openstack
/
karbor
Code Issues Proposed changes

Add default policy in code for the scheduled operation resource 

Leverage oslo.policy to register default policies in the
code. Administrator only need to update the specified
policy in the config file.

Change-Id: I049aac17063543d3c32bd193e9c81fb0da26d79f
Partial-Implements: blueprint policy-in-code
This commit is contained in:
chenying 2017-09-28 19:32:56 +08:00
parent 6afc133e7a
commit 2c08b82537
6 changed files with 81 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
etc/policy.json
View File

@ -1,9 +1,4 @@
{
"scheduled_operation:create": "",
"scheduled_operation:delete": "rule:admin_or_owner",
"scheduled_operation:get": "rule:admin_or_owner",
"scheduled_operation:list": "",
"operation_log:get": "rule:admin_or_owner",
"operation_log:get_all": "rule:admin_or_owner"
}

15
karbor/api/v1/scheduled_operations.py
View File

@ -21,18 +21,13 @@ from karbor.api.openstack import wsgi
from karbor import exception
from karbor.i18n import _
from karbor import objects
from karbor import policy
from karbor.policies import scheduled_operations as scheduled_operation_policy
from karbor.services.operationengine import api as operationengine_api
from karbor import utils
LOG = logging.getLogger(__name__)
def check_policy(context, action, target_obj=None):
_action = 'scheduled_operation:%s' % action
policy.enforce(context, _action, target_obj)
class ScheduledOperationViewBuilder(common.ViewBuilder):
"""Model a server API response as a python dictionary."""
@ -92,7 +87,7 @@ class ScheduledOperationController(wsgi.Controller):
LOG.debug('Create a scheduled operation, request body: %s', body)
context = req.environ['karbor.context']
check_policy(context, 'create')
context.can(scheduled_operation_policy.CREATE_POLICY)
operation_info = body['scheduled_operation']
name = operation_info.get("name", None)
@ -148,7 +143,7 @@ class ScheduledOperationController(wsgi.Controller):
operation = self._get_operation_by_id(context, id, ['trigger'])
trigger = operation.trigger
check_policy(context, 'delete', operation)
context.can(scheduled_operation_policy.DELETE_POLICY, operation)
try:
self.operationengine_api.delete_scheduled_operation(
@ -168,7 +163,7 @@ class ScheduledOperationController(wsgi.Controller):
context = req.environ['karbor.context']
operation = self._get_operation_by_id(context, id)
check_policy(context, 'get', operation)
context.can(scheduled_operation_policy.GET_POLICY, operation)
return self._view_builder.detail(req, operation)
@ -176,7 +171,7 @@ class ScheduledOperationController(wsgi.Controller):
"""Returns a list of operations, transformed through view builder."""
context = req.environ['karbor.context']
check_policy(context, 'list')
context.can(scheduled_operation_policy.GET_ALL_POLICY)
params = req.params.copy()
LOG.debug('List scheduled operation start, params=%s', params)

2
karbor/policies/__init__.py
View File

@ -19,6 +19,7 @@ from karbor.policies import plans
from karbor.policies import protectables
from karbor.policies import providers
from karbor.policies import restores
from karbor.policies import scheduled_operations
from karbor.policies import triggers
@ -30,4 +31,5 @@ def list_rules():
protectables.list_rules(),
providers.list_rules(),
triggers.list_rules(),
scheduled_operations.list_rules(),
)

71
karbor/policies/scheduled_operations.py Normal file
View File

@ -0,0 +1,71 @@
# Copyright (c) 2017 Huawei Technologies Co., Ltd.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from karbor.policies import base
CREATE_POLICY = 'scheduled_operation:create'
DELETE_POLICY = 'scheduled_operation:delete'
GET_POLICY = 'scheduled_operation:get'
GET_ALL_POLICY = 'scheduled_operation:list'
scheduled_operations_policies = [
policy.DocumentedRuleDefault(
name=CREATE_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""Create a scheduled_operation.""",
operations=[
{
'method': 'POST',
'path': '/scheduled_operations'
}
]),
policy.DocumentedRuleDefault(
name=DELETE_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""Delete a scheduled_operation.""",
operations=[
{
'method': 'DELETE',
'path': '/scheduled_operations/{scheduled_operation_id}'
}
]),
policy.DocumentedRuleDefault(
name=GET_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""Get a scheduled_operation.""",
operations=[
{
'method': 'GET',
'path': '/scheduled_operations/{scheduled_operation_id}'
}
]),
policy.DocumentedRuleDefault(
name=GET_ALL_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""Get scheduled_operations.""",
operations=[
{
'method': 'GET',
'path': '/scheduled_operations'
}
]),
]
def list_rules():
return scheduled_operations_policies

2
karbor/policy.py
View File

@ -183,7 +183,7 @@ def authorize(context, action, target, do_raise=True, exc=None):
LOG.exception('Policy not registered')
except Exception:
with excutils.save_and_reraise_exception():
LOG.debug('Policy check for %(action)s failed with credentials '
LOG.error('Policy check for %(action)s failed with credentials '
'%(credentials)s',
{'action': action, 'credentials': credentials})
return result

2
karbor/tests/unit/api/v1/test_scheduled_operation.py
View File

@ -63,6 +63,8 @@ class ScheduledOperationApiTest(base.TestCase):
"provider_id": self._plan['provider_id']
},
}
self.mock_policy_check = self.mock_object(
context.RequestContext, 'can')
def test_create_operation_InvalidBody(self):
self.assertRaises(exc.HTTPUnprocessableEntity,