582dee6fb9
This PS implements oslo.policy integration in Deckhand.
The policy.py file implements 2 types of functions for
performing policy enforcement in Deckhand: authorize,
which is a decorator that is used directly around
falcon on_HTTP_VERB methods that raises a 403 immediately
if policy enforcement fails; and conditional_authorize,
to be used inside controller code conditionally.
For example, since Deckhand has two types of documents
with respect to security -- encrypted and cleartext
documents -- policy enforcement is conditioned on the
type of the documents' metadata.storagePolicy.
Included in this PS:
- policy framework implementation
- policy in code and policy documentation for all
Deckhand policies
- modification of functional test script to override
default admin-only policies with custom policy file
dynamically created using lax permissions
- bug fix for filtering out deleted documents (and
its predecessors in previous revisions) for
PUT /revisions/{revision_id}/documents
- policy documentation
- basic unit tests for policy enforcement framework
- allow functional tests to be filtered via regex
Due to the size of this PS, functional tests related to
policy enforcement will be done in a follow up.
Change-Id: If418129f9b401091e098c0bd6c7336b8a5cd2359
59 lines
1.7 KiB
ReStructuredText
59 lines
1.7 KiB
ReStructuredText
..
|
|
Copyright 2017 AT&T Intellectual Property.
|
|
All Rights Reserved.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
not use this file except in compliance with the License. You may obtain
|
|
a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
License for the specific language governing permissions and limitations
|
|
under the License.
|
|
|
|
====================================
|
|
Welcome to Deckhand's documentation!
|
|
====================================
|
|
|
|
Deckhand is a document-based configuration storage service built with
|
|
auditability and validation in mind. It serves as the back-end storage service
|
|
for UCP.
|
|
|
|
Deckhand's primary responsibilities include validating and storing YAML
|
|
documents that are layered together to produce finalized documents, containing
|
|
site configuration data, including sensitive data. Secrets can be stored using
|
|
specialized secret storage management services like Barbican and later
|
|
substituted into finalized or "rendered" documents.
|
|
|
|
The service understands a variety of document formats, the combination of which
|
|
describe the manner in which Deckhand renders finalized documents for
|
|
consumption by other UCP services.
|
|
|
|
User's Guide
|
|
============
|
|
|
|
.. toctree::
|
|
:maxdepth: 2
|
|
|
|
policy-enforcement
|
|
|
|
Developer's Guide
|
|
=================
|
|
|
|
.. toctree::
|
|
:maxdepth: 2
|
|
|
|
HACKING
|
|
testing
|
|
|
|
Glossary
|
|
========
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
glossary
|