Merge "Add default policy in code for the operation log resource"

2017-10-13 06:19:38 +00:00 · 2017-10-13 06:19:38 +00:00 · e3a9dd30dc
parent 6cb8bc582e 5f69bb846c
commit e3a9dd30dc
6 changed files with 61 additions and 27 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -121,7 +121,11 @@ function configure_karbor {

        cp $KARBOR_DIR/etc/karbor.conf $KARBOR_CONF
        cp $KARBOR_DIR/etc/api-paste.ini $KARBOR_CONF_DIR
-        cp $KARBOR_DIR/etc/policy.json $KARBOR_CONF_DIR
+
+        if [[ -f $KARBOR_DIR/etc/policy.json ]]; then
+            cp $KARBOR_DIR/etc/policy.json $KARBOR_CONF_DIR
+        fi
+
        cp -R $KARBOR_DIR/etc/providers.d $KARBOR_CONF_DIR
        cp $KARBOR_DIR/devstack/providers.d/* $KARBOR_CONF_DIR/providers.d

--- a/etc/policy.json
+++ b/etc/policy.json
@ -1,4 +0,0 @@
-{
-    "operation_log:get": "rule:admin_or_owner",
-    "operation_log:get_all": "rule:admin_or_owner"
-}
--- a/karbor/api/v1/operation_logs.py
+++ b/karbor/api/v1/operation_logs.py
@ -18,15 +18,13 @@ from oslo_utils import uuidutils

 from webob import exc

-import karbor
 from karbor.api import common
 from karbor.api.openstack import wsgi
 from karbor import exception
 from karbor.i18n import _

 from karbor import objects
-from karbor.objects import base as objects_base
-import karbor.policy
+from karbor.policies import operation_logs as operation_log_policy
 from karbor.services.operationengine import api as operationengine_api
 from karbor.services.protection import api as protection_api
 from karbor import utils
@ -47,23 +45,6 @@ CONF.register_opt(query_operation_log_filters_opt)
 LOG = logging.getLogger(__name__)


-def check_policy(context, action, target_obj=None):
-    target = {
-        'project_id': context.project_id,
-        'user_id': context.user_id,
-    }
-
-    if isinstance(target_obj, objects_base.KarborObject):
-        # Turn object into dict so target.update can work
-        target.update(
-            target_obj.obj_to_primitive() or {})
-    else:
-        target.update(target_obj or {})
-
-    _action = 'operation_log:%s' % action
-    karbor.policy.enforce(context, _action, target)
-
-
 class OperationLogViewBuilder(common.ViewBuilder):
    """Model a server API response as a python dictionary."""

@ -181,7 +162,7 @@ class OperationLogsController(wsgi.Controller):

    def _get_all(self, context, marker=None, limit=None, sort_keys=None,
                 sort_dirs=None, filters=None, offset=None):
-        check_policy(context, 'get_all')
+        context.can(operation_log_policy.GET_ALL_POLICY)

        if filters is None:
            filters = {}
@ -231,7 +212,7 @@ class OperationLogsController(wsgi.Controller):
        operation_log = objects.OperationLog.get_by_id(
            context, operation_log_id)
        try:
-            check_policy(context, 'get', operation_log)
+            context.can(operation_log_policy.GET_POLICY, operation_log)
        except exception.PolicyNotAuthorized:
            raise exception.OperationLogFound(
                operation_log_id=operation_log_id)
--- a/karbor/policies/init.py
+++ b/karbor/policies/init.py
@ -15,6 +15,7 @@
 import itertools

 from karbor.policies import base
+from karbor.policies import operation_logs
 from karbor.policies import plans
 from karbor.policies import protectables
 from karbor.policies import providers
@ -32,4 +33,5 @@ def list_rules():
        providers.list_rules(),
        triggers.list_rules(),
        scheduled_operations.list_rules(),
+        operation_logs.list_rules(),
    )
--- a/karbor/policies/operation_logs.py
+++ b/karbor/policies/operation_logs.py
@ -0,0 +1,49 @@
+# Copyright (c) 2017 Huawei Technologies Co., Ltd.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from karbor.policies import base
+
+
+GET_POLICY = 'operation_log:get'
+GET_ALL_POLICY = 'operation_log:list'
+
+operation_logs_policies = [
+    policy.DocumentedRuleDefault(
+        name=GET_POLICY,
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Get an operation_log.',
+        operations=[
+            {
+                'method': 'GET',
+                'path': '/operation_logs/{operation_log_id}'
+            }
+        ]),
+    policy.DocumentedRuleDefault(
+        name=GET_ALL_POLICY,
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Get operation_logs.',
+        operations=[
+            {
+                'method': 'GET',
+                'path': '/operation_logs'
+            }
+        ]),
+]
+
+
+def list_rules():
+    return operation_logs_policies
--- a/karbor/tests/unit/api/v1/test_operation_logs.py
+++ b/karbor/tests/unit/api/v1/test_operation_logs.py
@ -28,6 +28,8 @@ class OperationLogTest(base.TestCase):
        super(OperationLogTest, self).setUp()
        self.controller = operation_logs.OperationLogsController()
        self.ctxt = context.RequestContext('demo', 'fakeproject', True)
+        self.mock_policy_check = self.mock_object(
+            context.RequestContext, 'can')

    @mock.patch(
        'karbor.api.v1.operation_logs.'