diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json
index 5d5c1cc4c4..e0c768d736 100644
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@@ -1,13 +1,6 @@ { "default": "rule:admin_or_owner", - "bay:create": "rule:deny_cluster_user", - "bay:delete": "rule:deny_cluster_user", - "bay:detail": "rule:deny_cluster_user", - "bay:get": "rule:deny_cluster_user", - "bay:get_all": "rule:deny_cluster_user", - "bay:update": "rule:deny_cluster_user", - "baymodel:create": "rule:deny_cluster_user", "baymodel:delete": "rule:deny_cluster_user", "baymodel:detail": "rule:deny_cluster_user",
diff --git a/magnum/common/policies/__init__.py b/magnum/common/policies/__init__.py
index 8ad662efa4..81d0fe3d4a 100644
--- a/magnum/common/policies/__init__.py
+++ b/magnum/common/policies/__init__.py
@@ -15,9 +15,11 @@ import itertools from magnum.common.policies import base +from magnum.common.policies import bay def list_rules(): return itertools.chain( - base.list_rules() + base.list_rules(), + bay.list_rules() )
diff --git a/magnum/common/policies/bay.py b/magnum/common/policies/bay.py
new file mode 100644
index 0000000000..4cba970a53
--- /dev/null
+++ b/magnum/common/policies/bay.py
@@ -0,0 +1,91 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+
+from magnum.common.policies import base
+
+BAY = 'bay:%s'
+
+rules = [
+ policy.DocumentedRuleDefault(
+ name=BAY % 'create',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Create a new bay.',
+ operations=[
+ {
+ 'path': '/v1/bays',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=BAY % 'delete',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Delete a bay.',
+ operations=[
+ {
+ 'path': '/v1/bays/{bay_ident}',
+ 'method': 'DELETE'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=BAY % 'detail',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Retrieve a list of bays with detail.',
+ operations=[
+ {
+ 'path': '/v1/bays',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=BAY % 'get',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Retrieve information about the given bay.',
+ operations=[
+ {
+ 'path': '/v1/bays/{bay_ident}',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=BAY % 'get_all',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Retrieve a list of bays.',
+ operations=[
+ {
+ 'path': '/v1/bays/',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=BAY % 'update',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Update an existing bay.',
+ operations=[
+ {
+ 'path': '/v1/bays/{bay_ident}',
+ 'method': 'PATCH'
+ }
+ ]
+ )
+]
+
+
+def list_rules():
+ return rules
diff --git a/magnum/tests/fake_policy.py b/magnum/tests/fake_policy.py
index b2d7987a0e..872923d48a 100644
--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@@ -17,13 +17,6 @@ policy_data = """ { "default": "rule:admin_or_owner", - "bay:create": "", - "bay:delete": "", - "bay:detail": "", - "bay:get": "", - "bay:get_all": "", - "bay:update": "", - "baymodel:create": "", "baymodel:delete": "", "baymodel:detail": "",
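Review bot: In magnum/common/policies/bay.py the documented operations for `bay:detail` and `bay:get_all` are both `GET` on the collection (`/v1/bays` and `/v1/bays/`), so the generated policy reference cannot tell an operator which rule guards which endpoint. If the detail listing is served from its own URL (presumably `/v1/bays/detail`, to be confirmed against the bays controller, which is not part of this diff), the `bay:detail` entry should carry that path. `bay:get_all` should also drop the trailing slash to match the other entries: `'path': '/v1/bays'`. The `operations` list is documentation only and does not change enforcement, but it is what people read when auditing or overriding these rules, so it should be exact. A docstring on `list_rules()` such as `"""Return the default policy rules for the bay API."""` would also help.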