first policy check for bay
add first policy check for bay. Co-Authored-By: ShaoHe Feng <shaohe.feng@intel.com> Change-Id: Ieadc95d84f0e4ecc68c95673617d154f05a15a57 Partial-implements: blueprint policy-enforce
parent
e8a77b6e1b
commit
d057f8c442
|
@ -3,4 +3,11 @@
|
|||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
"admin_api": "is_admin:True",
|
||||
|
||||
"bay:create": "rule:default",
|
||||
"bay:delete": "rule:default",
|
||||
"bay:detail": "rule:default",
|
||||
"bay:get": "rule:default",
|
||||
"bay:get_all": "rule:default",
|
||||
"bay:update": "rule:default"
|
||||
}
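Review bot: Every new `bay:*` rule resolves through `rule:default` to `is_admin:True or project_id:%(project_id)s`, and the owner half only restricts anything if the target handed to the enforcer carries the bay's own project_id. For `bay:create` and `bay:get_all` there is no existing bay, and in the controller the check runs as a decorator before the bay is looked up. If the target is built from the caller's context (the `enforce_wsgi` helper is not shown on this page), the clause compares the caller with itself and admits any authenticated user. Tenant isolation would then rest on the database query filter rather than on policy. It would help to state that in the commit message or policy documentation, and to add a test in which a non-admin from a different project is refused on get, update and delete.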
|
||||
|
|
|
@ -27,6 +27,7 @@ from magnum.api.controllers.v1 import collection
|
|||
from magnum.api.controllers.v1 import types
|
||||
from magnum.api.controllers.v1 import utils as api_utils
|
||||
from magnum.common import exception
|
||||
from magnum.common import policy
|
||||
from magnum import objects
|
||||
|
||||
|
||||
|
@ -207,6 +208,7 @@ class BaysController(rest.RestController):
|
|||
sort_key=sort_key,
|
||||
sort_dir=sort_dir)
|
||||
|
||||
@policy.enforce_wsgi("bay")
|
||||
@wsme_pecan.wsexpose(BayCollection, types.uuid,
|
||||
types.uuid, int, wtypes.text, wtypes.text)
|
||||
def get_all(self, bay_uuid=None, marker=None, limit=None,
|
||||
|
@ -221,6 +223,7 @@ class BaysController(rest.RestController):
|
|||
return self._get_bays_collection(marker, limit, sort_key,
|
||||
sort_dir)
|
||||
|
||||
@policy.enforce_wsgi("bay")
|
||||
@wsme_pecan.wsexpose(BayCollection, types.uuid,
|
||||
types.uuid, int, wtypes.text, wtypes.text)
|
||||
def detail(self, bay_uuid=None, marker=None, limit=None,
|
||||
|
@ -244,6 +247,7 @@ class BaysController(rest.RestController):
|
|||
sort_key, sort_dir, expand,
|
||||
resource_url)
|
||||
|
||||
@policy.enforce_wsgi("bay", "get")
|
||||
@wsme_pecan.wsexpose(Bay, types.uuid_or_name)
|
||||
def get_one(self, bay_ident):
|
||||
"""Retrieve information about the given bay.
|
||||
|
@ -257,6 +261,7 @@ class BaysController(rest.RestController):
|
|||
|
||||
return Bay.convert_with_links(rpc_bay)
|
||||
|
||||
@policy.enforce_wsgi("bay", "create")
|
||||
@wsme_pecan.wsexpose(Bay, body=Bay, status_code=201)
|
||||
def post(self, bay):
|
||||
"""Create a new bay.
|
||||
|
@ -281,6 +286,7 @@ class BaysController(rest.RestController):
|
|||
pecan.response.location = link.build_url('bays', res_bay.uuid)
|
||||
return Bay.convert_with_links(res_bay)
|
||||
|
||||
@policy.enforce_wsgi("bay", "update")
|
||||
@wsme.validate(types.uuid, [BayPatchType])
|
||||
@wsme_pecan.wsexpose(Bay, types.uuid_or_name, body=[BayPatchType])
|
||||
def patch(self, bay_ident, patch):
|
||||
|
@ -314,6 +320,7 @@ class BaysController(rest.RestController):
|
|||
res_bay = pecan.request.rpcapi.bay_update(rpc_bay)
|
||||
return Bay.convert_with_links(res_bay)
|
||||
|
||||
@policy.enforce_wsgi("bay", "delete")
|
||||
@wsme_pecan.wsexpose(None, types.uuid_or_name, status_code=204)
|
||||
def delete(self, bay_ident):
|
||||
"""Delete a bay.
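Review bot: `get_all` and `detail` are decorated with `@policy.enforce_wsgi("bay")` and leave the action implicit, while the other four handlers name it, and `get_one` maps to `get` rather than to its own name. If the helper derives the action from the function name (its body is outside this page), renaming a handler would silently change which rule key is checked. Writing `@policy.enforce_wsgi("bay", "get_all")` and `@policy.enforce_wsgi("bay", "detail")` keeps the mapping to policy.json visible. The decorator also sits outside `wsme_pecan.wsexpose`, so a denial is presumably raised before WSME's fault formatting applies; a test asserting the status code of a refused request would confirm that it surfaces as 403 rather than 500. The handler bodies continue outside these hunks.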
|
||||
|
|
|
@ -29,6 +29,7 @@ import testscenarios
|
|||
from magnum.common import context as magnum_context
|
||||
from magnum.objects import base as objects_base
|
||||
from magnum.tests import conf_fixture
|
||||
from magnum.tests import policy_fixture
|
||||
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
@ -68,6 +69,8 @@ class TestCase(base.BaseTestCase):
|
|||
project_id='fake_project',
|
||||
user_id='fake_user')
|
||||
|
||||
self.policy = self.useFixture(policy_fixture.PolicyFixture())
|
||||
|
||||
def make_context(*args, **kwargs):
|
||||
# If context hasn't been constructed with token_info
|
||||
if not kwargs.get('auth_token_info'):
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
# Copyright (c) 2012 OpenStack Foundation
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
policy_data = """
|
||||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
"admin_api": "is_admin:True",
|
||||
|
||||
"bay:create": "",
|
||||
"bay:delete": "",
|
||||
"bay:detail": "",
|
||||
"bay:get": "",
|
||||
"bay:get_all": "",
|
||||
"bay:update": ""
|
||||
}
|
||||
"""
|
||||
|
||||
|
||||
policy_data_compat_juno = """
|
||||
{
|
||||
}
|
||||
"""
|
||||
|
||||
|
||||
def get_policy_data(compat):
|
||||
if not compat:
|
||||
return policy_data
|
||||
elif compat == 'juno':
|
||||
return policy_data_compat_juno
|
||||
else:
|
||||
raise Exception('Policy data for %s not available' % compat)
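Review bot: All six `bay:*` entries in `policy_data` are the empty string, which oslo.policy treats as always-allow, and the base TestCase now installs this policy for every test, so nothing in the suite exercises a refusal. A test that overrides one rule with a restrictive check (for example `"bay:delete": "!"`, the always-deny check) and asserts that the API rejects the call would cover the path this commit adds. Separately, `get_policy_data` raises a bare `Exception`; `raise ValueError('Policy data for %s not available' % compat)` is more specific and is still caught by anything handling `Exception`.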
|
|
@ -0,0 +1,41 @@
|
|||
# Copyright 2012 Hewlett-Packard Development Company, L.P.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import os
|
||||
|
||||
import fixtures
|
||||
from oslo_config import cfg
|
||||
from oslo_policy import opts as policy_opts
|
||||
|
||||
from magnum.common import policy as magnum_policy
|
||||
from magnum.tests import fake_policy
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
||||
|
||||
class PolicyFixture(fixtures.Fixture):
|
||||
def __init__(self, compat=None):
|
||||
self.compat = compat
|
||||
|
||||
def setUp(self):
|
||||
super(PolicyFixture, self).setUp()
|
||||
self.policy_dir = self.useFixture(fixtures.TempDir())
|
||||
self.policy_file_name = os.path.join(self.policy_dir.path,
|
||||
'policy.json')
|
||||
with open(self.policy_file_name, 'w') as policy_file:
|
||||
policy_file.write(fake_policy.get_policy_data(self.compat))
|
||||
policy_opts.set_defaults(CONF)
|
||||
CONF.set_override('policy_file', self.policy_file_name, 'oslo_policy')
|
||||
magnum_policy._ENFORCER = None
|
||||
self.addCleanup(magnum_policy.init().clear)
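Review bot: `setUp` changes two pieces of process-wide state and restores neither: the `policy_file` override on the global `CONF`, and the module-level `magnum_policy._ENFORCER`, which after `init()` refers to a file inside a TempDir that is removed at cleanup. The one registered cleanup only calls `clear` on the enforcer. Unless another fixture resets CONF (conf_fixture may, but it is not shown here), add `self.addCleanup(CONF.clear_override, 'policy_file', 'oslo_policy')` and `self.addCleanup(setattr, magnum_policy, '_ENFORCER', None)` so that later tests cannot inherit this permissive policy. A short class docstring saying that the fixture writes the `fake_policy` data to a temporary policy.json and points oslo.policy at it would also help.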
|