Merge "Refactor neutrong state and module (part 1)"
diff --git a/.kitchen.yml b/.kitchen.yml
index 8b89e35..d144018 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -24,6 +24,9 @@
- name: linux
repo: git
source: https://github.com/salt-formulas/salt-formula-linux
+ - name: keystone
+ repo: git
+ source: https://github.com/salt-formulas/salt-formula-keystone
state_top:
base:
"*":
diff --git a/README.rst b/README.rst
index 23072ae..e8e633f 100644
--- a/README.rst
+++ b/README.rst
@@ -59,6 +59,20 @@
because a single request may fail (timeout). This is enabled with both
parameters *allow_pagination* and *pagination_max_limit* as shown above.
+
+Configuration of policy.json file
+
+.. code-block:: yaml
+
+ neutron:
+ server:
+ ....
+ policy:
+ create_subnet: 'rule:admin_or_network_owner'
+ 'get_network:queue_id': 'rule:admin_only'
+ # Add key without value to remove line from policy.json
+ 'create_network:shared':
+
Neutron lbaas provides on the controller node
.. code-block:: yaml
diff --git a/_grains/neutron_policy.py b/_grains/neutron_policy.py
new file mode 100644
index 0000000..f194aeb
--- /dev/null
+++ b/_grains/neutron_policy.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+import salt.config
+import salt.loader
+
+
+def main():
+ path = "/etc/neutron/policy.json"
+ __opts__ = salt.config.minion_config('/etc/salt/minion')
+ keystone_policy_mod = salt.loader.raw_mod(__opts__, 'keystone_policy', None)
+ if keystone_policy_mod:
+ result = keystone_policy_mod['keystone_policy.rule_list'](path)
+ if result and 'Error' not in result:
+ return {'neutron_policy': result}
+ return {}
+
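Review bot: `main()` treats a result as failed when `'Error' in result`, but the return shape of `keystone_policy.rule_list` is not visible in this commit, so the check is either a key lookup on a dict or a substring match on a string. The assumed contract deserves a comment, for example `# rule_list is expected to return {'Error': msg} on failure - confirm against the keystone formula`. The function also has no docstring saying that it publishes the parsed contents of /etc/neutron/policy.json as the `neutron_policy` grain. That is worth stating because grain data is sent to the master and is visible to anything that can query minion grains. Assigning to a local named `__opts__` shadows the dunder Salt injects into loaded modules; `opts = salt.config.minion_config('/etc/salt/minion')` would be clearer.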
diff --git a/metadata.yml b/metadata.yml
index c7e6b3b..d43d586 100644
--- a/metadata.yml
+++ b/metadata.yml
@@ -1,3 +1,6 @@
name: "neutron"
version: "2016.4.1"
source: "https://github.com/openstack/salt-formula-neutron"
+dependencies:
+ - name: keystone
+ source: "https://github.com/salt-formulas/salt-formula-keystone"
diff --git a/metadata/service/support.yml b/metadata/service/support.yml
index 6f76ed5..9876a1e 100644
--- a/metadata/service/support.yml
+++ b/metadata/service/support.yml
@@ -6,7 +6,7 @@
heka:
enabled: true
sensu:
- enabled: true
+ enabled: false
sphinx:
enabled: true
config:
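Review bot: Flipping `sensu: enabled` from `true` to `false` is not explained by the visible commit title and looks unrelated to the policy.json work, so it is unclear whether this formula's monitoring metadata is being dropped on purpose. If it is intentional, a comment above the key such as `# sensu checks disabled: <reason>` would stop it being read as an accidental loss of monitoring coverage. Otherwise it should be reverted or moved into its own change.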
diff --git a/neutron/compute.sls b/neutron/compute.sls
index bd6e3e0..bfefb53 100644
--- a/neutron/compute.sls
+++ b/neutron/compute.sls
@@ -50,6 +50,18 @@
- neutron-l3-agent
- neutron-metadata-agent
+neutron_dvr_agents:
+ service.running:
+ - enable: true
+ - names:
+ - neutron-l3-agent
+ - neutron-metadata-agent
+ - watch:
+ - file: /etc/neutron/l3_agent.ini
+ - file: /etc/neutron/metadata_agent.ini
+ - require:
+ - pkg: neutron_dvr_packages
+
/etc/neutron/l3_agent.ini:
file.managed:
- source: salt://neutron/files/{{ compute.version }}/l3_agent.ini
@@ -57,7 +69,7 @@
- watch_in:
- service: neutron_compute_services
- require:
- - pkg: neutron_compute_packages
+ - pkg: neutron_dvr_packages
/etc/neutron/metadata_agent.ini:
file.managed:
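Review bot: The l3_agent.ini state keeps `watch_in: service: neutron_compute_services` although the new `neutron_dvr_agents` state already watches the same file, so an edit appears to restart the compute services as well as the DVR agents. The following metadata_agent.ini hunk has the same leftover. If `neutron_compute_services` (defined outside these hunks) no longer owns the l3 and metadata agents, both `watch_in` entries can be dropped so the `watch` list in `neutron_dvr_agents` is the only restart trigger. A one-line comment on `neutron_dvr_agents`, e.g. `# DVR-only agents; restarted when their ini files change`, would record the split.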
@@ -66,7 +78,7 @@
- watch_in:
- service: neutron_compute_services
- require:
- - pkg: neutron_compute_packages
+ - pkg: neutron_dvr_packages
{% endif %}
diff --git a/neutron/files/mitaka/neutron-server.conf.Debian b/neutron/files/mitaka/neutron-server.conf.Debian
index ae5cddc..f36b5fa 100644
--- a/neutron/files/mitaka/neutron-server.conf.Debian
+++ b/neutron/files/mitaka/neutron-server.conf.Debian
@@ -28,14 +28,11 @@
{% if server.backend.engine == "contrail" %}
-# TEMPORARY - until neutron v2 contrail package would be supported
-#api_extensions_path = extensions:/usr/lib/python2.7/dist-packages/neutron_plugin_contrail/extensions:/usr/lib/python2.7/dist-packages/neutron_lbaas/extensions
-api_extensions_path = extensions:/usr/lib/python2.7/dist-packages/neutron_plugin_contrail/extensions
+api_extensions_path = extensions:/usr/lib/python2.7/dist-packages/neutron_plugin_contrail/extensions:/usr/lib/python2.7/dist-packages/neutron_lbaas/extensions
# The core plugin Neutron will use (string value)
core_plugin = neutron_plugin_contrail.plugins.opencontrail.contrail_plugin.NeutronPluginContrailCoreV2
-# TEMPORARY - until neutron v2 contrail package would be supported
-#service_plugins = neutron_plugin_contrail.plugins.opencontrail.loadbalancer.v2.plugin.LoadBalancerPluginV2
+service_plugins = neutron_plugin_contrail.plugins.opencontrail.loadbalancer.v2.plugin.LoadBalancerPluginV2
{% elif server.backend.engine == "ml2" %}
core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
@@ -842,7 +839,19 @@
auth_region={{ server.identity.region }}
auth_protocol=http
revocation_cache_time = 10
+{% if server.backend.engine == "contrail" %}
+# LBaaS contrail neutron plugin for versions 3.x expects auth_type to be
+# 'keystone' or 'noauth'
+# This behaviour is fixed after the release MCP1.0 by using auth_strategy
+# instead of auth_type, until this is backported to MCP1.0 auth_type must be
+# set to keystone, noauth or commented out.
+#
+# When not defined, contrail defaults to 'keystone'
+#
+#auth_type=keystone
+{% else %}
auth_type = password
+{% endif %}
auth_host = {{ server.identity.host }}
auth_port = 35357
user_domain_id = {{ server.identity.get('domain', 'default') }}
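Review bot: In the contrail branch `auth_type` stays commented out, so the authentication mode depends on the plugin's built-in default, and the comment lists `noauth` as the other accepted value. The comment should name the plugin version against which "defaults to 'keystone'" was checked, so a package upgrade cannot silently change how requests are authenticated. The newton and ocata templates in this commit enable the same `LoadBalancerPluginV2` but show no matching `auth_type` hunk. If those files still set `auth_type = password` unconditionally, the contrail LBaaS plugin would presumably hit the problem described here. The configuration section this belongs to starts outside the hunk.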
@@ -1656,7 +1665,7 @@
{%- for lbaas_name, lbaas in server.lbaas.providers.iteritems() %}
{%- if lbaas.engine == "avinetworks" -%}
-service_provider=LOADBALANCERV2:{{ lbaas_name }}:neutron_lbaas.drivers.avi.avi_driver.AviDriver
+service_provider=LOADBALANCERV2:{{ lbaas_name }}:{{ lbaas.get('driver_path', 'avi_lbaasv2.avi_driver.AviDriver') }}:default
[{{ lbaas_name }}]
address={{ lbaas.controller_address }}
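Review bot: The new `service_provider` line appends `:default` inside the `for` loop over `server.lbaas.providers`, so a pillar with two avinetworks providers renders two default providers for LOADBALANCERV2. As far as I know neutron refuses to load more than one default per service type. Making the flag opt-in would avoid that, e.g. `{%- if lbaas.get('default', false) %}:default{%- endif %}` after the driver path. The fallback class also changes from `neutron_lbaas.drivers.avi.avi_driver.AviDriver` to `avi_lbaasv2.avi_driver.AviDriver`, so existing deployments need the new package or an explicit `driver_path`. The README should document `driver_path` as a class path that neutron imports, so it must only come from operator-controlled pillar. The same line appears in the newton and ocata templates.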
@@ -1671,7 +1680,7 @@
{% elif server.backend.engine == "contrail" %}
-service_provider = LOADBALANCER:Opencontrail:neutron_plugin_contrail.plugins.opencontrail.loadbalancer.driver.OpencontrailLoadbalancerDriver:default
+service_provider = LOADBALANCERV2:Opencontrail:neutron_plugin_contrail.plugins.opencontrail.loadbalancer.driver.OpencontrailLoadbalancerDummyDriver:default
{% include "neutron/files/"+server.version+"/ContrailPlugin.ini" %}
diff --git a/neutron/files/newton/neutron-server.conf.Debian b/neutron/files/newton/neutron-server.conf.Debian
index 13d30c1..1ae886b 100644
--- a/neutron/files/newton/neutron-server.conf.Debian
+++ b/neutron/files/newton/neutron-server.conf.Debian
@@ -28,14 +28,11 @@
{% if server.backend.engine == "contrail" %}
-# TEMPORARY - until neutron v2 contrail package would be supported
-#api_extensions_path = extensions:/usr/lib/python2.7/dist-packages/neutron_plugin_contrail/extensions:/usr/lib/python2.7/dist-packages/neutron_lbaas/extensions
-api_extensions_path = extensions:/usr/lib/python2.7/dist-packages/neutron_plugin_contrail/extensions
+api_extensions_path = extensions:/usr/lib/python2.7/dist-packages/neutron_plugin_contrail/extensions:/usr/lib/python2.7/dist-packages/neutron_lbaas/extensions
# The core plugin Neutron will use (string value)
core_plugin = neutron_plugin_contrail.plugins.opencontrail.contrail_plugin.NeutronPluginContrailCoreV2
-# TEMPORARY - until neutron v2 contrail package would be supported
-#service_plugins = neutron_plugin_contrail.plugins.opencontrail.loadbalancer.v2.plugin.LoadBalancerPluginV2
+service_plugins = neutron_plugin_contrail.plugins.opencontrail.loadbalancer.v2.plugin.LoadBalancerPluginV2
{% elif server.backend.engine == "ml2" %}
core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
@@ -1654,7 +1651,7 @@
{%- for lbaas_name, lbaas in server.lbaas.providers.iteritems() %}
{%- if lbaas.engine == "avinetworks" -%}
-service_provider=LOADBALANCERV2:{{ lbaas_name }}:neutron_lbaas.drivers.avi.avi_driver.AviDriver
+service_provider=LOADBALANCERV2:{{ lbaas_name }}:{{ lbaas.get('driver_path', 'avi_lbaasv2.avi_driver.AviDriver') }}:default
[{{ lbaas_name }}]
address={{ lbaas.controller_address }}
@@ -1669,7 +1666,7 @@
{% elif server.backend.engine == "contrail" %}
-service_provider = LOADBALANCER:Opencontrail:neutron_plugin_contrail.plugins.opencontrail.loadbalancer.driver.OpencontrailLoadbalancerDriver:default
+service_provider = LOADBALANCERV2:Opencontrail:neutron_plugin_contrail.plugins.opencontrail.loadbalancer.driver.OpencontrailLoadbalancerDummyDriver:default
{% include "neutron/files/"+server.version+"/ContrailPlugin.ini" %}
diff --git a/neutron/files/ocata/neutron-server.conf.Debian b/neutron/files/ocata/neutron-server.conf.Debian
index 70bfc9e..0047550 100644
--- a/neutron/files/ocata/neutron-server.conf.Debian
+++ b/neutron/files/ocata/neutron-server.conf.Debian
@@ -34,19 +34,16 @@
{% if server.backend.engine == "contrail" %}
-# TEMPORARY - until neutron v2 contrail package would be supported
-#api_extensions_path = extensions:/usr/lib/python2.7/dist-packages/neutron_plugin_contrail/extensions:/usr/lib/python2.7/dist-packages/neutron_lbaas/extensions
-api_extensions_path = extensions:/usr/lib/python2.7/dist-packages/neutron_plugin_contrail/extensions
+api_extensions_path = extensions:/usr/lib/python2.7/dist-packages/neutron_plugin_contrail/extensions:/usr/lib/python2.7/dist-packages/neutron_lbaas/extensions
# The core plugin Neutron will use (string value)
core_plugin = neutron_plugin_contrail.plugins.opencontrail.contrail_plugin.NeutronPluginContrailCoreV2
-# TEMPORARY - until neutron v2 contrail package would be supported
-#service_plugins = neutron_plugin_contrail.plugins.opencontrail.loadbalancer.v2.plugin.LoadBalancerPluginV2
+service_plugins = neutron_plugin_contrail.plugins.opencontrail.loadbalancer.v2.plugin.LoadBalancerPluginV2
{% elif server.backend.engine == "ml2" %}
core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
-service_plugins =neutron.services.l3_router.l3_router_plugin.L3RouterPlugin,neutron.services.metering.metering_plugin.MeteringPlugin{%- if server.lbaas is defined -%}
+service_plugins =neutron.services.l3_router.l3_router_plugin.L3RouterPlugin,neutron.services.metering.metering_plugin.MeteringPlugin,trunk{%- if server.lbaas is defined -%}
,neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2
{%- endif -%}
@@ -2164,7 +2161,7 @@
{%- for lbaas_name, lbaas in server.lbaas.providers.iteritems() %}
{%- if lbaas.engine == "avinetworks" -%}
-service_provider=LOADBALANCERV2:{{ lbaas_name }}:neutron_lbaas.drivers.avi.avi_driver.AviDriver
+service_provider=LOADBALANCERV2:{{ lbaas_name }}:{{ lbaas.get('driver_path', 'avi_lbaasv2.avi_driver.AviDriver') }}:default
[{{ lbaas_name }}]
address={{ lbaas.controller_address }}
@@ -2179,7 +2176,7 @@
{% elif server.backend.engine == "contrail" %}
-service_provider = LOADBALANCER:Opencontrail:neutron_plugin_contrail.plugins.opencontrail.loadbalancer.driver.OpencontrailLoadbalancerDriver:default
+service_provider = LOADBALANCERV2:Opencontrail:neutron_plugin_contrail.plugins.opencontrail.loadbalancer.driver.OpencontrailLoadbalancerDummyDriver:default
{% include "neutron/files/"+server.version+"/ContrailPlugin.ini" %}
diff --git a/neutron/meta/sphinx.yml b/neutron/meta/sphinx.yml
index a4d2085..20af434 100644
--- a/neutron/meta/sphinx.yml
+++ b/neutron/meta/sphinx.yml
@@ -16,7 +16,7 @@
bind:
value: {{ server.bind.address }}:{{ server.bind.port }}
plugin:
- value: {{ server.plugin }}
+ value: {{ server.backend.engine }}
version:
name: "Version"
value: {{ server.version }}
@@ -38,4 +38,4 @@
{%- set pkg_version = "dpkg -l "+pkg+" | grep "+pkg+" | awk '{print $3}'" %}
* {{ pkg }}: {{ salt['cmd.run'](pkg_version) }}
{%- endfor %}
- {%- endif %}
\ No newline at end of file
+ {%- endif %}
diff --git a/neutron/server.sls b/neutron/server.sls
index 2f530e2..5bf73e3 100644
--- a/neutron/server.sls
+++ b/neutron/server.sls
@@ -80,6 +80,30 @@
- require:
- pkg: neutron_server_packages
+{%- for name, rule in server.get('policy', {}).iteritems() %}
+
+{%- if rule != None %}
+rule_{{ name }}_present:
+ keystone_policy.rule_present:
+ - path: /etc/neutron/policy.json
+ - name: {{ name }}
+ - rule: {{ rule }}
+ - require:
+ - pkg: neutron_server_packages
+
+{%- else %}
+
+rule_{{ name }}_absent:
+ keystone_policy.rule_absent:
+ - path: /etc/neutron/policy.json
+ - name: {{ name }}
+ - require:
+ - pkg: neutron_server_packages
+
+{%- endif %}
+
+{%- endfor %}
+
{%- if grains.os_family == "Debian" %}
/etc/default/neutron-server:
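Review bot: `- name: {{ name }}` and `- rule: {{ rule }}` are rendered into the state file unquoted, so policy values that are valid in policy.json can turn into something else once YAML parses them. An empty string becomes null, `!` or `@` fail to parse, and a rule containing `: ` or ` #` is split or truncated. Because these values decide API authorization, they should be quoted on render: `- name: {{ name|yaml_dquote }}` and `- rule: {{ rule|yaml_dquote }}`. The test `rule != None` is more idiomatic as `rule is not none`. A comment on the `rule_absent` branch should say what applies once the key is removed (presumably the policy engine's default rule), since that can be more permissive than the line it replaces.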
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index 1aba7fd..763b549 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -51,4 +51,8 @@
audit:
filter_factory: 'keystonemiddleware.audit:filter_factory'
map_file: '/etc/pycadf/neutron_api_audit_map.conf'
+ policy:
+ create_subnet: 'rule:admin_or_network_owner'
+ 'get_network:queue_id': 'rule:admin_only'
+ 'create_network:shared':
diff --git a/tests/pillar/control_dvr.sls b/tests/pillar/control_dvr.sls
index 014de67..a6fc8b3 100644
--- a/tests/pillar/control_dvr.sls
+++ b/tests/pillar/control_dvr.sls
@@ -45,4 +45,8 @@
user: openstack
virtual_host: /openstack
plugin: ml2
- version: mitaka
\ No newline at end of file
+ version: mitaka
+ policy:
+ create_subnet: 'rule:admin_or_network_owner'
+ 'get_network:queue_id': 'rule:admin_only'
+ 'create_network:shared':
diff --git a/tests/pillar/control_nodvr.sls b/tests/pillar/control_nodvr.sls
index 8840b5e..0d18f6a 100644
--- a/tests/pillar/control_nodvr.sls
+++ b/tests/pillar/control_nodvr.sls
@@ -45,4 +45,8 @@
user: openstack
virtual_host: /openstack
plugin: ml2
- version: mitaka
\ No newline at end of file
+ version: mitaka
+ policy:
+ create_subnet: 'rule:admin_or_network_owner'
+ 'get_network:queue_id': 'rule:admin_only'
+ 'create_network:shared':
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index 1f8a28e..2eb905e 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -46,3 +46,7 @@
user: nova
password: password
tenant: service
+ policy:
+ create_subnet: 'rule:admin_or_network_owner'
+ 'get_network:queue_id': 'rule:admin_only'
+ 'create_network:shared':