role':"rw-project-mano:account-admin",
+ 'description':("The account-admin Role has full CRUDX permissions to the VIM, SDN, VCA "
+ "and RO accounts within a Project. The account-admin Role does "
+ "not provide general CRUDX permissions to the Project as a whole, "
+ "nor to the RIFT.ware platform in general.") },
+]
+
+
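Review bot: The catalog-oper description contains a typo, `catatlog-oper`, and the string is published verbatim as the `mano-role/description` leaf for every project; the line should read `"catalog-oper Role may also have execute permission to specific "`. The same six descriptions are duplicated word-for-word in the rw-project-mano yang identities added in this commit, so the two copies will drift; at minimum add `# Keep in sync with the identity descriptions in rw-project-mano.yang` above the list, and deriving one from the other would be better.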
class ProjectDtsHandler(object):
XPATH = "C,/{}".format(NS_PROJECT)
def register(self):
self.project_cfg_handler.register()
+
+
+class ProjectStateRolePublisher(rift.tasklets.DtsConfigPublisher):
+
+ def __init__(self, tasklet):
+ super().__init__(tasklet)
+ self.proj_state = RwProjectManoYang.YangData_RwProject_Project_ProjectState()
+ self.projects = set()
+ self.roles = MANO_PROJECT_ROLES
+
+ def get_xpath(self):
+ return "D,/rw-project:project/rw-project:project-state/rw-project-mano:mano-role"
+
+ def role_xpath(self, project, role):
+ return "/rw-project:project[rw-project:name='{}']".format(project) + \
+ "/rw-project:project-state/rw-project-mano:mano-role" + \
+ "[rw-project-mano:role='{}']".format(role['mano-role'])
+
+ def pb_role(self, role):
+ pbRole = self.proj_state.create_mano_role()
+ pbRole.role = role['mano-role']
+ pbRole.description = role['description']
+ return pbRole
+
+ def publish_roles(self, project):
+ if not project in self.projects:
+ self.projects.add(project)
+ for role in self.roles:
+ xpath = self.role_xpath(project, role)
+ pb_role = self.pb_role(role)
+ self.log.debug("publishing xpath:{}".format(xpath))
+ self._regh.update_element(xpath, pb_role)
+
+ def unpublish_roles(self, project):
+ if project in self.projects:
+ self.projects.remove(project)
+ for role in self.roles:
+ xpath = self.role_xpath(project, role)
+ self.log.debug("unpublishing xpath:{}".format(xpath))
+ self._regh.delete_element(xpath)
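Review bot: `role_xpath` splices the project name into an XPath predicate with plain `.format()`, so a name containing `'` or `]` yields a malformed or different xpath and `update_element`/`delete_element` would act on the wrong node; the rw-project schema presumably constrains project names, but that is not visible here and the method does not check. A cheap guard at the top of `role_xpath` is `if "'" in project: raise ValueError("invalid project name: {}".format(project))`, and `if not project in self.projects` reads more idiomatically as `if project not in self.projects`. Both publish methods also dereference `self._regh`, which only exists after `register()` completes, so the class docstring should state that `register()` must finish before `publish_roles` is called.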
)
import rift.tasklets
-#TODO: Fix once merged to latest platform
from rift.tasklets.rwproject.project import (
StateMachine,
User,
)
-MANO_PROJECT_ROLES = [
- 'rw-project-mano:catalog-oper',
- 'rw-project-mano:catalog-admin',
-]
+from .projectmano import MANO_PROJECT_ROLES
class ProjectConfigSubscriber(object):
self.project_name = project.name
self.rbac_int = RwRbacInternalYang.YangData_RwRbacInternal_RwRbacInternal()
self.roles = {}
- self.proj_roles = MANO_PROJECT_ROLES
+ self.proj_roles = [role['mano-role'] for role in MANO_PROJECT_ROLES]
self.proj_roles_published = False
def get_xpath(self):
from .projectmano import (
ProjectHandler,
+ ProjectStateRolePublisher,
)
from .rolesmano import (
def register (self):
self._log.info("Initializing the ProjectMgrMano for %s", self.name)
yield from self.project_sub.register()
+ self.tasklet.project_state_role_pub.publish_roles(self.name)
def deregister(self):
self._log.debug("De-register project %s", self.name)
+ self.tasklet.project_state_role_pub.unpublish_roles(self.name)
self.project_sub.deregister()
try:
self.log.info("Registering for Project Config")
self.project_handler = ProjectHandler(self, ProjectMgrManoProject)
-
self.project_handler.register()
+ self.project_state_role_pub = ProjectStateRolePublisher(self)
+ yield from self.project_state_role_pub.register()
+
except Exception as e:
self.log.exception("Registering for project failed: {}".format(e))
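Review bot: `self.project_state_role_pub` is assigned only after `self.project_handler.register()` on the preceding line, yet `ProjectMgrManoProject.register()` in this same commit calls `self.tasklet.project_state_role_pub.publish_roles(self.name)`; if the handler delivers an already-configured project synchronously during registration, that call fails on a missing attribute and is logged here as a generic registration failure. Constructing the publisher and running `yield from self.project_state_role_pub.register()` before `self.project_handler = ProjectHandler(self, ProjectMgrManoProject)` removes the ordering dependency; whether the callback can fire that early is not visible in the hunk, so confirm before reordering. The enclosing try block begins outside this hunk.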
--- /dev/null
+/*
+ *
+ * Copyright 2017 RIFT.IO Inc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+module rw-project-mano-tailf
+{
+ namespace "http://riftio.com/ns/riftware-1.0/rw-project-mano-tailf";
+ prefix "rw-project-mano-tailf";
+
+ import rw-project {
+ prefix "rw-project";
+ }
+
+ import tailf-common {
+ prefix tailf;
+ }
+
+ import rw-project-mano {
+ prefix "rw-project-mano";
+ }
+
+ revision 2017-04-04 {
+ description
+ "Initial revision.";
+ }
+
+ tailf:annotate "/rw-project:project/rw-project:project-state/rw-project-mano:mano-role" {
+ tailf:callpoint rw_callpoint;
+ }
+}
nor to the RIFT.ware platform in general.";
}
+ identity lcm-oper {
+ base rw-project:project-role;
+ description
+ "The lcm-oper Role has read permission to the VL, VNF and NS
+ records within a Project. The lcm-oper Role may also have
+ execute permission to specific non-mutating RPCs.";
+ }
+
+ identity lcm-admin {
+ base rw-project:project-role;
+ description
+ "The lcm-admin Role has full CRUDX permissions to the VL, VNF
+ and NS records within a Project. The lcm-admin Role does
+ not provide general CRUDX permissions to the Project as a whole,
+ nor to the RIFT.ware platform in general.";
+ }
+
+ identity account-oper {
+ base rw-project:project-role;
+ description
+ "The account-oper Role has read permission to the VIM, SDN, VCA
+ and RO accounts within a Project. The account-oper Role may also have
+ execute permission to specific non-mutating RPCs.";
+ }
+
+ identity account-admin {
+ base rw-project:project-role;
+ description
+ "The account-admin Role has full CRUDX permissions to the VIM, SDN, VCA
+ and RO accounts within a Project. The account-admin Role does
+ not provide general CRUDX permissions to the Project as a whole,
+ nor to the RIFT.ware platform in general.";
+ }
+
augment /rw-project:project/rw-project:project-config/rw-project:user {
description
"Configuration for MANO application-specific Roles.";