Use default policy in code
Delete policy.json from repo since we can use policies registered in code. We can also change default policy rules through below steps: - generate policy.yaml and copy to /etc/barbican - configure `policy_file=policy.yaml` in `oslo_policy` section - uncomment rules in policy.yaml and make changes as we desire - restart barbican api service - test whether new rules take effect on corresponding API Change-Id: Ia64eac1eb4e30457b323c6ab99d26d3d40c28060
This commit is contained in:
Jeremy Liu
parent
48f50a0868
commit
73420137a6
71
barbican/common/policy.py
Normal file
71
barbican/common/policy.py
Normal file
@ -0,0 +1,71 @@
|
||||
# Copyright 2011-2012 OpenStack LLC.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import copy
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from barbican.common import config
|
||||
from barbican.common import policies
|
||||
|
||||
CONF = config.CONF
|
||||
ENFORCER = None
|
||||
# oslo_policy will read the policy configuration file again when the file
|
||||
# is changed in runtime so the old policy rules will be saved to
|
||||
# saved_file_rules and used to compare with new rules to determine the
|
||||
# rules whether were updated.
|
||||
saved_file_rules = []
|
||||
|
||||
|
||||
def reset():
|
||||
global ENFORCER
|
||||
if ENFORCER:
|
||||
ENFORCER.clear()
|
||||
ENFORCER = None
|
||||
|
||||
|
||||
def init():
|
||||
global ENFORCER
|
||||
global saved_file_rules
|
||||
|
||||
if not ENFORCER:
|
||||
ENFORCER = policy.Enforcer(CONF)
|
||||
register_rules(ENFORCER)
|
||||
ENFORCER.load_rules()
|
||||
|
||||
# Only the rules which are loaded from file may be changed.
|
||||
current_file_rules = ENFORCER.file_rules
|
||||
current_file_rules = _serialize_rules(current_file_rules)
|
||||
|
||||
# Checks whether the rules are updated in the runtime
|
||||
if saved_file_rules != current_file_rules:
|
||||
saved_file_rules = copy.deepcopy(current_file_rules)
|
||||
|
||||
|
||||
def _serialize_rules(rules):
|
||||
"""Serialize all the Rule object as string."""
|
||||
|
||||
result = [(rule_name, str(rule))
|
||||
for rule_name, rule in rules.items()]
|
||||
return sorted(result, key=lambda rule: rule[0])
|
||||
|
||||
|
||||
def register_rules(enforcer):
|
||||
enforcer.register_defaults(policies.list_rules())
|
||||
|
||||
|
||||
def get_enforcer():
|
||||
init()
|
||||
return ENFORCER
|
||||
@ -14,11 +14,8 @@
|
||||
# under the License.
|
||||
|
||||
import oslo_context
|
||||
from oslo_policy import policy
|
||||
|
||||
from barbican.common import config
|
||||
|
||||
CONF = config.CONF
|
||||
from barbican.common import policy
|
||||
|
||||
|
||||
class RequestContext(oslo_context.context.RequestContext):
|
||||
@ -33,7 +30,11 @@ class RequestContext(oslo_context.context.RequestContext):
|
||||
if project:
|
||||
kwargs['tenant'] = project
|
||||
self.project = project
|
||||
self.policy_enforcer = policy_enforcer or policy.Enforcer(CONF)
|
||||
if policy_enforcer:
|
||||
self.policy_enforcer = policy_enforcer
|
||||
else:
|
||||
policy.init()
|
||||
self.policy_enforcer = policy.get_enforcer()
|
||||
super(RequestContext, self).__init__(**kwargs)
|
||||
|
||||
def to_dict(self):
|
||||
|
||||
@ -20,7 +20,6 @@ For typical-flow business logic tests of these classes, see the
|
||||
import os
|
||||
|
||||
import mock
|
||||
from oslo_policy import policy
|
||||
from webob import exc
|
||||
|
||||
from barbican.api.controllers import consumers
|
||||
@ -30,6 +29,7 @@ from barbican.api.controllers import secrets
|
||||
from barbican.api.controllers import secretstores
|
||||
from barbican.api.controllers import versions
|
||||
from barbican.common import config
|
||||
from barbican.common import policy
|
||||
from barbican import context
|
||||
from barbican.model import models
|
||||
from barbican.tests import utils
|
||||
@ -41,7 +41,8 @@ TEST_VAR_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__),
|
||||
|
||||
CONF = config.new_config()
|
||||
|
||||
ENFORCER = policy.Enforcer(CONF)
|
||||
policy.init()
|
||||
ENFORCER = policy.ENFORCER
|
||||
|
||||
|
||||
class TestableResource(object):
|
||||
|
||||
@ -125,10 +125,6 @@ function configure_barbican {
|
||||
setup_colorized_logging $BARBICAN_CONF DEFAULT project user
|
||||
fi
|
||||
|
||||
# Install the policy file for the API server
|
||||
cp $BARBICAN_DIR/etc/barbican/policy.json $BARBICAN_CONF_DIR
|
||||
iniset $BARBICAN_CONF DEFAULT policy_file $BARBICAN_CONF_DIR/policy.json
|
||||
|
||||
# Set the database connection url
|
||||
iniset $BARBICAN_CONF DEFAULT sql_connection `database_connection_url barbican`
|
||||
|
||||
|
||||
@ -1,90 +0,0 @@
|
||||
{
|
||||
"admin": "role:admin",
|
||||
"observer": "role:observer",
|
||||
"creator": "role:creator",
|
||||
"audit": "role:audit",
|
||||
"service_admin": "role:key-manager:service-admin",
|
||||
"admin_or_user_does_not_work": "project_id:%(project_id)s",
|
||||
"admin_or_user": "rule:admin or project_id:%(project_id)s",
|
||||
"admin_or_creator": "rule:admin or rule:creator",
|
||||
"all_but_audit": "rule:admin or rule:observer or rule:creator",
|
||||
"all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
|
||||
"secret_project_match": "project:%(target.secret.project_id)s",
|
||||
"secret_acl_read": "'read':%(target.secret.read)s",
|
||||
"secret_private_read": "'False':%(target.secret.read_project_access)s",
|
||||
"secret_creator_user": "user:%(target.secret.creator_id)s",
|
||||
"container_project_match": "project:%(target.container.project_id)s",
|
||||
"container_acl_read": "'read':%(target.container.read)s",
|
||||
"container_private_read": "'False':%(target.container.read_project_access)s",
|
||||
"container_creator_user": "user:%(target.container.creator_id)s",
|
||||
|
||||
"secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
|
||||
"secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
|
||||
"container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read",
|
||||
"secret_project_admin": "rule:admin and rule:secret_project_match",
|
||||
"secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
|
||||
"container_project_admin": "rule:admin and rule:container_project_match",
|
||||
"container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user",
|
||||
|
||||
"version:get": "@",
|
||||
"secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
|
||||
"secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
|
||||
"secret:put": "rule:admin_or_creator and rule:secret_project_match",
|
||||
"secret:delete": "rule:secret_project_admin or rule:secret_project_creator",
|
||||
"secrets:post": "rule:admin_or_creator",
|
||||
"secrets:get": "rule:all_but_audit",
|
||||
"orders:post": "rule:admin_or_creator",
|
||||
"orders:get": "rule:all_but_audit",
|
||||
"order:get": "rule:all_users",
|
||||
"order:put": "rule:admin_or_creator",
|
||||
"order:delete": "rule:admin",
|
||||
"consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
||||
"consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
||||
"consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
||||
"consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
||||
"containers:post": "rule:admin_or_creator",
|
||||
"containers:get": "rule:all_but_audit",
|
||||
"container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
|
||||
"container:delete": "rule:container_project_admin or rule:container_project_creator",
|
||||
"container_secret:post": "rule:admin",
|
||||
"container_secret:delete": "rule:admin",
|
||||
"transport_key:get": "rule:all_users",
|
||||
"transport_key:delete": "rule:admin",
|
||||
"transport_keys:get": "rule:all_users",
|
||||
"transport_keys:post": "rule:admin",
|
||||
"certificate_authorities:get_limited": "rule:all_users",
|
||||
"certificate_authorities:get_all": "rule:admin",
|
||||
"certificate_authorities:post": "rule:admin",
|
||||
"certificate_authorities:get_preferred_ca": "rule:all_users",
|
||||
"certificate_authorities:get_global_preferred_ca": "rule:service_admin",
|
||||
"certificate_authorities:unset_global_preferred": "rule:service_admin",
|
||||
"certificate_authority:delete": "rule:admin",
|
||||
"certificate_authority:get": "rule:all_users",
|
||||
"certificate_authority:get_cacert": "rule:all_users",
|
||||
"certificate_authority:get_ca_cert_chain": "rule:all_users",
|
||||
"certificate_authority:get_projects": "rule:service_admin",
|
||||
"certificate_authority:add_to_project": "rule:admin",
|
||||
"certificate_authority:remove_from_project": "rule:admin",
|
||||
"certificate_authority:set_preferred": "rule:admin",
|
||||
"certificate_authority:set_global_preferred": "rule:service_admin",
|
||||
"secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator",
|
||||
"secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator",
|
||||
"secret_acls:get": "rule:all_but_audit and rule:secret_project_match",
|
||||
"container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator",
|
||||
"container_acls:delete": "rule:container_project_admin or rule:container_project_creator",
|
||||
"container_acls:get": "rule:all_but_audit and rule:container_project_match",
|
||||
"quotas:get": "rule:all_users",
|
||||
"project_quotas:get": "rule:service_admin",
|
||||
"project_quotas:put": "rule:service_admin",
|
||||
"project_quotas:delete": "rule:service_admin",
|
||||
"secret_meta:get": "rule:all_but_audit",
|
||||
"secret_meta:post": "rule:admin_or_creator",
|
||||
"secret_meta:put": "rule:admin_or_creator",
|
||||
"secret_meta:delete": "rule:admin_or_creator",
|
||||
"secretstores:get": "rule:admin",
|
||||
"secretstores:get_global_default": "rule:admin",
|
||||
"secretstores:get_preferred": "rule:admin",
|
||||
"secretstore_preferred:post": "rule:admin",
|
||||
"secretstore_preferred:delete": "rule:admin",
|
||||
"secretstore:get": "rule:admin"
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user