Merge "Policy management for Climate"
This commit is contained in:
commit
4d13adad83
@ -14,20 +14,19 @@
|
||||
# limitations under the License.
|
||||
|
||||
from climate.manager.oshosts import rpcapi as manager_rpcapi
|
||||
from climate.openstack.common import log as logging
|
||||
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
from climate import policy
|
||||
|
||||
|
||||
class API(object):
|
||||
def __init__(self):
|
||||
self.manager_rpcapi = manager_rpcapi.ManagerRPCAPI()
|
||||
|
||||
@policy.authorize('oshosts', 'get')
|
||||
def get_computehosts(self):
|
||||
"""List all existing computehosts."""
|
||||
return self.manager_rpcapi.list_computehosts()
|
||||
|
||||
@policy.authorize('oshosts', 'create')
|
||||
def create_computehost(self, data):
|
||||
"""Create new computehost.
|
||||
|
||||
@ -37,6 +36,7 @@ class API(object):
|
||||
|
||||
return self.manager_rpcapi.create_computehost(data)
|
||||
|
||||
@policy.authorize('oshosts', 'get')
|
||||
def get_computehost(self, host_id):
|
||||
"""Get computehost by its ID.
|
||||
|
||||
@ -45,6 +45,7 @@ class API(object):
|
||||
"""
|
||||
return self.manager_rpcapi.get_computehost(host_id)
|
||||
|
||||
@policy.authorize('oshosts', 'update')
|
||||
def update_computehost(self, host_id, data):
|
||||
"""Update computehost. Only name changing may be proceeded.
|
||||
|
||||
@ -55,6 +56,7 @@ class API(object):
|
||||
"""
|
||||
return self.manager_rpcapi.update_computehost(host_id, data)
|
||||
|
||||
@policy.authorize('oshosts', 'delete')
|
||||
def delete_computehost(self, host_id):
|
||||
"""Delete specified computehost.
|
||||
|
||||
|
@ -16,6 +16,7 @@
|
||||
from climate import exceptions
|
||||
from climate.manager import rpcapi as manager_rpcapi
|
||||
from climate.openstack.common import log as logging
|
||||
from climate import policy
|
||||
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
@ -28,10 +29,12 @@ class API(object):
|
||||
|
||||
## Leases operations
|
||||
|
||||
@policy.authorize('leases', 'get')
|
||||
def get_leases(self):
|
||||
"""List all existing leases."""
|
||||
return self.manager_rpcapi.list_leases()
|
||||
|
||||
@policy.authorize('leases', 'create')
|
||||
def create_lease(self, data):
|
||||
"""Create new lease.
|
||||
|
||||
@ -43,6 +46,7 @@ class API(object):
|
||||
data.update({'trust': trust})
|
||||
return self.manager_rpcapi.create_lease(data)
|
||||
|
||||
@policy.authorize('leases', 'get')
|
||||
def get_lease(self, lease_id):
|
||||
"""Get lease by its ID.
|
||||
|
||||
@ -51,6 +55,7 @@ class API(object):
|
||||
"""
|
||||
return self.manager_rpcapi.get_lease(lease_id)
|
||||
|
||||
@policy.authorize('leases', 'update')
|
||||
def update_lease(self, lease_id, data):
|
||||
"""Update lease. Only name changing and prolonging may be proceeded.
|
||||
|
||||
@ -76,6 +81,7 @@ class API(object):
|
||||
data['start_date'] = start_date
|
||||
return self.manager_rpcapi.update_lease(lease_id, data)
|
||||
|
||||
@policy.authorize('leases', 'delete')
|
||||
def delete_lease(self, lease_id):
|
||||
"""Delete specified lease.
|
||||
|
||||
@ -86,6 +92,7 @@ class API(object):
|
||||
|
||||
## Plugins operations
|
||||
|
||||
@policy.authorize('plugins', 'get')
|
||||
def get_plugins(self):
|
||||
"""List all possible plugins."""
|
||||
pass
|
||||
|
111
climate/policy.py
Normal file
111
climate/policy.py
Normal file
@ -0,0 +1,111 @@
|
||||
# Copyright (c) 2013 Bull.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
# implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
"""Policy Engine For Climate."""
|
||||
|
||||
import functools
|
||||
from oslo.config import cfg
|
||||
|
||||
from climate import context
|
||||
from climate import exceptions
|
||||
from climate.openstack.common import log as logging
|
||||
from climate.openstack.common import policy
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
_ENFORCER = None
|
||||
|
||||
|
||||
def reset():
|
||||
global _ENFORCER
|
||||
|
||||
if _ENFORCER:
|
||||
_ENFORCER.clear()
|
||||
_ENFORCER = None
|
||||
|
||||
|
||||
def init():
|
||||
global _ENFORCER
|
||||
if not _ENFORCER:
|
||||
LOG.debug("Enforcer not present, recreating at init stage.")
|
||||
_ENFORCER = policy.Enforcer()
|
||||
|
||||
|
||||
def set_rules(data, default_rule=None):
|
||||
default_rule = default_rule or CONF.policy_default_rule
|
||||
if not _ENFORCER:
|
||||
LOG.debug("Enforcer not present, recreating at rules stage.")
|
||||
init()
|
||||
if default_rule:
|
||||
_ENFORCER.default_rule = default_rule
|
||||
_ENFORCER.set_rules(policy.Rules.load_json(data, default_rule))
|
||||
|
||||
|
||||
def enforce(context, action, target, do_raise=True):
|
||||
"""Verifies that the action is valid on the target in this context.
|
||||
|
||||
:param context: climate context
|
||||
:param action: string representing the action to be checked
|
||||
this should be colon separated for clarity.
|
||||
i.e. ``compute:create_instance``,
|
||||
``compute:attach_volume``,
|
||||
``volume:attach_volume``
|
||||
:param target: dictionary representing the object of the action
|
||||
for object creation this should be a dictionary representing the
|
||||
location of the object e.g. ``{'tenant_id': context.tenant_id}``
|
||||
:param do_raise: if True (the default), raises PolicyNotAuthorized;
|
||||
if False, returns False
|
||||
|
||||
:raises climate.exceptions.PolicyNotAuthorized: if verification fails
|
||||
and do_raise is True.
|
||||
|
||||
:return: returns a non-False value (not necessarily "True") if
|
||||
authorized, and the exact value False if not authorized and
|
||||
do_raise is False.
|
||||
"""
|
||||
|
||||
init()
|
||||
|
||||
credentials = context.to_dict()
|
||||
|
||||
# Add the exceptions arguments if asked to do a raise
|
||||
extra = {}
|
||||
if do_raise:
|
||||
extra.update(exc=exceptions.PolicyNotAuthorized, action=action)
|
||||
|
||||
return _ENFORCER.enforce(action, target, credentials, do_raise=do_raise,
|
||||
**extra)
|
||||
|
||||
|
||||
def authorize(extension, action=None, api='climate', ctx=None,
|
||||
target=None):
|
||||
def decorator(func):
|
||||
|
||||
@functools.wraps(func)
|
||||
def wrapped(self, *args, **kwargs):
|
||||
cur_ctx = ctx or context.current()
|
||||
tgt = target or {'tenant_id': cur_ctx.tenant_id,
|
||||
'user_id': cur_ctx.user_id}
|
||||
if action is None:
|
||||
act = '%s:%s' % (api, extension)
|
||||
else:
|
||||
act = '%s:%s:%s' % (api, extension, action)
|
||||
enforce(cur_ctx, act, tgt)
|
||||
return func(self, *args, **kwargs)
|
||||
|
||||
return wrapped
|
||||
return decorator
|
@ -22,11 +22,13 @@ from oslo.config import cfg
|
||||
from climate import context
|
||||
from climate.db.sqlalchemy import api as db_api
|
||||
from climate.openstack.common.db.sqlalchemy import session as db_session
|
||||
from climate.openstack.common import fileutils
|
||||
from climate.openstack.common.fixture import config
|
||||
from climate.openstack.common.fixture import mockpatch
|
||||
from climate.openstack.common import log as logging
|
||||
from climate.openstack.common import policy as common_policy
|
||||
from climate.openstack.common import test
|
||||
|
||||
from climate.tests import fake_policy
|
||||
|
||||
CONF = cfg.CONF
|
||||
CONF.set_override('use_stderr', False)
|
||||
@ -66,6 +68,13 @@ class TestCase(test.BaseTestCase):
|
||||
self.useFixture(config.Config())
|
||||
self.context_mock = None
|
||||
|
||||
self.fileutils = fileutils
|
||||
self.read_cached_file = self.patch(self.fileutils, 'read_cached_file')
|
||||
self.read_cached_file.return_value = (True, fake_policy.policy_data)
|
||||
self.common_policy = common_policy
|
||||
self.patch(self.common_policy.Enforcer, '_get_policy_path')
|
||||
CONF.set_override('policy_file', 'fake')
|
||||
|
||||
def patch(self, obj, attr):
|
||||
"""Returns a Mocked object on the patched attribute."""
|
||||
mockfixture = self.useFixture(mockpatch.PatchObject(obj, attr))
|
||||
|
28
climate/tests/fake_policy.py
Normal file
28
climate/tests/fake_policy.py
Normal file
@ -0,0 +1,28 @@
|
||||
# Copyright (c) 2013 Bull.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
policy_data = """
|
||||
{
|
||||
|
||||
"admin": "is_admin:True or role:admin or role:masterofuniverse",
|
||||
"admin_or_owner": "rule:admin or tenant_id:%(tenant_id)s",
|
||||
"default": "!",
|
||||
|
||||
"admin_api": "rule:admin",
|
||||
"climate:leases": "rule:admin_or_owner",
|
||||
"climate:leases:get": "rule:admin_or_owner",
|
||||
"climate:os-hosts": "rule:admin_api"
|
||||
}
|
||||
"""
|
137
climate/tests/test_policy.py
Normal file
137
climate/tests/test_policy.py
Normal file
@ -0,0 +1,137 @@
|
||||
# Copyright (c) 2013 Bull.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
# implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
"""Test of Policy Engine For Climate."""
|
||||
|
||||
from oslo.config import cfg
|
||||
|
||||
from climate import context
|
||||
from climate import exceptions
|
||||
from climate import policy
|
||||
from climate import tests
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
||||
|
||||
class DefaultPolicyTestCase(tests.TestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(DefaultPolicyTestCase, self).setUp()
|
||||
|
||||
self.rules = """
|
||||
{
|
||||
"default": "",
|
||||
"example:exist": "!",
|
||||
"example:allowed": "@",
|
||||
"example:my_file": "role:admin or \
|
||||
tenant_id:%(tenant_id)s"
|
||||
}
|
||||
"""
|
||||
|
||||
self.default_rule = None
|
||||
policy.reset()
|
||||
self.read_cached_file.return_value = (True, self.rules)
|
||||
self.context = context.ClimateContext(user_id='fake', tenant_id='fake',
|
||||
roles=['member'])
|
||||
|
||||
def _set_rules(self, default_rule):
|
||||
self.default_rule = default_rule
|
||||
policy.set_rules(self.rules, default_rule)
|
||||
|
||||
def test_policy_called(self):
|
||||
self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce,
|
||||
self.context, "example:exist", {})
|
||||
|
||||
def test_not_found_policy_calls_default(self):
|
||||
result = policy.enforce(self.context, "example:noexist", {}, False)
|
||||
self.assertEqual(result, True)
|
||||
|
||||
def test_default_not_found(self):
|
||||
self._set_rules("default_noexist")
|
||||
self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce,
|
||||
self.context, "example:noexist", {})
|
||||
|
||||
def test_enforce_good_action(self):
|
||||
action = "example:allowed"
|
||||
result = policy.enforce(self.context, action, {}, False)
|
||||
self.assertEqual(result, True)
|
||||
|
||||
def test_templatized_enforcement(self):
|
||||
target_mine = {'tenant_id': 'fake'}
|
||||
target_not_mine = {'tenant_id': 'another'}
|
||||
action = "example:my_file"
|
||||
policy.enforce(self.context, action, target_mine)
|
||||
self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce,
|
||||
self.context, action, target_not_mine)
|
||||
|
||||
|
||||
class ClimatePolicyTestCase(tests.TestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(ClimatePolicyTestCase, self).setUp()
|
||||
|
||||
self.context = context.ClimateContext(user_id='fake', tenant_id='fake',
|
||||
roles=['member'])
|
||||
|
||||
def test_standardpolicy(self):
|
||||
target_good = {'user_id': self.context.user_id,
|
||||
'tenant_id': self.context.tenant_id}
|
||||
target_wrong = {'user_id': self.context.user_id,
|
||||
'tenant_id': 'bad_tenant'}
|
||||
action = "climate:leases"
|
||||
self.assertEqual(True, policy.enforce(self.context, action,
|
||||
target_good))
|
||||
self.assertEqual(False, policy.enforce(self.context, action,
|
||||
target_wrong, False))
|
||||
|
||||
def test_adminpolicy(self):
|
||||
target = {'user_id': self.context.user_id,
|
||||
'tenant_id': self.context.tenant_id}
|
||||
action = "climate:os-hosts"
|
||||
self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce,
|
||||
self.context, action, target)
|
||||
|
||||
def test_elevatedpolicy(self):
|
||||
target = {'user_id': self.context.user_id,
|
||||
'tenant_id': self.context.tenant_id}
|
||||
action = "climate:os-hosts"
|
||||
self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce,
|
||||
self.context, action, target)
|
||||
elevated_context = self.context.elevated()
|
||||
self.assertEqual(True,
|
||||
policy.enforce(elevated_context, action, target))
|
||||
|
||||
def test_authorize(self):
|
||||
|
||||
@policy.authorize('leases', ctx=self.context)
|
||||
def user_method(self):
|
||||
return True
|
||||
|
||||
@policy.authorize('leases', 'get', ctx=self.context)
|
||||
def user_method_with_action(self):
|
||||
return True
|
||||
|
||||
@policy.authorize('oshosts', ctx=self.context)
|
||||
def adminonly_method(self):
|
||||
return True
|
||||
|
||||
self.assertEqual(True, user_method(self))
|
||||
self.assertEqual(True, user_method_with_action(self))
|
||||
try:
|
||||
adminonly_method(self)
|
||||
self.assertTrue(False)
|
||||
except exceptions.PolicyNotAuthorized:
|
||||
# We are expecting this exception
|
||||
self.assertTrue(True)
|
20
etc/policy.json
Normal file
20
etc/policy.json
Normal file
@ -0,0 +1,20 @@
|
||||
{
|
||||
"admin": "is_admin:True or role:admin or role:masterofuniverse",
|
||||
|
||||
"admin_or_owner": "rule:admin or tenant_id:%(tenant_id)s",
|
||||
|
||||
"default": "!",
|
||||
"admin_api": "rule:admin",
|
||||
|
||||
"climate:leases:get": "rule:admin_or_owner",
|
||||
"climate:leases:create": "rule:admin_or_owner",
|
||||
"climate:leases:delete": "rule:admin_or_owner",
|
||||
"climate:leases:update": "rule:admin_or_owner",
|
||||
|
||||
"climate:plugins:get": "@",
|
||||
|
||||
"climate:oshosts:get": "rule:admin_or_owner",
|
||||
"climate:oshosts:create": "rule:admin_api",
|
||||
"climate:oshosts:delete": "rule:admin_api",
|
||||
"climate:oshosts:update": "rule:admin_api"
|
||||
}
|
Loading…
Reference in New Issue
Block a user