openstack/designate
Code Issues Proposed changes

Merge "Implement policy in code (2)"

Browse Source
This commit is contained in:
Zuul 2017-10-25 16:24:07 +00:00 committed by Gerrit Code Review
commit 4f67abe6b2
6 changed files with 279 additions and 30 deletions

10
designate/common/policies/__init__.py

@ -18,9 +18,17 @@
import itertools
from designate.common.policies import base
from designate.common.policies import blacklist
from designate.common.policies import context
from designate.common.policies import diagnostics
from designate.common.policies import pool
def list_rules():
return itertools.chain(
base.list_rules()
base.list_rules(),
blacklist.list_rules(),
context.list_rules(),
diagnostics.list_rules(),
pool.list_rules()
)

103
designate/common/policies/blacklist.py Normal file

@ -0,0 +1,103 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_blacklist",
check_str=base.RULE_ADMIN,
description='Create blacklist.',
operations=[
{
'path': '/v2/blacklists',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="find_blacklist",
check_str=base.RULE_ADMIN,
description='Find blacklist.',
operations=[
{
'path': '/v2/blacklists',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="find_blacklists",
check_str=base.RULE_ADMIN,
description='Find blacklists.',
operations=[
{
'path': '/v2/blacklists',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="get_blacklist",
check_str=base.RULE_ADMIN,
description='Get blacklist.',
operations=[
{
'path': '/v2/blacklists/{blacklist_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="update_blacklist",
check_str=base.RULE_ADMIN,
description='Update blacklist.',
operations=[
{
'path': '/v2/blacklists/{blacklist_id}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name="delete_blacklist",
check_str=base.RULE_ADMIN,
description='Delete blacklist.',
operations=[
{
'path': '/v2/blacklists/{blacklist_id}',
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name="use_blacklisted_zone",
check_str=base.RULE_ADMIN,
description='Allowed bypass the blacklist.',
operations=[
{
'path': '/v2/zones',
'method': 'POST'
}
]
)
]
def list_rules():
return rules

42
designate/common/policies/context.py Normal file

@ -0,0 +1,42 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.RuleDefault(
name="all_tenants",
check_str=base.RULE_ADMIN,
description='Action on all tenants.'),
policy.RuleDefault(
name="edit_managed_records",
check_str=base.RULE_ADMIN,
description='Edit managed records.'),
policy.RuleDefault(
name="use_low_ttl",
check_str=base.RULE_ADMIN,
description='Use low TTL.'),
policy.RuleDefault(
name="use_sudo",
check_str=base.RULE_ADMIN,
description='Accept sudo from user to tenant.')
]
def list_rules():
return rules

42
designate/common/policies/diagnostics.py Normal file

@ -0,0 +1,42 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.RuleDefault(
name="diagnostics_ping",
check_str=base.RULE_ADMIN,
description='Diagnose ping.'),
policy.RuleDefault(
name="diagnostics_sync_zones",
check_str=base.RULE_ADMIN,
description='Diagnose sync zones.'),
policy.RuleDefault(
name="diagnostics_sync_zone",
check_str=base.RULE_ADMIN,
description='Diagnose sync zone.'),
policy.RuleDefault(
name="diagnostics_sync_record",
check_str=base.RULE_ADMIN,
description='Diagnose sync record.')
]
def list_rules():
return rules

83
designate/common/policies/pool.py Normal file

@ -0,0 +1,83 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.RuleDefault(
name="create_pool",
check_str=base.RULE_ADMIN,
description='Create pool.'),
policy.DocumentedRuleDefault(
name="find_pools",
check_str=base.RULE_ADMIN,
description='Find pool.',
operations=[
{
'path': '/v2/pools',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="find_pool",
check_str=base.RULE_ADMIN,
description='Find pools.',
operations=[
{
'path': '/v2/pools',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="get_pool",
check_str=base.RULE_ADMIN,
description='Get pool.',
operations=[
{
'path': '/v2/pools/{pool_id}',
'method': 'GET'
}
]
),
policy.RuleDefault(
name="update_pool",
check_str=base.RULE_ADMIN,
description='Update pool.'),
policy.RuleDefault(
name="delete_pool",
check_str=base.RULE_ADMIN,
description='Delete pool.'
),
policy.DocumentedRuleDefault(
name="zone_create_forced_pool",
check_str=base.RULE_ADMIN,
description='load and set the pool to the one provided in the Zone attributes.', # noqa
operations=[
{
'path': '/v2/zones',
'method': 'POST'
}
]
)
]
def list_rules():
return rules

29
etc/designate/policy.json

@ -1,10 +1,4 @@
{
"all_tenants": "rule:admin",
"edit_managed_records" : "rule:admin",
"use_low_ttl": "rule:admin",
"get_quotas": "rule:admin_or_owner",
"get_quota": "rule:admin_or_owner",
"set_quota": "rule:admin",
@ -59,29 +53,6 @@
"delete_record": "rule:admin_or_owner",
"count_records": "rule:admin_or_owner",
"use_sudo": "rule:admin",
"create_blacklist": "rule:admin",
"find_blacklist": "rule:admin",
"find_blacklists": "rule:admin",
"get_blacklist": "rule:admin",
"update_blacklist": "rule:admin",
"delete_blacklist": "rule:admin",
"use_blacklisted_zone": "rule:admin",
"create_pool": "rule:admin",
"find_pools": "rule:admin",
"find_pool": "rule:admin",
"get_pool": "rule:admin",
"update_pool": "rule:admin",
"delete_pool": "rule:admin",
"zone_create_forced_pool": "rule:admin",
"diagnostics_ping": "rule:admin",
"diagnostics_sync_zones": "rule:admin",
"diagnostics_sync_zone": "rule:admin",
"diagnostics_sync_record": "rule:admin",
"create_zone_transfer_request": "rule:admin_or_owner",
"get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
"get_zone_transfer_request_detailed": "rule:admin_or_owner",