Reorganize user and access code
Move the AWS IAM resources to heat/engine/resources/aws/user.py, and move OS::Heat::AccessPolicy to heat/engine/resources/openstack/access_policy.py. Change-Id: I390132cf2c8616c6b68771e0c6d8df460407fe97 Implements: blueprint decouple-aws-os-resources
This commit is contained in:
parent
7dcf6123db
commit
6012fb94e4
@ -28,7 +28,9 @@ LOG = logging.getLogger(__name__)
|
||||
#
|
||||
# We are ignoring Groups as keystone does not support them.
|
||||
# For now support users and accesskeys,
|
||||
# We also now support a limited heat-native Policy implementation
|
||||
# We also now support a limited heat-native Policy implementation, and
|
||||
# the native access policy resource is located at:
|
||||
# heat/engine/resources/openstack/access_policy.py
|
||||
#
|
||||
|
||||
|
||||
@ -267,43 +269,8 @@ class AccessKey(resource.Resource):
|
||||
self.resource_id, access_allowed)
|
||||
|
||||
|
||||
class AccessPolicy(resource.Resource):
|
||||
PROPERTIES = (
|
||||
ALLOWED_RESOURCES,
|
||||
) = (
|
||||
'AllowedResources',
|
||||
)
|
||||
|
||||
properties_schema = {
|
||||
ALLOWED_RESOURCES: properties.Schema(
|
||||
properties.Schema.LIST,
|
||||
_('Resources that users are allowed to access by the '
|
||||
'DescribeStackResource API.'),
|
||||
required=True
|
||||
),
|
||||
}
|
||||
|
||||
def handle_create(self):
|
||||
pass
|
||||
|
||||
def validate(self):
|
||||
"""Make sure all the AllowedResources are present."""
|
||||
super(AccessPolicy, self).validate()
|
||||
|
||||
resources = self.properties[self.ALLOWED_RESOURCES]
|
||||
# All of the provided resource names must exist in this stack
|
||||
for res in resources:
|
||||
if res not in self.stack:
|
||||
msg = _("AccessPolicy resource %s not in stack") % res
|
||||
raise exception.StackValidationFailed(message=msg)
|
||||
|
||||
def access_allowed(self, resource_name):
|
||||
return resource_name in self.properties[self.ALLOWED_RESOURCES]
|
||||
|
||||
|
||||
def resource_mapping():
|
||||
return {
|
||||
'AWS::IAM::User': User,
|
||||
'AWS::IAM::AccessKey': AccessKey,
|
||||
'OS::Heat::AccessPolicy': AccessPolicy,
|
||||
}
|
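--- /dev/null
+++ b/heat/engine/resources/openstack/access_policy.py
@@ -0,0 +1,62 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from heat.common import exception
+from heat.common.i18n import _
+from heat.engine import properties
+from heat.engine import resource
+
+#
+# Notes: Now this resource is actually associated with an AWS user resource,
+# not any OS:: resource though it is registered under the OS namespace below
+#
+
+
+class AccessPolicy(resource.Resource):
+    PROPERTIES = (
+        ALLOWED_RESOURCES,
+    ) = (
+        'AllowedResources',
+    )
+
+    properties_schema = {
+        ALLOWED_RESOURCES: properties.Schema(
+            properties.Schema.LIST,
+            _('Resources that users are allowed to access by the '
+              'DescribeStackResource API.'),
+            required=True
+        ),
+    }
+
+    def handle_create(self):
+        pass
+
+    def validate(self):
+        """Make sure all the AllowedResources are present."""
+        super(AccessPolicy, self).validate()
+
+        resources = self.properties[self.ALLOWED_RESOURCES]
+        # All of the provided resource names must exist in this stack
+        for res in resources:
+            if res not in self.stack:
+                msg = _("AccessPolicy resource %s not in stack") % res
+                raise exception.StackValidationFailed(message=msg)
+
+    def access_allowed(self, resource_name):
+        return resource_name in self.properties[self.ALLOWED_RESOURCES]
+
+
+def resource_mapping():
+    return {
+        'OS::Heat::AccessPolicy': AccessPolicy,
+    }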
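Review bot: `AllowedResources` is declared as a LIST with no element schema, so a template can put non-string entries (a nested list or mapping) into the allow-list, and those reach `res not in self.stack` in `validate()` unchecked; if stack membership is a dict-style lookup, an unhashable entry would surface as a TypeError rather than the intended StackValidationFailed. Adding `schema=properties.Schema(properties.Schema.STRING),` to the `properties.Schema(` call in `properties_schema` makes the property reject anything that is not a list of resource names at validation time, which is where an authorization allow-list should fail. Note also that `access_allowed` is deny-by-default — an empty list denies every resource — which is the right behaviour for a policy resource but is not stated anywhere; a one-line docstring such as `"""Return True only if resource_name is explicitly listed in AllowedResources."""` would make that contract visible to callers in the AWS user resource. The moved code is otherwise identical to what the user.py hunk removes.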
@ -17,7 +17,8 @@ from heat.common import exception
|
||||
from heat.common import short_id
|
||||
from heat.common import template_format
|
||||
from heat.db import api as db_api
|
||||
from heat.engine.resources import user
|
||||
from heat.engine.resources.aws import user
|
||||
from heat.engine.resources.openstack import access_policy as ap
|
||||
from heat.engine import scheduler
|
||||
from heat.tests import common
|
||||
from heat.tests import fakes
|
||||
@ -232,9 +233,9 @@ class UserTest(common.HeatTestCase):
|
||||
rsrc.handle_create)
|
||||
|
||||
def test_user_access_allowed(self):
|
||||
self.m.StubOutWithMock(user.AccessPolicy, 'access_allowed')
|
||||
user.AccessPolicy.access_allowed('a_resource').AndReturn(True)
|
||||
user.AccessPolicy.access_allowed('b_resource').AndReturn(False)
|
||||
self.m.StubOutWithMock(ap.AccessPolicy, 'access_allowed')
|
||||
ap.AccessPolicy.access_allowed('a_resource').AndReturn(True)
|
||||
ap.AccessPolicy.access_allowed('b_resource').AndReturn(False)
|
||||
|
||||
self.m.ReplayAll()
|
||||
|
||||
@ -251,9 +252,9 @@ class UserTest(common.HeatTestCase):
|
||||
self.m.VerifyAll()
|
||||
|
||||
def test_user_access_allowed_ignorepolicy(self):
|
||||
self.m.StubOutWithMock(user.AccessPolicy, 'access_allowed')
|
||||
user.AccessPolicy.access_allowed('a_resource').AndReturn(True)
|
||||
user.AccessPolicy.access_allowed('b_resource').AndReturn(False)
|
||||
self.m.StubOutWithMock(ap.AccessPolicy, 'access_allowed')
|
||||
ap.AccessPolicy.access_allowed('a_resource').AndReturn(True)
|
||||
ap.AccessPolicy.access_allowed('b_resource').AndReturn(False)
|
||||
|
||||
self.m.ReplayAll()
|
||||
|
||||
@ -398,9 +399,9 @@ class AccessPolicyTest(common.HeatTestCase):
|
||||
|
||||
resource_name = 'WebServerAccessPolicy'
|
||||
resource_defns = stack.t.resource_definitions(stack)
|
||||
rsrc = user.AccessPolicy(resource_name,
|
||||
resource_defns[resource_name],
|
||||
stack)
|
||||
rsrc = ap.AccessPolicy(resource_name,
|
||||
resource_defns[resource_name],
|
||||
stack)
|
||||
scheduler.TaskRunner(rsrc.create)()
|
||||
self.assertEqual((rsrc.CREATE, rsrc.COMPLETE), rsrc.state)
|
||||
|
||||
@ -411,9 +412,9 @@ class AccessPolicyTest(common.HeatTestCase):
|
||||
stack = utils.parse_stack(t)
|
||||
|
||||
resource_defns = stack.t.resource_definitions(stack)
|
||||
rsrc = user.AccessPolicy(resource_name,
|
||||
resource_defns[resource_name],
|
||||
stack)
|
||||
rsrc = ap.AccessPolicy(resource_name,
|
||||
resource_defns[resource_name],
|
||||
stack)
|
||||
scheduler.TaskRunner(rsrc.create)()
|
||||
self.assertEqual((rsrc.CREATE, rsrc.COMPLETE), rsrc.state)
|
||||
|
||||
@ -432,9 +433,9 @@ class AccessPolicyTest(common.HeatTestCase):
|
||||
stack = utils.parse_stack(t)
|
||||
|
||||
resource_defns = stack.t.resource_definitions(stack)
|
||||
rsrc = user.AccessPolicy(resource_name,
|
||||
resource_defns[resource_name],
|
||||
stack)
|
||||
rsrc = ap.AccessPolicy(resource_name,
|
||||
resource_defns[resource_name],
|
||||
stack)
|
||||
self.assertTrue(rsrc.access_allowed('WikiDatabase'))
|
||||
self.assertFalse(rsrc.access_allowed('NotWikiDatabase'))
|
||||
self.assertFalse(rsrc.access_allowed(None))
|
||||
|