Implement policy in code (1)

This commit will prepare for implementing policies in code.

- https://governance.openstack.org/tc/goals/queens/policy-in-code.html

Change-Id: Iea587cb6f4281b950eaca6bdaac3a8ea5de76c67
Co-authored-By: Nam Nguyen Hoai <namnh@vn.fujitsu.com>
Implements: blueprint policy-in-code
This commit is contained in:
Dai Dang Van 2017-10-03 10:58:38 +07:00
parent 30ffe04b46
commit 271eba7758
9 changed files with 105 additions and 33 deletions

View File

@ -0,0 +1,26 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Borrowed from Zun
import itertools
from designate.common.policies import base
def list_rules():
return itertools.chain(
base.list_rules()
)

View File

@ -0,0 +1,60 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN = 'rule:admin'
RULE_ZONE_PRIMARY_OR_ADMIN = "('PRIMARY':%(zone_type)s and rule:admin_or_owner)\
OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
RULE_ANY = "@"
rules = [
policy.RuleDefault(
name="admin",
check_str="role:admin or is_admin:True"),
policy.RuleDefault(
name="primary_zone",
check_str="target.zone_type:SECONDARY"),
policy.RuleDefault(
name="owner",
check_str="tenant:%(tenant_id)s"),
policy.RuleDefault(
name="admin_or_owner",
check_str="rule:admin or rule:owner"),
policy.RuleDefault(
name="default",
check_str="rule:admin_or_owner"),
policy.RuleDefault(
name="target",
check_str="tenant:%(target_tenant_id)s"),
policy.RuleDefault(
name="owner_or_target",
check_str="rule:target or rule:owner"),
policy.RuleDefault(
name="admin_or_owner_or_target",
check_str="rule:owner_or_target or rule:admin"),
policy.RuleDefault(
name="admin_or_target",
check_str="rule:admin or rule:target"),
policy.RuleDefault(
name="zone_primary_or_admin",
check_str=RULE_ZONE_PRIMARY_OR_ADMIN)
]
def list_rules():
return rules

View File

@ -19,9 +19,8 @@ from oslo_policy import policy
from oslo_policy import opts
from designate.i18n import _
from designate.i18n import _LI
from designate import utils
from designate import exceptions
from designate.common import policies
CONF = cfg.CONF
@ -62,25 +61,12 @@ def set_rules(data, default_rule=None, overwrite=True):
_ENFORCER.set_rules(rules, overwrite=overwrite)
def init(default_rule=None):
policy_files = utils.find_config(CONF['oslo_policy'].policy_file)
if len(policy_files) == 0:
msg = 'Unable to determine appropriate policy json file'
raise exceptions.ConfigurationError(msg)
LOG.info(_LI('Using policy_file found at: %s'), policy_files[0])
with open(policy_files[0]) as fh:
policy_string = fh.read()
rules = policy.Rules.load_json(policy_string, default_rule=default_rule)
def init(default_rule=None, policy_file=None):
global _ENFORCER
if not _ENFORCER:
LOG.debug("Enforcer is not present, recreating.")
_ENFORCER = policy.Enforcer(CONF)
_ENFORCER.set_rules(rules)
_ENFORCER = policy.Enforcer(CONF, policy_file=policy_file)
_ENFORCER.register_defaults(policies.list_rules())
def check(rule, ctxt, target=None, do_raise=True, exc=exceptions.Forbidden):

View File

@ -32,6 +32,7 @@ from designate import policy
from designate import network_api
from designate import rpc
from designate.network_api import fake as fake_network_api
from designate import utils
from designate.sqlalchemy import utils as sqlalchemy_utils
"""Test fixtures
@ -104,6 +105,8 @@ class ServiceFixture(fixtures.Fixture):
class PolicyFixture(fixtures.Fixture):
def setUp(self):
super(PolicyFixture, self).setUp()
policy.init(policy_file=utils.find_config(
cfg.CONF.oslo_policy.policy_file)[0])
self.addCleanup(policy.reset)

View File

@ -96,7 +96,8 @@ class PoolManagerInitTest(test.BaseTestCase):
def test_init(self):
Service()
def test_start(self):
@patch.object(pm_module.DesignateContext, 'get_admin_context')
def test_start(self, *mock):
with patch.object(objects.Pool, 'from_config',
return_value=Mock()):
pm = Service()
@ -218,6 +219,7 @@ class PoolManagerTest(test.BaseTestCase):
self.assertEqual(1, self.pm.pool_manager_api.create_zone.call_count)
self.assertEqual(0, self.pm.pool_manager_api.update_zone.call_count)
@patch.object(pm_module.DesignateContext, 'get_admin_context')
def test_periodic_sync(self, *mocks):
def mock_fetch_healthy_zones(ctx):
return [

View File

@ -0,0 +1,3 @@
[DEFAULT]
output_file = etc/designate/policy.yaml.sample
namespace = designate

View File

@ -1,18 +1,4 @@
{
"admin": "role:admin or is_admin:True",
"primary_zone": "target.zone_type:SECONDARY",
"owner": "tenant:%(tenant_id)s",
"admin_or_owner": "rule:admin or rule:owner",
"target": "tenant:%(target_tenant_id)s",
"owner_or_target":"rule:target or rule:owner",
"admin_or_owner_or_target":"rule:owner_or_target or rule:admin",
"admin_or_target":"rule:admin or rule:target",
"zone_primary_or_admin": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)",
"default": "rule:admin_or_owner",
"all_tenants": "rule:admin",
"edit_managed_records" : "rule:admin",

View File

@ -50,6 +50,9 @@ oslo.config.opts =
oslo.config.opts.defaults =
designate.api = designate.common.config:set_defaults
oslo.policy.policies =
designate = designate.common.policies:list_rules
console_scripts =
designate-rootwrap = oslo_rootwrap.cmd:main
designate-api = designate.cmd.api:main

View File

@ -71,6 +71,9 @@ commands = sh tools/pretty_flake8.sh
[testenv:genconfig]
commands = oslo-config-generator --config-file=etc/designate/designate-config-generator.conf
[testenv:genpolicy]
commands = oslopolicy-sample-generator --config-file etc/designate/designate-policy-generator.conf
[testenv:bashate]
deps = bashate
whitelist_externals = bash