Use default policy in code
Delete policy.json from repo since we can use policies registered in code. We can also change default policy rules through below steps: - generate policy.yaml and copy to /etc/barbican - configure `policy_file=policy.yaml` in `oslo_policy` section - uncomment rules in policy.yaml and make changes as we desire - restart barbican api service - test whether new rules take effect on corresponding API Change-Id: Ia64eac1eb4e30457b323c6ab99d26d3d40c28060
This commit is contained in:
Jeremy Liu
parent
48f50a0868
commit
73420137a6
71
barbican/common/policy.py
Normal file
71
barbican/common/policy.py
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
# Copyright 2011-2012 OpenStack LLC.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
import copy
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from barbican.common import config
|
||||||
|
from barbican.common import policies
|
||||||
|
|
||||||
|
CONF = config.CONF
|
||||||
|
ENFORCER = None
|
||||||
|
# oslo_policy will read the policy configuration file again when the file
|
||||||
|
# is changed in runtime so the old policy rules will be saved to
|
||||||
|
# saved_file_rules and used to compare with new rules to determine the
|
||||||
|
# rules whether were updated.
|
||||||
|
saved_file_rules = []
|
||||||
|
|
||||||
|
|
||||||
|
def reset():
|
||||||
|
global ENFORCER
|
||||||
|
if ENFORCER:
|
||||||
|
ENFORCER.clear()
|
||||||
|
ENFORCER = None
|
||||||
|
|
||||||
|
|
||||||
|
def init():
|
||||||
|
global ENFORCER
|
||||||
|
global saved_file_rules
|
||||||
|
|
||||||
|
if not ENFORCER:
|
||||||
|
ENFORCER = policy.Enforcer(CONF)
|
||||||
|
register_rules(ENFORCER)
|
||||||
|
ENFORCER.load_rules()
|
||||||
|
|
||||||
|
# Only the rules which are loaded from file may be changed.
|
||||||
|
current_file_rules = ENFORCER.file_rules
|
||||||
|
current_file_rules = _serialize_rules(current_file_rules)
|
||||||
|
|
||||||
|
# Checks whether the rules are updated in the runtime
|
||||||
|
if saved_file_rules != current_file_rules:
|
||||||
|
saved_file_rules = copy.deepcopy(current_file_rules)
|
||||||
|
|
||||||
|
|
||||||
|
def _serialize_rules(rules):
|
||||||
|
"""Serialize all the Rule object as string."""
|
||||||
|
|
||||||
|
result = [(rule_name, str(rule))
|
||||||
|
for rule_name, rule in rules.items()]
|
||||||
|
return sorted(result, key=lambda rule: rule[0])
|
||||||
|
|
||||||
|
|
||||||
|
def register_rules(enforcer):
|
||||||
|
enforcer.register_defaults(policies.list_rules())
|
||||||
|
|
||||||
|
|
||||||
|
def get_enforcer():
|
||||||
|
init()
|
||||||
|
return ENFORCER
|
||||||
@ -14,11 +14,8 @@
|
|||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
import oslo_context
|
import oslo_context
|
||||||
from oslo_policy import policy
|
|
||||||
|
|
||||||
from barbican.common import config
|
from barbican.common import policy
|
||||||
|
|
||||||
CONF = config.CONF
|
|
||||||
|
|
||||||
|
|
||||||
class RequestContext(oslo_context.context.RequestContext):
|
class RequestContext(oslo_context.context.RequestContext):
|
||||||
@ -33,7 +30,11 @@ class RequestContext(oslo_context.context.RequestContext):
|
|||||||
if project:
|
if project:
|
||||||
kwargs['tenant'] = project
|
kwargs['tenant'] = project
|
||||||
self.project = project
|
self.project = project
|
||||||
self.policy_enforcer = policy_enforcer or policy.Enforcer(CONF)
|
if policy_enforcer:
|
||||||
|
self.policy_enforcer = policy_enforcer
|
||||||
|
else:
|
||||||
|
policy.init()
|
||||||
|
self.policy_enforcer = policy.get_enforcer()
|
||||||
super(RequestContext, self).__init__(**kwargs)
|
super(RequestContext, self).__init__(**kwargs)
|
||||||
|
|
||||||
def to_dict(self):
|
def to_dict(self):
|
||||||
|
|||||||
@ -20,7 +20,6 @@ For typical-flow business logic tests of these classes, see the
|
|||||||
import os
|
import os
|
||||||
|
|
||||||
import mock
|
import mock
|
||||||
from oslo_policy import policy
|
|
||||||
from webob import exc
|
from webob import exc
|
||||||
|
|
||||||
from barbican.api.controllers import consumers
|
from barbican.api.controllers import consumers
|
||||||
@ -30,6 +29,7 @@ from barbican.api.controllers import secrets
|
|||||||
from barbican.api.controllers import secretstores
|
from barbican.api.controllers import secretstores
|
||||||
from barbican.api.controllers import versions
|
from barbican.api.controllers import versions
|
||||||
from barbican.common import config
|
from barbican.common import config
|
||||||
|
from barbican.common import policy
|
||||||
from barbican import context
|
from barbican import context
|
||||||
from barbican.model import models
|
from barbican.model import models
|
||||||
from barbican.tests import utils
|
from barbican.tests import utils
|
||||||
@ -41,7 +41,8 @@ TEST_VAR_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__),
|
|||||||
|
|
||||||
CONF = config.new_config()
|
CONF = config.new_config()
|
||||||
|
|
||||||
ENFORCER = policy.Enforcer(CONF)
|
policy.init()
|
||||||
|
ENFORCER = policy.ENFORCER
|
||||||
|
|
||||||
|
|
||||||
class TestableResource(object):
|
class TestableResource(object):
|
||||||
|
|||||||
@ -125,10 +125,6 @@ function configure_barbican {
|
|||||||
setup_colorized_logging $BARBICAN_CONF DEFAULT project user
|
setup_colorized_logging $BARBICAN_CONF DEFAULT project user
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Install the policy file for the API server
|
|
||||||
cp $BARBICAN_DIR/etc/barbican/policy.json $BARBICAN_CONF_DIR
|
|
||||||
iniset $BARBICAN_CONF DEFAULT policy_file $BARBICAN_CONF_DIR/policy.json
|
|
||||||
|
|
||||||
# Set the database connection url
|
# Set the database connection url
|
||||||
iniset $BARBICAN_CONF DEFAULT sql_connection `database_connection_url barbican`
|
iniset $BARBICAN_CONF DEFAULT sql_connection `database_connection_url barbican`
|
||||||
|
|
||||||
|
|||||||
@ -1,90 +0,0 @@
|
|||||||
{
|
|
||||||
"admin": "role:admin",
|
|
||||||
"observer": "role:observer",
|
|
||||||
"creator": "role:creator",
|
|
||||||
"audit": "role:audit",
|
|
||||||
"service_admin": "role:key-manager:service-admin",
|
|
||||||
"admin_or_user_does_not_work": "project_id:%(project_id)s",
|
|
||||||
"admin_or_user": "rule:admin or project_id:%(project_id)s",
|
|
||||||
"admin_or_creator": "rule:admin or rule:creator",
|
|
||||||
"all_but_audit": "rule:admin or rule:observer or rule:creator",
|
|
||||||
"all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
|
|
||||||
"secret_project_match": "project:%(target.secret.project_id)s",
|
|
||||||
"secret_acl_read": "'read':%(target.secret.read)s",
|
|
||||||
"secret_private_read": "'False':%(target.secret.read_project_access)s",
|
|
||||||
"secret_creator_user": "user:%(target.secret.creator_id)s",
|
|
||||||
"container_project_match": "project:%(target.container.project_id)s",
|
|
||||||
"container_acl_read": "'read':%(target.container.read)s",
|
|
||||||
"container_private_read": "'False':%(target.container.read_project_access)s",
|
|
||||||
"container_creator_user": "user:%(target.container.creator_id)s",
|
|
||||||
|
|
||||||
"secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
|
|
||||||
"secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
|
|
||||||
"container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read",
|
|
||||||
"secret_project_admin": "rule:admin and rule:secret_project_match",
|
|
||||||
"secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
|
|
||||||
"container_project_admin": "rule:admin and rule:container_project_match",
|
|
||||||
"container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user",
|
|
||||||
|
|
||||||
"version:get": "@",
|
|
||||||
"secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
|
|
||||||
"secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
|
|
||||||
"secret:put": "rule:admin_or_creator and rule:secret_project_match",
|
|
||||||
"secret:delete": "rule:secret_project_admin or rule:secret_project_creator",
|
|
||||||
"secrets:post": "rule:admin_or_creator",
|
|
||||||
"secrets:get": "rule:all_but_audit",
|
|
||||||
"orders:post": "rule:admin_or_creator",
|
|
||||||
"orders:get": "rule:all_but_audit",
|
|
||||||
"order:get": "rule:all_users",
|
|
||||||
"order:put": "rule:admin_or_creator",
|
|
||||||
"order:delete": "rule:admin",
|
|
||||||
"consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
|
||||||
"consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
|
||||||
"consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
|
||||||
"consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
|
||||||
"containers:post": "rule:admin_or_creator",
|
|
||||||
"containers:get": "rule:all_but_audit",
|
|
||||||
"container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
|
||||||
"container:delete": "rule:container_project_admin or rule:container_project_creator",
|
|
||||||
"container_secret:post": "rule:admin",
|
|
||||||
"container_secret:delete": "rule:admin",
|
|
||||||
"transport_key:get": "rule:all_users",
|
|
||||||
"transport_key:delete": "rule:admin",
|
|
||||||
"transport_keys:get": "rule:all_users",
|
|
||||||
"transport_keys:post": "rule:admin",
|
|
||||||
"certificate_authorities:get_limited": "rule:all_users",
|
|
||||||
"certificate_authorities:get_all": "rule:admin",
|
|
||||||
"certificate_authorities:post": "rule:admin",
|
|
||||||
"certificate_authorities:get_preferred_ca": "rule:all_users",
|
|
||||||
"certificate_authorities:get_global_preferred_ca": "rule:service_admin",
|
|
||||||
"certificate_authorities:unset_global_preferred": "rule:service_admin",
|
|
||||||
"certificate_authority:delete": "rule:admin",
|
|
||||||
"certificate_authority:get": "rule:all_users",
|
|
||||||
"certificate_authority:get_cacert": "rule:all_users",
|
|
||||||
"certificate_authority:get_ca_cert_chain": "rule:all_users",
|
|
||||||
"certificate_authority:get_projects": "rule:service_admin",
|
|
||||||
"certificate_authority:add_to_project": "rule:admin",
|
|
||||||
"certificate_authority:remove_from_project": "rule:admin",
|
|
||||||
"certificate_authority:set_preferred": "rule:admin",
|
|
||||||
"certificate_authority:set_global_preferred": "rule:service_admin",
|
|
||||||
"secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator",
|
|
||||||
"secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator",
|
|
||||||
"secret_acls:get": "rule:all_but_audit and rule:secret_project_match",
|
|
||||||
"container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator",
|
|
||||||
"container_acls:delete": "rule:container_project_admin or rule:container_project_creator",
|
|
||||||
"container_acls:get": "rule:all_but_audit and rule:container_project_match",
|
|
||||||
"quotas:get": "rule:all_users",
|
|
||||||
"project_quotas:get": "rule:service_admin",
|
|
||||||
"project_quotas:put": "rule:service_admin",
|
|
||||||
"project_quotas:delete": "rule:service_admin",
|
|
||||||
"secret_meta:get": "rule:all_but_audit",
|
|
||||||
"secret_meta:post": "rule:admin_or_creator",
|
|
||||||
"secret_meta:put": "rule:admin_or_creator",
|
|
||||||
"secret_meta:delete": "rule:admin_or_creator",
|
|
||||||
"secretstores:get": "rule:admin",
|
|
||||||
"secretstores:get_global_default": "rule:admin",
|
|
||||||
"secretstores:get_preferred": "rule:admin",
|
|
||||||
"secretstore_preferred:post": "rule:admin",
|
|
||||||
"secretstore_preferred:delete": "rule:admin",
|
|
||||||
"secretstore:get": "rule:admin"
|
|
||||||
}
|
|
||||||
@ -28,6 +28,9 @@ dogtag =
|
|||||||
dogtag-pki>=10.3.5.1 # LGPLv3+
|
dogtag-pki>=10.3.5.1 # LGPLv3+
|
||||||
|
|
||||||
[entry_points]
|
[entry_points]
|
||||||
|
oslo.policy.enforcer =
|
||||||
|
barbican = barbican.common.policy:get_enforcer
|
||||||
|
|
||||||
oslo.policy.policies =
|
oslo.policy.policies =
|
||||||
barbican = barbican.common.policies:list_rules
|
barbican = barbican.common.policies:list_rules
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user