openstack
/
magnum
Code Issues Proposed changes

Register default magnum service and stat policies in code 

This commit uses the existing policy-in-code module to move all
default policies for magnum service and stat into code. This commit
also adds helpful documentation about each API those policies protect,
which will be generated in sample policy files and completely remove
usage of policy.json file.

Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code

Change-Id: I01a8ce964bf8bd569d4aa4e899cbcd9855281835
This commit is contained in:
Hieu LE 2017-10-04 15:18:15 +07:00
parent 5e45e0f716
commit c77e0c709a
9 changed files with 90 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
devstack/lib/magnum
View File

@ -43,8 +43,8 @@ MAGNUM_AUTH_CACHE_DIR=${MAGNUM_AUTH_CACHE_DIR:-/var/cache/magnum}
MAGNUM_CONF_DIR=/etc/magnum
MAGNUM_CONF=$MAGNUM_CONF_DIR/magnum.conf
MAGNUM_POLICY_JSON=$MAGNUM_CONF_DIR/policy.json
MAGNUM_API_PASTE=$MAGNUM_CONF_DIR/api-paste.ini
MAGNUM_POLICY=$MAGNUM_CONF_DIR/policy.yaml
if is_ssl_enabled_service "magnum" || is_service_enabled tls-proxy; then
MAGNUM_SERVICE_PROTOCOL="https"
@ -92,7 +92,6 @@ function configure_magnum {
sudo chown $STACK_USER $MAGNUM_CONF_DIR
fi
install_default_policy magnum
# Rebuild the config file from scratch
create_magnum_conf
@ -132,8 +131,7 @@ function create_magnum_conf {
iniset $MAGNUM_CONF database connection `database_connection_url magnum`
iniset $MAGNUM_CONF api host "$MAGNUM_SERVICE_HOST"
iniset $MAGNUM_CONF api port "$MAGNUM_SERVICE_PORT"
iniset $MAGNUM_CONF oslo_policy policy_file $MAGNUM_POLICY_JSON
iniset $MAGNUM_CONF oslo_policy policy_file $MAGNUM_POLICY
iniset $MAGNUM_CONF keystone_auth auth_type password
iniset $MAGNUM_CONF keystone_auth username magnum

4
etc/magnum/policy.json
View File

@ -1,4 +0,0 @@
{
"magnum-service:get_all": "rule:admin_api",
"stats:get_all": "rule:admin_or_owner"
}

6
magnum/common/policies/__init__.py
View File

@ -20,7 +20,9 @@ from magnum.common.policies import baymodel
from magnum.common.policies import certificate
from magnum.common.policies import cluster
from magnum.common.policies import cluster_template
from magnum.common.policies import magnum_service
from magnum.common.policies import quota
from magnum.common.policies import stats
def list_rules():
@ -31,5 +33,7 @@ def list_rules():
certificate.list_rules(),
cluster.list_rules(),
cluster_template.list_rules(),
quota.list_rules()
magnum_service.list_rules(),
quota.list_rules(),
stats.list_rules()
)

36
magnum/common/policies/magnum_service.py Normal file
View File

@ -0,0 +1,36 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from magnum.common.policies import base
SERVICE = 'magnum-service:%s'
rules = [
policy.DocumentedRuleDefault(
name=SERVICE % 'get_all',
check_str=base.RULE_ADMIN_API,
description='Retrieve a list of magnum-services.',
operations=[
{
'path': '/v1/mservices',
'method': 'GET'
}
]
)
]
def list_rules():
return rules

36
magnum/common/policies/stats.py Normal file
View File

@ -0,0 +1,36 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from magnum.common.policies import base
STATS = 'stats:%s'
rules = [
policy.DocumentedRuleDefault(
name=STATS % 'get_all',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Retrieve magnum stats.',
operations=[
{
'path': '/v1/stats',
'method': 'GET'
}
]
)
]
def list_rules():
return rules

21
magnum/tests/fake_policy.py
View File

@ -1,21 +0,0 @@
# Copyright (c) 2012 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
policy_data = """
{
"magnum-service:get_all": "",
"stats:get_all": ""
}
"""

13
magnum/tests/policy_fixture.py
View File

@ -12,29 +12,20 @@
# License for the specific language governing permissions and limitations
# under the License.
import os
import fixtures
from oslo_config import cfg
from oslo_policy import _parser
from oslo_policy import opts as policy_opts
from magnum.common import policy as magnum_policy
from magnum.tests import fake_policy
import magnum.conf
CONF = cfg.CONF
CONF = magnum.conf.CONF
class PolicyFixture(fixtures.Fixture):
def _setUp(self):
self.policy_dir = self.useFixture(fixtures.TempDir())
self.policy_file_name = os.path.join(self.policy_dir.path,
'policy.json')
with open(self.policy_file_name, 'w') as policy_file:
policy_file.write(fake_policy.policy_data)
policy_opts.set_defaults(CONF)
CONF.set_override('policy_file', self.policy_file_name, 'oslo_policy')
magnum_policy._ENFORCER = None
self.addCleanup(magnum_policy.init().clear)

12
magnum/tests/unit/api/controllers/v1/test_magnum_service.py
View File

@ -44,7 +44,9 @@ class db_rec(object):
class TestMagnumServiceController(api_base.FunctionalTest):
def test_empty(self):
@mock.patch("magnum.common.policy.enforce")
def test_empty(self, mock_policy):
mock_policy.return_value = True
response = self.get_json('/mservices')
self.assertEqual([], response['mservices'])
@ -57,9 +59,11 @@ class TestMagnumServiceController(api_base.FunctionalTest):
reclist.append(rec)
return reclist
@mock.patch("magnum.common.policy.enforce")
@mock.patch.object(objects.MagnumService, 'list')
@mock.patch.object(servicegroup.ServiceGroup, 'service_is_up')
def test_get_one(self, svc_up, rpc_patcher):
def test_get_one(self, svc_up, rpc_patcher, mock_policy):
mock_policy.return_value = True
rpc_patcher.return_value = self._rpc_api_reply()
svc_up.return_value = "up"
@ -67,9 +71,11 @@ class TestMagnumServiceController(api_base.FunctionalTest):
self.assertEqual(1, len(response['mservices']))
self.assertEqual(1, response['mservices'][0]['id'])
@mock.patch("magnum.common.policy.enforce")
@mock.patch.object(objects.MagnumService, 'list')
@mock.patch.object(servicegroup.ServiceGroup, 'service_is_up')
def test_get_many(self, svc_up, rpc_patcher):
def test_get_many(self, svc_up, rpc_patcher, mock_policy):
mock_policy.return_value = True
svc_num = 5
rpc_patcher.return_value = self._rpc_api_reply(svc_num)
svc_up.return_value = "up"

1
setup.cfg
View File

@ -22,7 +22,6 @@ classifier =
data_files =
etc/magnum =
etc/magnum/api-paste.ini
etc/magnum/policy.json
packages =
magnum