openstack/designate
Code Issues Proposed changes

Implement policy in code (3)

Browse Source 
This commit will move all default policies to code for:
- quota
- record
- recordset
- service_status
- tenant
- tld
- tsigkey

Change-Id: Id090b89b32116a195530484b0d92fc6c9041a6c9
Co-authored-By: Nam Nguyen Hoai <namnh@vn.fujitsu.com>
Implements: blueprint policy-in-code
This commit is contained in:
Dai Dang Van 2017-10-03 12:00:42 +07:00
parent d43fc5fc11
commit 2fa4f50e89
10 changed files with 594 additions and 46 deletions

16
designate/common/policies/__init__.py

@ -22,6 +22,13 @@ from designate.common.policies import blacklist
from designate.common.policies import context
from designate.common.policies import diagnostics
from designate.common.policies import pool
from designate.common.policies import quota
from designate.common.policies import record
from designate.common.policies import recordset
from designate.common.policies import service_status
from designate.common.policies import tenant
from designate.common.policies import tld
from designate.common.policies import tsigkey
def list_rules():
@ -30,5 +37,12 @@ def list_rules():
blacklist.list_rules(),
context.list_rules(),
diagnostics.list_rules(),
pool.list_rules()
pool.list_rules(),
quota.list_rules(),
record.list_rules(),
recordset.list_rules(),
service_status.list_rules(),
tenant.list_rules(),
tld.list_rules(),
tsigkey.list_rules(),
)

6
designate/common/policies/pool.py

@ -22,7 +22,8 @@ rules = [
policy.RuleDefault(
name="create_pool",
check_str=base.RULE_ADMIN,
description='Create pool.'),
description='Create pool.'
),
policy.DocumentedRuleDefault(
name="find_pools",
check_str=base.RULE_ADMIN,
@ -59,7 +60,8 @@ rules = [
policy.RuleDefault(
name="update_pool",
check_str=base.RULE_ADMIN,
description='Update pool.'),
description='Update pool.'
),
policy.RuleDefault(
name="delete_pool",
check_str=base.RULE_ADMIN,

62
designate/common/policies/quota.py Normal file

@ -0,0 +1,62 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="get_quotas",
check_str=base.RULE_ADMIN_OR_OWNER,
description="View Current Project's Quotas.",
operations=[
{
'path': '/v2/quotas',
'method': 'GET'
}
]
),
policy.RuleDefault(
name="get_quota",
check_str=base.RULE_ADMIN_OR_OWNER
),
policy.DocumentedRuleDefault(
name="set_quota",
check_str=base.RULE_ADMIN,
description='Set Quotas.',
operations=[
{
'path': '/v2/quotas/{project_id}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name="reset_quotas",
check_str=base.RULE_ADMIN,
description='Reset Quotas.',
operations=[
{
'path': '/v2/quotas/{project_id}',
'method': 'DELETE'
}
]
),
]
def list_rules():
return rules

114
designate/common/policies/record.py Normal file

@ -0,0 +1,114 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_record",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Create record.',
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="get_records",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Get records.',
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="get_record",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Get record.',
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="find_records",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Find records.',
operations=[
{
'path': '/v2/reverse/floatingips/{region}:{floatingip_id}',
'method': 'GET'
}, {
'path': '/v2/reverse/floatingips',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="find_record",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Find record.',
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'GET'
}, {
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'DELETE'
}, {
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'PUT'
}
]
),
policy.DocumentedRuleDefault(
name="update_record",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Update record.',
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'PUT'
}
]
),
policy.DocumentedRuleDefault(
name="delete_record",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Delete record.',
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'DELETE'
}
]
),
policy.RuleDefault(
name="count_records",
check_str=base.RULE_ADMIN_OR_OWNER)
]
def list_rules():
return rules

127
designate/common/policies/recordset.py Normal file

@ -0,0 +1,127 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_recordset",
check_str=base.RULE_ZONE_PRIMARY_OR_ADMIN,
description="Create Recordset",
operations=[
{
'path': '/v2/zones/{zone_id}/recordsets',
'method': 'POST'
}, {
'path': '/v2/reverse/floatingips/{region}:{floatingip_id}',
'method': 'PATCH'
}
]
),
policy.RuleDefault(
name="get_recordsets",
check_str=base.RULE_ADMIN_OR_OWNER
),
policy.DocumentedRuleDefault(
name="get_recordset",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Get recordset",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'GET'
}, {
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'PUT'
}, {
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
'method': 'GET'
}, {
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
'method': 'DELETE'
}, {
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
'method': 'PUT'
}
]
),
policy.DocumentedRuleDefault(
name="find_recordsets",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Find recordsets",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="find_recordset",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Find recordset",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records',
'method': 'POST'
}, {
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name="update_recordset",
check_str=base.RULE_ZONE_PRIMARY_OR_ADMIN,
description="Update recordset",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'PUT'
}, {
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
'method': 'PUT'
}, {
'path': '/v2/reverse/floatingips/{region}:{floatingip_id}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name="delete_recordset",
check_str=base.RULE_ZONE_PRIMARY_OR_ADMIN,
description="Delete RecordSet",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'DELETE'
}, {
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
'method': 'DELETE'
}
]
),
policy.RuleDefault(
name="count_recordset",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Count recordsets"
)
]
def list_rules():
return rules

50
designate/common/policies/service_status.py Normal file

@ -0,0 +1,50 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="find_service_status",
check_str=base.RULE_ADMIN,
description="Find a single Service Status",
operations=[
{
'path': '/v2/service_status/{service_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="find_service_statuses",
check_str=base.RULE_ADMIN,
description="List service statuses.",
operations=[
{
'path': '/v2/service_status',
'method': 'GET'
}
]
),
policy.RuleDefault(
"update_service_service_status",
base.RULE_ADMIN)
]
def list_rules():
return rules

41
designate/common/policies/tenant.py Normal file

@ -0,0 +1,41 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.RuleDefault(
name="find_tenants",
check_str=base.RULE_ADMIN,
description="Find all Tenants."
),
policy.RuleDefault(
name="get_tenant",
check_str=base.RULE_ADMIN,
description="Get all Tenants."
),
policy.RuleDefault(
name="count_tenants",
check_str=base.RULE_ADMIN,
description="Count tenants"
)
]
def list_rules():
return rules

80
designate/common/policies/tld.py Normal file

@ -0,0 +1,80 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_tld",
check_str=base.RULE_ADMIN,
description="Create Tld",
operations=[
{
'path': '/v2/tlds',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="find_tlds",
check_str=base.RULE_ADMIN,
description="List Tlds",
operations=[
{
'path': '/v2/tlds',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="get_tld",
check_str=base.RULE_ADMIN,
description="Show Tld",
operations=[
{
'path': '/v2/tlds/{tld_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="update_tld",
check_str=base.RULE_ADMIN,
description="Update Tld",
operations=[
{
'path': '/v2/tlds/{tld_id}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name="delete_tld",
check_str=base.RULE_ADMIN,
description="Delete Tld",
operations=[
{
'path': '/v2/tlds/{tld_id}',
'method': 'DELETE'
}
]
)
]
def list_rules():
return rules

101
designate/common/policies/tsigkey.py Normal file

@ -0,0 +1,101 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_tsigkey",
check_str=base.RULE_ADMIN,
description="Create Tsigkey",
operations=[
{
'path': '/v1/tsigkeys',
'method': 'POST'
}, {
'path': '/v2/tsigkeys',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="find_tsigkeys",
check_str=base.RULE_ADMIN,
description="List Tsigkeys",
operations=[
{
'path': '/v1/tsigkeys',
'method': 'GET'
}, {
'path': '/v1/tsigkeys/<uuid:tsigkey_id>',
'method': 'GET'
}, {
'path': '/v1/tsigkeys/<uuid:tsigkey_id>',
'method': 'DELETE'
}, {
'path': '/v2/tsigkeys',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="get_tsigkey",
check_str=base.RULE_ADMIN,
description="Show a Tsigkey",
operations=[
{
'path': '/v2/tsigkeys/{tsigkey_id}',
'method': 'PATCH'
}, {
'path': '/v2/tsigkeys/{tsigkey_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="update_tsigkey",
check_str=base.RULE_ADMIN,
description="Update Tsigkey",
operations=[
{
'path': '/v1/tsigkeys/{tsigkey_id}',
'method': 'PATCH'
}, {
'path': '/v2/tsigkeys/{tsigkey_id}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name="delete_tsigkey",
check_str=base.RULE_ADMIN,
description="Delete a Tsigkey",
operations=[
{
'path': '/v1/tsigkeys/{tsigkey_id}',
'method': 'DELETE'
}, {
'path': '/v2/tsigkeys/{tsigkey_id}',
'method': 'DELETE'
}
]
)
]
def list_rules():
return rules

43
etc/designate/policy.json

@ -1,25 +1,4 @@
{
"get_quotas": "rule:admin_or_owner",
"get_quota": "rule:admin_or_owner",
"set_quota": "rule:admin",
"reset_quotas": "rule:admin",
"create_tld": "rule:admin",
"find_tlds": "rule:admin",
"get_tld": "rule:admin",
"update_tld": "rule:admin",
"delete_tld": "rule:admin",
"create_tsigkey": "rule:admin",
"find_tsigkeys": "rule:admin",
"get_tsigkey": "rule:admin",
"update_tsigkey": "rule:admin",
"delete_tsigkey": "rule:admin",
"find_tenants": "rule:admin",
"get_tenant": "rule:admin",
"count_tenants": "rule:admin",
"create_zone": "rule:admin_or_owner",
"get_zones": "rule:admin_or_owner",
"get_zone": "rule:admin_or_owner",
@ -35,24 +14,6 @@
"purge_zones": "rule:admin",
"touch_zone": "rule:admin_or_owner",
"create_recordset": "rule:zone_primary_or_admin",
"get_recordsets": "rule:admin_or_owner",
"get_recordset": "rule:admin_or_owner",
"find_recordsets": "rule:admin_or_owner",
"find_recordset": "rule:admin_or_owner",
"update_recordset": "rule:zone_primary_or_admin",
"delete_recordset": "rule:zone_primary_or_admin",
"count_recordset": "rule:admin_or_owner",
"create_record": "rule:admin_or_owner",
"get_records": "rule:admin_or_owner",
"get_record": "rule:admin_or_owner",
"find_records": "rule:admin_or_owner",
"find_record": "rule:admin_or_owner",
"update_record": "rule:admin_or_owner",
"delete_record": "rule:admin_or_owner",
"count_records": "rule:admin_or_owner",
"create_zone_transfer_request": "rule:admin_or_owner",
"get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
"get_zone_transfer_request_detailed": "rule:admin_or_owner",
@ -79,8 +40,4 @@
"find_zone_exports": "rule:admin_or_owner",
"get_zone_export": "rule:admin_or_owner",
"update_zone_export": "rule:admin_or_owner",
"find_service_status": "rule:admin",
"find_service_statuses": "rule:admin",
"update_service_service_status": "rule:admin"
}