582dee6fb9
This PS implements oslo.policy integration in Deckhand. The policy.py file implements 2 types of functions for performing policy enforcement in Deckhand: authorize, which is a decorator that is used directly around falcon on_HTTP_VERB methods that raises a 403 immediately if policy enforcement fails; and conditional_authorize, to be used inside controller code conditionally. For example, since Deckhand has two types of documents with respect to security -- encrypted and cleartext documents -- policy enforcement is conditioned on the type of the documents' metadata.storagePolicy.

Included in this PS:

- policy framework implementation
- policy in code and policy documentation for all Deckhand policies
- modification of functional test script to override default admin-only policies with custom policy file dynamically created using lax permissions
- bug fix for filtering out deleted documents (and its predecessors in previous revisions) for PUT /revisions/{revision_id}/documents
- policy documentation
- basic unit tests for policy enforcement framework
- allow functional tests to be filtered via regex

Due to the size of this PS, functional tests related to policy enforcement will be done in a follow up.

Change-Id: If418129f9b401091e098c0bd6c7336b8a5cd2359
65 lines
1.4 KiB
ReStructuredText
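A minimal model of the two enforcement styles the commit message describes, added here as an example and not Deckhand's own code: `authorize` wraps a handler and fails closed with a 403 before the body runs, while `conditional_authorize` selects the rule from the document's `metadata.storagePolicy`. The policy tables, rule names, the `Forbidden` class and the `call` helper are assumptions for illustration; Deckhand itself uses oslo.policy and falcon.

```python
import functools


class Forbidden(Exception):
    """Stand-in for the HTTP 403 response falcon would return."""
    status = 403


# Constructed policy tables: the commit describes admin-only defaults that the
# functional test script overrides with a dynamically created lax policy file.
DEFAULT_POLICY = {
    "deckhand:list_cleartext_documents": {"admin"},
    "deckhand:list_encrypted_documents": {"admin"},
}
LAX_POLICY = {
    "deckhand:list_cleartext_documents": {"admin", "member", "reader"},
    "deckhand:list_encrypted_documents": {"admin", "member"},
}


def enforce(policy, action, context):
    """True if at least one of the caller's roles is permitted the action."""
    return bool(policy.get(action, set()) & set(context.get("roles", [])))


def authorize(action, policy=DEFAULT_POLICY):
    """Decorator for on_HTTP_VERB handlers: deny before any work is done."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(context, *args, **kwargs):
            if not enforce(policy, action, context):
                raise Forbidden(action)
            return func(context, *args, **kwargs)
        return wrapper
    return decorator


def conditional_authorize(document, context, policy=DEFAULT_POLICY):
    """Pick the rule from metadata.storagePolicy, enforce it, return the rule."""
    storage = document.get("metadata", {}).get("storagePolicy", "cleartext")
    action = "deckhand:list_%s_documents" % storage
    if not enforce(policy, action, context):
        raise Forbidden(action)
    return action


@authorize("deckhand:list_cleartext_documents")
def on_get(context):
    """Handler body; only reached once the decorator has passed."""
    return "ok"


def call(handler, context):
    """Invoke a handler and report the HTTP status it would produce."""
    try:
        handler(context)
        return 200
    except Forbidden:
        return 403
```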
..
  Copyright 2017 AT&T Intellectual Property. All other rights reserved.

  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.

========
Glossary
========

B
~

.. glossary::

   barbican

      Code name of the :term:`Key Manager service
      <Key Manager service (barbican)>`.

   bucket

      Similar to a GitHub repository: an ownership class for documents.

D
~

.. glossary::

   document

      A collection of metadata and data in YAML format. The data document
      format is modeled loosely after Kubernetes practices. The top level of
      each document is a dictionary with three keys: `schema`, `metadata`, and
      `data`.

K
~

.. glossary::

   Key Manager service (barbican)

      The project that produces a secret storage and generation system
      capable of providing key management for services wishing to enable
      encryption features.

U
~

.. glossary::

   UCP

      Acronym for the Undercloud Platform.