Add support for mano roles

Signed-off-by: Philip Joseph <philip.joseph@riftio.com>

diff --git a/common/python/rift/mano/utils/project.py b/common/python/rift/mano/utils/project.py
index 2609519..a57feaa 100644 (file)
--- a/common/python/rift/mano/utils/project.py
+++ b/common/python/rift/mano/utils/project.py
@@ -536,7 +536,7 @@ class ProjectDtsHandler(object):
 
             elif action == rwdts.QueryAction.UPDATE:
                 if name in self.projects:
-                    scratch["projects"]["updated"].append(name, msg)
+                    scratch["projects"]["updated"].append((name, msg))
                 else:
                     self._log.debug("Project {}: Invoking on_prepare add request".
                                     format(name))

diff --git a/models/plugins/yang/CMakeLists.txt b/models/plugins/yang/CMakeLists.txt
index 998ecb2..48a3698 100644 (file)
--- a/models/plugins/yang/CMakeLists.txt
+++ b/models/plugins/yang/CMakeLists.txt
@@ -44,6 +44,9 @@ rift_add_yang_target(
   COMPONENT ${PKG_LONG_NAME}
   LIBRARIES
     rwprojectmano_yang_gen
+  ASSOCIATED_FILES
+    project-vnfd.role.xml
+    project-nsd.role.xml
   )
 
 rift_add_yang_target(

diff --git a/models/plugins/yang/project-nsd.role.xml b/models/plugins/yang/project-nsd.role.xml
new file mode 100644 (file)
index 0000000..1d52f77
--- /dev/null
+++ b/models/plugins/yang/project-nsd.role.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" ?>
+<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+  <role-definition>
+    <role>rw-project-mano:catalog-oper</role>
+    <keys-role>rw-project:project-role</keys-role>
+    <authorize>
+      <permissions>read execute</permissions>
+      <path>/rw-project:project/project-nsd:nsd-catalog</path>
+    </authorize>
+  </role-definition>
+
+  <role-definition>
+    <role>rw-project-mano:catalog-admin</role>
+    <keys-role>rw-project:project-role</keys-role>
+    <authorize>
+      <permissions>create read update delete execute</permissions>
+      <path>/rw-project:project/project-nsd:nsd-catalog</path>
+    </authorize>
+  </role-definition>
+</config>

diff --git a/models/plugins/yang/project-vnfd.role.xml b/models/plugins/yang/project-vnfd.role.xml
new file mode 100644 (file)
index 0000000..a9b2a7b
--- /dev/null
+++ b/models/plugins/yang/project-vnfd.role.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" ?>
+<config xmlns="http://riftio.com/ns/riftware-1.0/rw-rbac-role-def">
+  <role-definition>
+    <role>rw-project-mano:catalog-oper</role>
+    <keys-role>rw-project:project-role</keys-role>
+    <authorize>
+      <permissions>read execute</permissions>
+      <path>/rw-project:project/project-vnfd:vnfd-catalog</path>
+    </authorize>
+  </role-definition>
+
+  <role-definition>
+    <role>rw-project-mano:catalog-admin</role>
+    <keys-role>rw-project:project-role</keys-role>
+    <authorize>
+      <permissions>create read update delete execute</permissions>
+      <path>/rw-project:project/project-vnfd:vnfd-catalog</path>
+    </authorize>
+  </role-definition>
+</config>

diff --git a/rwlaunchpad/plugins/rwnsm/rift/tasklets/rwnsmtasklet/rwnsmtasklet.py b/rwlaunchpad/plugins/rwnsm/rift/tasklets/rwnsmtasklet/rwnsmtasklet.py
index 2b0c57b..4a67bdc 100755 (executable)
--- a/rwlaunchpad/plugins/rwnsm/rift/tasklets/rwnsmtasklet/rwnsmtasklet.py
+++ b/rwlaunchpad/plugins/rwnsm/rift/tasklets/rwnsmtasklet/rwnsmtasklet.py
@@ -3653,7 +3653,7 @@ class VnfrDtsHandler(object):
 
             schema = VnfrYang.YangData_RwProject_Project_VnfrCatalog_Vnfr.schema()
             path_entry = schema.keyspec_to_entry(ks_path)
-            if path_entry.key00.id not in self._nsm._vnfrs:
+            if not path_entry or (path_entry.key00.id not in self._nsm._vnfrs):
                 # Check if this is a monitoring param xpath
                 if 'vnfr:monitoring-param' not in xpath:
                     self._log.error("%s request for non existent record path %s",

diff --git a/rwlaunchpad/plugins/rwvnfm/rift/tasklets/rwvnfmtasklet/rwvnfmtasklet.py b/rwlaunchpad/plugins/rwvnfm/rift/tasklets/rwvnfmtasklet/rwvnfmtasklet.py
index cca5031..253094f 100755 (executable)
--- a/rwlaunchpad/plugins/rwvnfm/rift/tasklets/rwvnfmtasklet/rwvnfmtasklet.py
+++ b/rwlaunchpad/plugins/rwvnfm/rift/tasklets/rwvnfmtasklet/rwvnfmtasklet.py
@@ -2042,7 +2042,7 @@ class VnfdDtsHandler(object):
     def deregister(self):
         '''De-register from DTS'''
         self._log.debug("De-register VNFD DTS handler for project {}".
-                        format(self._project))
+                        format(self._vnfm._project.name))
         if self._regh:
             self._regh.deregister()
             self._regh = None
@@ -2113,7 +2113,7 @@ class VcsComponentDtsHandler(object):
     def deregister(self):
         '''De-register from DTS'''
         self._log.debug("De-register VCS DTS handler for project {}".
-                        format(self._project))
+                        format(self._vnfm._project))
         if self._regh:
             self._regh.deregister()
             self._regh = None
@@ -2454,7 +2454,7 @@ class VnfdRefCountDtsHandler(object):
     def deregister(self):
         '''De-register from DTS'''
         self._log.debug("De-register VNFD Ref DTS handler for project {}".
-                        format(self._project))
+                        format(self._vnfm._project))
         if self._regh:
             self._regh.deregister()
             self._regh = None

diff --git a/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py b/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py
index ea3674a..694a704 100644 (file)
--- a/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py
+++ b/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py
@@ -49,8 +49,8 @@ from rift.mano.utils.project import (
 
 
 MANO_PROJECT_ROLES = [
-            'rw-project-mano:mano-oper',
-            'rw-project-mano:mano-admin',
+            'rw-project-mano:catalog-oper',
+            'rw-project-mano:catalog-admin',
 ]
 
 
@@ -80,6 +80,8 @@ class ProjectConfigSubscriber(object):
 
     def delete_user(self, cfg):
         user = User().pb(cfg)
+        self._log.error("Delete user {} for project {}".
+                        format(user.key, self.project_name))
         if user.key in self.users:
             roles = self.users[user.key]
             for role_key in list(roles):
@@ -88,6 +90,8 @@ class ProjectConfigSubscriber(object):
 
     def update_user(self, cfg):
         user = User().pb(cfg)
+        self._log.debug("Update user {} for project {}".
+                        format(user.key, self.project_name))
         cfg_roles = {}
         for cfg_role in cfg.mano_role:
             r = self.role_inst(cfg_role)
@@ -106,6 +110,8 @@ class ProjectConfigSubscriber(object):
                 self.update_role(user, cfg_roles[role_key])
 
     def delete_role(self, user, role_key):
+        self._log.error("Delete role {} for user {}".
+                        format(role_key, user.key))
         user_key = user.key
 
         try:
@@ -119,6 +125,8 @@ class ProjectConfigSubscriber(object):
             self.pub.delete_role(role_key, user_key)
 
     def update_role(self, user, role):
+        self._log.debug("Update role {} for user {}".
+                        format(role.role, user.key))
         user_key = user.key
 
         try:
@@ -237,6 +245,7 @@ class ProjectConfigSubscriber(object):
     def deregister(self):
         self._log.debug("De-registering DTS handler for project {}".
                         format(self.project_name))
+
         if self._reg:
             self._reg.deregister()
             self._reg = None
@@ -276,10 +285,25 @@ class RoleConfigPublisher(rift.tasklets.DtsConfigPublisher):
             self.create_project_role(role)
 
     def create_project_role(self, role):
+        self.log.error("Create project role for {}: {}".
+                       format(self.project_name, role.role))
         xpath = self.role_xpath(role.key)
         pb_role = self.pb_role(role)
         self._regh.update_element(xpath, pb_role)
 
+    def delete_project_roles(self):
+        for name in self.proj_roles:
+            role = RoleKeys()
+            role.role = name
+            role.keys = self.project_name
+            self.delete_project_role(role)
+
+    def delete_project_role(self, role):
+        self.log.error("Delete project role for {}: {}".
+                       format(self.project_name, role.role))
+        xpath = self.role_xpath(role.key)
+        self._regh.delete_element(xpath)
+
     def create_role(self, role_key, user_key):
         return  RoleKeysUsers(role_key, user_key)
 
@@ -288,6 +312,7 @@ class RoleConfigPublisher(rift.tasklets.DtsConfigPublisher):
         pbRole = self.rbac_int.create_role()
         pbRole.role = role.role
         pbRole.keys = role.keys
+        pbRole.state_machine.state = role.state.name
 
         return pbRole
 
@@ -322,12 +347,16 @@ class RoleConfigPublisher(rift.tasklets.DtsConfigPublisher):
             role.add_user(user)
             update = False
 
-        user.state = StateMachine.new
+        if update:
+            user.state = StateMachine.new
+        else:
+            user.state = StateMachine.new
 
         xpath = self.role_xpath(role_key)
+        self.log.debug("update role: {} user: {} ".format(role_key, user_key))
+
 
         pb_role_user = self.pb_role_user(role, user)
-        self.log.debug("add_update_role: xpath:{} pb_role:{}".format(xpath, pb_role_user))
 
         self._regh.update_element(xpath, pb_role_user)
 
@@ -340,13 +369,13 @@ class RoleConfigPublisher(rift.tasklets.DtsConfigPublisher):
 
         user.state = StateMachine.delete
         xpath = self.role_xpath(role_key)
-        self.log.debug("deleting role: {} user: {} ".format(role_key, user_key))
+        self.log.error("deleting role: {} user: {} ".format(role_key, user_key))
 
         pb_role = self.pb_role_user(role, user)
         self._regh.update_element(xpath, pb_role)
 
     def do_prepare(self, xact_info, action, ks_path, msg):
-        """Handle on_prepare.  To be overridden by Concreate Publisher Handler
+        """Handle on_prepare.
         """
         self.log.debug("do_prepare: action: {}, path: {} ks_path, msg: {}".format(action, ks_path, msg))
 
@@ -371,5 +400,6 @@ class RoleConfigPublisher(rift.tasklets.DtsConfigPublisher):
 
     def deregister(self):
         if self._regh:
+            self.delete_project_roles()
             self._regh.deregister()
             self._regh = None

diff --git a/rwprojectmano/plugins/yang/CMakeLists.txt b/rwprojectmano/plugins/yang/CMakeLists.txt
index 00e5110..d99f941 100644 (file)
--- a/rwprojectmano/plugins/yang/CMakeLists.txt
+++ b/rwprojectmano/plugins/yang/CMakeLists.txt
@@ -24,4 +24,3 @@ rift_add_yang_target(
   LIBRARIES
     rw_project_yang_gen
   )
-

diff --git a/rwprojectmano/plugins/yang/rw-project-mano.yang b/rwprojectmano/plugins/yang/rw-project-mano.yang
index 1369058..34d438c 100644 (file)
--- a/rwprojectmano/plugins/yang/rw-project-mano.yang
+++ b/rwprojectmano/plugins/yang/rw-project-mano.yang
@@ -45,6 +45,23 @@ module rw-project-mano
       "Derived from earlier versions of base YANG files";
   }
 
+  identity catalog-oper {
+    base rw-project:project-role;
+    description
+      "The catalog-oper Role has read permission to the VNFD and NSD
+      catalogs within a Project.  The catalog-oper Role may also have
+      execute permission to specific non-mutating RPCs.";
+  }
+
+  identity catalog-admin {
+    base rw-project:project-role;
+    description
+      "The catalog-admin Role has full CRUDX permissions to the VNFD
+      and NSD catalogs within a Project.  The catalog-admin Role does
+      not provide general CRUDX permissions to the Project as a whole,
+      nor to the RIFT.ware platform in general.";
+  }
+
   augment /rw-project:project/rw-project:project-config/rw-project:user {
     description
       "Configuration for MANO application-specific Roles.";