Merge "[policy in code] part 5 (software-*)"

2017-12-12 21:28:03 +00:00 · 2017-12-12 21:28:03 +00:00 · 64fd0db4ac
parent d03514e3c8 0e45db46ba
commit 64fd0db4ac
6 changed files with 186 additions and 24 deletions
--- a/etc/heat/policy.json
+++ b/etc/heat/policy.json
@ -23,17 +23,5 @@
    "cloudwatch:ListMetrics": "rule:deny_stack_user",
    "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
    "cloudwatch:PutMetricData": "",
-    "cloudwatch:SetAlarmState": "rule:deny_stack_user",
-
-    "software_configs:global_index": "rule:deny_everybody",
-    "software_configs:index": "rule:deny_stack_user",
-    "software_configs:create": "rule:deny_stack_user",
-    "software_configs:show": "rule:deny_stack_user",
-    "software_configs:delete": "rule:deny_stack_user",
-    "software_deployments:index": "rule:deny_stack_user",
-    "software_deployments:create": "rule:deny_stack_user",
-    "software_deployments:show": "rule:deny_stack_user",
-    "software_deployments:update": "rule:deny_stack_user",
-    "software_deployments:delete": "rule:deny_stack_user",
-    "software_deployments:metadata": ""
+    "cloudwatch:SetAlarmState": "rule:deny_stack_user"
 }
--- a/heat/api/openstack/v1/software_configs.py
+++ b/heat/api/openstack/v1/software_configs.py
@ -59,11 +59,11 @@ class SoftwareConfigController(object):
                                                    **params)
        return {'software_configs': scs}

-    @util.policy_enforce
+    @util.registered_policy_enforce
    def global_index(self, req):
        return self._index(req, use_admin_cnxt=True)

-    @util.policy_enforce
+    @util.registered_policy_enforce
    def index(self, req):
        """Lists summary information for all software configs."""
        global_tenant = False
@ -78,14 +78,14 @@ class SoftwareConfigController(object):

        return self._index(req)

-    @util.policy_enforce
+    @util.registered_policy_enforce
    def show(self, req, config_id):
        """Gets detailed information for a software config."""
        sc = self.rpc_client.show_software_config(
            req.context, config_id)
        return {'software_config': sc}

-    @util.policy_enforce
+    @util.registered_policy_enforce
    def create(self, req, body):
        """Create a new software config."""
        create_data = {
@ -100,7 +100,7 @@ class SoftwareConfigController(object):
            req.context, **create_data)
        return {'software_config': sc}

-    @util.policy_enforce
+    @util.registered_policy_enforce
    def delete(self, req, config_id):
        """Delete an existing software config."""
        res = self.rpc_client.delete_software_config(req.context, config_id)
--- a/heat/api/openstack/v1/software_deployments.py
+++ b/heat/api/openstack/v1/software_deployments.py
@ -34,7 +34,7 @@ class SoftwareDeploymentController(object):
    def default(self, req, **args):
        raise exc.HTTPNotFound()

-    @util.policy_enforce
+    @util.registered_policy_enforce
    def index(self, req):
        """List software deployments."""
        whitelist = {
@ -44,7 +44,7 @@ class SoftwareDeploymentController(object):
        sds = self.rpc_client.list_software_deployments(req.context, **params)
        return {'software_deployments': sds}

-    @util.policy_enforce
+    @util.registered_policy_enforce
    def metadata(self, req, server_id):
        """List software deployments grouped by the group name.

@ -54,14 +54,14 @@ class SoftwareDeploymentController(object):
            req.context, server_id=server_id)
        return {'metadata': sds}

-    @util.policy_enforce
+    @util.registered_policy_enforce
    def show(self, req, deployment_id):
        """Gets detailed information for a software deployment."""
        sd = self.rpc_client.show_software_deployment(req.context,
                                                      deployment_id)
        return {'software_deployment': sd}

-    @util.policy_enforce
+    @util.registered_policy_enforce
    def create(self, req, body):
        """Create a new software deployment."""
        create_data = dict((k, body.get(k)) for k in (
@ -72,7 +72,7 @@ class SoftwareDeploymentController(object):
                                                        **create_data)
        return {'software_deployment': sd}

-    @util.policy_enforce
+    @util.registered_policy_enforce
    def update(self, req, deployment_id, body):
        """Update an existing software deployment."""
        update_data = dict((k, body.get(k)) for k in (
@ -84,7 +84,7 @@ class SoftwareDeploymentController(object):
                                                        **update_data)
        return {'software_deployment': sd}

-    @util.policy_enforce
+    @util.registered_policy_enforce
    def delete(self, req, deployment_id):
        """Delete an existing software deployment."""
        res = self.rpc_client.delete_software_deployment(req.context,
--- a/heat/policies/init.py
+++ b/heat/policies/init.py
@ -20,6 +20,8 @@ from heat.policies import events
 from heat.policies import resource
 from heat.policies import resource_types
 from heat.policies import service
+from heat.policies import software_configs
+from heat.policies import software_deployments
 from heat.policies import stacks


@ -32,5 +34,7 @@ def list_rules():
        resource.list_rules(),
        resource_types.list_rules(),
        service.list_rules(),
+        software_configs.list_rules(),
+        software_deployments.list_rules(),
        stacks.list_rules(),
    )
--- a/heat/policies/software_configs.py
+++ b/heat/policies/software_configs.py
@ -0,0 +1,79 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from heat.policies import base
+
+POLICY_ROOT = 'software_configs:%s'
+
+software_configs_policies = [
+    policy.DocumentedRuleDefault(
+        name=POLICY_ROOT % 'global_index',
+        check_str=base.RULE_DENY_EVERYBODY,
+        description='List configs globally.',
+        operations=[
+            {
+                'path': '/v1/{tenant_id}/software_configs',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=POLICY_ROOT % 'index',
+        check_str=base.RULE_DENY_STACK_USER,
+        description='List configs.',
+        operations=[
+            {
+                'path': '/v1/{tenant_id}/software_configs',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=POLICY_ROOT % 'create',
+        check_str=base.RULE_DENY_STACK_USER,
+        description='Create config.',
+        operations=[
+            {
+                'path': '/v1/{tenant_id}/software_configs',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_DENY_STACK_USER,
+        description='Show config details.',
+        operations=[
+            {
+                'path': '/v1/{tenant_id}/software_configs/{config_id}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=POLICY_ROOT % 'delete',
+        check_str=base.RULE_DENY_STACK_USER,
+        description='Delete config.',
+        operations=[
+            {
+                'path': '/v1/{tenant_id}/software_configs/{config_id}',
+                'method': 'DELETE'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return software_configs_policies
--- a/heat/policies/software_deployments.py
+++ b/heat/policies/software_deployments.py
@ -0,0 +1,91 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from heat.policies import base
+
+POLICY_ROOT = 'software_deployments:%s'
+
+software_deployments_policies = [
+    policy.DocumentedRuleDefault(
+        name=POLICY_ROOT % 'index',
+        check_str=base.RULE_DENY_STACK_USER,
+        description='List deployments.',
+        operations=[
+            {
+                'path': '/v1/{tenant_id}/software_deployments',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=POLICY_ROOT % 'create',
+        check_str=base.RULE_DENY_STACK_USER,
+        description='Create deployment.',
+        operations=[
+            {
+                'path': '/v1/{tenant_id}/software_deployments',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_DENY_STACK_USER,
+        description='Show deployment details.',
+        operations=[
+            {
+                'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=POLICY_ROOT % 'update',
+        check_str=base.RULE_DENY_STACK_USER,
+        description='Update deployment.',
+        operations=[
+            {
+                'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
+                'method': 'PUT'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=POLICY_ROOT % 'delete',
+        check_str=base.RULE_DENY_STACK_USER,
+        description='Delete deployment.',
+        operations=[
+            {
+                'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=POLICY_ROOT % 'metadata',
+        check_str=base.RULE_ALLOW_EVERYBODY,
+        description='Show server configuration metadata.',
+        operations=[
+            {
+                'path': '/v1/{tenant_id}/software_deployments/metadata/'
+                '{server_id}',
+                'method': 'GET'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return software_deployments_policies