Enable RBAC for OpenContrail
PROD-17451
Change-Id: I55f1fc517369fa40d408f17748186f4a23d0909e
diff --git a/README.rst b/README.rst
index 215d855..bd4fc8f 100644
--- a/README.rst
+++ b/README.rst
@@ -1086,6 +1086,16 @@
port: 9001
protocol: http
+Enable RBAC for OpenContrail engine
+-----------------------------------
+.. code-block:: yaml
+
+ neutron:
+ server:
+ backend:
+ engine: contrail
+ rbac:
+ enabled: True
Enhanced logging with logging.conf
----------------------------------
diff --git a/neutron/files/ocata/api-paste.ini.Debian b/neutron/files/ocata/api-paste.ini.Debian
index 580ee6f..bc61d4a 100644
--- a/neutron/files/ocata/api-paste.ini.Debian
+++ b/neutron/files/ocata/api-paste.ini.Debian
@@ -7,13 +7,18 @@
[composite:neutronapi_v2_0]
use = call:neutron.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
-keystone = cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
+keystone = cors http_proxy_to_wsgi {%- if server.backend.engine == "contrail" and server.backend.rbac %} user_token {%- endif %} request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
[composite:neutronversions_composite]
use = call:neutron.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi neutronversions
keystone = cors http_proxy_to_wsgi {% if server.audit.enabled %}audit {% endif %}neutronversions
+{%- if server.backend.engine == "contrail" and server.backend.rbac %}
+[filter:user_token]
+paste.filter_factory = neutron_plugin_contrail.plugins.opencontrail.neutron_middleware:token_factory
+{%- endif %}
+
[filter:request_id]
paste.filter_factory = oslo_middleware:RequestId.factory
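Review bot: The condition on the new `keystone =` line and around the `[filter:user_token]` section tests `server.backend.rbac`, not the `enabled` flag that the README hunk documents. A pillar with `rbac: {enabled: False}` is still a non-empty mapping, so it would still place `user_token` in the authenticated pipeline. Testing the flag keeps the pillar and the rendered paste config in agreement: `{%- if server.backend.engine == "contrail" and server.backend.rbac.enabled %}`. If `rbac` can be absent from the formula defaults (not visible in this diff), `server.backend.get('rbac', {}).get('enabled', False)` avoids an undefined lookup at render time. The same two conditions appear in the pike Debian and pike RedHat hunks below.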
diff --git a/neutron/files/pike/api-paste.ini.Debian b/neutron/files/pike/api-paste.ini.Debian
index 580ee6f..bc61d4a 100644
--- a/neutron/files/pike/api-paste.ini.Debian
+++ b/neutron/files/pike/api-paste.ini.Debian
@@ -7,13 +7,18 @@
[composite:neutronapi_v2_0]
use = call:neutron.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
-keystone = cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
+keystone = cors http_proxy_to_wsgi {%- if server.backend.engine == "contrail" and server.backend.rbac %} user_token {%- endif %} request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
[composite:neutronversions_composite]
use = call:neutron.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi neutronversions
keystone = cors http_proxy_to_wsgi {% if server.audit.enabled %}audit {% endif %}neutronversions
+{%- if server.backend.engine == "contrail" and server.backend.rbac %}
+[filter:user_token]
+paste.filter_factory = neutron_plugin_contrail.plugins.opencontrail.neutron_middleware:token_factory
+{%- endif %}
+
[filter:request_id]
paste.filter_factory = oslo_middleware:RequestId.factory
diff --git a/neutron/files/pike/api-paste.ini.RedHat b/neutron/files/pike/api-paste.ini.RedHat
index 580ee6f..bc61d4a 100644
--- a/neutron/files/pike/api-paste.ini.RedHat
+++ b/neutron/files/pike/api-paste.ini.RedHat
@@ -7,13 +7,18 @@
[composite:neutronapi_v2_0]
use = call:neutron.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
-keystone = cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
+keystone = cors http_proxy_to_wsgi {%- if server.backend.engine == "contrail" and server.backend.rbac %} user_token {%- endif %} request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
[composite:neutronversions_composite]
use = call:neutron.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi neutronversions
keystone = cors http_proxy_to_wsgi {% if server.audit.enabled %}audit {% endif %}neutronversions
+{%- if server.backend.engine == "contrail" and server.backend.rbac %}
+[filter:user_token]
+paste.filter_factory = neutron_plugin_contrail.plugins.opencontrail.neutron_middleware:token_factory
+{%- endif %}
+
[filter:request_id]
paste.filter_factory = oslo_middleware:RequestId.factory