From: Philip Joseph Date: Mon, 3 Apr 2017 13:23:53 +0000 (+0530) Subject: Add support for mano roles X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=1426e5b05708a920168596498000304c6bc3cd49;p=osm%2FSO.git Add support for mano roles Signed-off-by: Philip Joseph --- diff --git a/common/python/rift/mano/utils/project.py b/common/python/rift/mano/utils/project.py index 2609519a..a57feaa1 100644 --- a/common/python/rift/mano/utils/project.py +++ b/common/python/rift/mano/utils/project.py @@ -536,7 +536,7 @@ class ProjectDtsHandler(object): elif action == rwdts.QueryAction.UPDATE: if name in self.projects: - scratch["projects"]["updated"].append(name, msg) + scratch["projects"]["updated"].append((name, msg)) else: self._log.debug("Project {}: Invoking on_prepare add request". format(name)) diff --git a/models/plugins/yang/CMakeLists.txt b/models/plugins/yang/CMakeLists.txt index 998ecb2d..48a36983 100644 --- a/models/plugins/yang/CMakeLists.txt +++ b/models/plugins/yang/CMakeLists.txt @@ -44,6 +44,9 @@ rift_add_yang_target( COMPONENT ${PKG_LONG_NAME} LIBRARIES rwprojectmano_yang_gen + ASSOCIATED_FILES + project-vnfd.role.xml + project-nsd.role.xml ) rift_add_yang_target( diff --git a/models/plugins/yang/project-nsd.role.xml b/models/plugins/yang/project-nsd.role.xml new file mode 100644 index 00000000..1d52f770 --- /dev/null +++ b/models/plugins/yang/project-nsd.role.xml @@ -0,0 +1,20 @@ + + + + rw-project-mano:catalog-oper + rw-project:project-role + + read execute + /rw-project:project/project-nsd:nsd-catalog + + + + + rw-project-mano:catalog-admin + rw-project:project-role + + create read update delete execute + /rw-project:project/project-nsd:nsd-catalog + + + diff --git a/models/plugins/yang/project-vnfd.role.xml b/models/plugins/yang/project-vnfd.role.xml new file mode 100644 index 00000000..a9b2a7b8 --- /dev/null +++ b/models/plugins/yang/project-vnfd.role.xml 
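Review bot: In project-nsd.role.xml the catalog-oper entry grants `read execute` on the whole `/rw-project:project/project-nsd:nsd-catalog` path, while the catalog-oper description added to rw-project-mano.yang in this commit limits execute to "specific non-mutating RPCs". As far as the visible text shows, nothing in the role file narrows execute to those RPCs, so the grant appears broader than the documented intent; the same applies to project-vnfd.role.xml in the next hunk. Either list the intended RPC paths explicitly or add a comment such as `<!-- execute here is intended to cover only: (RPC list placeholder) -->` so the grant can be audited against the description. The XML markup is not visible in this view, so the element layout should be checked against the file itself.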
@@ -0,0 +1,20 @@ + + + + rw-project-mano:catalog-oper + rw-project:project-role + + read execute + /rw-project:project/project-vnfd:vnfd-catalog + + + + + rw-project-mano:catalog-admin + rw-project:project-role + + create read update delete execute + /rw-project:project/project-vnfd:vnfd-catalog + + + diff --git a/rwlaunchpad/plugins/rwnsm/rift/tasklets/rwnsmtasklet/rwnsmtasklet.py b/rwlaunchpad/plugins/rwnsm/rift/tasklets/rwnsmtasklet/rwnsmtasklet.py index 2b0c57bd..4a67bdc6 100755 --- a/rwlaunchpad/plugins/rwnsm/rift/tasklets/rwnsmtasklet/rwnsmtasklet.py +++ b/rwlaunchpad/plugins/rwnsm/rift/tasklets/rwnsmtasklet/rwnsmtasklet.py @@ -3653,7 +3653,7 @@ class VnfrDtsHandler(object): schema = VnfrYang.YangData_RwProject_Project_VnfrCatalog_Vnfr.schema() path_entry = schema.keyspec_to_entry(ks_path) - if path_entry.key00.id not in self._nsm._vnfrs: + if not path_entry or (path_entry.key00.id not in self._nsm._vnfrs): # Check if this is a monitoring param xpath if 'vnfr:monitoring-param' not in xpath: self._log.error("%s request for non existent record path %s", diff --git a/rwlaunchpad/plugins/rwvnfm/rift/tasklets/rwvnfmtasklet/rwvnfmtasklet.py b/rwlaunchpad/plugins/rwvnfm/rift/tasklets/rwvnfmtasklet/rwvnfmtasklet.py index cca50319..253094f3 100755 --- a/rwlaunchpad/plugins/rwvnfm/rift/tasklets/rwvnfmtasklet/rwvnfmtasklet.py +++ b/rwlaunchpad/plugins/rwvnfm/rift/tasklets/rwvnfmtasklet/rwvnfmtasklet.py @@ -2042,7 +2042,7 @@ class VnfdDtsHandler(object): def deregister(self): '''De-register from DTS''' self._log.debug("De-register VNFD DTS handler for project {}". - format(self._project)) + format(self._vnfm._project.name)) if self._regh: self._regh.deregister() self._regh = None @@ -2113,7 +2113,7 @@ class VcsComponentDtsHandler(object): def deregister(self): '''De-register from DTS''' self._log.debug("De-register VCS DTS handler for project {}". - format(self._project)) + format(self._vnfm._project)) if self._regh: self._regh.deregister() self._regh = None 
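Review bot: The new `not path_entry` guard in VnfrDtsHandler (@@ -3653,7) only routes a missing entry into this branch; when the xpath does contain 'vnfr:monitoring-param' the error log is skipped and whatever follows the `if` runs with `path_entry` still empty. The rest of the function is outside the hunk, so it should be confirmed that no later statement reads `path_entry.key00` on that path; if one does, the empty case needs its own explicit rejection before this check. A one-line comment such as `# keyspec_to_entry() returns None when the keyspec does not match the vnfr schema` (to be confirmed) would document why the guard exists.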
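Review bot: The three deregister log lines in rwvnfmtasklet.py are fixed inconsistently: VnfdDtsHandler (@@ -2042,7) formats `self._vnfm._project.name`, while VcsComponentDtsHandler (@@ -2113,7) and VnfdRefCountDtsHandler (@@ -2454,7) format `self._vnfm._project`. Unless the project class defines a suitable `__str__`, which is not visible here, the latter two will log an object representation instead of the project name. Using `format(self._vnfm._project.name))` in all three keeps the log lines searchable by project.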
@@ -2454,7 +2454,7 @@ class VnfdRefCountDtsHandler(object): def deregister(self): '''De-register from DTS''' self._log.debug("De-register VNFD Ref DTS handler for project {}". - format(self._project)) + format(self._vnfm._project)) if self._regh: self._regh.deregister() self._regh = None diff --git a/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py b/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py index ea3674a4..694a704d 100644 --- a/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py +++ b/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py @@ -49,8 +49,8 @@ from rift.mano.utils.project import ( MANO_PROJECT_ROLES = [ - 'rw-project-mano:mano-oper', - 'rw-project-mano:mano-admin', + 'rw-project-mano:catalog-oper', + 'rw-project-mano:catalog-admin', ] @@ -80,6 +80,8 @@ class ProjectConfigSubscriber(object): def delete_user(self, cfg): user = User().pb(cfg) + self._log.error("Delete user {} for project {}". + format(user.key, self.project_name)) if user.key in self.users: roles = self.users[user.key] for role_key in list(roles): @@ -88,6 +90,8 @@ class ProjectConfigSubscriber(object): def update_user(self, cfg): user = User().pb(cfg) + self._log.debug("Update user {} for project {}". + format(user.key, self.project_name)) cfg_roles = {} for cfg_role in cfg.mano_role: r = self.role_inst(cfg_role) @@ -106,6 +110,8 @@ class ProjectConfigSubscriber(object): self.update_role(user, cfg_roles[role_key]) def delete_role(self, user, role_key): + self._log.error("Delete role {} for user {}". + format(role_key, user.key)) user_key = user.key try: @@ -119,6 +125,8 @@ class ProjectConfigSubscriber(object): self.pub.delete_role(role_key, user_key) def update_role(self, user, role): + self._log.debug("Update role {} for user {}". + format(role.role, user.key)) user_key = user.key try: 
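Review bot: `delete_user` (@@ -80,6) records a routine configuration event with `self._log.error(...)`, while the matching `update_user` line uses `debug`. The same level is used in `delete_role` (@@ -106,6), in `create_project_role` and `delete_project_role` (@@ -276,10), and in the publisher's `delete_role` (@@ -340,13, changed from debug to error). Role and user removals are worth recording for audit, but at error level they hide real failures from anyone alerting on errors; `self._log.info("Delete user {} for project {}".` with the same `format(...)` arguments keeps the record without that cost. If error was chosen only to make the messages visible during development, a comment should say so.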
@@ -237,6 +245,7 @@ class ProjectConfigSubscriber(object): def deregister(self): self._log.debug("De-registering DTS handler for project {}". format(self.project_name)) + if self._reg: self._reg.deregister() self._reg = None @@ -276,10 +285,25 @@ class RoleConfigPublisher(rift.tasklets.DtsConfigPublisher): self.create_project_role(role) def create_project_role(self, role): + self.log.error("Create project role for {}: {}". + format(self.project_name, role.role)) xpath = self.role_xpath(role.key) pb_role = self.pb_role(role) self._regh.update_element(xpath, pb_role) + def delete_project_roles(self): + for name in self.proj_roles: + role = RoleKeys() + role.role = name + role.keys = self.project_name + self.delete_project_role(role) + + def delete_project_role(self, role): + self.log.error("Delete project role for {}: {}". + format(self.project_name, role.role)) + xpath = self.role_xpath(role.key) + self._regh.delete_element(xpath) + def create_role(self, role_key, user_key): return RoleKeysUsers(role_key, user_key) @@ -288,6 +312,7 @@ class RoleConfigPublisher(rift.tasklets.DtsConfigPublisher): pbRole = self.rbac_int.create_role() pbRole.role = role.role pbRole.keys = role.keys + pbRole.state_machine.state = role.state.name return pbRole @@ -322,12 +347,16 @@ class RoleConfigPublisher(rift.tasklets.DtsConfigPublisher): role.add_user(user) update = False - user.state = StateMachine.new + if update: + user.state = StateMachine.new + else: + user.state = StateMachine.new xpath = self.role_xpath(role_key) + self.log.debug("update role: {} user: {} ".format(role_key, user_key)) + pb_role_user = self.pb_role_user(role, user) - self.log.debug("add_update_role: xpath:{} pb_role:{}".format(xpath, pb_role_user)) self._regh.update_element(xpath, pb_role_user) 
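Review bot: In the @@ -322,12 hunk both arms of the new conditional assign the same value, `if update: user.state = StateMachine.new` and `else: user.state = StateMachine.new`, so the `update` flag has no effect on the published state. Either the update arm was meant to set a different state, which cannot be confirmed here because StateMachine's members are defined outside the hunk, or the conditional should go back to the single `user.state = StateMachine.new`. Since this state is pushed with the role/user binding through `update_element`, a comment stating the intended state for an already-known user would make the access-control behaviour reviewable. The method begins outside the hunk.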
@@ -340,13 +369,13 @@ class RoleConfigPublisher(rift.tasklets.DtsConfigPublisher): user.state = StateMachine.delete xpath = self.role_xpath(role_key) - self.log.debug("deleting role: {} user: {} ".format(role_key, user_key)) + self.log.error("deleting role: {} user: {} ".format(role_key, user_key)) pb_role = self.pb_role_user(role, user) self._regh.update_element(xpath, pb_role) def do_prepare(self, xact_info, action, ks_path, msg): - """Handle on_prepare. To be overridden by Concreate Publisher Handler + """Handle on_prepare. """ self.log.debug("do_prepare: action: {}, path: {} ks_path, msg: {}".format(action, ks_path, msg)) @@ -371,5 +400,6 @@ class RoleConfigPublisher(rift.tasklets.DtsConfigPublisher): def deregister(self): if self._regh: + self.delete_project_roles() self._regh.deregister() self._regh = None diff --git a/rwprojectmano/plugins/yang/CMakeLists.txt b/rwprojectmano/plugins/yang/CMakeLists.txt index 00e5110f..d99f941f 100644 --- a/rwprojectmano/plugins/yang/CMakeLists.txt +++ b/rwprojectmano/plugins/yang/CMakeLists.txt @@ -24,4 +24,3 @@ rift_add_yang_target( LIBRARIES rw_project_yang_gen ) - diff --git a/rwprojectmano/plugins/yang/rw-project-mano.yang b/rwprojectmano/plugins/yang/rw-project-mano.yang index 13690580..34d438c2 100644 --- a/rwprojectmano/plugins/yang/rw-project-mano.yang +++ b/rwprojectmano/plugins/yang/rw-project-mano.yang 
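Review bot: In `RoleConfigPublisher.deregister` (@@ -371,5) the new `self.delete_project_roles()` call runs before `self._regh.deregister()` with no error handling, so an exception from `delete_element` for one role skips the remaining roles, the deregistration and the `self._regh = None` reset. That could leave project role entries published for a project that is being torn down. Wrapping the cleanup as `try: self.delete_project_roles()` with `finally: self._regh.deregister()` followed by `self._regh = None` keeps the handle release unconditional. Logging the role name when a delete fails inside `delete_project_roles` would show which entries need manual cleanup.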
@@ -45,6 +45,23 @@ module rw-project-mano "Derived from earlier versions of base YANG files"; } + identity catalog-oper { + base rw-project:project-role; + description + "The catalog-oper Role has read permission to the VNFD and NSD + catalogs within a Project. The catalog-oper Role may also have + execute permission to specific non-mutating RPCs."; + } + + identity catalog-admin { + base rw-project:project-role; + description + "The catalog-admin Role has full CRUDX permissions to the VNFD + and NSD catalogs within a Project. The catalog-admin Role does + not provide general CRUDX permissions to the Project as a whole, + nor to the RIFT.ware platform in general."; + } + augment /rw-project:project/rw-project:project-config/rw-project:user { description "Configuration for MANO application-specific Roles.";