Implement policy in code (2)

This commit will move all default policies to code for:
- blacklist
- context
- diagnostics
- pool

Change-Id: I0c94ecaadba21b69b1fe4c0cd924e2b9b12c4782
Co-authored-By: Nam Nguyen Hoai <namnh@vn.fujitsu.com>
Implements: blueprint policy-in-code

designate/common/policies/__init__.py

@@ -18,9 +18,17 @@
 import itertools
 
 from designate.common.policies import base
+from designate.common.policies import blacklist
+from designate.common.policies import context
+from designate.common.policies import diagnostics
+from designate.common.policies import pool
 
 
 def list_rules():
     return itertools.chain(
-        base.list_rules()
+        base.list_rules(),
+        blacklist.list_rules(),
+        context.list_rules(),
+        diagnostics.list_rules(),
+        pool.list_rules()
     )

designate/common/policies/blacklist.py

@@ -0,0 +1,103 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+from designate.common.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name="create_blacklist",
+        check_str=base.RULE_ADMIN,
+        description='Create blacklist.',
+        operations=[
+            {
+                'path': '/v2/blacklists',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="find_blacklist",
+        check_str=base.RULE_ADMIN,
+        description='Find blacklist.',
+        operations=[
+            {
+                'path': '/v2/blacklists',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="find_blacklists",
+        check_str=base.RULE_ADMIN,
+        description='Find blacklists.',
+        operations=[
+            {
+                'path': '/v2/blacklists',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="get_blacklist",
+        check_str=base.RULE_ADMIN,
+        description='Get blacklist.',
+        operations=[
+            {
+                'path': '/v2/blacklists/{blacklist_id}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="update_blacklist",
+        check_str=base.RULE_ADMIN,
+        description='Update blacklist.',
+        operations=[
+            {
+                'path': '/v2/blacklists/{blacklist_id}',
+                'method': 'PATCH'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="delete_blacklist",
+        check_str=base.RULE_ADMIN,
+        description='Delete blacklist.',
+        operations=[
+            {
+                'path': '/v2/blacklists/{blacklist_id}',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="use_blacklisted_zone",
+        check_str=base.RULE_ADMIN,
+        description='Allowed bypass the blacklist.',
+        operations=[
+            {
+                'path': '/v2/zones',
+                'method': 'POST'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules

designate/common/policies/context.py

@@ -0,0 +1,42 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+from designate.common.policies import base
+
+
+rules = [
+    policy.RuleDefault(
+        name="all_tenants",
+        check_str=base.RULE_ADMIN,
+        description='Action on all tenants.'),
+    policy.RuleDefault(
+        name="edit_managed_records",
+        check_str=base.RULE_ADMIN,
+        description='Edit managed records.'),
+    policy.RuleDefault(
+        name="use_low_ttl",
+        check_str=base.RULE_ADMIN,
+        description='Use low TTL.'),
+    policy.RuleDefault(
+        name="use_sudo",
+        check_str=base.RULE_ADMIN,
+        description='Accept sudo from user to tenant.')
+]
+
+
+def list_rules():
+    return rules

designate/common/policies/diagnostics.py

@@ -0,0 +1,42 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+from designate.common.policies import base
+
+
+rules = [
+    policy.RuleDefault(
+        name="diagnostics_ping",
+        check_str=base.RULE_ADMIN,
+        description='Diagnose ping.'),
+    policy.RuleDefault(
+        name="diagnostics_sync_zones",
+        check_str=base.RULE_ADMIN,
+        description='Diagnose sync zones.'),
+    policy.RuleDefault(
+        name="diagnostics_sync_zone",
+        check_str=base.RULE_ADMIN,
+        description='Diagnose sync zone.'),
+    policy.RuleDefault(
+        name="diagnostics_sync_record",
+        check_str=base.RULE_ADMIN,
+        description='Diagnose sync record.')
+]
+
+
+def list_rules():
+    return rules

designate/common/policies/pool.py

@@ -0,0 +1,83 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+from designate.common.policies import base
+
+
+rules = [
+    policy.RuleDefault(
+        name="create_pool",
+        check_str=base.RULE_ADMIN,
+        description='Create pool.'),
+    policy.DocumentedRuleDefault(
+        name="find_pools",
+        check_str=base.RULE_ADMIN,
+        description='Find pool.',
+        operations=[
+            {
+                'path': '/v2/pools',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="find_pool",
+        check_str=base.RULE_ADMIN,
+        description='Find pools.',
+        operations=[
+            {
+                'path': '/v2/pools',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name="get_pool",
+        check_str=base.RULE_ADMIN,
+        description='Get pool.',
+        operations=[
+            {
+                'path': '/v2/pools/{pool_id}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.RuleDefault(
+        name="update_pool",
+        check_str=base.RULE_ADMIN,
+        description='Update pool.'),
+    policy.RuleDefault(
+        name="delete_pool",
+        check_str=base.RULE_ADMIN,
+        description='Delete pool.'
+    ),
+    policy.DocumentedRuleDefault(
+        name="zone_create_forced_pool",
+        check_str=base.RULE_ADMIN,
+        description='load and set the pool to the one provided in the Zone attributes.',  # noqa
+        operations=[
+            {
+                'path': '/v2/zones',
+                'method': 'POST'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules

etc/designate/policy.json

@@ -1,10 +1,4 @@
 {
-    "all_tenants": "rule:admin",
-
-    "edit_managed_records" : "rule:admin",
-
-    "use_low_ttl": "rule:admin",
-
     "get_quotas": "rule:admin_or_owner",
     "get_quota": "rule:admin_or_owner",
     "set_quota": "rule:admin",
@@ -59,29 +53,6 @@
     "delete_record": "rule:admin_or_owner",
     "count_records": "rule:admin_or_owner",
 
-    "use_sudo": "rule:admin",
-
-    "create_blacklist": "rule:admin",
-    "find_blacklist": "rule:admin",
-    "find_blacklists": "rule:admin",
-    "get_blacklist": "rule:admin",
-    "update_blacklist": "rule:admin",
-    "delete_blacklist": "rule:admin",
-    "use_blacklisted_zone": "rule:admin",
-
-    "create_pool": "rule:admin",
-    "find_pools": "rule:admin",
-    "find_pool": "rule:admin",
-    "get_pool": "rule:admin",
-    "update_pool": "rule:admin",
-    "delete_pool": "rule:admin",
-    "zone_create_forced_pool": "rule:admin",
-
-    "diagnostics_ping": "rule:admin",
-    "diagnostics_sync_zones": "rule:admin",
-    "diagnostics_sync_zone": "rule:admin",
-    "diagnostics_sync_record": "rule:admin",
-
     "create_zone_transfer_request": "rule:admin_or_owner",
     "get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
     "get_zone_transfer_request_detailed": "rule:admin_or_owner",