Making policy namespaces more unique

This adds "data-processing:" to the beginning of all namespaces for
sahara's policy-based actions. This helps minimize the possibility of
name collisions in unified policy files.

* change policy names in policy.json
* change policy names in v10 and v11 api functions
* change policy tests to reflect newer names (not strictly necessary but
  added for consistency)

Change-Id: Ieef8c8de25764197a2ed59ba9f71c37fc62a75ca
Closes-Bug: 1460196
Michael McCune 2015-05-29 15:47:11 -04:00
parent 4c048161e0
commit 8636c71e1a
4 changed files with 106 additions and 106 deletions


@ -2,65 +2,65 @@
"context_is_admin": "role:admin",
"default": "",
"clusters:get_all": "",
"clusters:create": "",
"clusters:scale": "",
"clusters:get": "",
"clusters:delete": "",
"data-processing:clusters:get_all": "",
"data-processing:clusters:create": "",
"data-processing:clusters:scale": "",
"data-processing:clusters:get": "",
"data-processing:clusters:delete": "",
"cluster-templates:get_all": "",
"cluster-templates:create": "",
"cluster-templates:get": "",
"cluster-templates:modify": "",
"cluster-templates:delete": "",
"data-processing:cluster-templates:get_all": "",
"data-processing:cluster-templates:create": "",
"data-processing:cluster-templates:get": "",
"data-processing:cluster-templates:modify": "",
"data-processing:cluster-templates:delete": "",
"node-group-templates:get_all": "",
"node-group-templates:create": "",
"node-group-templates:get": "",
"node-group-templates:modify": "",
"node-group-templates:delete": "",
"data-processing:node-group-templates:get_all": "",
"data-processing:node-group-templates:create": "",
"data-processing:node-group-templates:get": "",
"data-processing:node-group-templates:modify": "",
"data-processing:node-group-templates:delete": "",
"plugins:get_all": "",
"plugins:get": "",
"plugins:get_version": "",
"plugins:convert_config": "",
"data-processing:plugins:get_all": "",
"data-processing:plugins:get": "",
"data-processing:plugins:get_version": "",
"data-processing:plugins:convert_config": "",
"images:get_all": "",
"images:get": "",
"images:register": "",
"images:unregister": "",
"images:add_tags": "",
"images:remove_tags": "",
"data-processing:images:get_all": "",
"data-processing:images:get": "",
"data-processing:images:register": "",
"data-processing:images:unregister": "",
"data-processing:images:add_tags": "",
"data-processing:images:remove_tags": "",
"job-executions:get_all": "",
"job-executions:get": "",
"job-executions:refresh_status": "",
"job-executions:cancel": "",
"job-executions:delete": "",
"data-processing:job-executions:get_all": "",
"data-processing:job-executions:get": "",
"data-processing:job-executions:refresh_status": "",
"data-processing:job-executions:cancel": "",
"data-processing:job-executions:delete": "",
"data-sources:get_all": "",
"data-sources:get": "",
"data-sources:register": "",
"data-sources:delete": "",
"data-processing:data-sources:get_all": "",
"data-processing:data-sources:get": "",
"data-processing:data-sources:register": "",
"data-processing:data-sources:delete": "",
"jobs:get_all": "",
"jobs:create": "",
"jobs:get": "",
"jobs:delete": "",
"jobs:get_config_hints": "",
"jobs:execute": "",
"data-processing:jobs:get_all": "",
"data-processing:jobs:create": "",
"data-processing:jobs:get": "",
"data-processing:jobs:delete": "",
"data-processing:jobs:get_config_hints": "",
"data-processing:jobs:execute": "",
"job-binaries:get_all": "",
"job-binaries:create": "",
"job-binaries:get": "",
"job-binaries:delete": "",
"job-binaries:get_data": "",
"data-processing:job-binaries:get_all": "",
"data-processing:job-binaries:create": "",
"data-processing:job-binaries:get": "",
"data-processing:job-binaries:delete": "",
"data-processing:job-binaries:get_data": "",
"job-binary-internals:get_all": "",
"job-binary-internals:create": "",
"job-binary-internals:get": "",
"job-binary-internals:delete": "",
"job-binary-internals:get_data": "",
"data-processing:job-binary-internals:get_all": "",
"data-processing:job-binary-internals:create": "",
"data-processing:job-binary-internals:get": "",
"data-processing:job-binary-internals:delete": "",
"data-processing:job-binary-internals:get_data": "",
"job-types:get_all": ""
"data-processing:job-types:get_all": ""
}
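Review bot: Renaming every key in this file leaves no compatibility path for deployments that already carry a customised policy file, and the `"default": ""` entry at the top of the hunk makes that matter. An operator who restricted `"clusters:delete"` under the old name keeps that line after upgrade, while the API now asks for `data-processing:clusters:delete`. If the enforcer resolves unknown names through the `default` rule, as oslo.policy-style enforcers usually do (the acl module is not visible here), the restriction silently stops applying. I would either accept the old names for one release or ship an upgrade note such as `Policy rule names are now prefixed with "data-processing:"; rename any customised rules before upgrading, un-prefixed names are no longer consulted.` Shipping a restrictive `"default"` instead of `""` would also make an unmatched name fail closed.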


@ -37,21 +37,21 @@ rest = u.Rest('v10', __name__)
# Cluster ops
@rest.get('/clusters')
@acl.enforce("clusters:get_all")
@acl.enforce("data-processing:clusters:get_all")
def clusters_list():
return u.render(clusters=[c.to_dict() for c in api.get_clusters(
**u.get_request_args().to_dict())])
@rest.post('/clusters')
@acl.enforce("clusters:create")
@acl.enforce("data-processing:clusters:create")
@v.validate(v_c.CLUSTER_SCHEMA, v_c.check_cluster_create)
def clusters_create(data):
return u.render(api.create_cluster(data).to_wrapped_dict())
@rest.put('/clusters/<cluster_id>')
@acl.enforce("clusters:scale")
@acl.enforce("data-processing:clusters:scale")
@v.check_exists(api.get_cluster, 'cluster_id')
@v.validate(v_c_s.CLUSTER_SCALING_SCHEMA, v_c_s.check_cluster_scaling)
def clusters_scale(cluster_id, data):
@ -59,7 +59,7 @@ def clusters_scale(cluster_id, data):
@rest.get('/clusters/<cluster_id>')
@acl.enforce("clusters:get")
@acl.enforce("data-processing:clusters:get")
@v.check_exists(api.get_cluster, 'cluster_id')
def clusters_get(cluster_id):
data = u.get_request_args()
@ -68,7 +68,7 @@ def clusters_get(cluster_id):
@rest.delete('/clusters/<cluster_id>')
@acl.enforce("clusters:delete")
@acl.enforce("data-processing:clusters:delete")
@v.check_exists(api.get_cluster, 'cluster_id')
def clusters_delete(cluster_id):
api.terminate_cluster(cluster_id)
@ -78,7 +78,7 @@ def clusters_delete(cluster_id):
# ClusterTemplate ops
@rest.get('/cluster-templates')
@acl.enforce("cluster-templates:get_all")
@acl.enforce("data-processing:cluster-templates:get_all")
def cluster_templates_list():
return u.render(
cluster_templates=[t.to_dict() for t in api.get_cluster_templates(
@ -86,7 +86,7 @@ def cluster_templates_list():
@rest.post('/cluster-templates')
@acl.enforce("cluster-templates:create")
@acl.enforce("data-processing:cluster-templates:create")
@v.validate(ct_schema.CLUSTER_TEMPLATE_SCHEMA,
v_ct.check_cluster_template_create)
def cluster_templates_create(data):
@ -94,7 +94,7 @@ def cluster_templates_create(data):
@rest.get('/cluster-templates/<cluster_template_id>')
@acl.enforce("cluster-templates:get")
@acl.enforce("data-processing:cluster-templates:get")
@v.check_exists(api.get_cluster_template, 'cluster_template_id')
def cluster_templates_get(cluster_template_id):
return u.render(
@ -102,7 +102,7 @@ def cluster_templates_get(cluster_template_id):
@rest.put('/cluster-templates/<cluster_template_id>')
@acl.enforce("cluster-templates:modify")
@acl.enforce("data-processing:cluster-templates:modify")
@v.check_exists(api.get_cluster_template, 'cluster_template_id')
@v.validate(ct_schema.CLUSTER_TEMPLATE_UPDATE_SCHEMA,
v_ct.check_cluster_template_update)
@ -113,7 +113,7 @@ def cluster_templates_update(cluster_template_id, data):
@rest.delete('/cluster-templates/<cluster_template_id>')
@acl.enforce("cluster-templates:delete")
@acl.enforce("data-processing:cluster-templates:delete")
@v.check_exists(api.get_cluster_template, 'cluster_template_id')
@v.validate(None, v_ct.check_cluster_template_usage)
def cluster_templates_delete(cluster_template_id):
@ -124,7 +124,7 @@ def cluster_templates_delete(cluster_template_id):
# NodeGroupTemplate ops
@rest.get('/node-group-templates')
@acl.enforce("node-group-templates:get_all")
@acl.enforce("data-processing:node-group-templates:get_all")
def node_group_templates_list():
return u.render(
node_group_templates=[t.to_dict()
@ -133,7 +133,7 @@ def node_group_templates_list():
@rest.post('/node-group-templates')
@acl.enforce("node-group-templates:create")
@acl.enforce("data-processing:node-group-templates:create")
@v.validate(ngt_schema.NODE_GROUP_TEMPLATE_SCHEMA,
v_ngt.check_node_group_template_create)
def node_group_templates_create(data):
@ -141,7 +141,7 @@ def node_group_templates_create(data):
@rest.get('/node-group-templates/<node_group_template_id>')
@acl.enforce("node-group-templates:get")
@acl.enforce("data-processing:node-group-templates:get")
@v.check_exists(api.get_node_group_template, 'node_group_template_id')
def node_group_templates_get(node_group_template_id):
return u.render(
@ -149,7 +149,7 @@ def node_group_templates_get(node_group_template_id):
@rest.put('/node-group-templates/<node_group_template_id>')
@acl.enforce("node-group-templates:modify")
@acl.enforce("data-processing:node-group-templates:modify")
@v.check_exists(api.get_node_group_template, 'node_group_template_id')
@v.validate(ngt_schema.NODE_GROUP_TEMPLATE_UPDATE_SCHEMA,
v_ngt.check_node_group_template_update)
@ -160,7 +160,7 @@ def node_group_templates_update(node_group_template_id, data):
@rest.delete('/node-group-templates/<node_group_template_id>')
@acl.enforce("node-group-templates:delete")
@acl.enforce("data-processing:node-group-templates:delete")
@v.check_exists(api.get_node_group_template, 'node_group_template_id')
@v.validate(None, v_ngt.check_node_group_template_usage)
def node_group_templates_delete(node_group_template_id):
@ -171,27 +171,27 @@ def node_group_templates_delete(node_group_template_id):
# Plugins ops
@rest.get('/plugins')
@acl.enforce("plugins:get_all")
@acl.enforce("data-processing:plugins:get_all")
def plugins_list():
return u.render(plugins=[p.dict for p in api.get_plugins()])
@rest.get('/plugins/<plugin_name>')
@acl.enforce("plugins:get")
@acl.enforce("data-processing:plugins:get")
@v.check_exists(api.get_plugin, plugin_name='plugin_name')
def plugins_get(plugin_name):
return u.render(api.get_plugin(plugin_name).wrapped_dict)
@rest.get('/plugins/<plugin_name>/<version>')
@acl.enforce("plugins:get_version")
@acl.enforce("data-processing:plugins:get_version")
@v.check_exists(api.get_plugin, plugin_name='plugin_name', version='version')
def plugins_get_version(plugin_name, version):
return u.render(api.get_plugin(plugin_name, version).wrapped_dict)
@rest.post_file('/plugins/<plugin_name>/<version>/convert-config/<name>')
@acl.enforce("plugins:convert_config")
@acl.enforce("data-processing:plugins:convert_config")
@v.check_exists(api.get_plugin, plugin_name='plugin_name', version='version')
@v.validate(v_p.CONVERT_TO_TEMPLATE_SCHEMA, v_p.check_convert_to_template)
def plugins_convert_to_cluster_template(plugin_name, version, name, data):
@ -204,7 +204,7 @@ def plugins_convert_to_cluster_template(plugin_name, version, name, data):
# Image Registry ops
@rest.get('/images')
@acl.enforce("images:get_all")
@acl.enforce("data-processing:images:get_all")
def images_list():
tags = u.get_request_args().getlist('tags')
name = u.get_request_args().get('name', None)
@ -212,14 +212,14 @@ def images_list():
@rest.get('/images/<image_id>')
@acl.enforce("images:get")
@acl.enforce("data-processing:images:get")
@v.check_exists(api.get_image, id='image_id')
def images_get(image_id):
return u.render(api.get_registered_image(id=image_id).wrapped_dict)
@rest.post('/images/<image_id>')
@acl.enforce("images:register")
@acl.enforce("data-processing:images:register")
@v.check_exists(api.get_image, id='image_id')
@v.validate(v_images.image_register_schema, v_images.check_image_register)
def images_set(image_id, data):
@ -227,7 +227,7 @@ def images_set(image_id, data):
@rest.delete('/images/<image_id>')
@acl.enforce("images:unregister")
@acl.enforce("data-processing:images:unregister")
@v.check_exists(api.get_image, id='image_id')
def images_unset(image_id):
api.unregister_image(image_id)
@ -235,7 +235,7 @@ def images_unset(image_id):
@rest.post('/images/<image_id>/tag')
@acl.enforce("images:add_tags")
@acl.enforce("data-processing:images:add_tags")
@v.check_exists(api.get_image, id='image_id')
@v.validate(v_images.image_tags_schema, v_images.check_tags)
def image_tags_add(image_id, data):
@ -243,7 +243,7 @@ def image_tags_add(image_id, data):
@rest.post('/images/<image_id>/untag')
@acl.enforce("images:remove_tags")
@acl.enforce("data-processing:images:remove_tags")
@v.check_exists(api.get_image, id='image_id')
@v.validate(v_images.image_tags_schema)
def image_tags_delete(image_id, data):
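Review bot: Every `@acl.enforce(...)` decorator in this file, and the same decorators in the v11 file that follows, now repeats the `data-processing:` prefix as a string literal that must match a policy.json key character for character, and nothing visible checks that it does. A typo in one of these names would not fail at import time; presumably it would be evaluated against whatever the enforcer does for an unknown rule, which should be confirmed in the acl module. A module-level constant used as `@acl.enforce(POLICY_PREFIX + "clusters:get_all")` would make the mapping checkable, as would a unit test that collects the enforced names and asserts each is a key of the shipped policy file. The hunks show only the decorator stacks; the function bodies continue outside them.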


@ -34,7 +34,7 @@ rest = u.Rest('v11', __name__)
# Job execution ops
@rest.get('/job-executions')
@acl.enforce("job-executions:get_all")
@acl.enforce("data-processing:job-executions:get_all")
def job_executions_list():
job_executions = [je.to_dict() for je in api.job_execution_list(
**u.get_request_args().to_dict())]
@ -42,7 +42,7 @@ def job_executions_list():
@rest.get('/job-executions/<job_execution_id>')
@acl.enforce("job-executions:get")
@acl.enforce("data-processing:job-executions:get")
@v.check_exists(api.get_job_execution, id='job_execution_id')
def job_executions(job_execution_id):
job_execution = api.get_job_execution(job_execution_id)
@ -50,7 +50,7 @@ def job_executions(job_execution_id):
@rest.get('/job-executions/<job_execution_id>/refresh-status')
@acl.enforce("job-executions:refresh_status")
@acl.enforce("data-processing:job-executions:refresh_status")
@v.check_exists(api.get_job_execution, id='job_execution_id')
def job_executions_status(job_execution_id):
job_execution = api.get_job_execution_status(job_execution_id)
@ -58,7 +58,7 @@ def job_executions_status(job_execution_id):
@rest.get('/job-executions/<job_execution_id>/cancel')
@acl.enforce("job-executions:cancel")
@acl.enforce("data-processing:job-executions:cancel")
@v.check_exists(api.get_job_execution, id='job_execution_id')
def job_executions_cancel(job_execution_id):
job_execution = api.cancel_job_execution(job_execution_id)
@ -66,7 +66,7 @@ def job_executions_cancel(job_execution_id):
@rest.delete('/job-executions/<job_execution_id>')
@acl.enforce("job-executions:delete")
@acl.enforce("data-processing:job-executions:delete")
@v.check_exists(api.get_job_execution, id='job_execution_id')
def job_executions_delete(job_execution_id):
api.delete_job_execution(job_execution_id)
@ -76,7 +76,7 @@ def job_executions_delete(job_execution_id):
# Data source ops
@rest.get('/data-sources')
@acl.enforce("data-sources:get_all")
@acl.enforce("data-processing:data-sources:get_all")
def data_sources_list():
return u.render(
data_sources=[ds.to_dict() for ds in api.get_data_sources(
@ -84,21 +84,21 @@ def data_sources_list():
@rest.post('/data-sources')
@acl.enforce("data-sources:register")
@acl.enforce("data-processing:data-sources:register")
@v.validate(v_d_s.DATA_SOURCE_SCHEMA, v_d_s.check_data_source_create)
def data_source_register(data):
return u.render(api.register_data_source(data).to_wrapped_dict())
@rest.get('/data-sources/<data_source_id>')
@acl.enforce("data-sources:get")
@acl.enforce("data-processing:data-sources:get")
@v.check_exists(api.get_data_source, 'data_source_id')
def data_source_get(data_source_id):
return u.render(api.get_data_source(data_source_id).to_wrapped_dict())
@rest.delete('/data-sources/<data_source_id>')
@acl.enforce("data-sources:delete")
@acl.enforce("data-processing:data-sources:delete")
@v.check_exists(api.get_data_source, 'data_source_id')
def data_source_delete(data_source_id):
api.delete_data_source(data_source_id)
@ -108,28 +108,28 @@ def data_source_delete(data_source_id):
# Job ops
@rest.get('/jobs')
@acl.enforce("jobs:get_all")
@acl.enforce("data-processing:jobs:get_all")
def job_list():
return u.render(jobs=[j.to_dict() for j in api.get_jobs(
**u.get_request_args().to_dict())])
@rest.post('/jobs')
@acl.enforce("jobs:create")
@acl.enforce("data-processing:jobs:create")
@v.validate(v_j.JOB_SCHEMA, v_j.check_mains_libs)
def job_create(data):
return u.render(api.create_job(data).to_wrapped_dict())
@rest.get('/jobs/<job_id>')
@acl.enforce("jobs:get")
@acl.enforce("data-processing:jobs:get")
@v.check_exists(api.get_job, id='job_id')
def job_get(job_id):
return u.render(api.get_job(job_id).to_wrapped_dict())
@rest.delete('/jobs/<job_id>')
@acl.enforce("jobs:delete")
@acl.enforce("data-processing:jobs:delete")
@v.check_exists(api.get_job, id='job_id')
def job_delete(job_id):
api.delete_job(job_id)
@ -137,7 +137,7 @@ def job_delete(job_id):
@rest.post('/jobs/<job_id>/execute')
@acl.enforce("jobs:execute")
@acl.enforce("data-processing:jobs:execute")
@v.check_exists(api.get_job, id='job_id')
@v.validate(v_j_e.JOB_EXEC_SCHEMA, v_j_e.check_job_execution)
def job_execute(job_id, data):
@ -145,14 +145,14 @@ def job_execute(job_id, data):
@rest.get('/jobs/config-hints/<job_type>')
@acl.enforce("jobs:get_config_hints")
@acl.enforce("data-processing:jobs:get_config_hints")
@v.check_exists(api.get_job_config_hints, job_type='job_type')
def job_config_hints_get(job_type):
return u.render(api.get_job_config_hints(job_type))
@rest.get('/job-types')
@acl.enforce("job-types:get_all")
@acl.enforce("data-processing:job-types:get_all")
def job_types_get():
# We want to use flat=False with to_dict() so that
# the value of each arg is given as a list. This supports
@ -164,28 +164,28 @@ def job_types_get():
@rest.post('/job-binaries')
@acl.enforce("job-binaries:create")
@acl.enforce("data-processing:job-binaries:create")
@v.validate(v_j_b.JOB_BINARY_SCHEMA, v_j_b.check_job_binary)
def job_binary_create(data):
return u.render(api.create_job_binary(data).to_wrapped_dict())
@rest.get('/job-binaries')
@acl.enforce("job-binaries:get_all")
@acl.enforce("data-processing:job-binaries:get_all")
def job_binary_list():
return u.render(binaries=[j.to_dict() for j in api.get_job_binaries(
**u.get_request_args().to_dict())])
@rest.get('/job-binaries/<job_binary_id>')
@acl.enforce("job-binaries:get")
@acl.enforce("data-processing:job-binaries:get")
@v.check_exists(api.get_job_binary, 'job_binary_id')
def job_binary_get(job_binary_id):
return u.render(api.get_job_binary(job_binary_id).to_wrapped_dict())
@rest.delete('/job-binaries/<job_binary_id>')
@acl.enforce("job-binaries:delete")
@acl.enforce("data-processing:job-binaries:delete")
@v.check_exists(api.get_job_binary, id='job_binary_id')
def job_binary_delete(job_binary_id):
api.delete_job_binary(job_binary_id)
@ -193,7 +193,7 @@ def job_binary_delete(job_binary_id):
@rest.get('/job-binaries/<job_binary_id>/data')
@acl.enforce("job-binaries:get_data")
@acl.enforce("data-processing:job-binaries:get_data")
@v.check_exists(api.get_job_binary, 'job_binary_id')
def job_binary_data(job_binary_id):
data = api.get_job_binary_data(job_binary_id)
@ -205,14 +205,14 @@ def job_binary_data(job_binary_id):
# Job binary internals ops
@rest.put_file('/job-binary-internals/<name>')
@acl.enforce("job-binary-internals:create")
@acl.enforce("data-processing:job-binary-internals:create")
@v.validate(None, v_j_b_i.check_job_binary_internal)
def job_binary_internal_create(**values):
return u.render(api.create_job_binary_internal(values).to_wrapped_dict())
@rest.get('/job-binary-internals')
@acl.enforce("job-binary-internals:get_all")
@acl.enforce("data-processing:job-binary-internals:get_all")
def job_binary_internal_list():
return u.render(binaries=[j.to_dict() for j in
api.get_job_binary_internals(
@ -220,7 +220,7 @@ def job_binary_internal_list():
@rest.get('/job-binary-internals/<job_binary_internal_id>')
@acl.enforce("job-binary-internals:get")
@acl.enforce("data-processing:job-binary-internals:get")
@v.check_exists(api.get_job_binary_internal, 'job_binary_internal_id')
def job_binary_internal_get(job_binary_internal_id):
return u.render(api.get_job_binary_internal(job_binary_internal_id
@ -228,7 +228,7 @@ def job_binary_internal_get(job_binary_internal_id):
@rest.delete('/job-binary-internals/<job_binary_internal_id>')
@acl.enforce("job-binary-internals:delete")
@acl.enforce("data-processing:job-binary-internals:delete")
@v.check_exists(api.get_job_binary_internal, 'job_binary_internal_id')
def job_binary_internal_delete(job_binary_internal_id):
api.delete_job_binary_internal(job_binary_internal_id)
@ -236,7 +236,7 @@ def job_binary_internal_delete(job_binary_internal_id):
@rest.get('/job-binary-internals/<job_binary_internal_id>/data')
@acl.enforce("job-binary-internals:get_data")
@acl.enforce("data-processing:job-binary-internals:get_data")
@v.check_exists(api.get_job_binary_internal, 'job_binary_internal_id')
def job_binary_internal_data(job_binary_internal_id):
return api.get_job_binary_internal_data(job_binary_internal_id)


@ -28,21 +28,21 @@ class TestAcl(base.SaharaTestCase):
acl.ENFORCER.set_rules(rules, use_conf=False)
def test_policy_allow(self):
@acl.enforce("clusters:get_all")
@acl.enforce("data-processing:clusters:get_all")
def test():
pass
json = '{"clusters:get_all": ""}'
json = '{"data-processing:clusters:get_all": ""}'
self._set_policy(json)
test()
def test_policy_deny(self):
@acl.enforce("clusters:get_all")
@acl.enforce("data-processing:clusters:get_all")
def test():
pass
json = '{"clusters:get_all": "!"}'
json = '{"data-processing:clusters:get_all": "!"}'
self._set_policy(json)
self.assertRaises(ex.Forbidden, test)
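Review bot: Both tests were updated so that the decorator and the policy JSON use the same new name, so neither pins what happens when the two differ, which is exactly the case this rename creates for existing deployments. A third test that enforces `data-processing:clusters:get_all` while the policy holds only the old key, e.g. `self._set_policy('{"clusters:get_all": "!"}')`, would document whether an un-prefixed deny rule is ignored and whether the call is then allowed or forbidden. The expected outcome depends on how `acl.enforce` treats a missing rule, which is not visible in this hunk. The TestAcl class body starts above the hunk.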