octavia 15.0.0__py3-none-any.whl → 16.0.0__py3-none-any.whl

octavia/network/drivers/noop_driver/driver.py

@@ -12,14 +12,28 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import typing
+
 from oslo_log import log as logging
 from oslo_utils import uuidutils
+from sqlalchemy import Column
+from sqlalchemy import create_engine
+from sqlalchemy import delete
+from sqlalchemy import event
+from sqlalchemy import insert
+from sqlalchemy import MetaData
+from sqlalchemy import select
+from sqlalchemy import String
+from sqlalchemy import Table
 
 from octavia.common import constants
 from octavia.common import data_models
 from octavia.network import base as driver_base
 from octavia.network import data_models as network_models
 
+if typing.TYPE_CHECKING:
+    from octavia.common import context
+
 LOG = logging.getLogger(__name__)
 
 _NOOP_MANAGER_VARS = {
@@ -38,6 +52,39 @@ class NoopManager:
         self.networkconfigconfig = {}
         self._qos_extension_enabled = True
 
+        # The controller worker can run with multiple processes, so we
+        # need to have a persistent and shared store for the no-op driver.
+        self.engine = create_engine('sqlite:////tmp/octavia-network-noop.db')
+
+        # TODO(johnsom) work around pysqlite locking issues per:
+        # https://github.com/sqlalchemy/sqlalchemy/discussions/12330
+        @event.listens_for(self.engine, "connect")
+        def do_connect(dbapi_connection, connection_record):
+            # disable pysqlite's emitting of the BEGIN statement entirely.
+            # also stops it from emitting COMMIT before any DDL.
+            dbapi_connection.isolation_level = None
+
+        @event.listens_for(self.engine, "begin")
+        def do_begin(conn):
+            conn.exec_driver_sql("BEGIN EXCLUSIVE")
+
+        metadata_obj = MetaData()
+
+        self.interfaces_table = Table(
+            'interfaces',
+            metadata_obj,
+            Column('port_id', String(36)),
+            Column('network_id', String(36)),
+            Column('compute_id', String(36)),
+            Column('vnic_type', String(6)))
+        self.fixed_ips_table = Table(
+            'fixed_ips',
+            metadata_obj,
+            Column('port_id', String(36)),
+            Column('subnet_id', String(36)),
+            Column('ip_address', String(64)))
+        metadata_obj.create_all(self.engine)
+
     def allocate_vip(self, loadbalancer):
         LOG.debug("Network %s no-op, allocate_vip loadbalancer %s",
                   self.__class__.__name__, loadbalancer)
@@ -82,6 +129,18 @@ class NoopManager:
                                   vip.ip_address)] = (load_balancer, vip,
                                                       'update_vip_sg')
 
+    def update_aap_port_sg(self,
+                           load_balancer: data_models.LoadBalancer,
+                           amphora: data_models.Amphora,
+                           vip: data_models.Vip):
+        LOG.debug("Network %s no-op, update_aap_port_sg load_balancer %s, "
+                  " vip %s, amphora %s", self.__class__.__name__,
+                  load_balancer.id, vip.ip_address, amphora)
+        self.networkconfigconfig[(amphora.id,
+                                  vip.ip_address)] = (load_balancer, vip,
+                                                      amphora,
+                                                      'update_aap_port_sg')
+
     def plug_aap_port(self, load_balancer, vip, amphora, subnet):
         LOG.debug("Network %s no-op, plug_aap_port loadbalancer %s, vip %s,"
                   " amphora %s, subnet %s",
@@ -91,12 +150,34 @@ class NoopManager:
                                   vip.ip_address)] = (
             load_balancer, vip, amphora, subnet,
             'plug_aap_port')
+
+        fixed_ips = [network_models.FixedIP(subnet_id=subnet.id,
+                                            ip_address=vip.ip_address)]
+
+        port_id = uuidutils.generate_uuid()
+        LOG.debug("Network %s no-op, plug_aap_port loadbalancer %s is using "
+                  "base port ID %s",
+                  self.__class__.__name__,
+                  load_balancer.id, port_id)
+
+        # Store the interface information in the no-op DB
+        with self.engine.connect() as connection:
+            connection.execute(insert(self.interfaces_table).values(
+                port_id=port_id, network_id=vip.network_id,
+                compute_id=amphora.compute_id,
+                vnic_type=constants.VNIC_TYPE_NORMAL))
+            for fixed_ip in fixed_ips:
+                connection.execute(insert(self.fixed_ips_table).values(
+                    port_id=port_id, subnet_id=fixed_ip.subnet_id,
+                    ip_address=fixed_ip.ip_address))
+            connection.commit()
+
         return data_models.Amphora(
             id=amphora.id,
             compute_id=amphora.compute_id,
             vrrp_ip='198.51.100.1',
             ha_ip='198.51.100.1',
-            vrrp_port_id=uuidutils.generate_uuid(),
+            vrrp_port_id=port_id,
             ha_port_id=uuidutils.generate_uuid()
         )
 
@@ -117,42 +198,45 @@ class NoopManager:
                                   vip.ip_address)] = (vip, amphora, subnet,
                                                       'unplug_aap_port')
 
-    def plug_network(self, compute_id, network_id):
-        LOG.debug("Network %s no-op, plug_network compute_id %s, network_id "
-                  "%s", self.__class__.__name__, compute_id,
-                  network_id)
-        self.networkconfigconfig[(compute_id, network_id)] = (
-            compute_id, network_id, 'plug_network')
-        interface = network_models.Interface(
-            id=uuidutils.generate_uuid(),
-            compute_id=compute_id,
-            network_id=network_id,
-            fixed_ips=[],
-            port_id=uuidutils.generate_uuid()
-        )
-        _NOOP_MANAGER_VARS['ports'][interface.port_id] = (
-            network_models.Port(
-                id=interface.port_id,
-                network_id=network_id))
-        _NOOP_MANAGER_VARS['interfaces'][(network_id, compute_id)] = (
-            interface)
-        return interface
-
     def unplug_network(self, compute_id, network_id):
         LOG.debug("Network %s no-op, unplug_network compute_id %s, "
                   "network_id %s",
                   self.__class__.__name__, compute_id, network_id)
         self.networkconfigconfig[(compute_id, network_id)] = (
             compute_id, network_id, 'unplug_network')
-        _NOOP_MANAGER_VARS['interfaces'].pop((network_id, compute_id), None)
 
     def get_plugged_networks(self, compute_id):
-        LOG.debug("Network %s no-op, get_plugged_networks amphora_id %s",
+        LOG.debug("Network %s no-op, get_plugged_networks compute_id %s",
                   self.__class__.__name__, compute_id)
         self.networkconfigconfig[compute_id] = (
             compute_id, 'get_plugged_networks')
-        return [pn for pn in _NOOP_MANAGER_VARS['interfaces'].values()
-                if pn.compute_id == compute_id]
+
+        # Retrieve the interfaces from the no-op DB for this compute_id
+        interfaces = []
+        with self.engine.connect() as connection:
+            int_results = connection.execute(
+                select(self.interfaces_table)
+                .where(self.interfaces_table.c.compute_id == compute_id))
+            # Walk through the matching interfaces
+            for interface in int_results:
+                fixed_ips = []
+                # Get the fixed IPs on each interface
+                fixed_ip_results = connection.execute(
+                    select(self.fixed_ips_table)
+                    .where(
+                        self.fixed_ips_table.c.port_id == interface.port_id))
+                # Build the FixedIP objects for the interface
+                for fixed_ip in fixed_ip_results:
+                    fixed_ips.append(network_models.FixedIP(
+                        subnet_id=fixed_ip.subnet_id,
+                        ip_address=fixed_ip.ip_address))
+                # Add the interface object to the list
+                interfaces.append(network_models.Interface(
+                    compute_id=interface.compute_id,
+                    network_id=interface.network_id,
+                    port_id=interface.port_id, fixed_ips=fixed_ips,
+                    vnic_type=interface.vnic_type))
+        return interfaces
 
     def update_vip(self, loadbalancer, for_delete=False):
         LOG.debug("Network %s no-op, update_vip loadbalancer %s "
@@ -228,6 +312,14 @@ class NoopManager:
         _NOOP_MANAGER_VARS['ports'][port_id] = port
         return port
 
+    def get_security_group_by_id(self, sg_id: str,
+                                 context: 'context.RequestContext' = None) -> (
+            'network_models.SecurityGroup'):
+        LOG.debug("Network %s no-op, get_security_group_by_id %s",
+                  self.__class__.__name__, sg_id)
+        self.networkconfigconfig[sg_id] = (sg_id, 'get_security_group_by_id')
+        return network_models.SecurityGroup(id=sg_id)
+
     def get_network_by_name(self, network_name):
         LOG.debug("Network %s no-op, get_network_by_name network_name %s",
                   self.__class__.__name__, network_name)
@@ -374,6 +466,16 @@ class NoopManager:
                   self.__class__.__name__, port_id)
         self.networkconfigconfig[port_id] = (port_id, 'delete_port')
 
+        # Remove the port from the no-op DB
+        with self.engine.connect() as connection:
+            connection.execute(delete(self.interfaces_table)
+                               .where(
+                                   self.interfaces_table.c.port_id == port_id))
+            connection.execute(delete(self.fixed_ips_table)
+                               .where(
+                                   self.fixed_ips_table.c.port_id == port_id))
+            connection.commit()
+
     def set_port_admin_state_up(self, port_id, state):
         LOG.debug("Network %s no-op, set_port_admin_state_up port_id %s, "
                   "state %s", self.__class__.__name__, port_id, state)
@@ -410,6 +512,17 @@ class NoopManager:
         self.networkconfigconfig[(network_id, 'create_port')] = (
             network_id, name, fixed_ip_obj_list, secondary_ips,
             security_group_ids, admin_state_up, qos_policy_id, vnic_type)
+
+        # Store the interface information in the no-op DB
+        with self.engine.connect() as connection:
+            connection.execute(insert(self.interfaces_table).values(
+                port_id=port_id, network_id=network_id, vnic_type=vnic_type))
+            for fixed_ip in fixed_ip_obj_list:
+                connection.execute(insert(self.fixed_ips_table).values(
+                    port_id=port_id, subnet_id=fixed_ip.subnet_id,
+                    ip_address=fixed_ip.ip_address))
+            connection.commit()
+
         return network_models.Port(
             id=port_id, name=name, device_id='no-op-device-id',
             device_owner='Octavia', mac_address='00:00:5E:00:53:05',
@@ -454,9 +567,6 @@ class NoopNetworkDriver(driver_base.AbstractNetworkDriver):
     def unplug_vip(self, loadbalancer, vip):
         self.driver.unplug_vip(loadbalancer, vip)
 
-    def plug_network(self, compute_id, network_id):
-        return self.driver.plug_network(compute_id, network_id)
-
     def unplug_network(self, compute_id, network_id):
         self.driver.unplug_network(compute_id, network_id)
 
@@ -475,6 +585,11 @@ class NoopNetworkDriver(driver_base.AbstractNetworkDriver):
     def get_port(self, port_id, context=None):
         return self.driver.get_port(port_id)
 
+    def get_security_group_by_id(self, sg_id: str,
+                                 context: 'context.RequestContext' = None) -> (
+            'network_models.SecurityGroup'):
+        return self.driver.get_security_group_by_id(sg_id, context=context)
+
     def get_qos_policy(self, qos_policy_id):
         return self.driver.get_qos_policy(qos_policy_id)
 
@@ -508,6 +623,12 @@ class NoopNetworkDriver(driver_base.AbstractNetworkDriver):
     def update_vip_sg(self, load_balancer, vip):
         self.driver.update_vip_sg(load_balancer, vip)
 
+    def update_aap_port_sg(self,
+                           load_balancer: data_models.LoadBalancer,
+                           amphora: data_models.Amphora,
+                           vip: data_models.Vip):
+        self.driver.update_aap_port_sg(load_balancer, amphora, vip)
+
     def plug_aap_port(self, load_balancer, vip, amphora, subnet):
         return self.driver.plug_aap_port(load_balancer, vip, amphora, subnet)
 

octavia/policies/__init__.py

@@ -13,6 +13,7 @@
 
 import itertools
 
+from octavia.policies import advanced_rbac
 from octavia.policies import amphora
 from octavia.policies import availability_zone
 from octavia.policies import availability_zone_profile
@@ -20,6 +21,7 @@ from octavia.policies import base
 from octavia.policies import flavor
 from octavia.policies import flavor_profile
 from octavia.policies import healthmonitor
+from octavia.policies import keystone_default_roles
 from octavia.policies import l7policy
 from octavia.policies import l7rule
 from octavia.policies import listener
@@ -35,6 +37,8 @@ from octavia.policies import quota
 def list_rules():
     return itertools.chain(
         base.list_rules(),
+        keystone_default_roles.list_rules(),
+        advanced_rbac.list_rules(),
         flavor.list_rules(),
         flavor_profile.list_rules(),
         availability_zone.list_rules(),

octavia/policies/advanced_rbac.py

@@ -0,0 +1,95 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_log import versionutils
+from oslo_policy import policy
+
+from octavia.common import constants
+
+# Octavia specific Advanced RBAC rules
+
+# The default is to not allow access unless the auth_strategy is 'noauth'.
+# Users must be a member of one of the following roles to have access to
+# the load-balancer API:
+#
+# role:load-balancer_observer
+#     User has access to load-balancer read-only APIs
+# role:load-balancer_global_observer
+#     User has access to load-balancer read-only APIs including resources
+#     owned by others.
+# role:load-balancer_member
+#     User has access to load-balancer read and write APIs
+# role:load-balancer_admin
+#     User is considered an admin for all load-balancer APIs including
+#     resources owned by others.
+
+deprecated_context_is_admin = policy.DeprecatedRule(
+    name='context_is_admin',
+    check_str='role:admin or '
+              'role:load-balancer_admin',
+    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.WALLABY,
+)
+
+# Note: 'is_admin:True' is a policy rule that takes into account the
+# auth_strategy == noauth configuration setting.
+# It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
+
+deprecated_admin = policy.DeprecatedRule(
+    name='load-balancer:admin',
+    check_str='is_admin:True or '
+              'role:admin or '
+              'role:load-balancer_admin',
+    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.WALLABY,
+)
+
+deprecated_global_observer = policy.DeprecatedRule(
+    name='load-balancer:global_observer',
+    check_str='role:load-balancer_global_observer',
+    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.WALLABY,
+)
+
+deprecated_member_and_owner = policy.DeprecatedRule(
+    name='load-balancer:member_and_owner',
+    check_str='role:load-balancer_member and '
+              'rule:load-balancer:owner',
+    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.WALLABY,
+)
+
+deprecated_observer_and_owner = policy.DeprecatedRule(
+    name='load-balancer:observer_and_owner',
+    check_str='role:load-balancer_observer and '
+              'rule:load-balancer:owner',
+    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.WALLABY,
+)
+
+deprecated_quota_admin = policy.DeprecatedRule(
+    name='load-balancer:quota-admin',
+    check_str='role:load-balancer_quota_admin',
+    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
+    deprecated_since=versionutils.deprecated.WALLABY,
+)
+
+rules = [
+    policy.RuleDefault(
+        name='load-balancer:owner',
+        check_str='project_id:%(project_id)s',
+        scope_types=[constants.RBAC_SCOPE_PROJECT]),
+]
+
+
+def list_rules():
+    return rules

octavia/policies/base.py

@@ -10,112 +10,16 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-from oslo_log import versionutils
 from oslo_policy import policy
 
 from octavia.common import constants
 
-deprecated_context_is_admin = policy.DeprecatedRule(
-    name='context_is_admin',
-    check_str='role:admin or '
-              'role:load-balancer_admin',
-    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
-    deprecated_since=versionutils.deprecated.WALLABY,
-)
-deprecated_observer_and_owner = policy.DeprecatedRule(
-    name='load-balancer:observer_and_owner',
-    check_str='role:load-balancer_observer and '
-              'rule:load-balancer:owner',
-    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
-    deprecated_since=versionutils.deprecated.WALLABY,
-)
-deprecated_member_and_owner = policy.DeprecatedRule(
-    name='load-balancer:member_and_owner',
-    check_str='role:load-balancer_member and '
-              'rule:load-balancer:owner',
-    deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
-    deprecated_since=versionutils.deprecated.WALLABY,
-)
 
 rules = [
 
-    # OpenStack wide scoped rules
-
-    # Project scoped Member
-    policy.RuleDefault(
-        name='project-member',
-        check_str='role:member and '
-                  'project_id:%(project_id)s',
-        scope_types=[constants.RBAC_SCOPE_PROJECT]),
-
-    # Project scoped Reader
-    policy.RuleDefault(
-        name='project-reader',
-        check_str='role:reader and '
-                  'project_id:%(project_id)s',
-        scope_types=[constants.RBAC_SCOPE_PROJECT]),
-
-    # Octavia specific Advanced RBAC rules
-
-    # The default is to not allow access unless the auth_strategy is 'noauth'.
-    # Users must be a member of one of the following roles to have access to
-    # the load-balancer API:
-    #
-    # role:load-balancer_observer
-    #     User has access to load-balancer read-only APIs
-    # role:load-balancer_global_observer
-    #     User has access to load-balancer read-only APIs including resources
-    #     owned by others.
-    # role:load-balancer_member
-    #     User has access to load-balancer read and write APIs
-    # role:load-balancer_admin
-    #     User is considered an admin for all load-balancer APIs including
-    #     resources owned by others.
-
-    policy.RuleDefault(
-        name='context_is_admin',
-        check_str='role:load-balancer_admin or '
-                  'role:admin',
-        deprecated_rule=deprecated_context_is_admin,
-        scope_types=[constants.RBAC_SCOPE_PROJECT]),
-
-    # Note: 'is_admin:True' is a policy rule that takes into account the
-    # auth_strategy == noauth configuration setting.
-    # It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
-
-    policy.RuleDefault(
-        name='load-balancer:owner',
-        check_str='project_id:%(project_id)s',
-        scope_types=[constants.RBAC_SCOPE_PROJECT]),
-
-    # API access roles
-    policy.RuleDefault(
-        name='load-balancer:observer_and_owner',
-        check_str='role:load-balancer_observer and '
-                  'rule:project-reader',
-        deprecated_rule=deprecated_observer_and_owner,
-        scope_types=[constants.RBAC_SCOPE_PROJECT]),
-
-    policy.RuleDefault(
-        name='load-balancer:global_observer',
-        check_str='role:load-balancer_global_observer',
-        scope_types=[constants.RBAC_SCOPE_PROJECT]),
-
-    policy.RuleDefault(
-        name='load-balancer:member_and_owner',
-        check_str='role:load-balancer_member and '
-                  'rule:project-member',
-        deprecated_rule=deprecated_member_and_owner,
-        scope_types=[constants.RBAC_SCOPE_PROJECT]),
-
     # API access methods
-
-    policy.RuleDefault(
-        name='load-balancer:admin',
-        check_str='is_admin:True or '
-                  'role:load-balancer_admin or '
-                  'role:admin',
-        scope_types=[constants.RBAC_SCOPE_PROJECT]),
+    #
+    # These are the only rules that should be applied to API endpoints.
 
     policy.RuleDefault(
         name='load-balancer:read',
@@ -142,20 +46,20 @@ rules = [
         check_str='rule:load-balancer:observer_and_owner or '
                   'rule:load-balancer:global_observer or '
                   'rule:load-balancer:member_and_owner or '
-                  'role:load-balancer_quota_admin or '
+                  'rule:load-balancer:quota-admin or '
                   'rule:load-balancer:admin',
         scope_types=[constants.RBAC_SCOPE_PROJECT]),
 
     policy.RuleDefault(
         name='load-balancer:read-quota-global',
         check_str='rule:load-balancer:global_observer or '
-                  'role:load-balancer_quota_admin or '
+                  'rule:load-balancer:quota-admin or '
                   'rule:load-balancer:admin',
         scope_types=[constants.RBAC_SCOPE_PROJECT]),
 
     policy.RuleDefault(
         name='load-balancer:write-quota',
-        check_str='role:load-balancer_quota_admin or '
+        check_str='rule:load-balancer:quota-admin or '
                   'rule:load-balancer:admin',
         scope_types=[constants.RBAC_SCOPE_PROJECT]),
 ]

octavia/policies/keystone_default_roles.py

@@ -0,0 +1,81 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from octavia.common import constants
+from octavia.policies import advanced_rbac
+
+rules = [
+
+    # OpenStack keystone default roles
+
+    # Project scoped Member
+    policy.RuleDefault(
+        name='project-member',
+        check_str='role:member and '
+                  'project_id:%(project_id)s',
+        scope_types=[constants.RBAC_SCOPE_PROJECT]),
+
+    # Project scoped Reader
+    policy.RuleDefault(
+        name='project-reader',
+        check_str='role:reader and '
+                  'project_id:%(project_id)s',
+        scope_types=[constants.RBAC_SCOPE_PROJECT]),
+
+    policy.RuleDefault(
+        name='context_is_admin',
+        check_str='role:admin',
+        deprecated_rule=advanced_rbac.deprecated_context_is_admin,
+        scope_types=[constants.RBAC_SCOPE_PROJECT]),
+
+    # API access roles
+    policy.RuleDefault(
+        name='load-balancer:admin',
+        check_str='is_admin:True or '
+                  'role:admin',
+        deprecated_rule=advanced_rbac.deprecated_admin,
+        scope_types=[constants.RBAC_SCOPE_PROJECT]),
+
+    # Note: 'is_admin:True' is a policy rule that takes into account the
+    # auth_strategy == noauth configuration setting.
+    # It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
+
+    policy.RuleDefault(
+        name='load-balancer:global_observer',
+        check_str='role:admin',
+        deprecated_rule=advanced_rbac.deprecated_global_observer,
+        scope_types=[constants.RBAC_SCOPE_PROJECT]),
+
+    policy.RuleDefault(
+        name='load-balancer:member_and_owner',
+        check_str='rule:project-member',
+        deprecated_rule=advanced_rbac.deprecated_member_and_owner,
+        scope_types=[constants.RBAC_SCOPE_PROJECT]),
+
+    policy.RuleDefault(
+        name='load-balancer:observer_and_owner',
+        check_str='rule:project-reader',
+        deprecated_rule=advanced_rbac.deprecated_observer_and_owner,
+        scope_types=[constants.RBAC_SCOPE_PROJECT]),
+
+    policy.RuleDefault(
+        name='load-balancer:quota-admin',
+        check_str='role:admin',
+        deprecated_rule=advanced_rbac.deprecated_quota_admin,
+        scope_types=[constants.RBAC_SCOPE_PROJECT]),
+]
+
+
+def list_rules():
+    return rules

octavia/policies/loadbalancer.py

@@ -34,6 +34,12 @@ rules = [
         "Create a Load Balancer",
         [{'method': 'POST', 'path': '/v2/lbaas/loadbalancers'}]
     ),
+    policy.DocumentedRuleDefault(
+        f'{constants.RBAC_LOADBALANCER}{constants.RBAC_POST}:vip_sg_ids',
+        constants.RULE_API_WRITE,
+        "Create a Load Balancer with VIP Security Groups",
+        [{'method': 'POST', 'path': '/v2/lbaas/loadbalancers'}]
+    ),
     policy.DocumentedRuleDefault(
         f'{constants.RBAC_LOADBALANCER}{constants.RBAC_GET_ONE}',
         constants.RULE_API_READ,
@@ -48,6 +54,13 @@ rules = [
         [{'method': 'PUT',
           'path': '/v2/lbaas/loadbalancers/{loadbalancer_id}'}]
     ),
+    policy.DocumentedRuleDefault(
+        f'{constants.RBAC_LOADBALANCER}{constants.RBAC_PUT}:vip_sg_ids',
+        constants.RULE_API_WRITE,
+        "Update the VIP Security Groups of a Load Balancer",
+        [{'method': 'PUT',
+          'path': '/v2/lbaas/loadbalancers/{loadbalancer_id}'}]
+    ),
     policy.DocumentedRuleDefault(
         f'{constants.RBAC_LOADBALANCER}{constants.RBAC_DELETE}',
         constants.RULE_API_WRITE,

octavia/tests/common/constants.py

@@ -139,7 +139,8 @@ MOCK_NEUTRON_PORT = Port(**{'network_id': MOCK_NETWORK_ID,
                             'mac_address': MOCK_MAC_ADDR,
                             'fixed_ips': [{'ip_address': MOCK_IP_ADDRESS,
                                            'subnet_id': MOCK_SUBNET_ID}],
-                            'security_groups': [MOCK_SECURITY_GROUP_ID]})
+                            'security_groups': [MOCK_SECURITY_GROUP_ID],
+                            'binding_vnic_type': constants.VNIC_TYPE_NORMAL})
 MOCK_NEUTRON_QOS_POLICY_ID = 'mock-qos-id'
 MOCK_QOS_POLICY_ID1 = 'qos1-id'
 MOCK_QOS_POLICY_ID2 = 'qos2-id'