stackhpc
diff --git a/‎devstack/plugin.sh‎
Lines changed: 4 additions & 0 deletions b/‎devstack/plugin.sh‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎etc/policy/octavia-advanced-rbac-policy.yaml‎
Lines changed: 74 additions & 0 deletions b/‎etc/policy/octavia-advanced-rbac-policy.yaml‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎octavia/api/drivers/utils.py‎
Lines changed: 6 additions & 0 deletions b/‎octavia/api/drivers/utils.py‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎octavia/common/constants.py‎
Lines changed: 1 addition & 0 deletions b/‎octavia/common/constants.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎octavia/common/data_models.py‎
Lines changed: 19 additions & 1 deletion b/‎octavia/common/data_models.py‎
Lines changed: 19 additions & 1 deletion
diff --git a/‎octavia/db/base_models.py‎
Lines changed: 2 additions & 0 deletions b/‎octavia/db/base_models.py‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎octavia/db/migration/alembic_migrations/versions/3097e55493ae_add_sg_id_to_vip_table.py‎
Lines changed: 39 additions & 0 deletions b/‎octavia/db/migration/alembic_migrations/versions/3097e55493ae_add_sg_id_to_vip_table.py‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎octavia/db/models.py‎
Lines changed: 24 additions & 0 deletions b/‎octavia/db/models.py‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎octavia/db/repositories.py‎
Lines changed: 28 additions & 2 deletions b/‎octavia/db/repositories.py‎
Lines changed: 28 additions & 2 deletions
diff --git a/‎octavia/network/base.py‎
Lines changed: 18 additions & 1 deletion b/‎octavia/network/base.py‎
Lines changed: 18 additions & 1 deletion
@@ -431,6 +431,10 @@ function octavia_configure {
     # Controller side symmetric encryption, not used for PKI
     iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key
 
+    if [[ "$OCTAVIA_USE_ADVANCED_RBAC" == "True" ]]; then
+        cp $OCTAVIA_DIR/etc/policy/octavia-advanced-rbac-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml
+        iniset $OCTAVIA_CONF oslo_policy policy_file $OCTAVIA_CONF_DIR/policy.yaml
+    fi
     if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then
         cp $OCTAVIA_DIR/etc/policy/admin_or_owner-policy.yaml $OCTAVIA_CONF_DIR/policy.yaml
         iniset $OCTAVIA_CONF oslo_policy policy_file $OCTAVIA_CONF_DIR/policy.yaml
 
@@ -0,0 +1,74 @@
+# This policy YAML file implements the "Advanced RBAC" rules for Octavia that
+# were introduced in the Pike release of the Octavia API.
+#
+# These rules require users to have a load-balancer_* role to be able to access
+# the Octavia v2 API.
+#
+# This is stricter than the "Keystone Default Roles" implemented in the code
+# as part of the "Consistent and Secure Default RBAC" OpenStack community goal.
+
+# The default is to not allow access unless the auth_strategy is 'noauth'.
+# Users must be a member of one of the following roles to have access to
+# the load-balancer API:
+#
+# role:load-balancer_observer
+#     User has access to load-balancer read-only APIs
+# role:load-balancer_global_observer
+#     User has access to load-balancer read-only APIs including resources
+#     owned by others.
+# role:load-balancer_member
+#     User has access to load-balancer read and write APIs
+# role:load-balancer_admin
+#     User is considered an admin for all load-balnacer APIs including
+#     resources owned by others.
+# role:admin
+#     User is admin to all APIs
+
+"context_is_admin": "role:admin or
+                     role:load-balancer_admin"
+
+# API access roles
+
+"load-balancer:owner": "project_id:%(project_id)s"
+
+# Note: 'is_admin:True' is a policy rule that takes into account the
+# auth_strategy == noauth configuration setting.
+# It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
+
+"load-balancer:admin": "is_admin:True or
+                        role:admin or
+                        role:load-balancer_admin"
+
+"load-balancer:observer_and_owner": "role:load-balancer_observer and
+                                     rule:load-balancer:owner"
+
+"load-balancer:global_observer": "role:load-balancer_global_observer"
+
+"load-balancer:member_and_owner": "role:load-balancer_member and
+                                   rule:load-balancer:owner"
+
+# API access methods
+
+"load-balancer:read": "rule:load-balancer:observer_and_owner or
+                       rule:load-balancer:global_observer or
+                       rule:load-balancer:member_and_owner or
+                       rule:load-balancer:admin"
+
+"load-balancer:read-global": "rule:load-balancer:global_observer or
+                              rule:load-balancer:admin"
+
+"load-balancer:write": "rule:load-balancer:member_and_owner or
+                        rule:load-balancer:admin"
+
+"load-balancer:read-quota": "rule:load-balancer:observer_and_owner or
+                             rule:load-balancer:global_observer or
+                             rule:load-balancer:member_and_owner or
+                             role:load-balancer_quota_admin or
+                             rule:load-balancer:admin"
+
+"load-balancer:read-quota-global": "rule:load-balancer:global_observer or
+                                    role:load-balancer_quota_admin or
+                                    rule:load-balancer:admin"
+
+"load-balancer:write-quota": "role:load-balancer_quota_admin or
+                              rule:load-balancer:admin"
@@ -16,6 +16,7 @@
 
 from octavia_lib.api.drivers import data_models as driver_dm
 from octavia_lib.api.drivers import exceptions as lib_exceptions
+from octavia_lib.common import constants as lib_consts
 from oslo_config import cfg
 from oslo_context import context as oslo_context
 from oslo_log import log as logging
@@ -130,6 +131,7 @@ def lb_dict_to_provider_dict(lb_dict, vip=None, add_vips=None, db_pools=None,
         new_lb_dict['vip_port_id'] = vip.port_id
         new_lb_dict['vip_subnet_id'] = vip.subnet_id
         new_lb_dict['vip_qos_policy_id'] = vip.qos_policy_id
+        new_lb_dict[lib_consts.VIP_SG_IDS] = vip.sg_ids
     if 'flavor_id' in lb_dict and lb_dict['flavor_id']:
         flavor_repo = repositories.FlavorRepository()
         session = db_api.get_session()
@@ -565,6 +567,8 @@ def vip_dict_to_provider_dict(vip_dict):
         new_vip_dict['vip_subnet_id'] = vip_dict['subnet_id']
     if 'qos_policy_id' in vip_dict:
         new_vip_dict['vip_qos_policy_id'] = vip_dict['qos_policy_id']
+    if constants.SG_IDS in vip_dict:
+        new_vip_dict[lib_consts.VIP_SG_IDS] = vip_dict[constants.SG_IDS]
     if constants.OCTAVIA_OWNED in vip_dict:
         new_vip_dict[constants.OCTAVIA_OWNED] = vip_dict[
             constants.OCTAVIA_OWNED]
@@ -596,6 +600,8 @@ def provider_vip_dict_to_vip_obj(vip_dictionary):
         vip_obj.subnet_id = vip_dictionary['vip_subnet_id']
     if 'vip_qos_policy_id' in vip_dictionary:
         vip_obj.qos_policy_id = vip_dictionary['vip_qos_policy_id']
+    if lib_consts.VIP_SG_IDS in vip_dictionary:
+        vip_obj.sg_ids = vip_dictionary[lib_consts.VIP_SG_IDS]
     if constants.OCTAVIA_OWNED in vip_dictionary:
         vip_obj.octavia_owned = vip_dictionary[constants.OCTAVIA_OWNED]
     return vip_obj
 
@@ -428,6 +428,7 @@
 SECURITY_GROUP_RULES = 'security_group_rules'
 SERVER_GROUP_ID = 'server_group_id'
 SERVER_PEM = 'server_pem'
+SG_IDS = 'sg_ids'
 SNI_CONTAINER_DATA = 'sni_container_data'
 SNI_CONTAINERS = 'sni_containers'
 SOFT_ANTI_AFFINITY = 'soft-anti-affinity'
 
@@ -558,7 +558,7 @@ class Vip(BaseDataModel):
     def __init__(self, load_balancer_id=None, ip_address=None,
                  subnet_id=None, network_id=None, port_id=None,
                  load_balancer=None, qos_policy_id=None, octavia_owned=None,
-                 vnic_type=None):
+                 vnic_type=None, sg_ids=None):
         self.load_balancer_id = load_balancer_id
         self.ip_address = ip_address
         self.subnet_id = subnet_id
@@ -568,6 +568,18 @@ def __init__(self, load_balancer_id=None, ip_address=None,
         self.qos_policy_id = qos_policy_id
         self.octavia_owned = octavia_owned
         self.vnic_type = vnic_type
+        self.sg_ids = sg_ids or []
+
+    def to_dict(self, **kwargs):
+        ret = super().to_dict(**kwargs)
+        if kwargs.get('recurse') is not True:
+            # NOTE(gthiemonge) we need to return the associated SG IDs but as
+            # sg_ids is a list, they are only added with recurse=True, which
+            # does a full recursion on the Vip, adding the associated
+            # LoadBalancer, its Listeners, etc...
+            # Adding it directly here avoids unnecessary recursion
+            ret[constants.SG_IDS] = self.sg_ids
+        return ret
 
 
 class AdditionalVip(BaseDataModel):
@@ -886,3 +898,9 @@ def __init__(self, listener_id=None, cidr=None):
     # object. Otherwise we recurse down the "ghost" listener object.
     def to_dict(self, **kwargs):
         return {'cidr': self.cidr, 'listener_id': self.listener_id}
+
+
+class VipSecurityGroup(BaseDataModel):
+    def __init__(self, load_balancer_id: str = None, sg_id: str = None):
+        self.load_balancer_id = load_balancer_id
+        self.sg_id = sg_id
@@ -59,6 +59,8 @@ def _get_unique_key(obj):
         if obj.__class__.__name__ in ['AdditionalVip']:
             return (obj.__class__.__name__ +
                     obj.load_balancer_id + obj.subnet_id)
+        if obj.__class__.__name__ in ['VipSecurityGroup']:
+            return obj.__class__.__name__ + obj.load_balancer_id + obj.sg_id
         raise NotImplementedError
 
     def to_data_model(
 
@@ -0,0 +1,39 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+"""add sg_id to vip table
+
+Revision ID: 3097e55493ae
+Revises: db2a73e82626
+Create Date: 2024-04-05 10:04:32.015445
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '3097e55493ae'
+down_revision = 'db2a73e82626'
+
+
+def upgrade():
+    op.create_table(
+        "vip_security_group",
+        sa.Column("load_balancer_id", sa.String(36), nullable=False),
+        sa.Column("sg_id", sa.String(36), nullable=False),
+        sa.ForeignKeyConstraint(["load_balancer_id"],
+                                ["vip.load_balancer_id"],
+                                name="fk_vip_sg_vip_lb_id"),
+        sa.PrimaryKeyConstraint("load_balancer_id", "sg_id")
+    )
@@ -508,6 +508,14 @@ class Vip(base_models.BASE):
     octavia_owned = sa.Column(sa.Boolean(), nullable=True)
     vnic_type = sa.Column(sa.String(64), nullable=True)
 
+    sgs = orm.relationship(
+        "VipSecurityGroup", cascade="all,delete-orphan",
+        uselist=True, backref=orm.backref("vip", uselist=False))
+
+    @property
+    def sg_ids(self) -> list[str]:
+        return [sg.sg_id for sg in self.sgs]
+
 
 class AdditionalVip(base_models.BASE):
 
@@ -976,3 +984,19 @@ class ListenerCidr(base_models.BASE):
         sa.ForeignKey("listener.id", name="fk_listener_cidr_listener_id"),
         nullable=False)
     cidr = sa.Column(sa.String(64), nullable=False)
+
+
+class VipSecurityGroup(base_models.BASE):
+
+    __data_model__ = data_models.VipSecurityGroup
+
+    __tablename__ = "vip_security_group"
+    __table_args__ = (
+        sa.PrimaryKeyConstraint('load_balancer_id', 'sg_id'),
+    )
+
+    load_balancer_id = sa.Column(
+        sa.String(36),
+        sa.ForeignKey("vip.load_balancer_id", name="fk_vip_sg_vip_lb_id"),
+        nullable=False)
+    sg_id = sa.Column(sa.String(64), nullable=False)
@@ -275,9 +275,17 @@ def create_load_balancer_and_vip(self, session, lb_dict, vip_dict,
             lb_dict['id'] = uuidutils.generate_uuid()
         lb = models.LoadBalancer(**lb_dict)
         session.add(lb)
+        vip_sg_ids = vip_dict.pop(consts.SG_IDS, [])
         vip_dict['load_balancer_id'] = lb_dict['id']
         vip = models.Vip(**vip_dict)
         session.add(vip)
+        if vip_sg_ids:
+            vip_dict[consts.SG_IDS] = vip_sg_ids
+            for vip_sg_id in vip_sg_ids:
+                vip_sg = models.VipSecurityGroup(
+                    load_balancer_id=lb_dict['id'],
+                    sg_id=vip_sg_id)
+                session.add(vip_sg)
         for add_vip_dict in additional_vip_dicts:
             add_vip_dict['load_balancer_id'] = lb_dict['id']
             add_vip_dict['network_id'] = vip_dict.get('network_id')
@@ -734,6 +742,8 @@ def get_all_API_list(self, session, pagination_helper=None, **filters):
         query_options = (
             subqueryload(models.LoadBalancer.vip),
             subqueryload(models.LoadBalancer.additional_vips),
+            (subqueryload(models.LoadBalancer.vip).
+             subqueryload(models.Vip.sgs)),
             subqueryload(models.LoadBalancer.amphorae),
             subqueryload(models.LoadBalancer.pools),
             subqueryload(models.LoadBalancer.listeners),
@@ -811,8 +821,24 @@ class VipRepository(BaseRepository):
 
     def update(self, session, load_balancer_id, **model_kwargs):
         """Updates a vip entity in the database by load_balancer_id."""
-        session.query(self.model_class).filter_by(
-            load_balancer_id=load_balancer_id).update(model_kwargs)
+        sg_ids = model_kwargs.pop(consts.SG_IDS, None)
+
+        vip = session.query(self.model_class).filter_by(
+            load_balancer_id=load_balancer_id)
+        if model_kwargs:
+            vip.update(model_kwargs)
+
+        # NOTE(gthiemonge) the vip must be updated when sg_ids is []
+        # (removal of current sg_ids)
+        if sg_ids is not None:
+            vip = vip.first()
+            vip.sgs = [
+                models.VipSecurityGroup(
+                    load_balancer_id=load_balancer_id,
+                    sg_id=sg_id)
+                for sg_id in sg_ids]
+
+        session.flush()
 
 
 class AdditionalVipRepository(BaseRepository):
 
@@ -13,10 +13,15 @@
 #    under the License.
 
 import abc
+import typing
 
 from octavia.common import constants
 from octavia.common import exceptions
 
+if typing.TYPE_CHECKING:
+    from octavia.common import context
+    import octavia.network.data_models as n_data_models
+
 
 class NetworkException(exceptions.OctaviaException):
     pass
@@ -294,13 +299,25 @@ def get_port_by_net_id_device_id(self, network_id, device_id):
 
     @abc.abstractmethod
     def get_security_group(self, sg_name):
-        """Retrieves the security group by it's name.
+        """Retrieves the security group by its name.
 
         :param sg_name: The security group name.
         :return: octavia.network.data_models.SecurityGroup, None if not enabled
         :raises: NetworkException, SecurityGroupNotFound
         """
 
+    @abc.abstractmethod
+    def get_security_group_by_id(self, sg_id: str,
+                                 context: 'context.RequestContext' = None) -> (
+            'n_data_models.SecurityGroup'):
+        """Retrieves the security group by its id.
+
+        :param sg_id: The security group ID.
+        :param context: A request context
+        :return: octavia.network.data_models.SecurityGroup, None if not enabled
+        :raises: NetworkException, SecurityGroupNotFound
+        """
+
     @abc.abstractmethod
     def failover_preparation(self, amphora):
         """Prepare an amphora for failover.