diff --git a/etc/heat/policy.json b/etc/heat/policy.json
index 4ecac36d1c..026ab9e0aa 100644
--- a/etc/heat/policy.json
+++ b/etc/heat/policy.json
@@ -23,17 +23,5 @@
 "cloudwatch:ListMetrics": "rule:deny_stack_user",
 "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
 "cloudwatch:PutMetricData": "",
- "cloudwatch:SetAlarmState": "rule:deny_stack_user",
-
- "software_configs:global_index": "rule:deny_everybody",
- "software_configs:index": "rule:deny_stack_user",
- "software_configs:create": "rule:deny_stack_user",
- "software_configs:show": "rule:deny_stack_user",
- "software_configs:delete": "rule:deny_stack_user",
- "software_deployments:index": "rule:deny_stack_user",
- "software_deployments:create": "rule:deny_stack_user",
- "software_deployments:show": "rule:deny_stack_user",
- "software_deployments:update": "rule:deny_stack_user",
- "software_deployments:delete": "rule:deny_stack_user",
- "software_deployments:metadata": ""
+ "cloudwatch:SetAlarmState": "rule:deny_stack_user"
 }
diff --git a/heat/api/openstack/v1/software_configs.py b/heat/api/openstack/v1/software_configs.py
index fc31f16c02..9724f02485 100644
--- a/heat/api/openstack/v1/software_configs.py
+++ b/heat/api/openstack/v1/software_configs.py
@@ -59,11 +59,11 @@ class SoftwareConfigController(object):
 **params)
 return {'software_configs': scs}
 
- @util.policy_enforce
+ @util.registered_policy_enforce
 def global_index(self, req):
 return self._index(req, use_admin_cnxt=True)
 
- @util.policy_enforce
+ @util.registered_policy_enforce
 def index(self, req):
 """Lists summary information for all software configs."""
 global_tenant = False
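Review bot: The switch from `util.policy_enforce` to `util.registered_policy_enforce` on `global_index` and `index` ties each action to a rule that must exist in heat/policies/software_configs.py, and nothing in the controller records that coupling; the same applies to the `show`, `create` and `delete` hunks below and to every hunk in heat/api/openstack/v1/software_deployments.py. Presumably an action whose `software_configs:<action>` name has no registered default now fails enforcement instead of falling back to the policy.json entry — confirm against the decorator, which is not on this page. A class-level comment, `# Every action here uses registered_policy_enforce: its method name must have a matching rule in heat/policies/software_configs.py`, would make the invariant visible, and a unit test asserting that each decorated action name appears in `software_configs.list_rules()` would keep the two files from drifting. The class bodies continue outside these hunks.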
@@ -78,14 +78,14 @@ class SoftwareConfigController(object):
 
 return self._index(req)
 
- @util.policy_enforce
+ @util.registered_policy_enforce
 def show(self, req, config_id):
 """Gets detailed information for a software config."""
 sc = self.rpc_client.show_software_config(
 req.context, config_id)
 return {'software_config': sc}
 
- @util.policy_enforce
+ @util.registered_policy_enforce
 def create(self, req, body):
 """Create a new software config."""
 create_data = {
@@ -100,7 +100,7 @@ class SoftwareConfigController(object):
 req.context, **create_data)
 return {'software_config': sc}
 
- @util.policy_enforce
+ @util.registered_policy_enforce
 def delete(self, req, config_id):
 """Delete an existing software config."""
 res = self.rpc_client.delete_software_config(req.context, config_id)
diff --git a/heat/api/openstack/v1/software_deployments.py b/heat/api/openstack/v1/software_deployments.py
index 369383bc48..99aca57858 100644
--- a/heat/api/openstack/v1/software_deployments.py
+++ b/heat/api/openstack/v1/software_deployments.py
@@ -34,7 +34,7 @@ class SoftwareDeploymentController(object):
 def default(self, req, **args):
 raise exc.HTTPNotFound()
 
- @util.policy_enforce
+ @util.registered_policy_enforce
 def index(self, req):
 """List software deployments."""
 whitelist = {
@@ -44,7 +44,7 @@ class SoftwareDeploymentController(object):
 sds = self.rpc_client.list_software_deployments(req.context, **params)
 return {'software_deployments': sds}
 
- @util.policy_enforce
+ @util.registered_policy_enforce
 def metadata(self, req, server_id):
 """List software deployments grouped by the group name.
 
@@ -54,14 +54,14 @@ class SoftwareDeploymentController(object):
 req.context, server_id=server_id)
 return {'metadata': sds}
 
- @util.policy_enforce
+ @util.registered_policy_enforce
 def show(self, req, deployment_id):
 """Gets detailed information for a software deployment."""
 sd = self.rpc_client.show_software_deployment(req.context,
 deployment_id)
 return {'software_deployment': sd}
 
- @util.policy_enforce
+ @util.registered_policy_enforce
 def create(self, req, body):
 """Create a new software deployment."""
 create_data = dict((k, body.get(k)) for k in (
@@ -72,7 +72,7 @@ class SoftwareDeploymentController(object):
 **create_data)
 return {'software_deployment': sd}
 
- @util.policy_enforce
+ @util.registered_policy_enforce
 def update(self, req, deployment_id, body):
 """Update an existing software deployment."""
 update_data = dict((k, body.get(k)) for k in (
@@ -84,7 +84,7 @@ class SoftwareDeploymentController(object):
 **update_data)
 return {'software_deployment': sd}
 
- @util.policy_enforce
+ @util.registered_policy_enforce
 def delete(self, req, deployment_id):
 """Delete an existing software deployment."""
 res = self.rpc_client.delete_software_deployment(req.context,
diff --git a/heat/policies/__init__.py b/heat/policies/__init__.py
index 1826d792cf..b11043c454 100644
--- a/heat/policies/__init__.py
+++ b/heat/policies/__init__.py
@@ -20,6 +20,8 @@ from heat.policies import events
 from heat.policies import resource
 from heat.policies import resource_types
 from heat.policies import service
+from heat.policies import software_configs
+from heat.policies import software_deployments
 from heat.policies import stacks
 
 
@@ -32,5 +34,7 @@ def list_rules():
 resource.list_rules(),
 resource_types.list_rules(),
 service.list_rules(),
+ software_configs.list_rules(),
+ software_deployments.list_rules(),
 stacks.list_rules(),
 )
diff --git a/heat/policies/software_configs.py b/heat/policies/software_configs.py
new file mode 100644
index 0000000000..72f6f2c996
--- /dev/null
+++ b/heat/policies/software_configs.py 
@@ -0,0 +1,79 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from heat.policies import base
+
+POLICY_ROOT = 'software_configs:%s'
+
+software_configs_policies = [
+ policy.DocumentedRuleDefault(
+ name=POLICY_ROOT % 'global_index',
+ check_str=base.RULE_DENY_EVERYBODY,
+ description='List configs globally.',
+ operations=[
+ {
+ 'path': '/v1/{tenant_id}/software_configs',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_DENY_STACK_USER,
+ description='List configs.',
+ operations=[
+ {
+ 'path': '/v1/{tenant_id}/software_configs',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=POLICY_ROOT % 'create',
+ check_str=base.RULE_DENY_STACK_USER,
+ description='Create config.',
+ operations=[
+ {
+ 'path': '/v1/{tenant_id}/software_configs',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_DENY_STACK_USER,
+ description='Show config details.',
+ operations=[
+ {
+ 'path': '/v1/{tenant_id}/software_configs/{config_id}',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=POLICY_ROOT % 'delete',
+ check_str=base.RULE_DENY_STACK_USER,
+ description='Delete config.',
+ operations=[
+ {
+ 'path': '/v1/{tenant_id}/software_configs/{config_id}',
+ 'method': 'DELETE'
+ }
+ ]
+ )
+]
+
+
+def list_rules():
+ return software_configs_policies
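Review bot: The `global_index` and `index` rules document the identical operation (`GET /v1/{tenant_id}/software_configs`), so generated policy documentation will not tell an operator which request the `RULE_DENY_EVERYBODY` default actually gates; presumably the global listing is selected by the `global_tenant` flag visible in the controller hunk rather than by a distinct path — confirm. Carrying that distinction in the descriptions, e.g. `description='List configs across all tenants (admin context).'` for `global_index` and `description='List configs in the current tenant.'` for `index`, keeps the two rules distinguishable in sample policy output. This matters because `global_index` is the only rule in the file that defaults to deny-everybody, and an operator relaxing it should be able to see from the docs what that opens.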
diff --git a/heat/policies/software_deployments.py b/heat/policies/software_deployments.py
new file mode 100644
index 0000000000..05f73d5867
--- /dev/null
+++ b/heat/policies/software_deployments.py
@@ -0,0 +1,91 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from heat.policies import base
+
+POLICY_ROOT = 'software_deployments:%s'
+
+software_deployments_policies = [
+ policy.DocumentedRuleDefault(
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_DENY_STACK_USER,
+ description='List deployments.',
+ operations=[
+ {
+ 'path': '/v1/{tenant_id}/software_deployments',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=POLICY_ROOT % 'create',
+ check_str=base.RULE_DENY_STACK_USER,
+ description='Create deployment.',
+ operations=[
+ {
+ 'path': '/v1/{tenant_id}/software_deployments',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_DENY_STACK_USER,
+ description='Show deployment details.',
+ operations=[
+ {
+ 'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=POLICY_ROOT % 'update',
+ check_str=base.RULE_DENY_STACK_USER,
+ description='Update deployment.',
+ operations=[
+ {
+ 'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
+ 'method': 'PUT'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=POLICY_ROOT % 'delete',
+ check_str=base.RULE_DENY_STACK_USER,
+ description='Delete deployment.',
+ operations=[
+ {
+ 'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
+ 'method': 'DELETE'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=POLICY_ROOT % 'metadata',
+ check_str=base.RULE_ALLOW_EVERYBODY,
+ description='Show server configuration metadata.',
+ operations=[
+ {
+ 'path': '/v1/{tenant_id}/software_deployments/metadata/'
+ '{server_id}',
+ 'method': 'GET'
+ }
+ ]
+ )
+]
+
+
+def list_rules():
+ return software_deployments_policies
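Review bot: The `metadata` rule is the only one in this file with `check_str=base.RULE_ALLOW_EVERYBODY`, reversing the `RULE_DENY_STACK_USER` default of every other rule, and neither the description nor a comment says why the exception is intended. It mirrors the `"software_deployments:metadata": ""` entry removed from etc/heat/policy.json, and presumably exists so that stack-user credentials used from inside a server can read that server's own deployment metadata — confirm before documenting it. Once confirmed, a comment above the rule along the lines of `# Intentionally open to stack users: agents on the server read their own deployment metadata here` (or folding that reason into the description) would stop a later cleanup from "correcting" it to deny_stack_user and make the asymmetry visible in generated policy docs.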