Merge "Register default certificate policies in code"

etc/magnum/policy.json

@@ -1,8 +1,4 @@
 {
-    "certificate:rotate_ca": "rule:admin_or_owner",
-    "certificate:create": "rule:admin_or_user or rule:cluster_user",
-    "certificate:get": "rule:admin_or_user or rule:cluster_user",
-
     "magnum-service:get_all": "rule:admin_api",
     "stats:get_all": "rule:admin_or_owner"
 }

magnum/common/policies/__init__.py

@@ -17,6 +17,7 @@ import itertools
 from magnum.common.policies import base
 from magnum.common.policies import bay
 from magnum.common.policies import baymodel
+from magnum.common.policies import certificate
 from magnum.common.policies import cluster
 from magnum.common.policies import cluster_template
 from magnum.common.policies import quota
@@ -27,6 +28,7 @@ def list_rules():
         base.list_rules(),
         bay.list_rules(),
         baymodel.list_rules(),
+        certificate.list_rules(),
         cluster.list_rules(),
         cluster_template.list_rules(),
         quota.list_rules()

magnum/common/policies/certificate.py

@@ -0,0 +1,60 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_policy import policy
+
+from magnum.common.policies import base
+
+CERTIFICATE = 'certificate:%s'
+RULE_ADMIN_OR_USER_OR_CLUSTER_USER = base.RULE_ADMIN_OR_USER + " or " + \
+    base.RULE_CLUSTER_USER
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name=CERTIFICATE % 'create',
+        check_str=RULE_ADMIN_OR_USER_OR_CLUSTER_USER,
+        description='Sign a new certificate by the CA.',
+        operations=[
+            {
+                'path': '/v1/certificates',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CERTIFICATE % 'get',
+        check_str=RULE_ADMIN_OR_USER_OR_CLUSTER_USER,
+        description='Retrieve CA information about the given bay/cluster.',
+        operations=[
+            {
+                'path': '/v1/certificates/{bay_uuid/cluster_uuid}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CERTIFICATE % 'rotate_ca',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Rotate the CA certificate on the given bay/cluster.',
+        operations=[
+            {
+                'path': '/v1/certificates/{bay_uuid/cluster_uuid}',
+                'method': 'PATCH'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules

magnum/tests/fake_policy.py

@@ -15,9 +15,6 @@
 
 policy_data = """
 {
-    "certificate:create": "",
-    "certificate:get": "",
-
     "magnum-service:get_all": "",
     "stats:get_all": ""
 }