582dee6fb9
This PS implements oslo.policy integration in Deckhand. The policy.py file implements 2 types of functions for performing policy enforcement in Deckhand: authorize, which is a decorator that is used directly around falcon on_HTTP_VERB methods that raises a 403 immediately if policy enforcement fails; and conditional_authorize, to be used inside controller code conditionally. For example, since Deckhand has two types of documents with respect to security -- encrypted and cleartext documents -- policy enforcement is conditioned on the type of the documents' metadata.storagePolicy. Included in this PS: - policy framework implementation - policy in code and policy documentation for all Deckhand policies - modification of functional test script to override default admin-only policies with custom policy file dynamically created using lax permissions - bug fix for filtering out deleted documents (and its predecessors in previous revisions) for PUT /revisions/{revision_id}/documents - policy documentation - basic unit tests for policy enforcement framework - allow functional tests to be filtered via regex Due to the size of this PS, functional tests related to policy enforcement will be done in a follow up. Change-Id: If418129f9b401091e098c0bd6c7336b8a5cd2359
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import os
import falcon
from oslo_config import cfg
from oslo_log import log as logging
from deckhand.control import base
from deckhand.control import buckets
from deckhand.control import revision_diffing
from deckhand.control import revision_documents
from deckhand.control import revision_tags
from deckhand.control import revisions
from deckhand.control import rollback
from deckhand.control import versions
from deckhand.db.sqlalchemy import api as db_api
CONF = cfg.CONF
logging.register_options(CONF)

# TODO(fmontei): Include deckhand-paste.ini later.
# Bare file names, not paths: _get_config_files() joins each one onto the
# configured config directory and start_api() hands the result to CONF().
CONFIG_FILES = ['deckhand.conf']
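def _get_config_files(env=None):
    """Return the paths of the configuration files Deckhand should load.

    The directory comes from the ``OS_DECKHAND_CONFIG_DIR`` variable of
    *env* (the process environment by default) and falls back to
    ``/etc/deckhand`` when the variable is unset, empty or whitespace-only.
    Every entry of ``CONFIG_FILES`` is joined onto that directory.

    :param env: mapping to read the variable from; ``os.environ`` if None.
    :returns: list of config file paths, one per entry in ``CONFIG_FILES``.
    """
    if env is None:
        env = os.environ
    # A set-but-empty (or whitespace-only) variable used to produce a bare
    # relative file name, i.e. a config file resolved against whatever the
    # process's working directory happens to be; treat it like unset instead.
    dirname = env.get('OS_DECKHAND_CONFIG_DIR', '').strip() or '/etc/deckhand'
    return [os.path.join(dirname, config_file) for config_file in CONFIG_FILES]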
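def start_api():
    """Main entry point for initializing the Deckhand API service.

    Loads the oslo.config files returned by ``_get_config_files()``, sets
    up logging, drops and re-creates the database, then registers the
    v1.0 routes and the unversioned ``/versions`` endpoint on a falcon
    application.

    :returns: the configured ``falcon.API`` WSGI application.
    """
    config_files = _get_config_files()
    CONF([], project='deckhand', default_config_files=config_files)
    logging.setup(CONF, "deckhand")

    LOG = logging.getLogger(__name__)
    LOG.info('Initiated Deckhand logging.')

    # NOTE(review): the database is dropped and set up again on every
    # start, so whatever drop_db() removes (presumably all stored revisions)
    # does not survive a service restart -- confirm this is only meant for
    # development/test deployments before running against a persistent DB.
    db_api.drop_db()
    db_api.setup_db()

    control_api = falcon.API(request_type=base.DeckhandRequest)

    # Route templates, relative to the versioned prefix applied below.
    v1_0_routes = [
        ('bucket/{bucket_name}/documents', buckets.BucketsResource()),
        ('revisions', revisions.RevisionsResource()),
        ('revisions/{revision_id}', revisions.RevisionsResource()),
        ('revisions/{revision_id}/diff/{comparison_revision_id}',
         revision_diffing.RevisionDiffingResource()),
        ('revisions/{revision_id}/documents',
         revision_documents.RevisionDocumentsResource()),
        ('revisions/{revision_id}/tags', revision_tags.RevisionTagsResource()),
        ('revisions/{revision_id}/tags/{tag}',
         revision_tags.RevisionTagsResource()),
        ('rollback/{revision_id}', rollback.RollbackResource()),
    ]

    # URL paths always use '/', so build them with plain string
    # concatenation rather than os.path.join, whose separator is
    # platform-dependent.
    for path, res in v1_0_routes:
        control_api.add_route('/api/v1.0/' + path, res)

    control_api.add_route('/versions', versions.VersionsResource())

    return control_api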
if __name__ == '__main__':
    # Running the module directly only performs start_api()'s side effects
    # (config load, logging setup, DB drop/setup, route registration); the
    # WSGI application it returns is discarded here.
    start_api()