Merge "[policy in code] part 5 (software-*)"
This commit is contained in:
commit
64fd0db4ac
|
@ -23,17 +23,5 @@
|
||||||
"cloudwatch:ListMetrics": "rule:deny_stack_user",
|
"cloudwatch:ListMetrics": "rule:deny_stack_user",
|
||||||
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
|
"cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
|
||||||
"cloudwatch:PutMetricData": "",
|
"cloudwatch:PutMetricData": "",
|
||||||
"cloudwatch:SetAlarmState": "rule:deny_stack_user",
|
"cloudwatch:SetAlarmState": "rule:deny_stack_user"
|
||||||
|
|
||||||
"software_configs:global_index": "rule:deny_everybody",
|
|
||||||
"software_configs:index": "rule:deny_stack_user",
|
|
||||||
"software_configs:create": "rule:deny_stack_user",
|
|
||||||
"software_configs:show": "rule:deny_stack_user",
|
|
||||||
"software_configs:delete": "rule:deny_stack_user",
|
|
||||||
"software_deployments:index": "rule:deny_stack_user",
|
|
||||||
"software_deployments:create": "rule:deny_stack_user",
|
|
||||||
"software_deployments:show": "rule:deny_stack_user",
|
|
||||||
"software_deployments:update": "rule:deny_stack_user",
|
|
||||||
"software_deployments:delete": "rule:deny_stack_user",
|
|
||||||
"software_deployments:metadata": ""
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -59,11 +59,11 @@ class SoftwareConfigController(object):
|
||||||
**params)
|
**params)
|
||||||
return {'software_configs': scs}
|
return {'software_configs': scs}
|
||||||
|
|
||||||
@util.policy_enforce
|
@util.registered_policy_enforce
|
||||||
def global_index(self, req):
|
def global_index(self, req):
|
||||||
return self._index(req, use_admin_cnxt=True)
|
return self._index(req, use_admin_cnxt=True)
|
||||||
|
|
||||||
@util.policy_enforce
|
@util.registered_policy_enforce
|
||||||
def index(self, req):
|
def index(self, req):
|
||||||
"""Lists summary information for all software configs."""
|
"""Lists summary information for all software configs."""
|
||||||
global_tenant = False
|
global_tenant = False
|
||||||
|
@ -78,14 +78,14 @@ class SoftwareConfigController(object):
|
||||||
|
|
||||||
return self._index(req)
|
return self._index(req)
|
||||||
|
|
||||||
@util.policy_enforce
|
@util.registered_policy_enforce
|
||||||
def show(self, req, config_id):
|
def show(self, req, config_id):
|
||||||
"""Gets detailed information for a software config."""
|
"""Gets detailed information for a software config."""
|
||||||
sc = self.rpc_client.show_software_config(
|
sc = self.rpc_client.show_software_config(
|
||||||
req.context, config_id)
|
req.context, config_id)
|
||||||
return {'software_config': sc}
|
return {'software_config': sc}
|
||||||
|
|
||||||
@util.policy_enforce
|
@util.registered_policy_enforce
|
||||||
def create(self, req, body):
|
def create(self, req, body):
|
||||||
"""Create a new software config."""
|
"""Create a new software config."""
|
||||||
create_data = {
|
create_data = {
|
||||||
|
@ -100,7 +100,7 @@ class SoftwareConfigController(object):
|
||||||
req.context, **create_data)
|
req.context, **create_data)
|
||||||
return {'software_config': sc}
|
return {'software_config': sc}
|
||||||
|
|
||||||
@util.policy_enforce
|
@util.registered_policy_enforce
|
||||||
def delete(self, req, config_id):
|
def delete(self, req, config_id):
|
||||||
"""Delete an existing software config."""
|
"""Delete an existing software config."""
|
||||||
res = self.rpc_client.delete_software_config(req.context, config_id)
|
res = self.rpc_client.delete_software_config(req.context, config_id)
|
||||||
|
|
|
@ -34,7 +34,7 @@ class SoftwareDeploymentController(object):
|
||||||
def default(self, req, **args):
|
def default(self, req, **args):
|
||||||
raise exc.HTTPNotFound()
|
raise exc.HTTPNotFound()
|
||||||
|
|
||||||
@util.policy_enforce
|
@util.registered_policy_enforce
|
||||||
def index(self, req):
|
def index(self, req):
|
||||||
"""List software deployments."""
|
"""List software deployments."""
|
||||||
whitelist = {
|
whitelist = {
|
||||||
|
@ -44,7 +44,7 @@ class SoftwareDeploymentController(object):
|
||||||
sds = self.rpc_client.list_software_deployments(req.context, **params)
|
sds = self.rpc_client.list_software_deployments(req.context, **params)
|
||||||
return {'software_deployments': sds}
|
return {'software_deployments': sds}
|
||||||
|
|
||||||
@util.policy_enforce
|
@util.registered_policy_enforce
|
||||||
def metadata(self, req, server_id):
|
def metadata(self, req, server_id):
|
||||||
"""List software deployments grouped by the group name.
|
"""List software deployments grouped by the group name.
|
||||||
|
|
||||||
|
@ -54,14 +54,14 @@ class SoftwareDeploymentController(object):
|
||||||
req.context, server_id=server_id)
|
req.context, server_id=server_id)
|
||||||
return {'metadata': sds}
|
return {'metadata': sds}
|
||||||
|
|
||||||
@util.policy_enforce
|
@util.registered_policy_enforce
|
||||||
def show(self, req, deployment_id):
|
def show(self, req, deployment_id):
|
||||||
"""Gets detailed information for a software deployment."""
|
"""Gets detailed information for a software deployment."""
|
||||||
sd = self.rpc_client.show_software_deployment(req.context,
|
sd = self.rpc_client.show_software_deployment(req.context,
|
||||||
deployment_id)
|
deployment_id)
|
||||||
return {'software_deployment': sd}
|
return {'software_deployment': sd}
|
||||||
|
|
||||||
@util.policy_enforce
|
@util.registered_policy_enforce
|
||||||
def create(self, req, body):
|
def create(self, req, body):
|
||||||
"""Create a new software deployment."""
|
"""Create a new software deployment."""
|
||||||
create_data = dict((k, body.get(k)) for k in (
|
create_data = dict((k, body.get(k)) for k in (
|
||||||
|
@ -72,7 +72,7 @@ class SoftwareDeploymentController(object):
|
||||||
**create_data)
|
**create_data)
|
||||||
return {'software_deployment': sd}
|
return {'software_deployment': sd}
|
||||||
|
|
||||||
@util.policy_enforce
|
@util.registered_policy_enforce
|
||||||
def update(self, req, deployment_id, body):
|
def update(self, req, deployment_id, body):
|
||||||
"""Update an existing software deployment."""
|
"""Update an existing software deployment."""
|
||||||
update_data = dict((k, body.get(k)) for k in (
|
update_data = dict((k, body.get(k)) for k in (
|
||||||
|
@ -84,7 +84,7 @@ class SoftwareDeploymentController(object):
|
||||||
**update_data)
|
**update_data)
|
||||||
return {'software_deployment': sd}
|
return {'software_deployment': sd}
|
||||||
|
|
||||||
@util.policy_enforce
|
@util.registered_policy_enforce
|
||||||
def delete(self, req, deployment_id):
|
def delete(self, req, deployment_id):
|
||||||
"""Delete an existing software deployment."""
|
"""Delete an existing software deployment."""
|
||||||
res = self.rpc_client.delete_software_deployment(req.context,
|
res = self.rpc_client.delete_software_deployment(req.context,
|
||||||
|
|
|
@ -20,6 +20,8 @@ from heat.policies import events
|
||||||
from heat.policies import resource
|
from heat.policies import resource
|
||||||
from heat.policies import resource_types
|
from heat.policies import resource_types
|
||||||
from heat.policies import service
|
from heat.policies import service
|
||||||
|
from heat.policies import software_configs
|
||||||
|
from heat.policies import software_deployments
|
||||||
from heat.policies import stacks
|
from heat.policies import stacks
|
||||||
|
|
||||||
|
|
||||||
|
@ -32,5 +34,7 @@ def list_rules():
|
||||||
resource.list_rules(),
|
resource.list_rules(),
|
||||||
resource_types.list_rules(),
|
resource_types.list_rules(),
|
||||||
service.list_rules(),
|
service.list_rules(),
|
||||||
|
software_configs.list_rules(),
|
||||||
|
software_deployments.list_rules(),
|
||||||
stacks.list_rules(),
|
stacks.list_rules(),
|
||||||
)
|
)
|
||||||
|
|
|
@ -0,0 +1,79 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from heat.policies import base
|
||||||
|
|
||||||
|
POLICY_ROOT = 'software_configs:%s'
|
||||||
|
|
||||||
|
software_configs_policies = [
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=POLICY_ROOT % 'global_index',
|
||||||
|
check_str=base.RULE_DENY_EVERYBODY,
|
||||||
|
description='List configs globally.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/{tenant_id}/software_configs',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=POLICY_ROOT % 'index',
|
||||||
|
check_str=base.RULE_DENY_STACK_USER,
|
||||||
|
description='List configs.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/{tenant_id}/software_configs',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=POLICY_ROOT % 'create',
|
||||||
|
check_str=base.RULE_DENY_STACK_USER,
|
||||||
|
description='Create config.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/{tenant_id}/software_configs',
|
||||||
|
'method': 'POST'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=POLICY_ROOT % 'show',
|
||||||
|
check_str=base.RULE_DENY_STACK_USER,
|
||||||
|
description='Show config details.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/{tenant_id}/software_configs/{config_id}',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=POLICY_ROOT % 'delete',
|
||||||
|
check_str=base.RULE_DENY_STACK_USER,
|
||||||
|
description='Delete config.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/{tenant_id}/software_configs/{config_id}',
|
||||||
|
'method': 'DELETE'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return software_configs_policies
|
|
@ -0,0 +1,91 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from heat.policies import base
|
||||||
|
|
||||||
|
POLICY_ROOT = 'software_deployments:%s'
|
||||||
|
|
||||||
|
software_deployments_policies = [
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=POLICY_ROOT % 'index',
|
||||||
|
check_str=base.RULE_DENY_STACK_USER,
|
||||||
|
description='List deployments.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/{tenant_id}/software_deployments',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=POLICY_ROOT % 'create',
|
||||||
|
check_str=base.RULE_DENY_STACK_USER,
|
||||||
|
description='Create deployment.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/{tenant_id}/software_deployments',
|
||||||
|
'method': 'POST'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=POLICY_ROOT % 'show',
|
||||||
|
check_str=base.RULE_DENY_STACK_USER,
|
||||||
|
description='Show deployment details.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=POLICY_ROOT % 'update',
|
||||||
|
check_str=base.RULE_DENY_STACK_USER,
|
||||||
|
description='Update deployment.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
|
||||||
|
'method': 'PUT'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=POLICY_ROOT % 'delete',
|
||||||
|
check_str=base.RULE_DENY_STACK_USER,
|
||||||
|
description='Delete deployment.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/{tenant_id}/software_deployments/{deployment_id}',
|
||||||
|
'method': 'DELETE'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=POLICY_ROOT % 'metadata',
|
||||||
|
check_str=base.RULE_ALLOW_EVERYBODY,
|
||||||
|
description='Show server configuration metadata.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/{tenant_id}/software_deployments/metadata/'
|
||||||
|
'{server_id}',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return software_deployments_policies
|
Loading…
Reference in New Issue