promenade/promenade/policy.py
pallav ea5de25b1a Adding node-labels api
Blueprint: https://review.openstack.org/#/c/583343

1. Added node-labels api for managing node labels in
   kubernetes cluster
2. Added unit test cases
3. Updated documents
4. Resiliency gate script update

Change-Id: Iebd49706b3fdbb3650f2e46c5a7fbd21d236b906
2018-08-09 23:58:59 +05:30

135 lines
4.9 KiB
Python

# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import falcon
import functools
import oslo_policy.policy as op
from oslo_config import cfg
from promenade import exceptions as ex
from promenade import logging
LOG = logging.getLogger(__name__)
policy_engine = None
POLICIES = [
op.RuleDefault(
'admin_required',
'role:admin or is_admin:1',
description='Actions requiring admin authority'),
op.DocumentedRuleDefault('kubernetes_provisioner:get_join_scripts',
'role:admin', 'Get join script for node',
[{
'path': '/api/v1.0/join-scripts',
'method': 'GET'
}]),
op.DocumentedRuleDefault('kubernetes_provisioner:post_validatedesign',
'role:admin', 'Validate documents',
[{
'path': '/api/v1.0/validatedesign',
'method': 'POST'
}]),
op.DocumentedRuleDefault('kubernetes_provisioner:update_node_labels',
'role:admin', 'Update Node Labels',
[{
'path': '/api/v1.0/node-labels/{node_name}',
'method': 'PUT'
}]),
]
class PromenadePolicy:
def __init__(self):
self.enforcer = op.Enforcer(cfg.CONF)
def register_policy(self):
self.enforcer.register_defaults(POLICIES)
self.enforcer.load_rules()
def authorize(self, action, ctx):
target = {'project_id': ctx.project_id, 'user_id': ctx.user_id}
return self.enforcer.authorize(action, target, ctx.to_policy_view())
class ApiEnforcer(object):
"""
A decorator class for enforcing RBAC policies
"""
def __init__(self, action):
self.action = action
def __call__(self, f):
@functools.wraps(f)
def secure_handler(slf, req, resp, *args, **kwargs):
ctx = req.context
policy_eng = ctx.policy_engine
# policy engine must be configured
if policy_eng is not None:
LOG.debug(
'Enforcing policy %s on request %s using engine %s',
self.action,
ctx.request_id,
policy_eng.__class__.__name__,
ctx=ctx)
else:
LOG.error('No policy engine configured', ctx=ctx)
raise ex.PromenadeException(
title="Auth is not being handled by any policy engine",
status=falcon.HTTP_500,
retry=False)
authorized = False
try:
if policy_eng.authorize(self.action, ctx):
LOG.debug('Request is authorized', ctx=ctx)
authorized = True
except Exception:
LOG.exception(
'Error authorizing request for action %s',
self.action,
ctx=ctx)
raise ex.ApiError(
title="Expectation Failed",
status=falcon.HTTP_417,
retry=False)
if authorized:
return f(slf, req, resp, *args, **kwargs)
else:
# raise the appropriate response exeception
if ctx.authenticated:
LOG.error(
'Unauthorized access attempted for action %s',
self.action,
ctx=ctx)
raise ex.ApiError(
title="Forbidden",
status=falcon.HTTP_403,
description="Credentials do not permit access",
retry=False)
else:
LOG.error(
'Unathenticated access attempted for action %s',
self.action,
ctx=ctx)
raise ex.ApiError(
title="Unauthenticated",
status=falcon.HTTP_401,
description="Credentials are not established",
retry=False)
return secure_handler