drydock/drydock_provisioner/policy.py
Scott Hussey c27c8e6c9b Use new validator model for validation
- Update all validator rules to publish messages using
  new format
- Update unit tests to follow new validation framework
- Add validation for no tagged VLANs on non-trunked links
- Add validation for node interfaces attaching to networks
  not allowed on the interface link
- Unit test change to work around an issue where coverage testing
  and unit testing show different results

- Update tox to skip E126 to match YAPF formatting

Change-Id: Ifef21112896b88c2bd2b361630e041806ebb6663
2018-03-14 14:12:51 -05:00

213 lines
8.3 KiB
Python

# Copyright 2018 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
import logging
import functools
import falcon
from oslo_config import cfg
from oslo_policy import policy
# Global reference to a instantiated DrydockPolicy. Will be initialized by drydock.py
policy_engine = None
class DrydockPolicy(object):
"""
Initialize policy defaults
"""
# Base Policy
base_rules = [
policy.RuleDefault(
'admin_required',
'role:admin or is_admin:1',
description='Actions requiring admin authority'),
]
# Orchestrator Policy
task_rules = [
policy.DocumentedRuleDefault('physical_provisioner:read_task',
'role:admin', 'Get task status',
[{
'path': '/api/v1.0/tasks',
'method': 'GET'
}, {
'path': '/api/v1.0/tasks/{task_id}',
'method': 'GET'
}]),
policy.DocumentedRuleDefault('physical_provisioner:create_task',
'role:admin', 'Create a task',
[{
'path': '/api/v1.0/tasks',
'method': 'POST'
}]),
policy.DocumentedRuleDefault(
'physical_provisioner:validate_design', 'role:admin',
'Create validate_design task', [{
'path': '/api/v1.0/tasks',
'method': 'POST'
}]),
policy.DocumentedRuleDefault('physical_provisioner:verify_site',
'role:admin', 'Create verify_site task',
[{
'path': '/api/v1.0/tasks',
'method': 'POST'
}]),
policy.DocumentedRuleDefault('physical_provisioner:prepare_site',
'role:admin', 'Create prepare_site task',
[{
'path': '/api/v1.0/tasks',
'method': 'POST'
}]),
policy.DocumentedRuleDefault('physical_provisioner:verify_nodes',
'role:admin', 'Create verify_nodes task',
[{
'path': '/api/v1.0/tasks',
'method': 'POST'
}]),
policy.DocumentedRuleDefault('physical_provisioner:prepare_nodes',
'role:admin', 'Create prepare_nodes task',
[{
'path': '/api/v1.0/tasks',
'method': 'POST'
}]),
policy.DocumentedRuleDefault('physical_provisioner:deploy_nodes',
'role:admin', 'Create deploy_nodes task',
[{
'path': '/api/v1.0/tasks',
'method': 'POST'
}]),
policy.DocumentedRuleDefault('physical_provisioner:destroy_nodes',
'role:admin', 'Create destroy_nodes task',
[{
'path': '/api/v1.0/tasks',
'method': 'POST'
}]),
policy.DocumentedRuleDefault(
'physical_provisioner:read_build_data', 'role:admin',
'Read build data for a node',
[{
'path': '/api/v1.0/nodes/{nodename}/builddata',
'method': 'GET',
}]),
]
# Data Management Policy
data_rules = [
policy.DocumentedRuleDefault(
'physical_provisioner:read_data', 'role:admin',
'Read loaded design data',
[{
'path': '/api/v1.0/designs',
'method': 'GET'
}, {
'path': '/api/v1.0/designs/{design_id}',
'method': 'GET'
}]),
policy.DocumentedRuleDefault(
'physical_provisioner:ingest_data', 'role:admin',
'Load design data',
[{
'path': '/api/v1.0/designs',
'method': 'POST'
}, {
'path': '/api/v1.0/designs/{design_id}/parts',
'method': 'POST'
}]),
policy.DocumentedRuleDefault('physical_provisioner:health_data',
'role:admin', 'et health status',
[{
'path': '/api/v1.0/health/extended',
'method': 'GET'
}])
]
# Validate Design Policy
validation_rules = [
policy.DocumentedRuleDefault(
'physical_provisioner:validate_site_design', 'role:admin',
'Validate site design', [{
'path': '/api/v1.0/validatedesign',
'method': 'POST'
}]),
]
def __init__(self):
self.enforcer = policy.Enforcer(cfg.CONF)
def register_policy(self):
self.enforcer.register_defaults(DrydockPolicy.base_rules)
self.enforcer.register_defaults(DrydockPolicy.task_rules)
self.enforcer.register_defaults(DrydockPolicy.data_rules)
self.enforcer.register_defaults(DrydockPolicy.validation_rules)
self.enforcer.load_rules()
def authorize(self, action, ctx):
target = {'project_id': ctx.project_id, 'user_id': ctx.user_id}
return self.enforcer.authorize(action, target, ctx.to_policy_view())
class ApiEnforcer(object):
"""
A decorator class for enforcing RBAC policies
"""
def __init__(self, action):
self.action = action
self.logger = logging.getLogger('drydock.policy')
def __call__(self, f):
@functools.wraps(f)
def secure_handler(slf, req, resp, *args, **kwargs):
ctx = req.context
policy_engine = ctx.policy_engine
self.logger.debug("Enforcing policy %s on request %s" %
(self.action, ctx.request_id))
if policy_engine is not None and policy_engine.authorize(
self.action, ctx):
return f(slf, req, resp, *args, **kwargs)
else:
if ctx.authenticated:
slf.info(
ctx,
"Error - Forbidden access - action: %s" % self.action)
slf.return_error(
resp,
falcon.HTTP_403,
message="Forbidden",
retry=False)
else:
slf.info(ctx, "Error - Unauthenticated access")
slf.return_error(
resp,
falcon.HTTP_401,
message="Unauthenticated",
retry=False)
return secure_handler
def list_policies():
default_policy = []
default_policy.extend(DrydockPolicy.base_rules)
default_policy.extend(DrydockPolicy.task_rules)
default_policy.extend(DrydockPolicy.data_rules)
default_policy.extend(DrydockPolicy.validation_rules)
return default_policy