Merge "Register default baymodel policies in code"

2017-10-22 17:27:51 +00:00 · 2017-10-22 17:27:51 +00:00 · 215ab3d3a0
parent e67a20594b 1cbb1d451c
commit 215ab3d3a0
5 changed files with 112 additions and 17 deletions
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@ -1,14 +1,6 @@
 {
    "default": "rule:admin_or_owner",

-    "baymodel:create": "rule:deny_cluster_user",
-    "baymodel:delete": "rule:deny_cluster_user",
-    "baymodel:detail": "rule:deny_cluster_user",
-    "baymodel:get": "rule:deny_cluster_user",
-    "baymodel:get_all": "rule:deny_cluster_user",
-    "baymodel:update": "rule:deny_cluster_user",
-    "baymodel:publish": "rule:admin_api",
-
    "cluster:create": "rule:deny_cluster_user",
    "cluster:delete": "rule:deny_cluster_user",
    "cluster:detail": "rule:deny_cluster_user",
--- a/magnum/common/policies/init.py
+++ b/magnum/common/policies/init.py
@ -16,10 +16,12 @@ import itertools

 from magnum.common.policies import base
 from magnum.common.policies import bay
+from magnum.common.policies import baymodel


 def list_rules():
    return itertools.chain(
        base.list_rules(),
-        bay.list_rules()
+        bay.list_rules(),
+        baymodel.list_rules()
    )
--- a/magnum/common/policies/baymodel.py
+++ b/magnum/common/policies/baymodel.py
@ -0,0 +1,106 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_policy import policy
+
+from magnum.common.policies import base
+
+BAYMODEL = 'baymodel:%s'
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name=BAYMODEL % 'create',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Create a new baymodel.',
+        operations=[
+            {
+                'path': '/v1/baymodels',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BAYMODEL % 'delete',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Delete a baymodel.',
+        operations=[
+            {
+                'path': '/v1/baymodels/{baymodel_ident}',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BAYMODEL % 'detail',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Retrieve a list of baymodel with detail.',
+        operations=[
+            {
+                'path': '/v1/baymodels',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BAYMODEL % 'get',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Retrieve information about the given baymodel.',
+        operations=[
+            {
+                'path': '/v1/baymodels/{baymodel_ident}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BAYMODEL % 'get_all',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Retrieve a list of baymodel.',
+        operations=[
+            {
+                'path': '/v1/baymodels',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BAYMODEL % 'update',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Update an existing baymodel.',
+        operations=[
+            {
+                'path': '/v1/baymodels/{baymodel_ident}',
+                'method': 'PATCH'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BAYMODEL % 'publish',
+        check_str=base.RULE_ADMIN_API,
+        description='Publish an existing baymodel.',
+        operations=[
+            {
+                'path': '/v1/baymodels',
+                'method': 'POST'
+            },
+            {
+                'path': '/v1/baymodels',
+                'method': 'PATCH'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules
--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@ -17,13 +17,6 @@ policy_data = """
 {
    "default": "rule:admin_or_owner",

-    "baymodel:create": "",
-    "baymodel:delete": "",
-    "baymodel:detail": "",
-    "baymodel:get": "",
-    "baymodel:get_all": "",
-    "baymodel:update": "",
-
    "cluster:create": "",
    "cluster:delete": "",
    "cluster:detail": "",
--- a/magnum/tests/unit/api/controllers/v1/test_baymodel.py
+++ b/magnum/tests/unit/api/controllers/v1/test_baymodel.py
@ -254,7 +254,9 @@ class TestPatch(api_base.FunctionalTest):
                          [{'path': '/public', 'value': True,
                            'op': 'replace'}])

-    def test_update_baymodel_with_bay_allow_update(self):
+    @mock.patch.object(magnum_policy, 'enforce')
+    def test_update_baymodel_with_bay_allow_update(self, mock_policy):
+        mock_policy.return_value = True
        baymodel = obj_utils.create_test_cluster_template(self.context)
        obj_utils.create_test_cluster(self.context,
                                      cluster_template_id=baymodel.uuid)