Add Oslo Policy options for policy file location

Adds options to the configuration of Shipyard to direct oslo_policy to
the location of the /etc/shipyard/policy.yaml file (default location)
allowing for override of default policies via chart or chart override.

Change-Id: I5cf68994c40aa835a631f5b6f67363a2b8a8af0a
changes/46/589646/7
Bryan Strassner 4 years ago
parent 20c27eed66
commit 4713149b63
  1. 21
      charts/shipyard/values.yaml
  2. 4
      docs/source/_static/shipyard.policy.yaml.sample
  3. 3
      src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample
  4. 11
      src/bin/shipyard_airflow/shipyard_airflow/policy.py
  5. 4
      src/bin/shipyard_airflow/tests/unit/control/test.conf
  6. 14
      tools/resources/shipyard.conf

@ -361,12 +361,17 @@ conf:
workflow_orchestrator:create_action: rule:admin_required
workflow_orchestrator:get_action: rule:admin_required
workflow_orchestrator:get_action_step: rule:admin_required
workflow_orchestrator:get_action_step_logs: rule:admin_required
workflow_orchestrator:get_action_validation: rule:admin_required
workflow_orchestrator:invoke_action_control: rule:admin_required
workflow_orchestrator:get_configdocs_status: rule:admin_required
workflow_orchestrator:create_configdocs: rule:admin_required
workflow_orchestrator:get_configdocs: rule:admin_required
workflow_orchestrator:commit_configdocs: rule:admin_required
workflow_orchestrator:get_renderedconfigdocs: rule:admin_required
workflow_orchestrator:list_workflows: rule:admin_required
workflow_orchestrator:get_workflow: rule:admin_required
workflow_orchestrator:get_site_statuses: rule:admin_required
paste:
app:shipyard-api:
paste.app_factory: shipyard_airflow.shipyard_api:paste_start_shipyard
@ -385,17 +390,6 @@ conf:
service_type: armada
drydock:
service_type: physicalprovisioner
verify_site_query_interval: 10
verify_site_task_timeout: 60
prepare_site_query_interval: 10
prepare_site_task_timeout: 300
prepare_node_query_interval: 30
prepare_node_task_timeout: 1800
deploy_node_query_interval: 30
deploy_node_task_timeout: 3600
destroy_node_query_interval: 30
destroy_node_task_timeout: 900
cluster_join_check_backoff_time: 120
promenade:
service_type: kubernetesprovisioner
keystone_authtoken:
@ -416,6 +410,11 @@ conf:
worker_port: 8793
k8s_logs:
ucp_namespace: 'ucp'
oslo_policy:
policy_file: /etc/shipyard/policy.yaml
# If non-existent rule is used, the request should be denied. The
# deny_all rule is hard coded in the policy.py code to allow no access.
policy_default_rule: deny_all
airflow_config_file:
path: /usr/local/airflow/airflow.cfg
airflow:
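Review bot: The comment above `policy_default_rule: deny_all` says the rule is hard coded in policy.py, but a `deny_all` entry in /etc/shipyard/policy.yaml would, as far as I know of oslo.policy, take precedence over the registered default once `policy_file` is honoured. The fallback for unknown rules is therefore only as strict as the deployed policy file. I would reword the comment to say so, e.g. `# deny_all is registered in policy.py with check string '!'; do not redefine it in policy.yaml, a file entry would override it.` The `conf:` block starts and continues outside these hunks.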

@ -59,3 +59,7 @@
# GET /api/v1.0/workflows/{id}
#"workflow_orchestrator:get_workflow": "rule:admin_required"
# Retrieve the statuses for the site
# GET /api/v1.0/site_statuses
#"workflow_orchestrator:get_site_statuses": "rule:admin_required"

@ -59,6 +59,7 @@
# GET /api/v1.0/workflows/{id}
#"workflow_orchestrator:get_workflow": "rule:admin_required"
# Retrieve the status for node provision status
# Retrieve the statuses for the site
# GET /api/v1.0/site_statuses
#"workflow_orchestrator:get_site_statuses": "rule:admin_required"

@ -32,13 +32,20 @@ class ShipyardPolicy(object):
"""
RULE_ADMIN_REQUIRED = 'rule:admin_required'
RULE_DENY_ALL = 'rule:deny_all'
# Base Policy
base_rules = [
policy.RuleDefault(
'admin_required',
'role:admin',
description='Actions requiring admin authority'),
description='Actions requiring admin authority'
),
policy.RuleDefault(
'deny_all',
'!',
description='Rule to deny all access. Used for default denial'
),
]
# Orchestrator Policy
@ -234,7 +241,7 @@ class ApiEnforcer(object):
authorized = True
except:
# couldn't service the auth request
LOG.error(
LOG.exception(
"Error - Expectation Failed - action: %s", self.action)
raise ApiError(
title="Expectation Failed",
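Review bot: The bare `except:` in the ApiEnforcer hunk (only `authorized = True` is visible inside the `try`) also traps SystemExit and KeyboardInterrupt and reports them as "Expectation Failed". Changing it to `except Exception:` keeps the fail-closed `raise ApiError` without swallowing interpreter exits. Because the handler now uses `LOG.exception`, the full traceback of whatever was raised is logged, so it is worth confirming that no exception on that path carries a token or credential in its text. The enclosing method starts and ends outside the hunk.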

@ -44,4 +44,6 @@ validation_read_timeout = 300
service_type = shipyard
[logging]
named_log_levels = keystoneauth:ERROR,cheese:WARN,pumpkins:INFO
[oslo_policy]
policy_file = /etc/shipyard/policy.yaml
policy_default_rule = deny_all
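Review bot: The unit-test configuration points `policy_file` at the absolute path /etc/shipyard/policy.yaml, so a policy file that happens to exist on the build host could change which rules the unit tests run against. If oslo.policy resolves the path as I expect, a file inside the test tree or a temporary file created by the tests would keep the suite independent of host state. The file list for this commit shows no test change other than this config, so the new `deny_all` default appears to have no test of its own.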

@ -13,18 +13,7 @@ upgrade_db = false
[deckhand]
service_type = deckhand
[drydock]
cluster_join_check_backoff_time = 120
deploy_node_query_interval = 30
deploy_node_task_timeout = 3600
destroy_node_query_interval = 30
destroy_node_task_timeout = 900
prepare_node_query_interval = 30
prepare_node_task_timeout = 1800
prepare_site_query_interval = 10
prepare_site_task_timeout = 300
service_type = physicalprovisioner
verify_site_query_interval = 10
verify_site_task_timeout = 60
[keystone_authtoken]
auth_section = keystone_authtoken
auth_type = password
@ -53,3 +42,6 @@ validation_connect_timeout = 5
validation_read_timeout = 300
[shipyard]
service_type = shipyard
[oslo_policy]
policy_file = /etc/shipyard/policy.yaml
policy_default_rule = deny_all
