Merge "Enable RBAC for OpenContrail"

commit: df615857063836e9f97acd62225372e644a46ec3 [log] [tgz]
author: Jakub Josef <jjosef@mirantis.com> Wed Feb 21 10:42:38 2018 +0000
committer: Gerrit Code Review <gerrit2@56fc70e46927> Wed Feb 21 10:42:38 2018 +0000
tree: f162fbecc59c7885a462ce40af881e93c50ad155
parent: 2a8b9523720e01694fd7b415ec94559975aaa00e [diff]
parent: 67ce2063f195be81efca02ca964f3d95bed4d49e [diff]
diff --git a/README.rst b/README.rst
index 4db341c..81d7e5e 100644
--- a/README.rst
+++ b/README.rst

@@ -1086,6 +1086,16 @@
               port: 9001
               protocol: http
 
+Enable RBAC for OpenContrail engine
+-----------------------------------
+.. code-block:: yaml
+
+    neutron:
+      server:
+        backend:
+          engine: contrail
+          rbac:
+            enabled: True
 
 Enhanced logging with logging.conf
 ----------------------------------

diff --git a/neutron/files/ocata/api-paste.ini.Debian b/neutron/files/ocata/api-paste.ini.Debian
index 580ee6f..bc61d4a 100644
--- a/neutron/files/ocata/api-paste.ini.Debian
+++ b/neutron/files/ocata/api-paste.ini.Debian

@@ -7,13 +7,18 @@
 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
 noauth = cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
-keystone = cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
+keystone = cors http_proxy_to_wsgi {%- if server.backend.engine == "contrail" and server.backend.rbac %} user_token {%- endif %} request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
 
 [composite:neutronversions_composite]
 use = call:neutron.auth:pipeline_factory
 noauth = cors http_proxy_to_wsgi neutronversions
 keystone = cors http_proxy_to_wsgi {% if server.audit.enabled %}audit {% endif %}neutronversions
 
+{%- if server.backend.engine == "contrail" and server.backend.rbac %}
+[filter:user_token]
+paste.filter_factory = neutron_plugin_contrail.plugins.opencontrail.neutron_middleware:token_factory
+{%- endif %}
+
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
 

diff --git a/neutron/files/pike/api-paste.ini.Debian b/neutron/files/pike/api-paste.ini.Debian
index 580ee6f..bc61d4a 100644
--- a/neutron/files/pike/api-paste.ini.Debian
+++ b/neutron/files/pike/api-paste.ini.Debian

@@ -7,13 +7,18 @@
 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
 noauth = cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
-keystone = cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
+keystone = cors http_proxy_to_wsgi {%- if server.backend.engine == "contrail" and server.backend.rbac %} user_token {%- endif %} request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
 
 [composite:neutronversions_composite]
 use = call:neutron.auth:pipeline_factory
 noauth = cors http_proxy_to_wsgi neutronversions
 keystone = cors http_proxy_to_wsgi {% if server.audit.enabled %}audit {% endif %}neutronversions
 
+{%- if server.backend.engine == "contrail" and server.backend.rbac %}
+[filter:user_token]
+paste.filter_factory = neutron_plugin_contrail.plugins.opencontrail.neutron_middleware:token_factory
+{%- endif %}
+
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
 

diff --git a/neutron/files/pike/api-paste.ini.RedHat b/neutron/files/pike/api-paste.ini.RedHat
index 580ee6f..bc61d4a 100644
--- a/neutron/files/pike/api-paste.ini.RedHat
+++ b/neutron/files/pike/api-paste.ini.RedHat

@@ -7,13 +7,18 @@
 [composite:neutronapi_v2_0]
 use = call:neutron.auth:pipeline_factory
 noauth = cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
-keystone = cors http_proxy_to_wsgi request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
+keystone = cors http_proxy_to_wsgi {%- if server.backend.engine == "contrail" and server.backend.rbac %} user_token {%- endif %} request_id catch_errors authtoken keystonecontext extensions {% if server.audit.enabled %}audit {% endif %}neutronapiapp_v2_0
 
 [composite:neutronversions_composite]
 use = call:neutron.auth:pipeline_factory
 noauth = cors http_proxy_to_wsgi neutronversions
 keystone = cors http_proxy_to_wsgi {% if server.audit.enabled %}audit {% endif %}neutronversions
 
+{%- if server.backend.engine == "contrail" and server.backend.rbac %}
+[filter:user_token]
+paste.filter_factory = neutron_plugin_contrail.plugins.opencontrail.neutron_middleware:token_factory
+{%- endif %}
+
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
commit	df615857063836e9f97acd62225372e644a46ec3	[log] [tgz]
author	Jakub Josef <jjosef@mirantis.com>	Wed Feb 21 10:42:38 2018 +0000
committer	Gerrit Code Review <gerrit2@56fc70e46927>	Wed Feb 21 10:42:38 2018 +0000
tree	f162fbecc59c7885a462ce40af881e93c50ad155
parent	2a8b9523720e01694fd7b415ec94559975aaa00e [diff]
parent	67ce2063f195be81efca02ca964f3d95bed4d49e [diff]