This PS implements oslo.policy integration in Deckhand.
The policy.py file implements 2 types of functions for
performing policy enforcement in Deckhand: authorize,
which is a decorator that is used directly around
falcon on_HTTP_VERB methods that raises a 403 immediately
if policy enforcement fails; and conditional_authorize,
to be used inside controller code conditionally.
For example, since Deckhand has two types of documents
with respect to security -- encrypted and cleartext
documents -- policy enforcement is conditioned on the
type of the documents' metadata.storagePolicy.
Included in this PS:
- policy framework implementation
- policy in code and policy documentation for all
Deckhand policies
- modification of functional test script to override
default admin-only policies with custom policy file
dynamically created using lax permissions
- bug fix for filtering out deleted documents (and
its predecessors in previous revisions) for
PUT /revisions/{revision_id}/documents
- policy documentation
- basic unit tests for policy enforcement framework
- allow functional tests to be filtered via regex
Due to the size of this PS, functional tests related to
policy enforcement will be done in a follow up.
Change-Id: If418129f9b401091e098c0bd6c7336b8a5cd2359
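The two enforcement styles the commit message describes, as an added example that is not Deckhand's policy.py and does not use oslo.policy: the `Enforcer` class below is a stand-in that evaluates a small subset of oslo.policy's check-string syntax (`role:`, `rule:`, `@`, `!`, `or`), the `authorize` decorator denies a falcon-style `on_<verb>` handler up front, and `conditional_authorize` is called per document once its `metadata.storagePolicy` is known. The rule names, the `Forbidden` exception standing in for a 403, the request stub, the two policies and the sample documents are all assumptions constructed for this illustration.

```python
import functools
import types


class Forbidden(Exception):
    """Stand-in for the 403 a real API would raise (falcon.HTTPForbidden)."""


class Enforcer:
    """Evaluator for a small subset of oslo.policy's check-string syntax.

    Assumed stand-in, not oslo.policy itself. Supports 'role:<name>',
    'rule:<name>', '@' (always allow), '!' (always deny) and ' or '.
    """

    def __init__(self, rules):
        self.rules = rules  # policy file contents: rule name -> check string

    def _check(self, check, creds):
        check = check.strip()
        if " or " in check:
            return any(self._check(c, creds) for c in check.split(" or "))
        if check in ("@", "!"):
            return check == "@"
        kind, _, value = check.partition(":")
        if kind == "role":
            return value in creds.get("roles", ())
        if kind == "rule":
            return self._check(self.rules[value], creds)
        raise ValueError("unsupported check: %r" % check)

    def enforce(self, rule, creds, do_raise=True):
        allowed = self._check(self.rules[rule], creds)
        if not allowed and do_raise:
            raise Forbidden(rule)
        return allowed


def authorize(rule):
    """Decorator for falcon on_<VERB> handlers: deny up front with a 403."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(self, req, resp, *args, **kwargs):
            self.enforcer.enforce(rule, req.context["creds"])
            return handler(self, req, resp, *args, **kwargs)
        return wrapper
    return decorator


def conditional_authorize(enforcer, rule, creds, do_raise=True):
    """Enforce from inside controller code, once the needed context is known."""
    return enforcer.enforce(rule, creds, do_raise=do_raise)


class DocumentsResource:
    def __init__(self, enforcer, documents):
        self.enforcer = enforcer
        self.documents = documents

    @authorize("deckhand:list_cleartext_documents")
    def on_get(self, req, resp):
        creds = req.context["creds"]
        visible = []
        for doc in self.documents:
            # The applicable rule depends on each document's storagePolicy,
            # which is only known here, so enforcement has to be conditional.
            rule = "deckhand:list_%s_documents" % doc["metadata"]["storagePolicy"]
            if conditional_authorize(self.enforcer, rule, creds, do_raise=False):
                visible.append(doc["metadata"]["name"])
        resp["documents"] = visible
        return visible


# Constructed policies (rule names are assumptions): an admin-only default and
# the permissive override a functional-test run would generate.
DEFAULT_POLICY = {
    "admin_api": "role:admin",
    "deckhand:list_cleartext_documents": "rule:admin_api or role:reader",
    "deckhand:list_encrypted_documents": "rule:admin_api",
}
LAX_POLICY = {name: "@" for name in DEFAULT_POLICY}

# Constructed sample documents in the schema/metadata/data layout.
DOCUMENTS = [
    {"schema": "example/Config/v1",
     "metadata": {"name": "site-config", "storagePolicy": "cleartext"}, "data": {}},
    {"schema": "example/Secret/v1",
     "metadata": {"name": "db-password", "storagePolicy": "encrypted"}, "data": {}},
]


def list_documents(policy, roles):
    """Issue a GET against the resource as a caller holding the given roles."""
    # Minimal stand-in for falcon.Request carrying the caller's credentials.
    req = types.SimpleNamespace(context={"creds": {"roles": list(roles)}})
    resource = DocumentsResource(Enforcer(policy), DOCUMENTS)
    return resource.on_get(req, {})
```

A caller with only the `reader` role gets past the decorator but sees only the cleartext document; an admin sees both; a caller with no role is rejected before the handler body runs; under the lax policy every rule is `@` and everyone sees everything, which is what makes it suitable only for a test environment.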
65 lines
1.4 KiB
ReStructuredText
..
  Copyright 2017 AT&T Intellectual Property. All other rights reserved.

  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.

========
Glossary
========

B
~

.. glossary::

  barbican

    Code name of the :term:`Key Manager service
    <Key Manager service (barbican)>`.

  bucket

    Roughly analogous to a GitHub repository: an ownership class for
    documents.

D
~

.. glossary::

  document

    A collection of metadata and data in YAML format. The data document
    format is modeled loosely after Kubernetes practices. The top level of
    each document is a dictionary with three keys: `schema`, `metadata`, and
    `data`.

K
~

.. glossary::

  Key Manager service (barbican)

    The project that produces a secret storage and
    generation system capable of providing key management for
    services wishing to enable encryption features.

U
~

.. glossary::

  UCP

    Acronym for the Undercloud Platform.