Merge "Add default policy in code for the operation log resource"
commit
e3a9dd30dc
|
@ -121,7 +121,11 @@ function configure_karbor {
|
|||
|
||||
cp $KARBOR_DIR/etc/karbor.conf $KARBOR_CONF
|
||||
cp $KARBOR_DIR/etc/api-paste.ini $KARBOR_CONF_DIR
|
||||
cp $KARBOR_DIR/etc/policy.json $KARBOR_CONF_DIR
|
||||
|
||||
if [[ -f $KARBOR_DIR/etc/policy.json ]]; then
|
||||
cp $KARBOR_DIR/etc/policy.json $KARBOR_CONF_DIR
|
||||
fi
|
||||
|
||||
cp -R $KARBOR_DIR/etc/providers.d $KARBOR_CONF_DIR
|
||||
cp $KARBOR_DIR/devstack/providers.d/* $KARBOR_CONF_DIR/providers.d
|
||||
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"operation_log:get": "rule:admin_or_owner",
|
||||
"operation_log:get_all": "rule:admin_or_owner"
|
||||
}
|
|
@ -18,15 +18,13 @@ from oslo_utils import uuidutils
|
|||
|
||||
from webob import exc
|
||||
|
||||
import karbor
|
||||
from karbor.api import common
|
||||
from karbor.api.openstack import wsgi
|
||||
from karbor import exception
|
||||
from karbor.i18n import _
|
||||
|
||||
from karbor import objects
|
||||
from karbor.objects import base as objects_base
|
||||
import karbor.policy
|
||||
from karbor.policies import operation_logs as operation_log_policy
|
||||
from karbor.services.operationengine import api as operationengine_api
|
||||
from karbor.services.protection import api as protection_api
|
||||
from karbor import utils
|
||||
|
@ -47,23 +45,6 @@ CONF.register_opt(query_operation_log_filters_opt)
|
|||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def check_policy(context, action, target_obj=None):
|
||||
target = {
|
||||
'project_id': context.project_id,
|
||||
'user_id': context.user_id,
|
||||
}
|
||||
|
||||
if isinstance(target_obj, objects_base.KarborObject):
|
||||
# Turn object into dict so target.update can work
|
||||
target.update(
|
||||
target_obj.obj_to_primitive() or {})
|
||||
else:
|
||||
target.update(target_obj or {})
|
||||
|
||||
_action = 'operation_log:%s' % action
|
||||
karbor.policy.enforce(context, _action, target)
|
||||
|
||||
|
||||
class OperationLogViewBuilder(common.ViewBuilder):
|
||||
"""Model a server API response as a python dictionary."""
|
||||
|
||||
|
@ -181,7 +162,7 @@ class OperationLogsController(wsgi.Controller):
|
|||
|
||||
def _get_all(self, context, marker=None, limit=None, sort_keys=None,
|
||||
sort_dirs=None, filters=None, offset=None):
|
||||
check_policy(context, 'get_all')
|
||||
context.can(operation_log_policy.GET_ALL_POLICY)
|
||||
|
||||
if filters is None:
|
||||
filters = {}
|
||||
|
@ -231,7 +212,7 @@ class OperationLogsController(wsgi.Controller):
|
|||
operation_log = objects.OperationLog.get_by_id(
|
||||
context, operation_log_id)
|
||||
try:
|
||||
check_policy(context, 'get', operation_log)
|
||||
context.can(operation_log_policy.GET_POLICY, operation_log)
|
||||
except exception.PolicyNotAuthorized:
|
||||
raise exception.OperationLogFound(
|
||||
operation_log_id=operation_log_id)
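Review bot: `context.can(operation_log_policy.GET_ALL_POLICY)` in `_get_all` passes no target, whereas the removed `check_policy` helper always seeded the target with the caller's `project_id` and `user_id` before enforcing. Whether `RequestContext.can` builds the same default target is not visible on this page; if it does not, an owner-based rule presumably has nothing to compare against. Worth confirming, and if needed passing the target explicitly: `context.can(operation_log_policy.GET_ALL_POLICY, {'project_id': context.project_id, 'user_id': context.user_id})`. The same question applies to the `GET_POLICY` call, which now hands the `operation_log` object straight to `can` instead of converting it first. Both enclosing methods extend beyond the hunks shown.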
|
||||
|
|
|
@ -15,6 +15,7 @@
|
|||
import itertools
|
||||
|
||||
from karbor.policies import base
|
||||
from karbor.policies import operation_logs
|
||||
from karbor.policies import plans
|
||||
from karbor.policies import protectables
|
||||
from karbor.policies import providers
|
||||
|
@ -32,4 +33,5 @@ def list_rules():
|
|||
providers.list_rules(),
|
||||
triggers.list_rules(),
|
||||
scheduled_operations.list_rules(),
|
||||
operation_logs.list_rules(),
|
||||
)
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
# Copyright (c) 2017 Huawei Technologies Co., Ltd.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from karbor.policies import base
|
||||
|
||||
|
||||
GET_POLICY = 'operation_log:get'
|
||||
GET_ALL_POLICY = 'operation_log:list'
|
||||
|
||||
operation_logs_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=GET_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description='Get an operation_log.',
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/operation_logs/{operation_log_id}'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=GET_ALL_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description='Get operation_logs.',
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/operation_logs'
|
||||
}
|
||||
]),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return operation_logs_policies
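Review bot: `GET_ALL_POLICY = 'operation_log:list'` renames the rule, since the removed helper enforced `'operation_log:%s' % action` with `'get_all'` and the deleted policy.json carried `operation_log:get_all`. A deployment that overrode `operation_log:get_all` in its own policy file would have that override silently ignored after this change and fall back to the `base.RULE_ADMIN_OR_OWNER` default. Either keep the old name, `GET_ALL_POLICY = 'operation_log:get_all'`, or call the rename out in a release note so operators can migrate their overrides.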
|
|
@ -28,6 +28,8 @@ class OperationLogTest(base.TestCase):
|
|||
super(OperationLogTest, self).setUp()
|
||||
self.controller = operation_logs.OperationLogsController()
|
||||
self.ctxt = context.RequestContext('demo', 'fakeproject', True)
|
||||
self.mock_policy_check = self.mock_object(
|
||||
context.RequestContext, 'can')
|
||||
|
||||
@mock.patch(
|
||||
'karbor.api.v1.operation_logs.'
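Review bot: Patching `context.RequestContext.can` in `setUp` makes policy enforcement a no-op for every test in this class, and the visible lines never assert on `self.mock_policy_check`. If the test bodies outside this hunk do not already do so, add a check such as `self.assertTrue(self.mock_policy_check.called)` to the list and show tests. A case where the mock raises `exception.PolicyNotAuthorized` would also cover the controller's denied path, which this setup otherwise never exercises. The hunk ends inside a `@mock.patch(` decorator, so the test methods themselves are not shown here.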
|
||||
|
|