diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json
index d2cd61f3ee..58f633f5ff 100644
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@@ -1,14 +1,6 @@
 {
 "default": "rule:admin_or_owner",
- "clustertemplate:create": "rule:deny_cluster_user",
- "clustertemplate:delete": "rule:deny_cluster_user",
- "clustertemplate:detail": "rule:deny_cluster_user",
- "clustertemplate:get": "rule:deny_cluster_user",
- "clustertemplate:get_all": "rule:deny_cluster_user",
- "clustertemplate:update": "rule:deny_cluster_user",
- "clustertemplate:publish": "rule:admin_api",
-
 "quotas:get": "rule:default",
 "quotas:get_all": "rule:admin_api",
 "quotas:create": "rule:admin_api",
diff --git a/magnum/common/policies/__init__.py b/magnum/common/policies/__init__.py
index 7d25513e9f..e5f115bb5f 100644
--- a/magnum/common/policies/__init__.py
+++ b/magnum/common/policies/__init__.py
@@ -18,6 +18,7 @@ from magnum.common.policies import base
 from magnum.common.policies import bay
 from magnum.common.policies import baymodel
 from magnum.common.policies import cluster
+from magnum.common.policies import cluster_template
 def list_rules():
@@ -25,5 +26,6 @@ def list_rules():
 base.list_rules(),
 bay.list_rules(),
 baymodel.list_rules(),
- cluster.list_rules()
+ cluster.list_rules(),
+ cluster_template.list_rules()
 )
diff --git a/magnum/common/policies/cluster_template.py b/magnum/common/policies/cluster_template.py
new file mode 100644
index 0000000000..027063796d
--- /dev/null
+++ b/magnum/common/policies/cluster_template.py
@@ -0,0 +1,106 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+
+from magnum.common.policies import base
+
+CLUSTER_TEMPLATE = 'clustertemplate:%s'
+
+rules = [
+ policy.DocumentedRuleDefault(
+ name=CLUSTER_TEMPLATE % 'create',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Create a new cluster template.',
+ operations=[
+ {
+ 'path': '/v1/clustertemplates',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CLUSTER_TEMPLATE % 'delete',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Delete a cluster template.',
+ operations=[
+ {
+ 'path': '/v1/clustertemplate/{clustertemplate_ident}',
+ 'method': 'DELETE'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CLUSTER_TEMPLATE % 'detail',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Retrieve a list of cluster templates with detail.',
+ operations=[
+ {
+ 'path': '/v1/clustertemplates',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CLUSTER_TEMPLATE % 'get',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Retrieve information about the given cluster template.',
+ operations=[
+ {
+ 'path': '/v1/clustertemplate/{clustertemplate_ident}',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CLUSTER_TEMPLATE % 'get_all',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Retrieve a list of cluster templates.',
+ operations=[
+ {
+ 'path': '/v1/clustertemplates',
'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CLUSTER_TEMPLATE % 'update',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Update an existing cluster template.',
+ operations=[
+ {
+ 'path': '/v1/clustertemplate/{clustertemplate_ident}',
+ 'method': 'PATCH'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CLUSTER_TEMPLATE % 'publish',
+ check_str=base.RULE_ADMIN_API,
+ description='Publish an existing cluster template.',
+ operations=[
+ {
+ 'path': '/v1/clustertemplates',
+ 'method': 'POST'
+ },
+ {
+ 'path': '/v1/clustertemplates',
+ 'method': 'PATCH'
+ }
+ ]
+ )
+]
+
+
+def list_rules():
+ return rules
diff --git a/magnum/tests/fake_policy.py b/magnum/tests/fake_policy.py
index 8b51c7bc9f..3fb36bc501 100644
--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@@ -17,14 +17,6 @@ policy_data = """
 {
 "default": "rule:admin_or_owner",
- "clustertemplate:create": "",
- "clustertemplate:delete": "",
- "clustertemplate:detail": "",
- "clustertemplate:get": "",
- "clustertemplate:get_all": "",
- "clustertemplate:update": "",
- "clustertemplate:publish": "",
-
 "certificate:create": "",
 "certificate:get": "",
diff --git a/magnum/tests/unit/api/controllers/v1/test_cluster_template.py b/magnum/tests/unit/api/controllers/v1/test_cluster_template.py
index 1a3c6e9961..fdc0af6fdb 100644
--- a/magnum/tests/unit/api/controllers/v1/test_cluster_template.py
+++ b/magnum/tests/unit/api/controllers/v1/test_cluster_template.py
@@ -293,7 +293,10 @@ class TestPatch(api_base.FunctionalTest):
 [{'path': '/public', 'value': True,
 'op': 'replace'}])
- def test_update_cluster_template_with_cluster_allow_update(self):
+ @mock.patch.object(magnum_policy, 'enforce')
+ def test_update_cluster_template_with_cluster_allow_update(self,
+ mock_policy):
+ mock_policy.return_value = True
 cluster_template = obj_utils.create_test_cluster_template(self.context)
 obj_utils.create_test_cluster(
 self.context, cluster_template_id=cluster_template.uuid)
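Review bot: The per-template operation paths in the `delete`, `get` and `update` rules use a singular collection segment, `'/v1/clustertemplate/{clustertemplate_ident}'`, while every other path in the same file uses the plural `/v1/clustertemplates`; since these `operations` entries are what oslo.policy renders into the generated policy documentation, the three paths should read `'/v1/clustertemplates/{clustertemplate_ident}'` so operators are not pointed at a route that differs from the collection route beside it. The `publish` rule lists POST and PATCH on `/v1/clustertemplates`, the same operations as `create` and `update`, without saying why an admin-only rule sits on endpoints that cluster users may otherwise reach; a description such as `'Publish an existing cluster template (checked in addition to create/update when the template is made public).'` would make the relationship explicit. That enforcement point is inferred from the test in this commit that patches `/public` and now needs the policy mocked, so confirm it against the controller before wording the description that way.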
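Review bot: Patching `magnum_policy.enforce` to return True for the whole request, as the new decorator and `mock_policy.return_value = True` do, disables every policy check on the update path rather than only `clustertemplate:publish`, so the test no longer shows that the in-code defaults admit this update; it shows only that the controller works with policy switched off. If the base test class exposes a policy fixture with a rule-override helper, overriding just `clustertemplate:publish` (the rule the `/public` patch on the preceding lines appears to trigger) would keep the rest of the defaults introduced in `cluster_template.py` under test. A companion test asserting that the same PATCH is refused for a non-admin context would cover the deny side that binding `publish` to `RULE_ADMIN_API` introduces, which the removed `fake_policy.py` entries used to leave wide open. The body of `test_update_cluster_template_with_cluster_allow_update` continues past the end of the hunk.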