diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json
index ad008eb2ee..7ec3c3729f 100644
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@@ -1,8 +1,4 @@
 {
- "certificate:rotate_ca": "rule:admin_or_owner",
- "certificate:create": "rule:admin_or_user or rule:cluster_user",
- "certificate:get": "rule:admin_or_user or rule:cluster_user",
- "magnum-service:get_all": "rule:admin_api",
 "stats:get_all": "rule:admin_or_owner"
 }
diff --git a/magnum/common/policies/__init__.py b/magnum/common/policies/__init__.py
index d191625c69..9727a75139 100644
--- a/magnum/common/policies/__init__.py
+++ b/magnum/common/policies/__init__.py
@@ -17,6 +17,7 @@ import itertools
 from magnum.common.policies import base
 from magnum.common.policies import bay
 from magnum.common.policies import baymodel
+from magnum.common.policies import certificate
 from magnum.common.policies import cluster
 from magnum.common.policies import cluster_template
 from magnum.common.policies import quota
@@ -27,6 +28,7 @@ def list_rules():
 base.list_rules(),
 bay.list_rules(),
 baymodel.list_rules(),
+ certificate.list_rules(),
 cluster.list_rules(),
 cluster_template.list_rules(),
 quota.list_rules()
diff --git a/magnum/common/policies/certificate.py b/magnum/common/policies/certificate.py
new file mode 100644
index 0000000000..5e96b64f5b
--- /dev/null
+++ b/magnum/common/policies/certificate.py
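Review bot: The import list now registers the certificate defaults, but `magnum-service:get_all` — removed from etc/magnum/policy.json and magnum/tests/fake_policy.py in this same commit, where it was `rule:admin_api` — has no policies module in the visible alphabetical import list (nothing sits between `cluster_template` and `quota`) and `list_rules()` chains none for it. Unless a sibling module registers that rule elsewhere, the enforcer is left without an explicit admin-only default for that API and the check falls through to whatever the enforcer's default rule is, which is presumably wider than admin. I would either keep the JSON entry until an in-code default exists, or add the corresponding policies module to this import block and a matching `<module>.list_rules(),` line next to `certificate.list_rules(),` in the same change. The body of `list_rules()` continues outside the second hunk, so I cannot confirm from here what else is chained.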
@@ -0,0 +1,60 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+
+from magnum.common.policies import base
+
+CERTIFICATE = 'certificate:%s'
+RULE_ADMIN_OR_USER_OR_CLUSTER_USER = base.RULE_ADMIN_OR_USER + " or " + \
+ base.RULE_CLUSTER_USER
+
+rules = [
+ policy.DocumentedRuleDefault(
+ name=CERTIFICATE % 'create',
+ check_str=RULE_ADMIN_OR_USER_OR_CLUSTER_USER,
+ description='Sign a new certificate by the CA.',
+ operations=[
+ {
+ 'path': '/v1/certificates',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CERTIFICATE % 'get',
+ check_str=RULE_ADMIN_OR_USER_OR_CLUSTER_USER,
+ description='Retrieve CA information about the given bay/cluster.',
+ operations=[
+ {
+ 'path': '/v1/certificates/{bay_uuid/cluster_uuid}',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CERTIFICATE % 'rotate_ca',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Rotate the CA certificate on the given bay/cluster.',
+ operations=[
+ {
+ 'path': '/v1/certificates/{bay_uuid/cluster_uuid}',
+ 'method': 'PATCH'
+ }
+ ]
+ )
+]
+
+
+def list_rules():
+ return rules
diff --git a/magnum/tests/fake_policy.py b/magnum/tests/fake_policy.py
index ed765c9f6a..61fe26ac4f 100644
--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@@ -15,9 +15,6 @@ policy_data = """
 {
- "certificate:create": "",
- "certificate:get": "",
- "magnum-service:get_all": "",
 "stats:get_all": ""
 }
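Review bot: The `operations` entries for `certificate:get` and `certificate:rotate_ca` use `'/v1/certificates/{bay_uuid/cluster_uuid}'`, and a slash inside the braces is not a single path parameter, so the generated policy documentation built from these entries will show a malformed template and readers cannot tell which identifier the check applies to. Either use one identifier, e.g. `'path': '/v1/certificates/{cluster_ident}'` (constructed placeholder name), or list two operation dicts, one per path variant. The module and `list_rules()` also carry no docstring; since these defaults now replace the entries that this commit deletes from etc/magnum/policy.json, I would add a module docstring such as `"""In-code defaults for the certificate API policies, replacing the entries formerly kept in etc/magnum/policy.json."""` and `"""Return the certificate policy defaults for the enforcer to register."""` on `list_rules()`.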