From: Philip Joseph Date: Thu, 6 Apr 2017 18:36:41 +0000 (+0530) Subject: Add MANO roles for projects X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=cd455eba9834532e57a661e41cd5864afc90ddec;p=osm%2FSO.git Add MANO roles for projects Signed-off-by: Philip Joseph --- diff --git a/common/plugins/yang/CMakeLists.txt b/common/plugins/yang/CMakeLists.txt index bc32d5db..b17e218d 100644 --- a/common/plugins/yang/CMakeLists.txt +++ b/common/plugins/yang/CMakeLists.txt @@ -35,6 +35,9 @@ rift_add_yang_target( rwsdn_yang rwprojectmano_yang mano-types_yang + ASSOCIATED_FILES + rw-cloud.role.xml + rw-sdn.role.xml ) rift_add_yang_target( @@ -47,4 +50,6 @@ rift_add_yang_target( DEPENDS rwcal_yang rwprojectmano_yang + ASSOCIATED_FILES + rw-config-agent.role.xml ) diff --git a/common/plugins/yang/rw-cloud.role.xml b/common/plugins/yang/rw-cloud.role.xml new file mode 100644 index 00000000..6fb24865 --- /dev/null +++ b/common/plugins/yang/rw-cloud.role.xml @@ -0,0 +1,38 @@ + + + + rw-project-mano:rw-cloud-role + + project-name + /rw-cloud:update-cloud-status/rw-cloud:project-name + + + + + rw-project-mano:account-oper + rw-project-mano:rw-cloud-role + + read execute + /rw-project:project/rw-cloud:cloud + + + + + rw-project-mano:lcm-admin + rw-project-mano:rw-cloud-role + + create read update delete execute + /rw-project:project/rw-cloud:cloud + /rw-cloud:update-cloud-status + + + + + rw-project-mano:lcm-admin + rw-project-mano:rw-cloud-role + + read execute + /rw-project:project/rw-cloud:cloud + + + diff --git a/common/plugins/yang/rw-config-agent.role.xml b/common/plugins/yang/rw-config-agent.role.xml new file mode 100644 index 00000000..2951e5a8 --- /dev/null +++ b/common/plugins/yang/rw-config-agent.role.xml 
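Review bot: In rw-cloud.role.xml the third entry names `rw-project-mano:lcm-admin` a second time with only read/execute, while the entry just above already gives lcm-admin create/read/update/delete/execute on `/rw-project:project/rw-cloud:cloud` and `/rw-cloud:update-cloud-status`, and `rw-project-mano:account-admin` is granted nothing in this file. rw-sdn.role.xml in the same commit follows the opposite and expected pattern (account-admin holds CRUDX, lcm-admin read/execute), and the role descriptions added in projectmano.py say it is account-admin, not lcm-admin, that owns the VIM accounts. This looks like a copy-paste slip that lets lifecycle admins create and rewrite cloud account entries (which presumably carry VIM credentials) while the role meant to manage them cannot; the second entry's role should read `rw-project-mano:account-admin` and carry the CRUDX rule, leaving lcm-admin with the read/execute rule. Element tags are not visible in this rendering, so the exact structure is inferred from the text.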
@@ -0,0 +1,38 @@ + + + + rw-project-mano:rw-config-agent-role + + project-name + /rw-config-agent:update-cfg-agent-status/rw-config-agent:project-name + + + + + rw-project-mano:account-oper + rw-project-mano:rw-config-agent-role + + read execute + /rw-project:project/rw-config-agent:config-agent + + + + + rw-project-mano:lcm-admin + rw-project-mano:rw-config-agent-role + + create read update delete execute + /rw-project:project/rw-config-agent:config-agent + /rw-config-agent:update-cfg-agent-status + + + + + rw-project-mano:lcm-admin + rw-project-mano:rw-config-agent-role + + read execute + /rw-project:project/rw-config-agent:config-agent + + + diff --git a/common/plugins/yang/rw-sdn.role.xml b/common/plugins/yang/rw-sdn.role.xml new file mode 100644 index 00000000..62944f86 --- /dev/null +++ b/common/plugins/yang/rw-sdn.role.xml @@ -0,0 +1,38 @@ + + + + rw-project-mano:rw-sdn-role + + project-name + /rw-sdn:update-sdn-status/rw-sdn:project-name + + + + + rw-project-mano:account-oper + rw-project-mano:rw-sdn-role + + read execute + /rw-project:project/rw-sdn:sdn + + + + + rw-project-mano:account-admin + rw-project-mano:rw-sdn-role + + create read update delete execute + /rw-project:project/rw-sdn:sdn + /rw-sdn:update-sdn-status + + + + + rw-project-mano:lcm-admin + rw-project-mano:rw-sdn-role + + read execute + /rw-project:project/rw-sdn:sdn + + + diff --git a/models/plugins/yang/CMakeLists.txt b/models/plugins/yang/CMakeLists.txt index 48a36983..f22613f9 100644 --- a/models/plugins/yang/CMakeLists.txt +++ b/models/plugins/yang/CMakeLists.txt @@ -44,9 +44,6 @@ rift_add_yang_target( COMPONENT ${PKG_LONG_NAME} LIBRARIES rwprojectmano_yang_gen - ASSOCIATED_FILES - project-vnfd.role.xml - project-nsd.role.xml ) rift_add_yang_target( 
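Review bot: rw-config-agent.role.xml has the same duplicated `rw-project-mano:lcm-admin` entry as rw-cloud.role.xml: lcm-admin gets create/read/update/delete/execute on `/rw-project:project/rw-config-agent:config-agent` and `/rw-config-agent:update-cfg-agent-status` in one entry and read/execute in the next, while `rw-project-mano:account-admin` appears nowhere in the file. The account-admin description in this commit says it holds CRUDX on VCA accounts, so the CRUDX entry is presumably meant for `rw-project-mano:account-admin` and the read/execute one for lcm-admin, as rw-sdn.role.xml is written. As committed, account-admin cannot manage config-agent accounts at all and lcm-admin is over-privileged on them.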
@@ -65,6 +62,13 @@ rift_add_yang_target( rwcloud_yang rwconfig_agent_yang rwprojectmano_yang + ASSOCIATED_FILES + project-vnfd.role.xml + project-nsd.role.xml + vnfr.role.xml + rw-vnfr.role.xml + vlr.role.xml + nsr.role.xml ) #rift_gen_yang_tree(mano-pyang-trees diff --git a/models/plugins/yang/nsr.role.xml b/models/plugins/yang/nsr.role.xml new file mode 100644 index 00000000..4353911e --- /dev/null +++ b/models/plugins/yang/nsr.role.xml @@ -0,0 +1,39 @@ + + + + rw-project-mano:nsr-role + + project-name + /nsr:exec-scale-out/nsr:project-name + /nsr:exec-scale-in/nsr:project-name + /nsr:exec-ns-service-primitive/nsr:project-name + /nsr:get-ns-service-primitive-values/nsr:project-name + /nsr:start-network-service/nsr:project-name + + + + + rw-project-mano:lcm-oper + rw-project-mano:nsr-role + + read execute + /rw-project:project/nsr:ns-instance-config + /rw-project:project/nsr:ns-instance-opdata + + + + + rw-project-mano:lcm-admin + rw-project-mano:nsr-role + + create read update delete execute + /rw-project:project/nsr:ns-instance-config + /rw-project:project/nsr:ns-instance-opdata + /nsr:exec-scale-out + /nsr:exec-scale-in + /nsr:exec-ns-service-primitive + /nsr:get-ns-service-primitive-values + /nsr:start-network-service + + + diff --git a/models/plugins/yang/project-nsd.role.xml b/models/plugins/yang/project-nsd.role.xml index 1d52f770..afacae33 100644 --- a/models/plugins/yang/project-nsd.role.xml +++ b/models/plugins/yang/project-nsd.role.xml @@ -1,8 +1,15 @@ + + rw-project-mano:project-nsd-role + + project-name + + + rw-project-mano:catalog-oper - rw-project:project-role + rw-project-mano:project-nsd-role read execute /rw-project:project/project-nsd:nsd-catalog 
@@ -11,10 +18,19 @@ rw-project-mano:catalog-admin - rw-project:project-role + rw-project-mano:project-nsd-role create read update delete execute /rw-project:project/project-nsd:nsd-catalog + + + rw-project-mano:lcm-admin + rw-project-mano:project-nsd-role + + read execute + /rw-project:project/project-nsd:nsd-catalog + + diff --git a/models/plugins/yang/project-vnfd.role.xml b/models/plugins/yang/project-vnfd.role.xml index a9b2a7b8..a32c92f1 100644 --- a/models/plugins/yang/project-vnfd.role.xml +++ b/models/plugins/yang/project-vnfd.role.xml @@ -1,8 +1,15 @@ + + rw-project-mano:project-vnfd-role + + project-name + + + rw-project-mano:catalog-oper - rw-project:project-role + rw-project-mano:project-vnfd-role read execute /rw-project:project/project-vnfd:vnfd-catalog @@ -11,10 +18,19 @@ rw-project-mano:catalog-admin - rw-project:project-role + rw-project-mano:project-vnfd-role create read update delete execute /rw-project:project/project-vnfd:vnfd-catalog + + + rw-project-mano:lcm-admin + rw-project-mano:project-vnfd-role + + read execute + /rw-project:project/project-vnfd:vnfd-catalog + + diff --git a/models/plugins/yang/rw-vnfr.role.xml b/models/plugins/yang/rw-vnfr.role.xml new file mode 100644 index 00000000..91786902 --- /dev/null +++ b/models/plugins/yang/rw-vnfr.role.xml @@ -0,0 +1,27 @@ + + + + rw-project-mano:rw-vnfr-role + + project-name + + + + + rw-project-mano:lcm-oper + rw-project-mano:rw-vnfr-role + + read execute + /rw-project:project/rw-vnfr:vnfr-console + + + + + rw-project-mano:lcm-admin + rw-project-mano:rw-vnfr-role + + create read update delete execute + /rw-project:project/rw-vnfr:vnfr-console + + + diff --git a/models/plugins/yang/vlr.role.xml b/models/plugins/yang/vlr.role.xml new file mode 100644 index 00000000..90350dc9 --- /dev/null +++ b/models/plugins/yang/vlr.role.xml 
@@ -0,0 +1,27 @@ + + + + rw-project-mano:vlr-role + + project-name + + + + + rw-project-mano:lcm-oper + rw-project-mano:vlr-role + + read execute + /rw-project:project/vlr:vlr-catalog + + + + + rw-project-mano:lcm-admin + rw-project-mano:vlr-role + + create read update delete execute + /rw-project:project/vlr:vlr-catalog + + + diff --git a/models/plugins/yang/vnfr.role.xml b/models/plugins/yang/vnfr.role.xml new file mode 100644 index 00000000..9dff86b8 --- /dev/null +++ b/models/plugins/yang/vnfr.role.xml @@ -0,0 +1,32 @@ + + + + rw-project-mano:vnfr-role + + project-name + /rw-project:project/rw-project:name + /vnfr:create-alarm/vnfr:project-name + /vnfr:destroy-alarm/vnfr:project-name + + + + + rw-project-mano:lcm-oper + rw-project-mano:vnfr-role + + read execute + /rw-project:project/vnfr:vnfr-catalog + + + + + rw-project-mano:lcm-admin + rw-project-mano:vnfr-role + + create read update delete execute + /rw-project:project/vnfr:vnfr-catalog + /vnfr:create-alarm + /vnfr:destroy-alarm + + + diff --git a/rwlaunchpad/plugins/yang/CMakeLists.txt b/rwlaunchpad/plugins/yang/CMakeLists.txt index 4359bff5..2381e861 100644 --- a/rwlaunchpad/plugins/yang/CMakeLists.txt +++ b/rwlaunchpad/plugins/yang/CMakeLists.txt @@ -94,4 +94,6 @@ rift_add_yang_target( rwprojectmano_yang_gen DEPENDS rwprojectmano_yang + ASSOCIATED_FILES + rw-launchpad.role.xml ) diff --git a/rwlaunchpad/plugins/yang/rw-launchpad.role.xml b/rwlaunchpad/plugins/yang/rw-launchpad.role.xml new file mode 100644 index 00000000..0efb351b --- /dev/null +++ b/rwlaunchpad/plugins/yang/rw-launchpad.role.xml 
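Review bot: The project-name key list in vnfr.role.xml includes `/rw-project:project/rw-project:name` alongside the `/vnfr:create-alarm/vnfr:project-name` and `/vnfr:destroy-alarm/vnfr:project-name` leaves, whereas every other role file in this commit lists only RPC project-name leaves or leaves the section empty (rw-vnfr.role.xml, vlr.role.xml, project-nsd.role.xml). If the container path is needed for project scoping it should appear in the sibling files too; if it is not, it should be dropped here so the files follow one convention. I cannot tell from the diff which reading the role loader expects, so this is worth a one-line comment in the file explaining the difference either way.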
@@ -0,0 +1,38 @@ + + + + rw-project-mano:rw-launchpad-role + + project-name + + + + + rw-project-mano:account-oper + rw-project-mano:rw-launchpad-role + + read execute + /rw-project:project/rw-launchpad:datacenters + /rw-project:project/rw-launchpad:resource-orchestrator + + + + + rw-project-mano:account-admin + rw-project-mano:rw-launchpad-role + + read execute + /rw-project:project/rw-launchpad:datacenters + /rw-project:project/rw-launchpad:resource-orchestrator + + + + + rw-project-mano:lcm-admin + rw-project-mano:rw-launchpad-role + + read execute + /rw-project:project/rw-launchpad:datacenters + + + diff --git a/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/projectmano.py b/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/projectmano.py index 406c0a6e..a59284a0 100644 --- a/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/projectmano.py +++ b/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/projectmano.py @@ -24,10 +24,12 @@ import asyncio import gi gi.require_version('RwDts', '1.0') +gi.require_version('RwProjectManoYang', '1.0') from gi.repository import ( RwDts as rwdts, ProtobufC, RwTypes, + RwProjectManoYang, ) import rift.tasklets 
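Review bot: rw-launchpad.role.xml gives `rw-project-mano:account-admin` only read/execute on `/rw-project:project/rw-launchpad:datacenters` and `/rw-project:project/rw-launchpad:resource-orchestrator`, yet the account-admin description added in this same commit (projectmano.py and rw-project-mano.yang) promises full CRUDX on RO accounts. One of the two is wrong: either the account-admin entry here should carry `create read update delete execute` on the resource-orchestrator path, or the description should stop claiming RO write access. As it stands no MANO role in this commit can create or modify the resource-orchestrator configuration.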
@@ -38,6 +40,44 @@ from rift.mano.utils.project import ( ) +MANO_PROJECT_ROLES = [ + { 'mano-role':"rw-project-mano:catalog-oper", + 'description':("The catalog-oper Role has read permission to nsd-catalog " + "and vnfd-catalog under specific Projects, " + "as identified by /rw-project:project/rw-project:name. The " + "catatlog-oper Role may also have execute permission to specific " + "non-mutating RPCs. This Role is intended for read-only access to " + "catalogs under a specific project.") }, + + { 'mano-role':"rw-project-mano:catalog-admin", + 'description':("The catalog-admin Role has full CRUDX permissions to vnfd and nsd " + "catalogs under specific Projects, as identified by " + "/rw-project:project/rw-project:name.") }, + + { 'mano-role':"rw-project-mano:lcm-oper", + 'description':("The lcm-oper Role has read permission to the VL, VNF and NS " + "records within a Project. The lcm-oper Role may also have " + "execute permission to specific non-mutating RPCs.") }, + + { 'mano-role':"rw-project-mano:lcm-admin", + 'description':("The lcm-admin Role has full CRUDX permissions to the VL, VNF " + "and NS records within a Project. The lcm-admin Role does " + "not provide general CRUDX permissions to the Project as a whole, " + "nor to the RIFT.ware platform in general.") }, + + { 'mano-role':"rw-project-mano:account-oper", + 'description':("The account-oper Role has read permission to the VIM, SDN, VCA " + "and RO accounts within a Project. The account-oper Role may also have " + "execute permission to specific non-mutating RPCs.") }, + + { 'mano-role':"rw-project-mano:account-admin", + 'description':("The account-admin Role has full CRUDX permissions to the VIM, SDN, VCA " + "and RO accounts within a Project. The account-admin Role does " + "not provide general CRUDX permissions to the Project as a whole, " + "nor to the RIFT.ware platform in general.") }, +] + + class ProjectDtsHandler(object): XPATH = "C,/{}".format(NS_PROJECT) 
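Review bot: The catalog-oper description in `MANO_PROJECT_ROLES` contains the typo `catatlog-oper`, and since `ProjectStateRolePublisher.pb_role` publishes this string into operational data the misspelling becomes visible to every client reading project-state; change it to `"catalog-oper Role may also have execute permission to specific "`. These descriptions also duplicate, word for word, the identity descriptions in rw-project-mano.yang, so the two copies will drift; a short comment such as `# Keep in sync with the identity descriptions in rw-project-mano.yang` above the list would at least make the coupling explicit.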
@@ -276,3 +316,43 @@ class ProjectHandler(object): def register(self): self.project_cfg_handler.register() + + +class ProjectStateRolePublisher(rift.tasklets.DtsConfigPublisher): + + def __init__(self, tasklet): + super().__init__(tasklet) + self.proj_state = RwProjectManoYang.YangData_RwProject_Project_ProjectState() + self.projects = set() + self.roles = MANO_PROJECT_ROLES + + def get_xpath(self): + return "D,/rw-project:project/rw-project:project-state/rw-project-mano:mano-role" + + def role_xpath(self, project, role): + return "/rw-project:project[rw-project:name='{}']".format(project) + \ + "/rw-project:project-state/rw-project-mano:mano-role" + \ + "[rw-project-mano:role='{}']".format(role['mano-role']) + + def pb_role(self, role): + pbRole = self.proj_state.create_mano_role() + pbRole.role = role['mano-role'] + pbRole.description = role['description'] + return pbRole + + def publish_roles(self, project): + if not project in self.projects: + self.projects.add(project) + for role in self.roles: + xpath = self.role_xpath(project, role) + pb_role = self.pb_role(role) + self.log.debug("publishing xpath:{}".format(xpath)) + self._regh.update_element(xpath, pb_role) + + def unpublish_roles(self, project): + if project in self.projects: + self.projects.remove(project) + for role in self.roles: + xpath = self.role_xpath(project, role) + self.log.debug("unpublishing xpath:{}".format(xpath)) + self._regh.delete_element(xpath) diff --git a/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py b/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py index 694a704d..0083c060 100644 --- a/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py +++ b/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/rolesmano.py @@ -34,7 +34,6 @@ from gi.repository import ( ) import rift.tasklets -#TODO: Fix once merged to latest platform from rift.tasklets.rwproject.project import ( StateMachine, User, 
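Review bot: `ProjectStateRolePublisher.role_xpath` interpolates the project name directly into the XPath predicate `[rw-project:name='{}']` with no quoting, so a project name containing a single quote yields a malformed or differently scoped path for both `update_element` and `delete_element`; project names appear to originate from user configuration, so the method should reject or escape such names, for example `if "'" in project: raise ValueError("project name must not contain a single quote")` at the top of `publish_roles` and `unpublish_roles`. The class also carries no docstrings; a one-line docstring on the class stating that it publishes the fixed `MANO_PROJECT_ROLES` list under each project's project-state, and on `publish_roles`/`unpublish_roles` noting that they are idempotent per project via `self.projects`, would help the next reader. Minor style point: `if not project in self.projects` reads better as `if project not in self.projects`.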
@@ -48,10 +47,7 @@ from rift.mano.utils.project import ( ) -MANO_PROJECT_ROLES = [ - 'rw-project-mano:catalog-oper', - 'rw-project-mano:catalog-admin', -] +from .projectmano import MANO_PROJECT_ROLES class ProjectConfigSubscriber(object): @@ -260,7 +256,7 @@ class RoleConfigPublisher(rift.tasklets.DtsConfigPublisher): self.project_name = project.name self.rbac_int = RwRbacInternalYang.YangData_RwRbacInternal_RwRbacInternal() self.roles = {} - self.proj_roles = MANO_PROJECT_ROLES + self.proj_roles = [role['mano-role'] for role in MANO_PROJECT_ROLES] self.proj_roles_published = False def get_xpath(self): diff --git a/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/tasklet.py b/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/tasklet.py index eb71fa24..fa392d6f 100644 --- a/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/tasklet.py +++ b/rwprojectmano/plugins/rwprojectmano/rift/tasklets/rwprojectmano/tasklet.py @@ -41,6 +41,7 @@ from rift.mano.utils.project import ( from .projectmano import ( ProjectHandler, + ProjectStateRolePublisher, ) from .rolesmano import ( @@ -61,9 +62,11 @@ class ProjectMgrManoProject(ManoProject): def register (self): self._log.info("Initializing the ProjectMgrMano for %s", self.name) yield from self.project_sub.register() + self.tasklet.project_state_role_pub.publish_roles(self.name) def deregister(self): self._log.debug("De-register project %s", self.name) + self.tasklet.project_state_role_pub.unpublish_roles(self.name) self.project_sub.deregister() @@ -110,9 +113,11 @@ class ProjectMgrManoTasklet(rift.tasklets.Tasklet): try: self.log.info("Registering for Project Config") self.project_handler = ProjectHandler(self, ProjectMgrManoProject) - self.project_handler.register() + self.project_state_role_pub = ProjectStateRolePublisher(self) + yield from self.project_state_role_pub.register() + except Exception as e: self.log.exception("Registering for project failed: {}".format(e)) 
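Review bot: In the tasklet.py hunk at line 113 the call `self.project_handler.register()` is removed and not re-added, so unless it is restored outside the hunk the `ProjectHandler` is constructed but never registered and project configuration (and the role publishing that `ProjectMgrManoProject.register` triggers through `self.tasklet.project_state_role_pub`) never starts. The publisher must exist before projects register because `ProjectMgrManoProject.register` dereferences it, so the intended order is probably `self.project_state_role_pub = ProjectStateRolePublisher(self)`, `yield from self.project_state_role_pub.register()`, then `self.project_handler.register()`. The enclosing try block continues outside the hunk, so the missing call may live there, but it is not visible in this diff.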
diff --git a/rwprojectmano/plugins/yang/rw-project-mano.tailf.yang b/rwprojectmano/plugins/yang/rw-project-mano.tailf.yang new file mode 100644 index 00000000..61d7fe04 --- /dev/null +++ b/rwprojectmano/plugins/yang/rw-project-mano.tailf.yang @@ -0,0 +1,44 @@ +/* + * + * Copyright 2017 RIFT.IO Inc + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +module rw-project-mano-tailf +{ + namespace "http://riftio.com/ns/riftware-1.0/rw-project-mano-tailf"; + prefix "rw-project-mano-tailf"; + + import rw-project { + prefix "rw-project"; + } + + import tailf-common { + prefix tailf; + } + + import rw-project-mano { + prefix "rw-project-mano"; + } + + revision 2017-04-04 { + description + "Initial revision."; + } + + tailf:annotate "/rw-project:project/rw-project:project-state/rw-project-mano:mano-role" { + tailf:callpoint rw_callpoint; + } +} diff --git a/rwprojectmano/plugins/yang/rw-project-mano.yang b/rwprojectmano/plugins/yang/rw-project-mano.yang index 34d438c2..215236c9 100644 --- a/rwprojectmano/plugins/yang/rw-project-mano.yang +++ b/rwprojectmano/plugins/yang/rw-project-mano.yang 
@@ -62,6 +62,40 @@ module rw-project-mano nor to the RIFT.ware platform in general."; } + identity lcm-oper { + base rw-project:project-role; + description + "The lcm-oper Role has read permission to the VL, VNF and NS + records within a Project. The lcm-oper Role may also have + execute permission to specific non-mutating RPCs."; + } + + identity lcm-admin { + base rw-project:project-role; + description + "The lcm-admin Role has full CRUDX permissions to the VL, VNF + and NS records within a Project. The lcm-admin Role does + not provide general CRUDX permissions to the Project as a whole, + nor to the RIFT.ware platform in general."; + } + + identity account-oper { + base rw-project:project-role; + description + "The account-oper Role has read permission to the VIM, SDN, VCA + and RO accounts within a Project. The account-oper Role may also have + execute permission to specific non-mutating RPCs."; + } + + identity account-admin { + base rw-project:project-role; + description + "The account-admin Role has full CRUDX permissions to the VIM, SDN, VCA + and RO accounts within a Project. The account-admin Role does + not provide general CRUDX permissions to the Project as a whole, + nor to the RIFT.ware platform in general."; + } + augment /rw-project:project/rw-project:project-config/rw-project:user { description "Configuration for MANO application-specific Roles.";