Browse Source

[policy in code] part 5 (software-*)

Add software_deployments rules, software_configs rules.
Partially-Implements: bp policy-in-code

Change-Id: If0c98ffcfceae395ab2443356aea3904edaf7b4e
changes/76/510076/8
ricolin 5 years ago committed by Dai Dang Van
parent
commit
0e45db46ba
  1. 14
      etc/heat/policy.json
  2. 10
      heat/api/openstack/v1/software_configs.py
  3. 12
      heat/api/openstack/v1/software_deployments.py
  4. 4
      heat/policies/__init__.py
  5. 79
      heat/policies/software_configs.py
  6. 91
      heat/policies/software_deployments.py

14
etc/heat/policy.json

@ -23,17 +23,5 @@
"cloudwatch:ListMetrics": "rule:deny_stack_user",
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
"cloudwatch:PutMetricData": "",
"cloudwatch:SetAlarmState": "rule:deny_stack_user",
"software_configs:global_index": "rule:deny_everybody",
"software_configs:index": "rule:deny_stack_user",
"software_configs:create": "rule:deny_stack_user",
"software_configs:show": "rule:deny_stack_user",
"software_configs:delete": "rule:deny_stack_user",
"software_deployments:index": "rule:deny_stack_user",
"software_deployments:create": "rule:deny_stack_user",
"software_deployments:show": "rule:deny_stack_user",
"software_deployments:update": "rule:deny_stack_user",
"software_deployments:delete": "rule:deny_stack_user",
"software_deployments:metadata": ""
"cloudwatch:SetAlarmState": "rule:deny_stack_user"
}

10
heat/api/openstack/v1/software_configs.py

@ -59,11 +59,11 @@ class SoftwareConfigController(object):
**params)
return {'software_configs': scs}
@util.policy_enforce
@util.registered_policy_enforce
def global_index(self, req):
return self._index(req, use_admin_cnxt=True)
@util.policy_enforce
@util.registered_policy_enforce
def index(self, req):
"""Lists summary information for all software configs."""
global_tenant = False
@ -78,14 +78,14 @@ class SoftwareConfigController(object):
return self._index(req)
@util.policy_enforce
@util.registered_policy_enforce
def show(self, req, config_id):
"""Gets detailed information for a software config."""
sc = self.rpc_client.show_software_config(
req.context, config_id)
return {'software_config': sc}
@util.policy_enforce
@util.registered_policy_enforce
def create(self, req, body):
"""Create a new software config."""
create_data = {
@ -100,7 +100,7 @@ class SoftwareConfigController(object):
req.context, **create_data)
return {'software_config': sc}
@util.policy_enforce
@util.registered_policy_enforce
def delete(self, req, config_id):
"""Delete an existing software config."""
res = self.rpc_client.delete_software_config(req.context, config_id)

12
heat/api/openstack/v1/software_deployments.py

@ -34,7 +34,7 @@ class SoftwareDeploymentController(object):
def default(self, req, **args):
raise exc.HTTPNotFound()
@util.policy_enforce
@util.registered_policy_enforce
def index(self, req):
"""List software deployments."""
whitelist = {
@ -44,7 +44,7 @@ class SoftwareDeploymentController(object):
sds = self.rpc_client.list_software_deployments(req.context, **params)
return {'software_deployments': sds}
@util.policy_enforce
@util.registered_policy_enforce
def metadata(self, req, server_id):
"""List software deployments grouped by the group name.
@ -54,14 +54,14 @@ class SoftwareDeploymentController(object):
req.context, server_id=server_id)
return {'metadata': sds}
@util.policy_enforce
@util.registered_policy_enforce
def show(self, req, deployment_id):
"""Gets detailed information for a software deployment."""
sd = self.rpc_client.show_software_deployment(req.context,
deployment_id)
return {'software_deployment': sd}
@util.policy_enforce
@util.registered_policy_enforce
def create(self, req, body):
"""Create a new software deployment."""
create_data = dict((k, body.get(k)) for k in (
@ -72,7 +72,7 @@ class SoftwareDeploymentController(object):
**create_data)
return {'software_deployment': sd}
@util.policy_enforce
@util.registered_policy_enforce
def update(self, req, deployment_id, body):
"""Update an existing software deployment."""
update_data = dict((k, body.get(k)) for k in (
@ -84,7 +84,7 @@ class SoftwareDeploymentController(object):
**update_data)
return {'software_deployment': sd}
@util.policy_enforce
@util.registered_policy_enforce
def delete(self, req, deployment_id):
"""Delete an existing software deployment."""
res = self.rpc_client.delete_software_deployment(req.context,

4
heat/policies/__init__.py

@ -20,6 +20,8 @@ from heat.policies import events
from heat.policies import resource
from heat.policies import resource_types
from heat.policies import service
from heat.policies import software_configs
from heat.policies import software_deployments
from heat.policies import stacks
@ -32,5 +34,7 @@ def list_rules():
resource.list_rules(),
resource_types.list_rules(),
service.list_rules(),
software_configs.list_rules(),
software_deployments.list_rules(),
stacks.list_rules(),
)

79
heat/policies/software_configs.py

@ -0,0 +1,79 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from heat.policies import base
POLICY_ROOT = 'software_configs:%s'
software_configs_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'global_index',
check_str=base.RULE_DENY_EVERYBODY,
description='List configs globally.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.RULE_DENY_STACK_USER,
description='List configs.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.RULE_DENY_STACK_USER,
description='Create config.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.RULE_DENY_STACK_USER,
description='Show config details.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs/{config_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.RULE_DENY_STACK_USER,
description='Delete config.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs/{config_id}',
'method': 'DELETE'
}
]
)
]
def list_rules():
return software_configs_policies

91
heat/policies/software_deployments.py

@ -0,0 +1,91 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from heat.policies import base
POLICY_ROOT = 'software_deployments:%s'
software_deployments_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.RULE_DENY_STACK_USER,
description='List deployments.',
operations=[
{
'path': '/v1/{tenant_id}/software_deployments',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.RULE_DENY_STACK_USER,
description='Create deployment.',
operations=[
{
'path': '/v1/{tenant_id}/software_deployments',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.RULE_DENY_STACK_USER,
description='Show deployment details.',
operations=[
{
'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
check_str=base.RULE_DENY_STACK_USER,
description='Update deployment.',
operations=[
{
'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
'method': 'PUT'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.RULE_DENY_STACK_USER,
description='Delete deployment.',
operations=[
{
'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'metadata',
check_str=base.RULE_ALLOW_EVERYBODY,
description='Show server configuration metadata.',
operations=[
{
'path': '/v1/{tenant_id}/software_deployments/metadata/'
'{server_id}',
'method': 'GET'
}
]
)
]
def list_rules():
return software_deployments_policies
Loading…
Cancel
Save