openstack
/
heat
Code Issues Proposed changes

[policy in code] part 5 (software-*) 

Add software_deployments rules, software_configs rules.
Partially-Implements: bp policy-in-code

Change-Id: If0c98ffcfceae395ab2443356aea3904edaf7b4e
This commit is contained in:
ricolin 2017-10-06 18:47:08 +08:00 committed by Dai Dang Van
parent dc25b6911f
commit 0e45db46ba
6 changed files with 186 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
etc/heat/policy.json
View File

@ -23,17 +23,5 @@
"cloudwatch:ListMetrics": "rule:deny_stack_user", "cloudwatch:ListMetrics": "rule:deny_stack_user",
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user", "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
"cloudwatch:PutMetricData": "", "cloudwatch:PutMetricData": "",
"cloudwatch:SetAlarmState": "rule:deny_stack_user", "cloudwatch:SetAlarmState": "rule:deny_stack_user"
"software_configs:global_index": "rule:deny_everybody",
"software_configs:index": "rule:deny_stack_user",
"software_configs:create": "rule:deny_stack_user",
"software_configs:show": "rule:deny_stack_user",
"software_configs:delete": "rule:deny_stack_user",
"software_deployments:index": "rule:deny_stack_user",
"software_deployments:create": "rule:deny_stack_user",
"software_deployments:show": "rule:deny_stack_user",
"software_deployments:update": "rule:deny_stack_user",
"software_deployments:delete": "rule:deny_stack_user",
"software_deployments:metadata": ""
} }

10
heat/api/openstack/v1/software_configs.py
View File

@ -59,11 +59,11 @@ class SoftwareConfigController(object):
**params) **params)
return {'software_configs': scs} return {'software_configs': scs}
@util.policy_enforce @util.registered_policy_enforce
def global_index(self, req): def global_index(self, req):
return self._index(req, use_admin_cnxt=True) return self._index(req, use_admin_cnxt=True)
@util.policy_enforce @util.registered_policy_enforce
def index(self, req): def index(self, req):
"""Lists summary information for all software configs.""" """Lists summary information for all software configs."""
global_tenant = False global_tenant = False
@ -78,14 +78,14 @@ class SoftwareConfigController(object):
return self._index(req) return self._index(req)
@util.policy_enforce @util.registered_policy_enforce
def show(self, req, config_id): def show(self, req, config_id):
"""Gets detailed information for a software config.""" """Gets detailed information for a software config."""
sc = self.rpc_client.show_software_config( sc = self.rpc_client.show_software_config(
req.context, config_id) req.context, config_id)
return {'software_config': sc} return {'software_config': sc}
@util.policy_enforce @util.registered_policy_enforce
def create(self, req, body): def create(self, req, body):
"""Create a new software config.""" """Create a new software config."""
create_data = { create_data = {
@ -100,7 +100,7 @@ class SoftwareConfigController(object):
req.context, **create_data) req.context, **create_data)
return {'software_config': sc} return {'software_config': sc}
@util.policy_enforce @util.registered_policy_enforce
def delete(self, req, config_id): def delete(self, req, config_id):
"""Delete an existing software config.""" """Delete an existing software config."""
res = self.rpc_client.delete_software_config(req.context, config_id) res = self.rpc_client.delete_software_config(req.context, config_id)

12
heat/api/openstack/v1/software_deployments.py
View File

@ -34,7 +34,7 @@ class SoftwareDeploymentController(object):
def default(self, req, **args): def default(self, req, **args):
raise exc.HTTPNotFound() raise exc.HTTPNotFound()
@util.policy_enforce @util.registered_policy_enforce
def index(self, req): def index(self, req):
"""List software deployments.""" """List software deployments."""
whitelist = { whitelist = {
@ -44,7 +44,7 @@ class SoftwareDeploymentController(object):
sds = self.rpc_client.list_software_deployments(req.context, **params) sds = self.rpc_client.list_software_deployments(req.context, **params)
return {'software_deployments': sds} return {'software_deployments': sds}
@util.policy_enforce @util.registered_policy_enforce
def metadata(self, req, server_id): def metadata(self, req, server_id):
"""List software deployments grouped by the group name. """List software deployments grouped by the group name.
@ -54,14 +54,14 @@ class SoftwareDeploymentController(object):
req.context, server_id=server_id) req.context, server_id=server_id)
return {'metadata': sds} return {'metadata': sds}
@util.policy_enforce @util.registered_policy_enforce
def show(self, req, deployment_id): def show(self, req, deployment_id):
"""Gets detailed information for a software deployment.""" """Gets detailed information for a software deployment."""
sd = self.rpc_client.show_software_deployment(req.context, sd = self.rpc_client.show_software_deployment(req.context,
deployment_id) deployment_id)
return {'software_deployment': sd} return {'software_deployment': sd}
@util.policy_enforce @util.registered_policy_enforce
def create(self, req, body): def create(self, req, body):
"""Create a new software deployment.""" """Create a new software deployment."""
create_data = dict((k, body.get(k)) for k in ( create_data = dict((k, body.get(k)) for k in (
@ -72,7 +72,7 @@ class SoftwareDeploymentController(object):
**create_data) **create_data)
return {'software_deployment': sd} return {'software_deployment': sd}
@util.policy_enforce @util.registered_policy_enforce
def update(self, req, deployment_id, body): def update(self, req, deployment_id, body):
"""Update an existing software deployment.""" """Update an existing software deployment."""
update_data = dict((k, body.get(k)) for k in ( update_data = dict((k, body.get(k)) for k in (
@ -84,7 +84,7 @@ class SoftwareDeploymentController(object):
**update_data) **update_data)
return {'software_deployment': sd} return {'software_deployment': sd}
@util.policy_enforce @util.registered_policy_enforce
def delete(self, req, deployment_id): def delete(self, req, deployment_id):
"""Delete an existing software deployment.""" """Delete an existing software deployment."""
res = self.rpc_client.delete_software_deployment(req.context, res = self.rpc_client.delete_software_deployment(req.context,

4
heat/policies/__init__.py
View File

@ -20,6 +20,8 @@ from heat.policies import events
from heat.policies import resource from heat.policies import resource
from heat.policies import resource_types from heat.policies import resource_types
from heat.policies import service from heat.policies import service
from heat.policies import software_configs
from heat.policies import software_deployments
from heat.policies import stacks from heat.policies import stacks
@ -32,5 +34,7 @@ def list_rules():
resource.list_rules(), resource.list_rules(),
resource_types.list_rules(), resource_types.list_rules(),
service.list_rules(), service.list_rules(),
software_configs.list_rules(),
software_deployments.list_rules(),
stacks.list_rules(), stacks.list_rules(),
) )

79
heat/policies/software_configs.py Normal file
View File

@ -0,0 +1,79 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from heat.policies import base
POLICY_ROOT = 'software_configs:%s'
software_configs_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'global_index',
check_str=base.RULE_DENY_EVERYBODY,
description='List configs globally.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.RULE_DENY_STACK_USER,
description='List configs.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.RULE_DENY_STACK_USER,
description='Create config.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.RULE_DENY_STACK_USER,
description='Show config details.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs/{config_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.RULE_DENY_STACK_USER,
description='Delete config.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs/{config_id}',
'method': 'DELETE'
}
]
)
]
def list_rules():
return software_configs_policies

91
heat/policies/software_deployments.py Normal file
View File

@ -0,0 +1,91 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from heat.policies import base
POLICY_ROOT = 'software_deployments:%s'
software_deployments_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.RULE_DENY_STACK_USER,
description='List deployments.',
operations=[
{
'path': '/v1/{tenant_id}/software_deployments',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.RULE_DENY_STACK_USER,
description='Create deployment.',
operations=[
{
'path': '/v1/{tenant_id}/software_deployments',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.RULE_DENY_STACK_USER,
description='Show deployment details.',
operations=[
{
'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
check_str=base.RULE_DENY_STACK_USER,
description='Update deployment.',
operations=[
{
'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
'method': 'PUT'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.RULE_DENY_STACK_USER,
description='Delete deployment.',
operations=[
{
'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'metadata',
check_str=base.RULE_ALLOW_EVERYBODY,
description='Show server configuration metadata.',
operations=[
{
'path': '/v1/{tenant_id}/software_deployments/metadata/'
'{server_id}',
'method': 'GET'
}
]
)
]
def list_rules():
return software_deployments_policies