Policy in code

This patch introduces the implementation for registering
default policy rules in code. Default rules are defined under
cloudkitty.common.policies. Each API's policies are defined in a
sub-folder under that path and __init__.py contains all the
default policies in code which are registered in the ``init``
enforcer function in cloudkitty/common/policy.py.

This commit does the following:
 - Creates the ``policies`` module that contains all the default
   policies in code.
 - Adds the base policy rules into code (context_is_admin,
   admin_or_owner and default rules).
 - Add policies in code for current APIs
 - Add a tox env to generate default policy sample file
 - Delete policy.json from repo as policies in code will be used.

Change-Id: I257e8cefc2b699fc979c717531cd9ba77233d94b
Implements: blueprint policy-in-code
Jeremy Liu
2017-09-05 17:52:45 +08:00
committed by Martin CAMEY
parent 43e1999e9d
commit 7eca672645
27 changed files with 611 additions and 57 deletions


@@ -44,7 +44,7 @@ class ServiceInfoController(rest.RestController):
:return: List of every services.
"""
policy.enforce(pecan.request.context, 'info:list_services_info', {})
policy.authorize(pecan.request.context, 'info:list_services_info', {})
services_info_list = []
for service, metadata in METADATA.items():
info = metadata.copy()
@@ -60,7 +60,7 @@ class ServiceInfoController(rest.RestController):
:param service_name: name of the service.
"""
policy.enforce(pecan.request.context, 'info:get_service_info', {})
policy.authorize(pecan.request.context, 'info:get_service_info', {})
try:
info = METADATA[service_name].copy()
info['service_id'] = service_name
@@ -81,7 +81,7 @@ class InfoController(rest.RestController):
})
def config(self):
"""Return current configuration."""
policy.enforce(pecan.request.context, 'info:get_config', {})
policy.authorize(pecan.request.context, 'info:get_config', {})
info = {}
info["collect"] = ck_utils.get_metrics_conf(CONF.collect.metrics_conf)
return info
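Review bot: The three `policy.authorize(...)` calls in this section pass `{}` as the target, so whatever defaults are registered for `info:list_services_info`, `info:get_service_info` and `info:get_config` cannot depend on target attributes; an owner-style check would have nothing to compare against. The registered defaults are not visible in this section, and `config()` returns the collector metrics configuration, so it is worth confirming that `info:get_config` is not left unprotected by accident. If the project wrapper follows oslo.policy's `authorize`, an unregistered or misspelled rule name raises instead of falling back to the default rule, so a unit test asserting that each of these names is registered would catch that early. A short comment above the call in `config()`, for example `# empty target: the rule must be role/context based`, would document the constraint. The bodies of the two `ServiceInfoController` methods extend beyond the hunks shown.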