Merge "Implement basic policy module in code"

2017-10-22 15:36:36 +00:00 · 2017-10-22 15:36:36 +00:00 · d426a8f5dc
parent 9c1dbe2c22 e06004d9f5
commit d426a8f5dc
9 changed files with 91 additions and 9 deletions
--- a/.gitignore
+++ b/.gitignore
@ -62,5 +62,8 @@ ChangeLog
 # generated config file
 etc/magnum/magnum.conf.sample

+# generated policy file
+etc/magnum/policy.yaml.sample
+
 # Files created by releasenotes build
 releasenotes/build
--- a/etc/magnum/magnum-policy-generator.conf
+++ b/etc/magnum/magnum-policy-generator.conf
@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/magnum/policy.yaml.sample
+namespace = magnum
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@ -1,11 +1,5 @@
 {
-    "context_is_admin":  "role:admin",
-    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
-    "admin_api": "rule:context_is_admin",
-    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
-    "cluster_user": "user_id:%(trustee_user_id)s",
-    "deny_cluster_user": "not domain_id:%(trustee_domain_id)s",

    "bay:create": "rule:deny_cluster_user",
    "bay:delete": "rule:deny_cluster_user",
--- a/magnum/common/policies/init.py
+++ b/magnum/common/policies/init.py
@ -0,0 +1,23 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import itertools
+
+from magnum.common.policies import base
+
+
+def list_rules():
+    return itertools.chain(
+        base.list_rules()
+    )
--- a/magnum/common/policies/base.py
+++ b/magnum/common/policies/base.py
@ -0,0 +1,52 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_policy import policy
+
+ROLE_ADMIN = 'rule:context_is_admin'
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_API = 'rule:admin_api'
+RULE_ADMIN_OR_USER = 'rule:admin_or_user'
+RULE_CLUSTER_USER = 'rule:cluster_user'
+RULE_DENY_CLUSTER_USER = 'rule:deny_cluster_user'
+
+rules = [
+    policy.RuleDefault(
+        name='context_is_admin',
+        check_str='role:admin'
+    ),
+    policy.RuleDefault(
+        name='admin_or_owner',
+        check_str='is_admin:True or project_id:%(project_id)s'
+    ),
+    policy.RuleDefault(
+        name='admin_api',
+        check_str='rule:context_is_admin'
+    ),
+    policy.RuleDefault(
+        name='admin_or_user',
+        check_str='is_admin:True or user_id:%(user_id)s'
+    ),
+    policy.RuleDefault(
+        name='cluster_user',
+        check_str='user_id:%(trustee_user_id)s'
+    ),
+    policy.RuleDefault(
+        name='deny_cluster_user',
+        check_str='not domain_id:%(trustee_domain_id)s'
+    )
+]
+
+
+def list_rules():
+    return rules
--- a/magnum/common/policy.py
+++ b/magnum/common/policy.py
@ -23,6 +23,7 @@ import pecan

 from magnum.common import clients
 from magnum.common import exception
+from magnum.common import policies


 _ENFORCER = None
@ -60,6 +61,8 @@ def init(policy_file=None, rules=None,
                                    default_rule=default_rule,
                                    use_conf=use_conf,
                                    overwrite=overwrite)
+        _ENFORCER.register_defaults(policies.list_rules())
+
    return _ENFORCER


--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@ -15,10 +15,7 @@

 policy_data = """
 {
-    "context_is_admin":  "role:admin",
-    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
-    "admin_api": "rule:context_is_admin",

    "bay:create": "",
    "bay:delete": "",
--- a/setup.cfg
+++ b/setup.cfg
@ -63,6 +63,9 @@ oslo.config.opts =
 oslo.config.opts.defaults =
    magnum = magnum.common.config:set_cors_middleware_defaults

+oslo.policy.policies =
+    magnum = magnum.common.policies:list_rules
+
 magnum.drivers =
    k8s_fedora_atomic_v1 = magnum.drivers.k8s_fedora_atomic_v1.driver:Driver
    k8s_coreos_v1 = magnum.drivers.k8s_coreos_v1.driver:Driver
--- a/tox.ini
+++ b/tox.ini
@ -141,6 +141,10 @@ commands =
 commands =
    oslo-config-generator --config-file etc/magnum/magnum-config-generator.conf

+[testenv:genpolicy]
+commands =
+    oslopolicy-sample-generator --config-file etc/magnum/magnum-policy-generator.conf
+
 [flake8]
 # H106 Don’t put vim configuration in source files
 # H203 Use assertIs(Not)None to check for None