Implement policy in code (2)

This commit will move all default policies to code for:
- telemetry:get_alarm
- telemetry:get_alarms
- telemetry:query_alarm
- telemetry:create_alarm
- telemetry:change_alarm
- telemetry:delete_alarm

Change-Id: Iae86738119882c49b9488f78f206ecd2f6fa26d7
Co-authored-By: Hieu LE <hieulq@vn.fujitsu.com>

aodh/api/policies.py

@@ -15,9 +15,9 @@
 
 from oslo_policy import policy
 
-
 RULE_CONTEXT_IS_ADMIN = 'rule:context_is_admin'
 RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s'
+UNPROTECTED = ''
 
 rules = [
     policy.RuleDefault(
@@ -34,6 +34,72 @@ rules = [
     policy.RuleDefault(
         name="default",
         check_str=RULE_ADMIN_OR_OWNER
+    ),
+    policy.DocumentedRuleDefault(
+        name="telemetry:get_alarm",
+        check_str=RULE_ADMIN_OR_OWNER,
+        description='Get an alarm.',
+        operations=[
+            {
+                'path': '/v2/alarms/{alarm_id}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="telemetry:get_alarms",
+        check_str=RULE_ADMIN_OR_OWNER,
+        description='Get all alarms, based on the query provided.',
+        operations=[
+            {
+                'path': '/v2/alarms',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="telemetry:query_alarm",
+        check_str=RULE_ADMIN_OR_OWNER,
+        description='Get all alarms, based on the query provided.',
+        operations=[
+            {
+                'path': '/v2/query/alarms',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="telemetry:create_alarm",
+        check_str=UNPROTECTED,
+        description='Create a new alarm.',
+        operations=[
+            {
+                'path': '/v2/alarms',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="telemetry:change_alarm",
+        check_str=RULE_ADMIN_OR_OWNER,
+        description='Modify this alarm.',
+        operations=[
+            {
+                'path': '/v2/alarms/{alarm_id}',
+                'method': 'PUT'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="telemetry:delete_alarm",
+        check_str=RULE_ADMIN_OR_OWNER,
+        description='Delete this alarm.',
+        operations=[
+            {
+                'path': '/v2/alarms/{alarm_id}',
+                'method': 'DELETE'
+            }
+        ]
     )
 ]
 

aodh/api/policy.json

@@ -1,12 +1,4 @@
 {
-    "telemetry:get_alarm": "rule:admin_or_owner",
-    "telemetry:get_alarms": "rule:admin_or_owner",
-    "telemetry:query_alarm": "rule:admin_or_owner",
-
-    "telemetry:create_alarm": "",
-    "telemetry:change_alarm": "rule:admin_or_owner",
-    "telemetry:delete_alarm": "rule:admin_or_owner",
-
     "telemetry:get_alarm_state": "rule:admin_or_owner",
     "telemetry:change_alarm_state": "rule:admin_or_owner",
 

aodh/tests/functional/gabbi/fixtures.py

@@ -27,6 +27,7 @@ from six.moves.urllib import parse as urlparse
 import sqlalchemy_utils
 
 from aodh.api import app
+from aodh.api import rbac
 from aodh import service
 from aodh import storage
 
@@ -76,10 +77,7 @@ class ConfigFixture(fixture.GabbiFixture):
         self.conf = conf
         opts.set_defaults(self.conf)
 
-        conf.set_override('policy_file',
+        rbac.enforce = mock.Mock()
-                          os.path.abspath(
-                              'aodh/tests/open-policy.json'),
-                          group='oslo_policy')
         conf.set_override('auth_mode', None, group='api')
 
         parsed_url = urlparse.urlparse(db_url)

aodh/tests/open-policy.json

@@ -1,5 +0,0 @@
-{
-    "context_is_admin": "role:admin",
-    "segregation": "rule:context_is_admin",
-    "default": ""
-}