Merge "Register default certificate policies in code"

5 years ago · 5e45e0f716
4 changed files with 62 additions and 7 deletions
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@ -1,8 +1,4 @@
 {
-    "certificate:rotate_ca": "rule:admin_or_owner",
-    "certificate:create": "rule:admin_or_user or rule:cluster_user",
-    "certificate:get": "rule:admin_or_user or rule:cluster_user",
-
    "magnum-service:get_all": "rule:admin_api",
    "stats:get_all": "rule:admin_or_owner"
 }
--- a/magnum/common/policies/init.py
+++ b/magnum/common/policies/init.py
@ -17,6 +17,7 @@ import itertools
 from magnum.common.policies import base
 from magnum.common.policies import bay
 from magnum.common.policies import baymodel
+from magnum.common.policies import certificate
 from magnum.common.policies import cluster
 from magnum.common.policies import cluster_template
 from magnum.common.policies import quota
@ -27,6 +28,7 @@ def list_rules():
        base.list_rules(),
        bay.list_rules(),
        baymodel.list_rules(),
+        certificate.list_rules(),
        cluster.list_rules(),
        cluster_template.list_rules(),
        quota.list_rules()
--- a/magnum/common/policies/certificate.py
+++ b/magnum/common/policies/certificate.py
@ -0,0 +1,60 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_policy import policy
+
+from magnum.common.policies import base
+
+CERTIFICATE = 'certificate:%s'
+RULE_ADMIN_OR_USER_OR_CLUSTER_USER = base.RULE_ADMIN_OR_USER + " or " + \
+    base.RULE_CLUSTER_USER
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name=CERTIFICATE % 'create',
+        check_str=RULE_ADMIN_OR_USER_OR_CLUSTER_USER,
+        description='Sign a new certificate by the CA.',
+        operations=[
+            {
+                'path': '/v1/certificates',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CERTIFICATE % 'get',
+        check_str=RULE_ADMIN_OR_USER_OR_CLUSTER_USER,
+        description='Retrieve CA information about the given bay/cluster.',
+        operations=[
+            {
+                'path': '/v1/certificates/{bay_uuid/cluster_uuid}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CERTIFICATE % 'rotate_ca',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Rotate the CA certificate on the given bay/cluster.',
+        operations=[
+            {
+                'path': '/v1/certificates/{bay_uuid/cluster_uuid}',
+                'method': 'PATCH'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules
--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@ -15,9 +15,6 @@

 policy_data = """
 {
-    "certificate:create": "",
-    "certificate:get": "",
-
    "magnum-service:get_all": "",
    "stats:get_all": ""
 }