first policy check for bay
add first policy check for bay. Co-Authored-By: ShaoHe Feng <shaohe.feng@intel.com> Change-Id: Ieadc95d84f0e4ecc68c95673617d154f05a15a57 Partial-implements: blueprint policy-enforce
This commit is contained in:
parent
e8a77b6e1b
commit
d057f8c442
|
@ -3,4 +3,11 @@
|
||||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||||
"default": "rule:admin_or_owner",
|
"default": "rule:admin_or_owner",
|
||||||
"admin_api": "is_admin:True",
|
"admin_api": "is_admin:True",
|
||||||
|
|
||||||
|
"bay:create": "rule:default",
|
||||||
|
"bay:delete": "rule:default",
|
||||||
|
"bay:detail": "rule:default",
|
||||||
|
"bay:get": "rule:default",
|
||||||
|
"bay:get_all": "rule:default",
|
||||||
|
"bay:update": "rule:default"
|
||||||
}
|
}
|
||||||
|
|
|
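Review bot: All six `bay:*` rules resolve to `rule:default`, i.e. `admin_or_owner` (`is_admin:True or project_id:%(project_id)s`), but the `project_id` in that rule is matched against whatever target `policy.enforce_wsgi` supplies, and that decorator is not part of this diff. For `bay:get_all`, `bay:detail` and `bay:create` no bay exists at check time, so if the target is derived from the caller's own context the owner half is always satisfied and the rule reduces to "any authenticated user of a project"; the same holds for `bay:get`, `bay:update` and `bay:delete` unless the decorator loads the bay first. That may be acceptable for a first check, but it should be stated in the commit message so operators do not read these entries as per-bay ownership checks. A follow-up could split the list/create rules from the per-object ones once the decorator passes the bay's `project_id` as the target.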
@ -27,6 +27,7 @@ from magnum.api.controllers.v1 import collection
|
||||||
from magnum.api.controllers.v1 import types
|
from magnum.api.controllers.v1 import types
|
||||||
from magnum.api.controllers.v1 import utils as api_utils
|
from magnum.api.controllers.v1 import utils as api_utils
|
||||||
from magnum.common import exception
|
from magnum.common import exception
|
||||||
|
from magnum.common import policy
|
||||||
from magnum import objects
|
from magnum import objects
|
||||||
|
|
||||||
|
|
||||||
|
@ -207,6 +208,7 @@ class BaysController(rest.RestController):
|
||||||
sort_key=sort_key,
|
sort_key=sort_key,
|
||||||
sort_dir=sort_dir)
|
sort_dir=sort_dir)
|
||||||
|
|
||||||
|
@policy.enforce_wsgi("bay")
|
||||||
@wsme_pecan.wsexpose(BayCollection, types.uuid,
|
@wsme_pecan.wsexpose(BayCollection, types.uuid,
|
||||||
types.uuid, int, wtypes.text, wtypes.text)
|
types.uuid, int, wtypes.text, wtypes.text)
|
||||||
def get_all(self, bay_uuid=None, marker=None, limit=None,
|
def get_all(self, bay_uuid=None, marker=None, limit=None,
|
||||||
|
@ -221,6 +223,7 @@ class BaysController(rest.RestController):
|
||||||
return self._get_bays_collection(marker, limit, sort_key,
|
return self._get_bays_collection(marker, limit, sort_key,
|
||||||
sort_dir)
|
sort_dir)
|
||||||
|
|
||||||
|
@policy.enforce_wsgi("bay")
|
||||||
@wsme_pecan.wsexpose(BayCollection, types.uuid,
|
@wsme_pecan.wsexpose(BayCollection, types.uuid,
|
||||||
types.uuid, int, wtypes.text, wtypes.text)
|
types.uuid, int, wtypes.text, wtypes.text)
|
||||||
def detail(self, bay_uuid=None, marker=None, limit=None,
|
def detail(self, bay_uuid=None, marker=None, limit=None,
|
||||||
|
@ -244,6 +247,7 @@ class BaysController(rest.RestController):
|
||||||
sort_key, sort_dir, expand,
|
sort_key, sort_dir, expand,
|
||||||
resource_url)
|
resource_url)
|
||||||
|
|
||||||
|
@policy.enforce_wsgi("bay", "get")
|
||||||
@wsme_pecan.wsexpose(Bay, types.uuid_or_name)
|
@wsme_pecan.wsexpose(Bay, types.uuid_or_name)
|
||||||
def get_one(self, bay_ident):
|
def get_one(self, bay_ident):
|
||||||
"""Retrieve information about the given bay.
|
"""Retrieve information about the given bay.
|
||||||
|
@ -257,6 +261,7 @@ class BaysController(rest.RestController):
|
||||||
|
|
||||||
return Bay.convert_with_links(rpc_bay)
|
return Bay.convert_with_links(rpc_bay)
|
||||||
|
|
||||||
|
@policy.enforce_wsgi("bay", "create")
|
||||||
@wsme_pecan.wsexpose(Bay, body=Bay, status_code=201)
|
@wsme_pecan.wsexpose(Bay, body=Bay, status_code=201)
|
||||||
def post(self, bay):
|
def post(self, bay):
|
||||||
"""Create a new bay.
|
"""Create a new bay.
|
||||||
|
@ -281,6 +286,7 @@ class BaysController(rest.RestController):
|
||||||
pecan.response.location = link.build_url('bays', res_bay.uuid)
|
pecan.response.location = link.build_url('bays', res_bay.uuid)
|
||||||
return Bay.convert_with_links(res_bay)
|
return Bay.convert_with_links(res_bay)
|
||||||
|
|
||||||
|
@policy.enforce_wsgi("bay", "update")
|
||||||
@wsme.validate(types.uuid, [BayPatchType])
|
@wsme.validate(types.uuid, [BayPatchType])
|
||||||
@wsme_pecan.wsexpose(Bay, types.uuid_or_name, body=[BayPatchType])
|
@wsme_pecan.wsexpose(Bay, types.uuid_or_name, body=[BayPatchType])
|
||||||
def patch(self, bay_ident, patch):
|
def patch(self, bay_ident, patch):
|
||||||
|
@ -314,6 +320,7 @@ class BaysController(rest.RestController):
|
||||||
res_bay = pecan.request.rpcapi.bay_update(rpc_bay)
|
res_bay = pecan.request.rpcapi.bay_update(rpc_bay)
|
||||||
return Bay.convert_with_links(res_bay)
|
return Bay.convert_with_links(res_bay)
|
||||||
|
|
||||||
|
@policy.enforce_wsgi("bay", "delete")
|
||||||
@wsme_pecan.wsexpose(None, types.uuid_or_name, status_code=204)
|
@wsme_pecan.wsexpose(None, types.uuid_or_name, status_code=204)
|
||||||
def delete(self, bay_ident):
|
def delete(self, bay_ident):
|
||||||
"""Delete a bay.
|
"""Delete a bay.
|
||||||
|
|
|
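Review bot: `get_all` and `detail` are decorated with `@policy.enforce_wsgi("bay")` while every other method passes the action explicitly (`"get"`, `"create"`, `"update"`, `"delete"`); presumably the decorator derives the action from the function name when it is omitted, but mixing the two forms makes it easy to lose track of which rule a method is gated by. Use the explicit form throughout: `@policy.enforce_wsgi("bay", "get_all")` and `@policy.enforce_wsgi("bay", "detail")`. The check also sits above `wsme_pecan.wsexpose`, so it runs before the method body looks the bay up, which means `admin_or_owner` cannot be comparing against the target bay's `project_id` unless the decorator performs that lookup itself; a one-line comment on the decorator stating what the target is would save the next reader the trip into `magnum.common.policy`. The bodies of `get_all`, `detail`, `get_one`, `post`, `patch` and `delete` extend outside the hunks.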
@ -29,6 +29,7 @@ import testscenarios
|
||||||
from magnum.common import context as magnum_context
|
from magnum.common import context as magnum_context
|
||||||
from magnum.objects import base as objects_base
|
from magnum.objects import base as objects_base
|
||||||
from magnum.tests import conf_fixture
|
from magnum.tests import conf_fixture
|
||||||
|
from magnum.tests import policy_fixture
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = cfg.CONF
|
||||||
|
@ -68,6 +69,8 @@ class TestCase(base.BaseTestCase):
|
||||||
project_id='fake_project',
|
project_id='fake_project',
|
||||||
user_id='fake_user')
|
user_id='fake_user')
|
||||||
|
|
||||||
|
self.policy = self.useFixture(policy_fixture.PolicyFixture())
|
||||||
|
|
||||||
def make_context(*args, **kwargs):
|
def make_context(*args, **kwargs):
|
||||||
# If context hasn't been constructed with token_info
|
# If context hasn't been constructed with token_info
|
||||||
if not kwargs.get('auth_token_info'):
|
if not kwargs.get('auth_token_info'):
|
||||||
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
# Copyright (c) 2012 OpenStack Foundation
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
|
policy_data = """
|
||||||
|
{
|
||||||
|
"context_is_admin": "role:admin",
|
||||||
|
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||||
|
"default": "rule:admin_or_owner",
|
||||||
|
"admin_api": "is_admin:True",
|
||||||
|
|
||||||
|
"bay:create": "",
|
||||||
|
"bay:delete": "",
|
||||||
|
"bay:detail": "",
|
||||||
|
"bay:get": "",
|
||||||
|
"bay:get_all": "",
|
||||||
|
"bay:update": ""
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
|
||||||
|
|
||||||
|
policy_data_compat_juno = """
|
||||||
|
{
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
|
||||||
|
|
||||||
|
def get_policy_data(compat):
|
||||||
|
if not compat:
|
||||||
|
return policy_data
|
||||||
|
elif compat == 'juno':
|
||||||
|
return policy_data_compat_juno
|
||||||
|
else:
|
||||||
|
raise Exception('Policy data for %s not available' % compat)
|
|
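Review bot: `get_policy_data` raises a bare `Exception` for an unknown `compat` value, so a caller can only catch it with `except Exception`; use `raise ValueError('Policy data for %s not available' % compat)` instead. The fake data also sets every `bay:*` rule to the empty string, which oslo.policy parses as an unconditional allow, so no test built on this module can exercise a denial path; that is a reasonable default, but a module docstring should say so, e.g. `Policy data for unit tests: every bay rule is open, so tests are not gated by the real policy.json.` `policy_data_compat_juno` is an empty rule set, which leaves even `default` undefined; if that is intentional, a short comment explaining why would help.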
@ -0,0 +1,41 @@
|
||||||
|
# Copyright 2012 Hewlett-Packard Development Company, L.P.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
import os
|
||||||
|
|
||||||
|
import fixtures
|
||||||
|
from oslo_config import cfg
|
||||||
|
from oslo_policy import opts as policy_opts
|
||||||
|
|
||||||
|
from magnum.common import policy as magnum_policy
|
||||||
|
from magnum.tests import fake_policy
|
||||||
|
|
||||||
|
CONF = cfg.CONF
|
||||||
|
|
||||||
|
|
||||||
|
class PolicyFixture(fixtures.Fixture):
|
||||||
|
def __init__(self, compat=None):
|
||||||
|
self.compat = compat
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(PolicyFixture, self).setUp()
|
||||||
|
self.policy_dir = self.useFixture(fixtures.TempDir())
|
||||||
|
self.policy_file_name = os.path.join(self.policy_dir.path,
|
||||||
|
'policy.json')
|
||||||
|
with open(self.policy_file_name, 'w') as policy_file:
|
||||||
|
policy_file.write(fake_policy.get_policy_data(self.compat))
|
||||||
|
policy_opts.set_defaults(CONF)
|
||||||
|
CONF.set_override('policy_file', self.policy_file_name, 'oslo_policy')
|
||||||
|
magnum_policy._ENFORCER = None
|
||||||
|
self.addCleanup(magnum_policy.init().clear)
|
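Review bot: The cleanup registered on the last line only clears the enforcer's loaded rules; `magnum_policy._ENFORCER` keeps pointing at an enforcer whose `policy_file` lives in `self.policy_dir`, a TempDir that is removed by its own cleanup, and the `CONF.set_override('policy_file', ...)` is never undone by this fixture. Unless the surrounding test base resets `CONF` and the enforcer, a later test that does not install this fixture can reload policy from a path that no longer exists. Register the reverse operations as well: `self.addCleanup(setattr, magnum_policy, '_ENFORCER', None)` and `self.addCleanup(CONF.clear_override, 'policy_file', 'oslo_policy')`. The class also lacks a docstring; a one-liner such as `Install a temporary policy.json built from fake_policy and reset the shared enforcer around a test.` would do.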