diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json
index eac6513833..d2cd61f3ee 100644
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@@ -1,13 +1,6 @@
 {
     "default": "rule:admin_or_owner",
-    "cluster:create": "rule:deny_cluster_user",
-    "cluster:delete": "rule:deny_cluster_user",
-    "cluster:detail": "rule:deny_cluster_user",
-    "cluster:get": "rule:deny_cluster_user",
-    "cluster:get_all": "rule:deny_cluster_user",
-    "cluster:update": "rule:deny_cluster_user",
-    "clustertemplate:create": "rule:deny_cluster_user",
     "clustertemplate:delete": "rule:deny_cluster_user",
     "clustertemplate:detail": "rule:deny_cluster_user",
diff --git a/magnum/common/policies/__init__.py b/magnum/common/policies/__init__.py
index 5ec120d9a7..7d25513e9f 100644
--- a/magnum/common/policies/__init__.py
+++ b/magnum/common/policies/__init__.py
@@ -17,11 +17,13 @@ import itertools
 from magnum.common.policies import base
 from magnum.common.policies import bay
 from magnum.common.policies import baymodel
+from magnum.common.policies import cluster
 
 
 def list_rules():
     return itertools.chain(
         base.list_rules(),
         bay.list_rules(),
-        baymodel.list_rules()
+        baymodel.list_rules(),
+        cluster.list_rules()
     )
diff --git a/magnum/common/policies/cluster.py b/magnum/common/policies/cluster.py
new file mode 100644
index 0000000000..84eff7db0a
--- /dev/null
+++ b/magnum/common/policies/cluster.py
@@ -0,0 +1,91 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+
+from magnum.common.policies import base
+
+CLUSTER = 'cluster:%s'
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name=CLUSTER % 'create',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Create a new cluster.',
+        operations=[
+            {
+                'path': '/v1/clusters',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CLUSTER % 'delete',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Delete a cluster.',
+        operations=[
+            {
+                'path': '/v1/clusters/{cluster_ident}',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CLUSTER % 'detail',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Retrieve a list of clusters with detail.',
+        operations=[
+            {
+                'path': '/v1/clusters',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CLUSTER % 'get',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Retrieve information about the given cluster.',
+        operations=[
+            {
+                'path': '/v1/clusters/{cluster_ident}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CLUSTER % 'get_all',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Retrieve a list of clusters.',
+        operations=[
+            {
+                'path': '/v1/clusters/',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CLUSTER % 'update',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Update an existing cluster.',
+        operations=[
+            {
+                'path': '/v1/clusters/{cluster_ident}',
+                'method': 'PATCH'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules
diff --git a/magnum/tests/fake_policy.py b/magnum/tests/fake_policy.py
index fc8aba3585..8b51c7bc9f 100644
--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@@ -17,13 +17,6 @@ policy_data = """
 {
     "default": "rule:admin_or_owner",
-    "cluster:create": "",
-    "cluster:delete": "",
-    "cluster:detail": "",
-    "cluster:get": "",
-    "cluster:get_all": "",
-    "cluster:update": "",
-    "clustertemplate:create": "",
     "clustertemplate:delete": "",
     "clustertemplate:detail": "",
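Review bot: The new cluster.py registers only the six `cluster:*` rules, yet the policy.json and fake_policy.py hunks in this same diff also drop `clustertemplate:create`, and the updated `__init__.py` chains no clustertemplate module; unless that rule is registered somewhere outside this diff, `clustertemplate:create` now falls through to the file's `"default": "rule:admin_or_owner"`, which is more permissive than the `rule:deny_cluster_user` it had before. Either keep `"clustertemplate:create": "rule:deny_cluster_user",` in policy.json (and the matching `"clustertemplate:create": "",` entry in fake_policy.py) until the clustertemplate rules are moved into code, or add the in-code rule in the same change so the effective default never loosens. Separately, the `detail` and `get_all` entries document the same `GET /v1/clusters` operation (one with a trailing slash); if the detail endpoint is `/v1/clusters/detail`, the `detail` operations entry should say so — worth confirming against the API controller. A short module docstring such as `"""Policy rules for the cluster API, replacing the cluster:* entries of etc/magnum/policy.json."""` would help readers understand why the JSON entries were removed.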