first policy check for bay

Add the first policy check for bay.

Co-Authored-By: ShaoHe Feng <shaohe.feng@intel.com>
Change-Id: Ieadc95d84f0e4ecc68c95673617d154f05a15a57
Partial-implements: blueprint policy-enforce
yuntongjin 2015-05-22 21:38:22 +08:00 committed by ShaoHe Feng
parent e8a77b6e1b
commit d057f8c442
5 changed files with 103 additions and 0 deletions


@ -3,4 +3,11 @@
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "is_admin:True",
"bay:create": "rule:default",
"bay:delete": "rule:default",
"bay:detail": "rule:default",
"bay:get": "rule:default",
"bay:get_all": "rule:default",
"bay:update": "rule:default"
}


@ -27,6 +27,7 @@ from magnum.api.controllers.v1 import collection
from magnum.api.controllers.v1 import types
from magnum.api.controllers.v1 import utils as api_utils
from magnum.common import exception
from magnum.common import policy
from magnum import objects
@ -207,6 +208,7 @@ class BaysController(rest.RestController):
sort_key=sort_key,
sort_dir=sort_dir)
@policy.enforce_wsgi("bay")
@wsme_pecan.wsexpose(BayCollection, types.uuid,
types.uuid, int, wtypes.text, wtypes.text)
def get_all(self, bay_uuid=None, marker=None, limit=None,
@ -221,6 +223,7 @@ class BaysController(rest.RestController):
return self._get_bays_collection(marker, limit, sort_key,
sort_dir)
@policy.enforce_wsgi("bay")
@wsme_pecan.wsexpose(BayCollection, types.uuid,
types.uuid, int, wtypes.text, wtypes.text)
def detail(self, bay_uuid=None, marker=None, limit=None,
@ -244,6 +247,7 @@ class BaysController(rest.RestController):
sort_key, sort_dir, expand,
resource_url)
@policy.enforce_wsgi("bay", "get")
@wsme_pecan.wsexpose(Bay, types.uuid_or_name)
def get_one(self, bay_ident):
"""Retrieve information about the given bay.
@ -257,6 +261,7 @@ class BaysController(rest.RestController):
return Bay.convert_with_links(rpc_bay)
@policy.enforce_wsgi("bay", "create")
@wsme_pecan.wsexpose(Bay, body=Bay, status_code=201)
def post(self, bay):
"""Create a new bay.
@ -281,6 +286,7 @@ class BaysController(rest.RestController):
pecan.response.location = link.build_url('bays', res_bay.uuid)
return Bay.convert_with_links(res_bay)
@policy.enforce_wsgi("bay", "update")
@wsme.validate(types.uuid, [BayPatchType])
@wsme_pecan.wsexpose(Bay, types.uuid_or_name, body=[BayPatchType])
def patch(self, bay_ident, patch):
@ -314,6 +320,7 @@ class BaysController(rest.RestController):
res_bay = pecan.request.rpcapi.bay_update(rpc_bay)
return Bay.convert_with_links(res_bay)
@policy.enforce_wsgi("bay", "delete")
@wsme_pecan.wsexpose(None, types.uuid_or_name, status_code=204)
def delete(self, bay_ident):
"""Delete a bay.


@ -29,6 +29,7 @@ import testscenarios
from magnum.common import context as magnum_context
from magnum.objects import base as objects_base
from magnum.tests import conf_fixture
from magnum.tests import policy_fixture
CONF = cfg.CONF
@ -68,6 +69,8 @@ class TestCase(base.BaseTestCase):
project_id='fake_project',
user_id='fake_user')
self.policy = self.useFixture(policy_fixture.PolicyFixture())
def make_context(*args, **kwargs):
# If context hasn't been constructed with token_info
if not kwargs.get('auth_token_info'):


@ -0,0 +1,45 @@
# Copyright (c) 2012 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
policy_data = """
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "is_admin:True",
"bay:create": "",
"bay:delete": "",
"bay:detail": "",
"bay:get": "",
"bay:get_all": "",
"bay:update": ""
}
"""
policy_data_compat_juno = """
{
}
"""
def get_policy_data(compat):
if not compat:
return policy_data
elif compat == 'juno':
return policy_data_compat_juno
else:
raise Exception('Policy data for %s not available' % compat)
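Review bot: Every `bay:*` rule in `policy_data` is the empty string, which oslo.policy treats as always-allow, so with this fixture installed in the base TestCase no test can observe a denial from the new decorators. A negative test is missing: override one rule (for example `"bay:get": "!"` or `"bay:get": "rule:admin_api"`) and assert that a non-admin request is rejected. get_policy_data also has no docstring and raises a bare `Exception`; a one-line docstring such as `"""Return the policy JSON for the given compat release, or the current data when compat is falsy."""` and `raise ValueError(...)` would make the contract clearer.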


@ -0,0 +1,41 @@
# Copyright 2012 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import os
import fixtures
from oslo_config import cfg
from oslo_policy import opts as policy_opts
from magnum.common import policy as magnum_policy
from magnum.tests import fake_policy
CONF = cfg.CONF
class PolicyFixture(fixtures.Fixture):
def __init__(self, compat=None):
self.compat = compat
def setUp(self):
super(PolicyFixture, self).setUp()
self.policy_dir = self.useFixture(fixtures.TempDir())
self.policy_file_name = os.path.join(self.policy_dir.path,
'policy.json')
with open(self.policy_file_name, 'w') as policy_file:
policy_file.write(fake_policy.get_policy_data(self.compat))
policy_opts.set_defaults(CONF)
CONF.set_override('policy_file', self.policy_file_name, 'oslo_policy')
magnum_policy._ENFORCER = None
self.addCleanup(magnum_policy.init().clear)
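Review bot: setUp resets `magnum_policy._ENFORCER = None` before calling init(), but the only cleanup registered is `magnum_policy.init().clear`, so after the test the module-level enforcer stays in place and `policy_file` still points into a TempDir that has been removed. Unless the config fixture used by the base TestCase already undoes overrides (not visible here), add `self.addCleanup(CONF.clear_override, 'policy_file', 'oslo_policy')` and reset the enforcer on cleanup as well, e.g. `self.addCleanup(setattr, magnum_policy, '_ENFORCER', None)`. The class and setUp would also benefit from a short docstring stating that the fixture writes fake_policy's JSON to a temporary policy.json and points oslo.policy at it.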