diff --git a/devstack/lib/freezer-api b/devstack/lib/freezer-api index 1fdc5a56..f6fb537e 100644 --- a/devstack/lib/freezer-api +++ b/devstack/lib/freezer-api @@ -99,7 +99,6 @@ function configure_freezer_api { sudo cp $FREEZER_API_DIR/etc/freezer/freezer-api.conf.sample $FREEZER_API_CONF_DIR/freezer-api.conf sudo cp $FREEZER_API_DIR/etc/freezer/freezer-paste.ini $FREEZER_API_CONF_DIR/freezer-paste.ini - sudo cp $FREEZER_API_DIR/etc/freezer/policy.json $FREEZER_API_CONF_DIR/policy.json # enable debuging iniset $FREEZER_API_CONF 'DEFAULT' debug True diff --git a/etc/freezer/policy.json b/etc/freezer/policy.json deleted file mode 100644 index a10a50ec..00000000 --- a/etc/freezer/policy.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "clients:get_all": "", - "clients:create": "", - "clients:get": "", - "clients:delete": "" -} diff --git a/freezer_api/common/policies/__init__.py b/freezer_api/common/policies/__init__.py index 93986d97..f4c686ff 100644 --- a/freezer_api/common/policies/__init__.py +++ b/freezer_api/common/policies/__init__.py @@ -20,6 +20,7 @@ import itertools from freezer_api.common.policies import action from freezer_api.common.policies import backup from freezer_api.common.policies import base +from freezer_api.common.policies import client from freezer_api.common.policies import job from freezer_api.common.policies import session @@ -29,6 +30,7 @@ def list_rules(): action.list_rules(), backup.list_rules(), base.list_rules(), + client.list_rules(), job.list_rules(), session.list_rules() ) diff --git a/freezer_api/common/policies/client.py b/freezer_api/common/policies/client.py new file mode 100644 index 00000000..654908d1 --- /dev/null +++ b/freezer_api/common/policies/client.py 
@@ -0,0 +1,69 @@ +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +from oslo_policy import policy + +from freezer_api.common.policies import base + +CLIENTS = 'clients:%s' + +rules = [ + policy.DocumentedRuleDefault( + name=CLIENTS % 'create', + check_str=base.UNPROTECTED, + description='Create client entry.', + operations=[ + { + 'path': '/v1/clients', + 'method': 'POST' + } + ] + ), + policy.DocumentedRuleDefault( + name=CLIENTS % 'delete', + check_str=base.UNPROTECTED, + description='Delete specified client.', + operations=[ + { + 'path': '/v1/clients/{client_id}', + 'method': 'DELETE' + } + ] + ), + policy.DocumentedRuleDefault( + name=CLIENTS % 'get', + check_str=base.UNPROTECTED, + description='Show clients.', + operations=[ + { + 'path': '/v1/clients/{client_id}', + 'method': 'GET' + } + ] + ), + policy.DocumentedRuleDefault( + name=CLIENTS % 'get_all', + check_str=base.UNPROTECTED, + description='List clients.', + operations=[ + { + 'path': '/v1/clients', + 'method': 'GET' + } + ] + ) +] + + +def list_rules(): + return rules diff --git a/freezer_api/tests/unit/common.py b/freezer_api/tests/unit/common.py index b60a61a5..0cd4feaf 100644 --- a/freezer_api/tests/unit/common.py +++ b/freezer_api/tests/unit/common.py @@ -19,7 +19,6 @@ limitations under the License. import copy import io import os -import shutil import fixtures from oslo_config import cfg 
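Review bot: All four `clients:*` rules in freezer_api/common/policies/client.py default to `base.UNPROTECTED`, including the mutating `clients:create` and `clients:delete`, so a deployment that ships no policy file presumably lets any caller that reaches the API register or remove client entries. This mirrors the empty strings in the deleted policy.json, but `base.UNPROTECTED` is defined outside this diff, so the check string it carries should be confirmed. Now that the defaults live in code, either pick a stricter default for the two mutating rules or state the choice above the list, e.g. `# Defaults keep the former policy.json behaviour (no check); override clients:create and clients:delete in policy.yaml to restrict them.` The description of `clients:get` would also read better as `'Show specified client.'`, since the path takes a `{client_id}`.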
@@ -27,7 +26,6 @@ from oslo_config import fixture as cfg_fixture import testtools from freezer_api.common import config -from freezer_api.common import exceptions from freezer_api import policy CONF = cfg.CONF @@ -435,26 +433,8 @@ class FreezerBaseTestCase(testtools.TestCase): self.test_dir = self.useFixture(fixtures.TempDir()).path self.conf_dir = os.path.join(self.test_dir, 'etc') os.makedirs(self.conf_dir) - self.configure_policy() - policy.ENFORCER = FakePolicyEnforcer() - - def configure_policy(self): - src_policy_file = 'etc/freezer/policy.json' - # copy policy file to test config dir - shutil.copy(src_policy_file, self.conf_dir) - policy_file = os.path.join(self.conf_dir, 'policy.json') - self._config_fixture.config(policy_file=policy_file, - group='oslo_policy') - - -class FakePolicyEnforcer(object): - def __init__(self, *args, **kwargs): - self.rules = {} - - def enforce(self, rule, action, ctxt, do_raise=True, - exc=exceptions.AccessForbidden): - if self.rules.get(rule) is False: - raise exceptions.AccessForbidden() + policy.ENFORCER = None + policy.setup_policy(CONF) class FakeContext(object): @@ -468,6 +448,3 @@ class FakeContext(object): def get_req_items(name): req_info = {'freezer.context': FakeContext()} return req_info[name] - - -policy.ENFORCER = FakePolicyEnforcer() diff --git a/releasenotes/notes/policy-and-doc-in-code-60163967ec604cbb.yaml b/releasenotes/notes/policy-and-doc-in-code-60163967ec604cbb.yaml new file mode 100644 index 00000000..1edd7524 --- /dev/null +++ b/releasenotes/notes/policy-and-doc-in-code-60163967ec604cbb.yaml 
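Review bot: With `FakePolicyEnforcer` removed from freezer_api/tests/unit/common.py, the base test case no longer offers a way to make a rule deny, and because the in-code client defaults are unprotected, nothing visible in this diff still exercises the `AccessForbidden` path. A test that loads an override denying, for example, `clients:delete` and asserts the request is refused would keep enforcement covered now that the real enforcer is wired in. `setUp` also rebinds the module global `policy.ENFORCER` and never restores it, so the enforcer could leak into tests that do not derive from `FreezerBaseTestCase`; adding `self.addCleanup(setattr, policy, 'ENFORCER', None)` after `policy.setup_policy(CONF)` would contain it. The body of `setUp` starts outside the hunk.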
@@ -0,0 +1,14 @@
+---
+features:
+ - |
+ Freezer now support policy in code, which means if users didn't modify
+ any of policy rules, they can remove or comment out all of rules in
+ policy file or even not deploy it at all. Because from now, Freezer
+ keeps all default policies under `freezer-api/common/policies` module.
+ Users can still modify/generate `policy.yaml` file which will override
+ policy rules in code if those rules show in `policy.yaml` file.
+other:
+ - |
+ Default `policy.json` file is now removed as Freezer now generate the
+ default policies in code. Please be aware that when using that file in your
+ environment.