Implement policy in code (1)

This commit will prepare for implementing policies in code. - https://governance.openstack.org/tc/goals/queens/policy-in-code.html Change-Id: Iea587cb6f4281b950eaca6bdaac3a8ea5de76c67 Co-authored-By: Nam Nguyen Hoai <namnh@vn.fujitsu.com> Implements: blueprint policy-in-code
2017-10-03 10:58:38 +07:00 · 2017-10-03 10:58:38 +07:00 · 271eba7758
commit 271eba7758
parent 30ffe04b46
9 changed files with 105 additions and 33 deletions
--- a/designate/common/policies/init.py
+++ b/designate/common/policies/init.py
@ -0,0 +1,26 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+# Borrowed from Zun
+
+
+import itertools
+
+from designate.common.policies import base
+
+
+def list_rules():
+    return itertools.chain(
+        base.list_rules()
+    )
--- a/designate/common/policies/base.py
+++ b/designate/common/policies/base.py
@ -0,0 +1,60 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN = 'rule:admin'
+RULE_ZONE_PRIMARY_OR_ADMIN = "('PRIMARY':%(zone_type)s and rule:admin_or_owner)\
+                            OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
+RULE_ANY = "@"
+
+rules = [
+    policy.RuleDefault(
+        name="admin",
+        check_str="role:admin or is_admin:True"),
+    policy.RuleDefault(
+        name="primary_zone",
+        check_str="target.zone_type:SECONDARY"),
+    policy.RuleDefault(
+        name="owner",
+        check_str="tenant:%(tenant_id)s"),
+    policy.RuleDefault(
+        name="admin_or_owner",
+        check_str="rule:admin or rule:owner"),
+    policy.RuleDefault(
+        name="default",
+        check_str="rule:admin_or_owner"),
+    policy.RuleDefault(
+        name="target",
+        check_str="tenant:%(target_tenant_id)s"),
+    policy.RuleDefault(
+        name="owner_or_target",
+        check_str="rule:target or rule:owner"),
+    policy.RuleDefault(
+        name="admin_or_owner_or_target",
+        check_str="rule:owner_or_target or rule:admin"),
+    policy.RuleDefault(
+        name="admin_or_target",
+        check_str="rule:admin or rule:target"),
+    policy.RuleDefault(
+        name="zone_primary_or_admin",
+        check_str=RULE_ZONE_PRIMARY_OR_ADMIN)
+]
+
+
+def list_rules():
+    return rules
--- a/designate/policy.py
+++ b/designate/policy.py
@ -19,9 +19,8 @@ from oslo_policy import policy
 from oslo_policy import opts

 from designate.i18n import _
-from designate.i18n import _LI
-from designate import utils
 from designate import exceptions
+from designate.common import policies


 CONF = cfg.CONF
@ -62,25 +61,12 @@ def set_rules(data, default_rule=None, overwrite=True):
    _ENFORCER.set_rules(rules, overwrite=overwrite)


-def init(default_rule=None):
-    policy_files = utils.find_config(CONF['oslo_policy'].policy_file)
-
-    if len(policy_files) == 0:
-        msg = 'Unable to determine appropriate policy json file'
-        raise exceptions.ConfigurationError(msg)
-
-    LOG.info(_LI('Using policy_file found at: %s'), policy_files[0])
-
-    with open(policy_files[0]) as fh:
-        policy_string = fh.read()
-    rules = policy.Rules.load_json(policy_string, default_rule=default_rule)
-
+def init(default_rule=None, policy_file=None):
    global _ENFORCER
    if not _ENFORCER:
        LOG.debug("Enforcer is not present, recreating.")
-        _ENFORCER = policy.Enforcer(CONF)
-
-    _ENFORCER.set_rules(rules)
+        _ENFORCER = policy.Enforcer(CONF, policy_file=policy_file)
+        _ENFORCER.register_defaults(policies.list_rules())


 def check(rule, ctxt, target=None, do_raise=True, exc=exceptions.Forbidden):
--- a/designate/tests/fixtures.py
+++ b/designate/tests/fixtures.py
@ -32,6 +32,7 @@ from designate import policy
 from designate import network_api
 from designate import rpc
 from designate.network_api import fake as fake_network_api
+from designate import utils
 from designate.sqlalchemy import utils as sqlalchemy_utils

 """Test fixtures
@ -104,6 +105,8 @@ class ServiceFixture(fixtures.Fixture):
 class PolicyFixture(fixtures.Fixture):
    def setUp(self):
        super(PolicyFixture, self).setUp()
+        policy.init(policy_file=utils.find_config(
+            cfg.CONF.oslo_policy.policy_file)[0])
        self.addCleanup(policy.reset)


--- a/designate/tests/unit/test_pool_manager/test_service.py
+++ b/designate/tests/unit/test_pool_manager/test_service.py
@ -96,7 +96,8 @@ class PoolManagerInitTest(test.BaseTestCase):
    def test_init(self):
            Service()

-    def test_start(self):
+    @patch.object(pm_module.DesignateContext, 'get_admin_context')
+    def test_start(self, *mock):
        with patch.object(objects.Pool, 'from_config',
                          return_value=Mock()):
            pm = Service()
@ -218,6 +219,7 @@ class PoolManagerTest(test.BaseTestCase):
        self.assertEqual(1, self.pm.pool_manager_api.create_zone.call_count)
        self.assertEqual(0, self.pm.pool_manager_api.update_zone.call_count)

+    @patch.object(pm_module.DesignateContext, 'get_admin_context')
    def test_periodic_sync(self, *mocks):
        def mock_fetch_healthy_zones(ctx):
            return [
--- a/etc/designate/designate-policy-generator.conf
+++ b/etc/designate/designate-policy-generator.conf
@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/designate/policy.yaml.sample
+namespace = designate
--- a/etc/designate/policy.json
+++ b/etc/designate/policy.json
@ -1,18 +1,4 @@
 {
-    "admin": "role:admin or is_admin:True",
-    "primary_zone": "target.zone_type:SECONDARY",
-
-    "owner": "tenant:%(tenant_id)s",
-    "admin_or_owner": "rule:admin or rule:owner",
-    "target": "tenant:%(target_tenant_id)s",
-    "owner_or_target":"rule:target or rule:owner",
-    "admin_or_owner_or_target":"rule:owner_or_target or rule:admin",
-    "admin_or_target":"rule:admin or rule:target",
-
-    "zone_primary_or_admin": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)",
-
-    "default": "rule:admin_or_owner",
-
    "all_tenants": "rule:admin",

    "edit_managed_records" : "rule:admin",
--- a/setup.cfg
+++ b/setup.cfg
@ -50,6 +50,9 @@ oslo.config.opts =
 oslo.config.opts.defaults =
    designate.api = designate.common.config:set_defaults

+oslo.policy.policies =
+    designate = designate.common.policies:list_rules
+
 console_scripts =
    designate-rootwrap = oslo_rootwrap.cmd:main
    designate-api = designate.cmd.api:main
--- a/tox.ini
+++ b/tox.ini
@ -71,6 +71,9 @@ commands = sh tools/pretty_flake8.sh
 [testenv:genconfig]
 commands = oslo-config-generator --config-file=etc/designate/designate-config-generator.conf

+[testenv:genpolicy]
+commands = oslopolicy-sample-generator --config-file etc/designate/designate-policy-generator.conf
+
 [testenv:bashate]
 deps = bashate
 whitelist_externals = bash