Merge "Use constants for common rules"

This commit is contained in:
Zuul 2024-06-28 11:43:24 +00:00 committed by Gerrit Code Review
commit 4dec531b0a
5 changed files with 76 additions and 69 deletions


@ -57,34 +57,34 @@ PROJECT_READER_OR_PUBLIC_NAMESPACE = (
# typical in OpenStack services. But following check strings offer formal
# support for project membership and a read-only variant consistent with
# other OpenStack services.
ADMIN_OR_PROJECT_MEMBER = f'rule:context_is_admin or ({PROJECT_MEMBER})'
ADMIN_OR_PROJECT_READER = f'rule:context_is_admin or ({PROJECT_READER})'
ADMIN = 'rule:context_is_admin'
DEFAULT = 'rule:default'
ADMIN_OR_PROJECT_MEMBER = f'{ADMIN} or ({PROJECT_MEMBER})'
ADMIN_OR_PROJECT_READER = f'{ADMIN} or ({PROJECT_READER})'
ADMIN_OR_PROJECT_READER_GET_IMAGE = (
f'rule:context_is_admin or '
f'{ADMIN} or '
f'({PROJECT_READER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})'
)
ADMIN_OR_PROJECT_MEMBER_DOWNLOAD_IMAGE = (
f'rule:context_is_admin or '
f'{ADMIN} or '
f'({PROJECT_MEMBER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})'
)
ADMIN_OR_PROJECT_MEMBER_CREATE_IMAGE = (
f'rule:context_is_admin or ({PROJECT_MEMBER} and project_id:%(owner)s)'
f'{ADMIN} or ({PROJECT_MEMBER} and project_id:%(owner)s)'
)
ADMIN_OR_PROJECT_READER_GET_NAMESPACE = (
f'rule:context_is_admin or ({PROJECT_READER_OR_PUBLIC_NAMESPACE})'
f'{ADMIN} or ({PROJECT_READER_OR_PUBLIC_NAMESPACE})'
)
ADMIN_OR_SHARED_MEMBER = (
f'rule:context_is_admin or (role:member and {IMAGE_MEMBER_CHECK})'
f'{ADMIN} or (role:member and {IMAGE_MEMBER_CHECK})'
)
ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER = (
f'rule:context_is_admin or '
f'{ADMIN} or '
f'role:reader and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK})'
)
ADMIN = 'rule:context_is_admin'
rules = [
policy.RuleDefault(name='default', check_str='',
description='Defines the default rule used for '
@ -92,7 +92,7 @@ rules = [
'policy in the supplied policy.json file.',
deprecated_rule=policy.DeprecatedRule(
name='default',
check_str='rule:context_is_admin',
check_str=ADMIN,
deprecated_reason='In order to allow operators to '
'accept the default policies from code by not '
'defining them in the policy file, while still '
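Review bot: The new module constants `ADMIN` and `DEFAULT` (lines 16–17) carry no comment saying what they refer to, and `DEFAULT` names the `default` rule that this same file registers with `check_str=''` (line 49), which in oslo.policy is presumably an always-true check — so a reader who picks `base.DEFAULT` for a live policy gets a match-all rule. Suggest a comment above line 16: `# References to rules registered in ``rules`` below. 'default' has an empty check string (matches every request); use it only as a deprecated_rule fallback, never as a live check.` A smaller style point: `ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER` (lines 44–45) omits the parentheses every sibling rule puts around the non-admin branch; it should evaluate the same because `and` binds tighter than `or` in oslo.policy's grammar, but the inconsistency invites misreading and `f'({ADMIN} or role:reader and (...))'` vs. the siblings is worth aligning. The `rules` list that starts at line 48 continues past the hunk.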


@ -14,11 +14,13 @@
# under the License.
from oslo_policy import policy
from glance.policies import base
discovery_policies = [
policy.DocumentedRuleDefault(
name="stores_info_detail",
check_str='rule:context_is_admin',
check_str=base.ADMIN,
scope_types=['project'],
description='Expose store specific information',
operations=[


@ -31,7 +31,7 @@ image_policies = [
'method': 'POST'}
],
deprecated_rule=policy.DeprecatedRule(
name="add_image", check_str="rule:default",
name="add_image", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
),
@ -45,7 +45,7 @@ image_policies = [
'method': 'DELETE'}
],
deprecated_rule=policy.DeprecatedRule(
name="delete_image", check_str="rule:default",
name="delete_image", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -59,7 +59,7 @@ image_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_image", check_str="rule:default",
name="get_image", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -73,7 +73,7 @@ image_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_images", check_str="rule:default",
name="get_images", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -87,13 +87,13 @@ image_policies = [
'method': 'PATCH'}
],
deprecated_rule=policy.DeprecatedRule(
name="modify_image", check_str="rule:default",
name="modify_image", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name="publicize_image",
check_str='rule:context_is_admin',
check_str=base.ADMIN,
scope_types=['project'],
description='Publicize given image',
operations=[
@ -111,7 +111,7 @@ image_policies = [
'method': 'PATCH'}
],
deprecated_rule=policy.DeprecatedRule(
name="communitize_image", check_str="rule:default",
name="communitize_image", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -126,7 +126,7 @@ image_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="download_image", check_str="rule:default",
name="download_image", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -140,14 +140,14 @@ image_policies = [
'method': 'PUT'}
],
deprecated_rule=policy.DeprecatedRule(
name="upload_image", check_str="rule:default",
name="upload_image", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name="delete_image_location",
check_str="rule:context_is_admin",
check_str=base.ADMIN,
scope_types=['project'],
description='Deletes the location of given image',
operations=[
@ -155,7 +155,7 @@ image_policies = [
'method': 'PATCH'}
],
deprecated_rule=policy.DeprecatedRule(
name="delete_image_location", check_str="rule:default",
name="delete_image_location", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -169,7 +169,7 @@ image_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_image_location", check_str="rule:default",
name="get_image_location", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -183,7 +183,7 @@ image_policies = [
'method': 'PATCH'}
],
deprecated_rule=policy.DeprecatedRule(
name="set_image_location", check_str="rule:default",
name="set_image_location", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -198,7 +198,7 @@ image_policies = [
'method': 'POST'}
],
deprecated_rule=policy.DeprecatedRule(
name="add_member", check_str="rule:default",
name="add_member", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -212,7 +212,7 @@ image_policies = [
'method': 'DELETE'}
],
deprecated_rule=policy.DeprecatedRule(
name="delete_member", check_str="rule:default",
name="delete_member", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -226,7 +226,7 @@ image_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_member", check_str="rule:default",
name="get_member", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -240,7 +240,7 @@ image_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_members", check_str="rule:default",
name="get_members", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -254,14 +254,14 @@ image_policies = [
'method': 'PUT'}
],
deprecated_rule=policy.DeprecatedRule(
name="modify_member", check_str="rule:default",
name="modify_member", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.RuleDefault(
name="manage_image_cache",
check_str='rule:context_is_admin',
check_str=base.ADMIN,
scope_types=['project'],
description='Manage image cache'
),
@ -276,7 +276,7 @@ image_policies = [
'method': 'POST'}
],
deprecated_rule=policy.DeprecatedRule(
name="deactivate", check_str="rule:default",
name="deactivate", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
@ -290,14 +290,14 @@ image_policies = [
'method': 'POST'}
],
deprecated_rule=policy.DeprecatedRule(
name="reactivate", check_str="rule:default",
name="reactivate", check_str=base.DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
),
policy.DocumentedRuleDefault(
name="copy_image",
check_str='rule:context_is_admin',
check_str=base.ADMIN,
# For now this is restricted to project-admins.
# That might change in the future if we decide to push
# this functionality down to project-members.
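Review bot: Every `deprecated_rule` in this section now falls back to `base.DEFAULT`, which is the `default` rule registered in base.py with an empty check string, and the constant name hides that this fallback matches everything. As I understand oslo.policy's deprecation handling, while `enforce_new_defaults` is off a policy is evaluated as the new check OR'd with the deprecated one, which would make each of these rules effectively open during the deprecation window; that is pre-existing behaviour rather than something this commit introduces, but it deserves a comment next to `DEPRECATED_REASON` (defined above the hunk), e.g. `# rule:default has an empty check string; these fallbacks grant access only while enforce_new_defaults is disabled.` The `image_policies` list starts before and ends after the hunk.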


@ -20,11 +20,14 @@ DEPRECATED_REASON = """
The metadata API now supports project scope and default roles.
"""
METADEF_ADMIN = "rule:metadef_admin"
METADEF_DEFAULT = "rule:metadef_default"
metadef_policies = [
policy.RuleDefault(name="metadef_default", check_str=""),
policy.RuleDefault(name="metadef_admin",
check_str="rule:context_is_admin"),
check_str=base.ADMIN),
policy.DocumentedRuleDefault(
name="get_metadef_namespace",
check_str=base.ADMIN_OR_PROJECT_READER_GET_NAMESPACE,
@ -35,7 +38,7 @@ metadef_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_metadef_namespace", check_str="rule:metadef_default",
name="get_metadef_namespace", check_str=METADEF_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.XENA
),
@ -50,14 +53,14 @@ metadef_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_metadef_namespaces", check_str="rule:metadef_default",
name="get_metadef_namespaces", check_str=METADEF_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.XENA
),
),
policy.DocumentedRuleDefault(
name="modify_metadef_namespace",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Modify an existing namespace.",
operations=[
@ -67,7 +70,7 @@ metadef_policies = [
),
policy.DocumentedRuleDefault(
name="add_metadef_namespace",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Create a namespace.",
operations=[
@ -77,7 +80,7 @@ metadef_policies = [
),
policy.DocumentedRuleDefault(
name="delete_metadef_namespace",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Delete a namespace.",
operations=[
@ -97,7 +100,7 @@ metadef_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_metadef_object", check_str="rule:metadef_default",
name="get_metadef_object", check_str=METADEF_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.XENA
),
@ -112,14 +115,14 @@ metadef_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_metadef_objects", check_str="rule:metadef_default",
name="get_metadef_objects", check_str=METADEF_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.XENA
),
),
policy.DocumentedRuleDefault(
name="modify_metadef_object",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Update an object within a namespace.",
operations=[
@ -130,7 +133,7 @@ metadef_policies = [
),
policy.DocumentedRuleDefault(
name="add_metadef_object",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Create an object within a namespace.",
operations=[
@ -140,7 +143,7 @@ metadef_policies = [
),
policy.DocumentedRuleDefault(
name="delete_metadef_object",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Delete an object within a namespace.",
operations=[
@ -161,7 +164,7 @@ metadef_policies = [
],
deprecated_rule=policy.DeprecatedRule(
name="list_metadef_resource_types",
check_str="rule:metadef_default",
check_str=METADEF_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.XENA
),
@ -177,14 +180,14 @@ metadef_policies = [
],
deprecated_rule=policy.DeprecatedRule(
name="get_metadef_resource_type",
check_str="rule:metadef_default",
check_str=METADEF_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.XENA
),
),
policy.DocumentedRuleDefault(
name="add_metadef_resource_type_association",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Create meta definition resource types association.",
operations=[
@ -194,7 +197,7 @@ metadef_policies = [
),
policy.DocumentedRuleDefault(
name="remove_metadef_resource_type_association",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Delete meta definition resource types association.",
operations=[
@ -216,7 +219,7 @@ metadef_policies = [
],
deprecated_rule=policy.DeprecatedRule(
name="get_metadef_property",
check_str="rule:metadef_default",
check_str=METADEF_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.XENA
),
@ -232,14 +235,14 @@ metadef_policies = [
],
deprecated_rule=policy.DeprecatedRule(
name="get_metadef_properties",
check_str="rule:metadef_default",
check_str=METADEF_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.XENA
),
),
policy.DocumentedRuleDefault(
name="modify_metadef_property",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Update meta definition property.",
operations=[
@ -250,7 +253,7 @@ metadef_policies = [
),
policy.DocumentedRuleDefault(
name="add_metadef_property",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Create meta definition property.",
operations=[
@ -260,7 +263,7 @@ metadef_policies = [
),
policy.DocumentedRuleDefault(
name="remove_metadef_property",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Delete meta definition property.",
operations=[
@ -281,7 +284,7 @@ metadef_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_metadef_tag", check_str="rule:metadef_default",
name="get_metadef_tag", check_str=METADEF_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.XENA
),
@ -296,14 +299,14 @@ metadef_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_metadef_tags", check_str="rule:metadef_default",
name="get_metadef_tags", check_str=METADEF_DEFAULT,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.XENA
),
),
policy.DocumentedRuleDefault(
name="modify_metadef_tag",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Update tag definition.",
operations=[
@ -314,7 +317,7 @@ metadef_policies = [
),
policy.DocumentedRuleDefault(
name="add_metadef_tag",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Add tag definition.",
operations=[
@ -325,7 +328,7 @@ metadef_policies = [
),
policy.DocumentedRuleDefault(
name="add_metadef_tags",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Create tag definitions.",
operations=[
@ -335,7 +338,7 @@ metadef_policies = [
),
policy.DocumentedRuleDefault(
name="delete_metadef_tag",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Delete tag definition.",
operations=[
@ -346,7 +349,7 @@ metadef_policies = [
),
policy.DocumentedRuleDefault(
name="delete_metadef_tags",
check_str="rule:metadef_admin",
check_str=METADEF_ADMIN,
scope_types=['project'],
description="Delete tag definitions.",
operations=[
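Review bot: The new `METADEF_ADMIN` and `METADEF_DEFAULT` constants (lines 274–275) are undocumented, and `METADEF_DEFAULT` points at `metadef_default`, which line 277 registers with `check_str=""` — presumably an always-true check — so it must stay confined to `deprecated_rule` fallbacks. `metadef_admin` now delegates to `base.ADMIN` (line 280) but is kept as its own named rule, which is right because operators may override `metadef_admin` in their policy file; a comment should say so rather than leave the next maintainer to collapse it into `base.ADMIN`. Suggest above line 274: `# Names of the two rules registered at the top of metadef_policies. metadef_default is an empty (match-all) check kept only as the pre-Xena fallback; metadef_admin delegates to context_is_admin but stays overridable by name.` The `metadef_policies` list continues past the hunk.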


@ -13,6 +13,8 @@
from oslo_log import versionutils
from oslo_policy import policy
from glance.policies import base
TASK_DESCRIPTION = """
This granular policy controls access to tasks, both from the tasks API as well
@ -46,7 +48,7 @@ task_policies = [
name="get_task",
# All policies except tasks_api_access are internal policies that are
# only called by glance as a result of some other operation.
check_str='rule:default',
check_str=base.DEFAULT,
scope_types=['project'],
description='Get an image task.\n' + TASK_DESCRIPTION,
operations=[
@ -54,13 +56,13 @@ task_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_task", check_str="rule:default",
name="get_task", check_str=base.DEFAULT,
deprecated_reason=DEPRECATION_REASON,
deprecated_since=versionutils.deprecated.XENA)
),
policy.DocumentedRuleDefault(
name="get_tasks",
check_str='rule:default',
check_str=base.DEFAULT,
scope_types=['project'],
description='List tasks for all images.\n' + TASK_DESCRIPTION,
operations=[
@ -68,13 +70,13 @@ task_policies = [
'method': 'GET'}
],
deprecated_rule=policy.DeprecatedRule(
name="get_tasks", check_str="rule:default",
name="get_tasks", check_str=base.DEFAULT,
deprecated_reason=DEPRECATION_REASON,
deprecated_since=versionutils.deprecated.XENA)
),
policy.DocumentedRuleDefault(
name="add_task",
check_str='rule:default',
check_str=base.DEFAULT,
scope_types=['project'],
description='List tasks for all images.\n' + TASK_DESCRIPTION,
operations=[
@ -82,13 +84,13 @@ task_policies = [
'method': 'POST'}
],
deprecated_rule=policy.DeprecatedRule(
name="add_task", check_str="rule:default",
name="add_task", check_str=base.DEFAULT,
deprecated_reason=DEPRECATION_REASON,
deprecated_since=versionutils.deprecated.XENA)
),
policy.DocumentedRuleDefault(
name="modify_task",
check_str='rule:default',
check_str=base.DEFAULT,
scope_types=['project'],
description="This policy is not used.",
operations=[
@ -101,7 +103,7 @@ task_policies = [
),
policy.DocumentedRuleDefault(
name="tasks_api_access",
check_str="rule:context_is_admin",
check_str=base.ADMIN,
scope_types=['project'],
description=TASK_ACCESS_DESCRIPTION,
operations=[
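Review bot: The `add_task` rule (line 557) still carries the description `'List tasks for all images.\n' + TASK_DESCRIPTION` (line 561), a copy of `get_tasks` on line 545, so the generated policy docs describe a POST as a listing operation; the commit touched the adjacent `check_str` but not this. Suggest `description='Create an image task.\n' + TASK_DESCRIPTION,`. Separately, `get_task`, `get_tasks`, `add_task` and `modify_task` use `base.DEFAULT` as their live check rather than as a deprecated fallback; the comment on lines 524–525 explains they are internal, but since `default` is registered in base.py with an empty check string a reader of this file cannot tell that `base.DEFAULT` means "no restriction", and extending that comment with `(rule:default has an empty check string, so these always pass)` would make it explicit. The `task_policies` list starts before and ends after the hunk.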