Merge "Register default certificate policies in code"
commit
5e45e0f716
|
@ -1,8 +1,4 @@
|
|||
{
|
||||
"certificate:rotate_ca": "rule:admin_or_owner",
|
||||
"certificate:create": "rule:admin_or_user or rule:cluster_user",
|
||||
"certificate:get": "rule:admin_or_user or rule:cluster_user",
|
||||
|
||||
"magnum-service:get_all": "rule:admin_api",
|
||||
"stats:get_all": "rule:admin_or_owner"
|
||||
}
|
||||
|
|
|
@ -17,6 +17,7 @@ import itertools
|
|||
from magnum.common.policies import base
|
||||
from magnum.common.policies import bay
|
||||
from magnum.common.policies import baymodel
|
||||
from magnum.common.policies import certificate
|
||||
from magnum.common.policies import cluster
|
||||
from magnum.common.policies import cluster_template
|
||||
from magnum.common.policies import quota
|
||||
|
@ -27,6 +28,7 @@ def list_rules():
|
|||
base.list_rules(),
|
||||
bay.list_rules(),
|
||||
baymodel.list_rules(),
|
||||
certificate.list_rules(),
|
||||
cluster.list_rules(),
|
||||
cluster_template.list_rules(),
|
||||
quota.list_rules()
|
||||
|
|
|
@ -0,0 +1,60 @@
|
|||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
from oslo_policy import policy
|
||||
|
||||
from magnum.common.policies import base
|
||||
|
||||
CERTIFICATE = 'certificate:%s'
|
||||
RULE_ADMIN_OR_USER_OR_CLUSTER_USER = base.RULE_ADMIN_OR_USER + " or " + \
|
||||
base.RULE_CLUSTER_USER
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CERTIFICATE % 'create',
|
||||
check_str=RULE_ADMIN_OR_USER_OR_CLUSTER_USER,
|
||||
description='Sign a new certificate by the CA.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/certificates',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CERTIFICATE % 'get',
|
||||
check_str=RULE_ADMIN_OR_USER_OR_CLUSTER_USER,
|
||||
description='Retrieve CA information about the given bay/cluster.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/certificates/{bay_uuid/cluster_uuid}',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CERTIFICATE % 'rotate_ca',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description='Rotate the CA certificate on the given bay/cluster.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/certificates/{bay_uuid/cluster_uuid}',
|
||||
'method': 'PATCH'
|
||||
}
|
||||
]
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -15,9 +15,6 @@
|
|||
|
||||
policy_data = """
|
||||
{
|
||||
"certificate:create": "",
|
||||
"certificate:get": "",
|
||||
|
||||
"magnum-service:get_all": "",
|
||||
"stats:get_all": ""
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue