From 8636c71e1a00175b18b38a98f05e82838ce0b6c2 Mon Sep 17 00:00:00 2001 From: Michael McCune Date: Fri, 29 May 2015 15:47:11 -0400 Subject: [PATCH] Making policy namespaces more unique This adds "data-processing:" to the beginning of all namespaces for sahara's policy based actions. This will help ensure that we minimize the possibility for name collisions in unified policy files. * change policy names in policy.json * change policy names in v10 and v11 api functions * change policy tests to reflect newer names (not strictly necessary but added for consistency) Change-Id: Ieef8c8de25764197a2ed59ba9f71c37fc62a75ca Closes-Bug: 1460196 --- etc/sahara/policy.json | 102 +++++++++++++++--------------- sahara/api/v10.py | 50 +++++++-------- sahara/api/v11.py | 52 +++++++-------- sahara/tests/unit/api/test_acl.py | 8 +-- 4 files changed, 106 insertions(+), 106 deletions(-) diff --git a/etc/sahara/policy.json b/etc/sahara/policy.json index 8915f899..d632ca08 100644 --- a/etc/sahara/policy.json +++ b/etc/sahara/policy.json 
@@ -2,65 +2,65 @@ "context_is_admin": "role:admin", "default": "", - "clusters:get_all": "", - "clusters:create": "", - "clusters:scale": "", - "clusters:get": "", - "clusters:delete": "", + "data-processing:clusters:get_all": "", + "data-processing:clusters:create": "", + "data-processing:clusters:scale": "", + "data-processing:clusters:get": "", + "data-processing:clusters:delete": "", - "cluster-templates:get_all": "", - "cluster-templates:create": "", - "cluster-templates:get": "", - "cluster-templates:modify": "", - "cluster-templates:delete": "", + "data-processing:cluster-templates:get_all": "", + "data-processing:cluster-templates:create": "", + "data-processing:cluster-templates:get": "", + "data-processing:cluster-templates:modify": "", + "data-processing:cluster-templates:delete": "", - "node-group-templates:get_all": "", - "node-group-templates:create": "", - "node-group-templates:get": "", - "node-group-templates:modify": "", - "node-group-templates:delete": "", + "data-processing:node-group-templates:get_all": "", + "data-processing:node-group-templates:create": "", + "data-processing:node-group-templates:get": "", + "data-processing:node-group-templates:modify": "", + "data-processing:node-group-templates:delete": "", - "plugins:get_all": "", - "plugins:get": "", - "plugins:get_version": "", - "plugins:convert_config": "", + "data-processing:plugins:get_all": "", + "data-processing:plugins:get": "", + "data-processing:plugins:get_version": "", + "data-processing:plugins:convert_config": "", - "images:get_all": "", - "images:get": "", - "images:register": "", - "images:unregister": "", - "images:add_tags": "", - "images:remove_tags": "", + "data-processing:images:get_all": "", + "data-processing:images:get": "", + "data-processing:images:register": "", + "data-processing:images:unregister": "", + "data-processing:images:add_tags": "", + "data-processing:images:remove_tags": "", - "job-executions:get_all": "", - "job-executions:get": "", - 
"job-executions:refresh_status": "", - "job-executions:cancel": "", - "job-executions:delete": "", + "data-processing:job-executions:get_all": "", + "data-processing:job-executions:get": "", + "data-processing:job-executions:refresh_status": "", + "data-processing:job-executions:cancel": "", + "data-processing:job-executions:delete": "", - "data-sources:get_all": "", - "data-sources:get": "", - "data-sources:register": "", - "data-sources:delete": "", + "data-processing:data-sources:get_all": "", + "data-processing:data-sources:get": "", + "data-processing:data-sources:register": "", + "data-processing:data-sources:delete": "", - "jobs:get_all": "", - "jobs:create": "", - "jobs:get": "", - "jobs:delete": "", - "jobs:get_config_hints": "", - "jobs:execute": "", + "data-processing:jobs:get_all": "", + "data-processing:jobs:create": "", + "data-processing:jobs:get": "", + "data-processing:jobs:delete": "", + "data-processing:jobs:get_config_hints": "", + "data-processing:jobs:execute": "", - "job-binaries:get_all": "", - "job-binaries:create": "", - "job-binaries:get": "", - "job-binaries:delete": "", - "job-binaries:get_data": "", + "data-processing:job-binaries:get_all": "", + "data-processing:job-binaries:create": "", + "data-processing:job-binaries:get": "", + "data-processing:job-binaries:delete": "", + "data-processing:job-binaries:get_data": "", - "job-binary-internals:get_all": "", - "job-binary-internals:create": "", - "job-binary-internals:get": "", - "job-binary-internals:delete": "", - "job-binary-internals:get_data": "", + "data-processing:job-binary-internals:get_all": "", + "data-processing:job-binary-internals:create": "", + "data-processing:job-binary-internals:get": "", + "data-processing:job-binary-internals:delete": "", + "data-processing:job-binary-internals:get_data": "", - "job-types:get_all": "" + "data-processing:job-types:get_all": "" } diff --git a/sahara/api/v10.py b/sahara/api/v10.py index 5413765a..b427adb4 100644 --- a/sahara/api/v10.py 
+++ b/sahara/api/v10.py @@ -37,21 +37,21 @@ rest = u.Rest('v10', __name__) # Cluster ops @rest.get('/clusters') -@acl.enforce("clusters:get_all") +@acl.enforce("data-processing:clusters:get_all") def clusters_list(): return u.render(clusters=[c.to_dict() for c in api.get_clusters( **u.get_request_args().to_dict())]) @rest.post('/clusters') -@acl.enforce("clusters:create") +@acl.enforce("data-processing:clusters:create") @v.validate(v_c.CLUSTER_SCHEMA, v_c.check_cluster_create) def clusters_create(data): return u.render(api.create_cluster(data).to_wrapped_dict()) @rest.put('/clusters/') -@acl.enforce("clusters:scale") +@acl.enforce("data-processing:clusters:scale") @v.check_exists(api.get_cluster, 'cluster_id') @v.validate(v_c_s.CLUSTER_SCALING_SCHEMA, v_c_s.check_cluster_scaling) def clusters_scale(cluster_id, data): @@ -59,7 +59,7 @@ def clusters_scale(cluster_id, data): @rest.get('/clusters/') -@acl.enforce("clusters:get") +@acl.enforce("data-processing:clusters:get") @v.check_exists(api.get_cluster, 'cluster_id') def clusters_get(cluster_id): data = u.get_request_args() @@ -68,7 +68,7 @@ def clusters_get(cluster_id): @rest.delete('/clusters/') -@acl.enforce("clusters:delete") +@acl.enforce("data-processing:clusters:delete") @v.check_exists(api.get_cluster, 'cluster_id') def clusters_delete(cluster_id): api.terminate_cluster(cluster_id) @@ -78,7 +78,7 @@ def clusters_delete(cluster_id): # ClusterTemplate ops @rest.get('/cluster-templates') -@acl.enforce("cluster-templates:get_all") +@acl.enforce("data-processing:cluster-templates:get_all") def cluster_templates_list(): return u.render( cluster_templates=[t.to_dict() for t in api.get_cluster_templates( @@ -86,7 +86,7 @@ def cluster_templates_list(): @rest.post('/cluster-templates') -@acl.enforce("cluster-templates:create") +@acl.enforce("data-processing:cluster-templates:create") @v.validate(ct_schema.CLUSTER_TEMPLATE_SCHEMA, v_ct.check_cluster_template_create) def cluster_templates_create(data): 
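Review bot: Every `@acl.enforce(...)` decorator in v10.py and v11.py now names only the `data-processing:`-prefixed rule, so an operator policy file that still restricts an old key (a constructed example: `"clusters:delete": "role:admin"`) is no longer consulted after the upgrade. The `acl.enforce` implementation is not visible here, but if an unmatched name is evaluated against the `default` rule, the shipped `"default": ""` would presumably permit the call, and the restriction would be lost without any error. Either have `acl.enforce` fall back to the un-prefixed name, with a deprecation warning, when the prefixed rule is absent from the loaded rules, or flag the rename as upgrade-impacting in the release notes, for example `Policy rule names are now prefixed with "data-processing:"; rules in custom policy files that use the old names are no longer applied.` This applies to all hunks in both API modules and to the key renames in etc/sahara/policy.json.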
@@ -94,7 +94,7 @@ def cluster_templates_create(data): @rest.get('/cluster-templates/') -@acl.enforce("cluster-templates:get") +@acl.enforce("data-processing:cluster-templates:get") @v.check_exists(api.get_cluster_template, 'cluster_template_id') def cluster_templates_get(cluster_template_id): return u.render( @@ -102,7 +102,7 @@ def cluster_templates_get(cluster_template_id): @rest.put('/cluster-templates/') -@acl.enforce("cluster-templates:modify") +@acl.enforce("data-processing:cluster-templates:modify") @v.check_exists(api.get_cluster_template, 'cluster_template_id') @v.validate(ct_schema.CLUSTER_TEMPLATE_UPDATE_SCHEMA, v_ct.check_cluster_template_update) @@ -113,7 +113,7 @@ def cluster_templates_update(cluster_template_id, data): @rest.delete('/cluster-templates/') -@acl.enforce("cluster-templates:delete") +@acl.enforce("data-processing:cluster-templates:delete") @v.check_exists(api.get_cluster_template, 'cluster_template_id') @v.validate(None, v_ct.check_cluster_template_usage) def cluster_templates_delete(cluster_template_id): @@ -124,7 +124,7 @@ def cluster_templates_delete(cluster_template_id): # NodeGroupTemplate ops @rest.get('/node-group-templates') -@acl.enforce("node-group-templates:get_all") +@acl.enforce("data-processing:node-group-templates:get_all") def node_group_templates_list(): return u.render( node_group_templates=[t.to_dict() @@ -133,7 +133,7 @@ def node_group_templates_list(): @rest.post('/node-group-templates') -@acl.enforce("node-group-templates:create") +@acl.enforce("data-processing:node-group-templates:create") @v.validate(ngt_schema.NODE_GROUP_TEMPLATE_SCHEMA, v_ngt.check_node_group_template_create) def node_group_templates_create(data): 
@@ -141,7 +141,7 @@ def node_group_templates_create(data): @rest.get('/node-group-templates/') -@acl.enforce("node-group-templates:get") +@acl.enforce("data-processing:node-group-templates:get") @v.check_exists(api.get_node_group_template, 'node_group_template_id') def node_group_templates_get(node_group_template_id): return u.render( @@ -149,7 +149,7 @@ def node_group_templates_get(node_group_template_id): @rest.put('/node-group-templates/') -@acl.enforce("node-group-templates:modify") +@acl.enforce("data-processing:node-group-templates:modify") @v.check_exists(api.get_node_group_template, 'node_group_template_id') @v.validate(ngt_schema.NODE_GROUP_TEMPLATE_UPDATE_SCHEMA, v_ngt.check_node_group_template_update) @@ -160,7 +160,7 @@ def node_group_templates_update(node_group_template_id, data): @rest.delete('/node-group-templates/') -@acl.enforce("node-group-templates:delete") +@acl.enforce("data-processing:node-group-templates:delete") @v.check_exists(api.get_node_group_template, 'node_group_template_id') @v.validate(None, v_ngt.check_node_group_template_usage) def node_group_templates_delete(node_group_template_id): 
@@ -171,27 +171,27 @@ def node_group_templates_delete(node_group_template_id): # Plugins ops @rest.get('/plugins') -@acl.enforce("plugins:get_all") +@acl.enforce("data-processing:plugins:get_all") def plugins_list(): return u.render(plugins=[p.dict for p in api.get_plugins()]) @rest.get('/plugins/') -@acl.enforce("plugins:get") +@acl.enforce("data-processing:plugins:get") @v.check_exists(api.get_plugin, plugin_name='plugin_name') def plugins_get(plugin_name): return u.render(api.get_plugin(plugin_name).wrapped_dict) @rest.get('/plugins//') -@acl.enforce("plugins:get_version") +@acl.enforce("data-processing:plugins:get_version") @v.check_exists(api.get_plugin, plugin_name='plugin_name', version='version') def plugins_get_version(plugin_name, version): return u.render(api.get_plugin(plugin_name, version).wrapped_dict) @rest.post_file('/plugins///convert-config/') -@acl.enforce("plugins:convert_config") +@acl.enforce("data-processing:plugins:convert_config") @v.check_exists(api.get_plugin, plugin_name='plugin_name', version='version') @v.validate(v_p.CONVERT_TO_TEMPLATE_SCHEMA, v_p.check_convert_to_template) def plugins_convert_to_cluster_template(plugin_name, version, name, data): @@ -204,7 +204,7 @@ def plugins_convert_to_cluster_template(plugin_name, version, name, data): # Image Registry ops @rest.get('/images') -@acl.enforce("images:get_all") +@acl.enforce("data-processing:images:get_all") def images_list(): tags = u.get_request_args().getlist('tags') name = u.get_request_args().get('name', None) 
@@ -212,14 +212,14 @@ def images_list(): @rest.get('/images/') -@acl.enforce("images:get") +@acl.enforce("data-processing:images:get") @v.check_exists(api.get_image, id='image_id') def images_get(image_id): return u.render(api.get_registered_image(id=image_id).wrapped_dict) @rest.post('/images/') -@acl.enforce("images:register") +@acl.enforce("data-processing:images:register") @v.check_exists(api.get_image, id='image_id') @v.validate(v_images.image_register_schema, v_images.check_image_register) def images_set(image_id, data): @@ -227,7 +227,7 @@ def images_set(image_id, data): @rest.delete('/images/') -@acl.enforce("images:unregister") +@acl.enforce("data-processing:images:unregister") @v.check_exists(api.get_image, id='image_id') def images_unset(image_id): api.unregister_image(image_id) @@ -235,7 +235,7 @@ def images_unset(image_id): @rest.post('/images//tag') -@acl.enforce("images:add_tags") +@acl.enforce("data-processing:images:add_tags") @v.check_exists(api.get_image, id='image_id') @v.validate(v_images.image_tags_schema, v_images.check_tags) def image_tags_add(image_id, data): @@ -243,7 +243,7 @@ def image_tags_add(image_id, data): @rest.post('/images//untag') -@acl.enforce("images:remove_tags") +@acl.enforce("data-processing:images:remove_tags") @v.check_exists(api.get_image, id='image_id') @v.validate(v_images.image_tags_schema) def image_tags_delete(image_id, data): diff --git a/sahara/api/v11.py b/sahara/api/v11.py index e06f0b28..e118ebb0 100644 --- a/sahara/api/v11.py +++ b/sahara/api/v11.py @@ -34,7 +34,7 @@ rest = u.Rest('v11', __name__) # Job execution ops @rest.get('/job-executions') -@acl.enforce("job-executions:get_all") +@acl.enforce("data-processing:job-executions:get_all") def job_executions_list(): job_executions = [je.to_dict() for je in api.job_execution_list( **u.get_request_args().to_dict())] 
@@ -42,7 +42,7 @@ def job_executions_list(): @rest.get('/job-executions/') -@acl.enforce("job-executions:get") +@acl.enforce("data-processing:job-executions:get") @v.check_exists(api.get_job_execution, id='job_execution_id') def job_executions(job_execution_id): job_execution = api.get_job_execution(job_execution_id) @@ -50,7 +50,7 @@ def job_executions(job_execution_id): @rest.get('/job-executions//refresh-status') -@acl.enforce("job-executions:refresh_status") +@acl.enforce("data-processing:job-executions:refresh_status") @v.check_exists(api.get_job_execution, id='job_execution_id') def job_executions_status(job_execution_id): job_execution = api.get_job_execution_status(job_execution_id) @@ -58,7 +58,7 @@ def job_executions_status(job_execution_id): @rest.get('/job-executions//cancel') -@acl.enforce("job-executions:cancel") +@acl.enforce("data-processing:job-executions:cancel") @v.check_exists(api.get_job_execution, id='job_execution_id') def job_executions_cancel(job_execution_id): job_execution = api.cancel_job_execution(job_execution_id) @@ -66,7 +66,7 @@ def job_executions_cancel(job_execution_id): @rest.delete('/job-executions/') -@acl.enforce("job-executions:delete") +@acl.enforce("data-processing:job-executions:delete") @v.check_exists(api.get_job_execution, id='job_execution_id') def job_executions_delete(job_execution_id): api.delete_job_execution(job_execution_id) @@ -76,7 +76,7 @@ def job_executions_delete(job_execution_id): # Data source ops @rest.get('/data-sources') -@acl.enforce("data-sources:get_all") +@acl.enforce("data-processing:data-sources:get_all") def data_sources_list(): return u.render( data_sources=[ds.to_dict() for ds in api.get_data_sources( 
@@ -84,21 +84,21 @@ def data_sources_list(): @rest.post('/data-sources') -@acl.enforce("data-sources:register") +@acl.enforce("data-processing:data-sources:register") @v.validate(v_d_s.DATA_SOURCE_SCHEMA, v_d_s.check_data_source_create) def data_source_register(data): return u.render(api.register_data_source(data).to_wrapped_dict()) @rest.get('/data-sources/') -@acl.enforce("data-sources:get") +@acl.enforce("data-processing:data-sources:get") @v.check_exists(api.get_data_source, 'data_source_id') def data_source_get(data_source_id): return u.render(api.get_data_source(data_source_id).to_wrapped_dict()) @rest.delete('/data-sources/') -@acl.enforce("data-sources:delete") +@acl.enforce("data-processing:data-sources:delete") @v.check_exists(api.get_data_source, 'data_source_id') def data_source_delete(data_source_id): api.delete_data_source(data_source_id) @@ -108,28 +108,28 @@ def data_source_delete(data_source_id): # Job ops @rest.get('/jobs') -@acl.enforce("jobs:get_all") +@acl.enforce("data-processing:jobs:get_all") def job_list(): return u.render(jobs=[j.to_dict() for j in api.get_jobs( **u.get_request_args().to_dict())]) @rest.post('/jobs') -@acl.enforce("jobs:create") +@acl.enforce("data-processing:jobs:create") @v.validate(v_j.JOB_SCHEMA, v_j.check_mains_libs) def job_create(data): return u.render(api.create_job(data).to_wrapped_dict()) @rest.get('/jobs/') -@acl.enforce("jobs:get") +@acl.enforce("data-processing:jobs:get") @v.check_exists(api.get_job, id='job_id') def job_get(job_id): return u.render(api.get_job(job_id).to_wrapped_dict()) @rest.delete('/jobs/') -@acl.enforce("jobs:delete") +@acl.enforce("data-processing:jobs:delete") @v.check_exists(api.get_job, id='job_id') def job_delete(job_id): api.delete_job(job_id) 
@@ -137,7 +137,7 @@ def job_delete(job_id): @rest.post('/jobs//execute') -@acl.enforce("jobs:execute") +@acl.enforce("data-processing:jobs:execute") @v.check_exists(api.get_job, id='job_id') @v.validate(v_j_e.JOB_EXEC_SCHEMA, v_j_e.check_job_execution) def job_execute(job_id, data): @@ -145,14 +145,14 @@ def job_execute(job_id, data): @rest.get('/jobs/config-hints/') -@acl.enforce("jobs:get_config_hints") +@acl.enforce("data-processing:jobs:get_config_hints") @v.check_exists(api.get_job_config_hints, job_type='job_type') def job_config_hints_get(job_type): return u.render(api.get_job_config_hints(job_type)) @rest.get('/job-types') -@acl.enforce("job-types:get_all") +@acl.enforce("data-processing:job-types:get_all") def job_types_get(): # We want to use flat=False with to_dict() so that # the value of each arg is given as a list. This supports @@ -164,28 +164,28 @@ def job_types_get(): @rest.post('/job-binaries') -@acl.enforce("job-binaries:create") +@acl.enforce("data-processing:job-binaries:create") @v.validate(v_j_b.JOB_BINARY_SCHEMA, v_j_b.check_job_binary) def job_binary_create(data): return u.render(api.create_job_binary(data).to_wrapped_dict()) @rest.get('/job-binaries') -@acl.enforce("job-binaries:get_all") +@acl.enforce("data-processing:job-binaries:get_all") def job_binary_list(): return u.render(binaries=[j.to_dict() for j in api.get_job_binaries( **u.get_request_args().to_dict())]) @rest.get('/job-binaries/') -@acl.enforce("job-binaries:get") +@acl.enforce("data-processing:job-binaries:get") @v.check_exists(api.get_job_binary, 'job_binary_id') def job_binary_get(job_binary_id): return u.render(api.get_job_binary(job_binary_id).to_wrapped_dict()) @rest.delete('/job-binaries/') -@acl.enforce("job-binaries:delete") +@acl.enforce("data-processing:job-binaries:delete") @v.check_exists(api.get_job_binary, id='job_binary_id') def job_binary_delete(job_binary_id): api.delete_job_binary(job_binary_id) 
@@ -193,7 +193,7 @@ def job_binary_delete(job_binary_id): @rest.get('/job-binaries//data') -@acl.enforce("job-binaries:get_data") +@acl.enforce("data-processing:job-binaries:get_data") @v.check_exists(api.get_job_binary, 'job_binary_id') def job_binary_data(job_binary_id): data = api.get_job_binary_data(job_binary_id) @@ -205,14 +205,14 @@ def job_binary_data(job_binary_id): # Job binary internals ops @rest.put_file('/job-binary-internals/') -@acl.enforce("job-binary-internals:create") +@acl.enforce("data-processing:job-binary-internals:create") @v.validate(None, v_j_b_i.check_job_binary_internal) def job_binary_internal_create(**values): return u.render(api.create_job_binary_internal(values).to_wrapped_dict()) @rest.get('/job-binary-internals') -@acl.enforce("job-binary-internals:get_all") +@acl.enforce("data-processing:job-binary-internals:get_all") def job_binary_internal_list(): return u.render(binaries=[j.to_dict() for j in api.get_job_binary_internals( @@ -220,7 +220,7 @@ def job_binary_internal_list(): @rest.get('/job-binary-internals/') -@acl.enforce("job-binary-internals:get") +@acl.enforce("data-processing:job-binary-internals:get") @v.check_exists(api.get_job_binary_internal, 'job_binary_internal_id') def job_binary_internal_get(job_binary_internal_id): return u.render(api.get_job_binary_internal(job_binary_internal_id @@ -228,7 +228,7 @@ def job_binary_internal_get(job_binary_internal_id): @rest.delete('/job-binary-internals/') -@acl.enforce("job-binary-internals:delete") +@acl.enforce("data-processing:job-binary-internals:delete") @v.check_exists(api.get_job_binary_internal, 'job_binary_internal_id') def job_binary_internal_delete(job_binary_internal_id): api.delete_job_binary_internal(job_binary_internal_id) 
@@ -236,7 +236,7 @@ def job_binary_internal_delete(job_binary_internal_id): @rest.get('/job-binary-internals//data') -@acl.enforce("job-binary-internals:get_data") +@acl.enforce("data-processing:job-binary-internals:get_data") @v.check_exists(api.get_job_binary_internal, 'job_binary_internal_id') def job_binary_internal_data(job_binary_internal_id): return api.get_job_binary_internal_data(job_binary_internal_id) diff --git a/sahara/tests/unit/api/test_acl.py b/sahara/tests/unit/api/test_acl.py index 0b008929..a7d799c7 100644 --- a/sahara/tests/unit/api/test_acl.py +++ b/sahara/tests/unit/api/test_acl.py @@ -28,21 +28,21 @@ class TestAcl(base.SaharaTestCase): acl.ENFORCER.set_rules(rules, use_conf=False) def test_policy_allow(self): - @acl.enforce("clusters:get_all") + @acl.enforce("data-processing:clusters:get_all") def test(): pass - json = '{"clusters:get_all": ""}' + json = '{"data-processing:clusters:get_all": ""}' self._set_policy(json) test() def test_policy_deny(self): - @acl.enforce("clusters:get_all") + @acl.enforce("data-processing:clusters:get_all") def test(): pass - json = '{"clusters:get_all": "!"}' + json = '{"data-processing:clusters:get_all": "!"}' self._set_policy(json) self.assertRaises(ex.Forbidden, test)
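Review bot: Both tests in TestAcl load a policy containing exactly the rule the decorator names, so they pass under either naming scheme (the commit message says as much) and do not pin what happens when the loaded policy holds only the old key. Add a case that sets a legacy-only policy, for example the constructed value `'{"clusters:get_all": "!"}'`, decorates with `"data-processing:clusters:get_all"`, and asserts the outcome the project intends for an unmatched rule. A second check, that every name passed to `acl.enforce` in sahara/api/v10.py and v11.py is a key in etc/sahara/policy.json, would catch a mistyped prefix, whose effect otherwise depends on how unknown rules are resolved. The TestAcl class starts outside this hunk.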