From f8c346230cb51845d60df671cb1a8b8aa95c7da7 Mon Sep 17 00:00:00 2001
From: Felipe Monteiro
Date: Thu, 1 Jun 2017 22:13:21 +0100
Subject: [PATCH] Policy in code for environment templates

This commit implements policy in code for the environment templates API. The default rules for the environment templates API were removed from the policy.json and moved into code under murano.common.policies.env_template.
This commit specifically:
- Moves policy actions related to the environment templates API from the policy.json into code.
- Documents the API information and paths associated with each environment template policy.
- Updates the ``create_environment`` policy action documentation in murano.common.policies.environment to include API /v1/templates/{env_template_id}/create-environment which enforces this policy as well.
Partially Implements: blueprint policy-in-code
Change-Id: I715f4b0a61fd4404e20b88736a9a4c86fc038b55
---
 etc/murano/policy.json | 6 ---
 murano/common/policies/__init__.py | 4 +-
 murano/common/policies/env_template.py | 61 ++++++++++++++++++++++++++
 murano/common/policies/environment.py | 10 +++--
 4 files changed, 71 insertions(+), 10 deletions(-)
 create mode 100644 murano/common/policies/env_template.py
diff --git a/etc/murano/policy.json b/etc/murano/policy.json
index 6afd20fa..7c72b1a8 100644
--- a/etc/murano/policy.json
+++ b/etc/murano/policy.json
@@ -19,12 +19,6 @@
 "list_deployments_all_environments": "rule:default",
 "statuses_deployments": "rule:default",
- "list_env_templates": "rule:default",
- "create_env_template": "rule:default",
- "show_env_template": "rule:default",
- "update_env_template": "rule:default",
- "delete_env_template": "rule:default",
-
 "execute_action": "rule:default"
 }
diff --git a/murano/common/policies/__init__.py b/murano/common/policies/__init__.py
index f5a29b75..d8b1ad9e 100644
--- a/murano/common/policies/__init__.py
+++ b/murano/common/policies/__init__.py
@@ -15,10 +15,12 @@
 import itertools
+from murano.common.policies import env_template
 from murano.common.policies import environment
 def list_rules():
 return itertools.chain(
- environment.list_rules()
+ environment.list_rules(),
+ env_template.list_rules()
 )
diff --git a/murano/common/policies/env_template.py b/murano/common/policies/env_template.py
new file mode 100644
index 00000000..9cd2e7f4
--- /dev/null
+++ b/murano/common/policies/env_template.py
@@ -0,0 +1,61 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from murano.common.policies import base
+
+template_policies = [
+ policy.DocumentedRuleDefault(
+ name='list_env_templates',
+ check_str=base.RULE_DEFAULT,
+ description='List environment templates in a project.',
+ operations=[{'path': '/v1/templates',
+ 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ name='create_env_template',
+ check_str=base.RULE_DEFAULT,
+ description='Create an environment template.',
+ operations=[{'path': '/v1/templates',
+ 'method': 'POST'}]),
+ policy.DocumentedRuleDefault(
+ name='show_env_template',
+ check_str=base.RULE_DEFAULT,
+ description='Show environment template details.',
+ operations=[{'path': '/v1/templates/{env_template_id}',
+ 'method': 'GET'}]),
+ policy.DocumentedRuleDefault(
+ name='update_env_template',
+ check_str=base.RULE_DEFAULT,
+ description='Update an environment template.',
+ operations=[{'path': '/v1/templates/{env_template_id}',
+ 'method': 'PUT'}]),
+ policy.DocumentedRuleDefault(
+ name='delete_env_template',
+ check_str=base.RULE_DEFAULT,
+ description='Delete an environment template.',
+ operations=[{'path': '/v1/templates/{env_template_id}',
+ 'method': 'DELETE'}]),
+ policy.DocumentedRuleDefault(
+ name='clone_env_template',
+ check_str=base.RULE_DEFAULT,
+ description='Clone an environment template.',
+ operations=[{'path': '/v1/templates/{env_template_id}/clone',
+ 'method': 'POST'}])
+]
+
+
+def list_rules():
+ return template_policies
diff --git a/murano/common/policies/environment.py b/murano/common/policies/environment.py
index e7cff07d..6752e5b1 100644
--- a/murano/common/policies/environment.py
+++ b/murano/common/policies/environment.py
@@ -50,9 +50,13 @@ environment_policies = [
 policy.DocumentedRuleDefault(
 name='create_environment',
 check_str=base.RULE_DEFAULT,
- description='Create an environment.',
- operations=[{'path': '/v1/environments/{environment_id}',
- 'method': 'POST'}]),
+ description='Create an environment or create an environment and '
+ 'session from an environment template.',
+ operations=[
+ {'path': '/v1/environments/{environment_id}',
+ 'method': 'POST'},
+ {'path': '/v1/templates/{env_template_id}/create-environment',
+ 'method': 'POST'}]),
 policy.DocumentedRuleDefault(
 name='delete_environment',
 check_str=base.RULE_DEFAULT,
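Review bot: `clone_env_template`, the last entry of `template_policies` in the new murano/common/policies/env_template.py, has no counterpart among the five `*_env_template` keys that the policy.json hunk of this patch deletes, so as far as the patch shows it is a newly registered default rather than a moved one, although the commit message describes only a move. It is worth confirming that the clone handler enforces exactly this rule name and that `base.RULE_DEFAULT`, which is defined outside this patch, grants no more than callers had before. All six rules, including update and delete, share that one check string, so any tightening is left to operator overrides. A comment above the entry would record the difference, for example `# Not among the rules moved from etc/murano/policy.json; registered here as a new in-code default.`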
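Review bot: The first entry of the new `operations` list for `create_environment` still reads `{'path': '/v1/environments/{environment_id}', 'method': 'POST'}`, carried over from the removed line; a create call would not normally carry an id in its path, so this probably should be `'/v1/environments'` and is worth checking against the API router. These documented paths are what operators rely on to map a rule to an endpoint, so a wrong path can lead to a rule being tightened or audited against the wrong route. With the second operation added, one rule now gates both direct creation and creation from a template; whether the template route also checks `show_env_template` is not visible here and would be worth stating in the description. The `environment_policies` list begins and ends outside this hunk.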