Browse Source

Merge "Register default certificate policies in code"

changes/74/509374/9
Zuul 4 years ago
committed by Gerrit Code Review
parent
commit
5e45e0f716
4 changed files with 62 additions and 7 deletions
  1. +0
    -4
      etc/magnum/policy.json
  2. +2
    -0
      magnum/common/policies/__init__.py
  3. +60
    -0
      magnum/common/policies/certificate.py
  4. +0
    -3
      magnum/tests/fake_policy.py

+ 0
- 4
etc/magnum/policy.json View File

@ -1,8 +1,4 @@
{
"certificate:rotate_ca": "rule:admin_or_owner",
"certificate:create": "rule:admin_or_user or rule:cluster_user",
"certificate:get": "rule:admin_or_user or rule:cluster_user",
"magnum-service:get_all": "rule:admin_api",
"stats:get_all": "rule:admin_or_owner"
}

+ 2
- 0
magnum/common/policies/__init__.py View File

@ -17,6 +17,7 @@ import itertools
from magnum.common.policies import base
from magnum.common.policies import bay
from magnum.common.policies import baymodel
from magnum.common.policies import certificate
from magnum.common.policies import cluster
from magnum.common.policies import cluster_template
from magnum.common.policies import quota
@ -27,6 +28,7 @@ def list_rules():
base.list_rules(),
bay.list_rules(),
baymodel.list_rules(),
certificate.list_rules(),
cluster.list_rules(),
cluster_template.list_rules(),
quota.list_rules()


+ 60
- 0
magnum/common/policies/certificate.py View File

@ -0,0 +1,60 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from magnum.common.policies import base
CERTIFICATE = 'certificate:%s'
RULE_ADMIN_OR_USER_OR_CLUSTER_USER = base.RULE_ADMIN_OR_USER + " or " + \
base.RULE_CLUSTER_USER
rules = [
policy.DocumentedRuleDefault(
name=CERTIFICATE % 'create',
check_str=RULE_ADMIN_OR_USER_OR_CLUSTER_USER,
description='Sign a new certificate by the CA.',
operations=[
{
'path': '/v1/certificates',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=CERTIFICATE % 'get',
check_str=RULE_ADMIN_OR_USER_OR_CLUSTER_USER,
description='Retrieve CA information about the given bay/cluster.',
operations=[
{
'path': '/v1/certificates/{bay_uuid/cluster_uuid}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=CERTIFICATE % 'rotate_ca',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Rotate the CA certificate on the given bay/cluster.',
operations=[
{
'path': '/v1/certificates/{bay_uuid/cluster_uuid}',
'method': 'PATCH'
}
]
)
]
def list_rules():
return rules

+ 0
- 3
magnum/tests/fake_policy.py View File

@ -15,9 +15,6 @@
policy_data = """
{
"certificate:create": "",
"certificate:get": "",
"magnum-service:get_all": "",
"stats:get_all": ""
}


Loading…
Cancel
Save