
Merge "Implement basic policy module in code"

changes/78/514078/1
Zuul 4 years ago
committed by Gerrit Code Review
parent
commit
d426a8f5dc
9 changed files with 91 additions and 9 deletions
  1. +3
    -0
      .gitignore
  2. +3
    -0
      etc/magnum/magnum-policy-generator.conf
  3. +0
    -6
      etc/magnum/policy.json
  4. +23
    -0
      magnum/common/policies/__init__.py
  5. +52
    -0
      magnum/common/policies/base.py
  6. +3
    -0
      magnum/common/policy.py
  7. +0
    -3
      magnum/tests/fake_policy.py
  8. +3
    -0
      setup.cfg
  9. +4
    -0
      tox.ini

+ 3
- 0
.gitignore View File

@ -62,5 +62,8 @@ ChangeLog
# generated config file
etc/magnum/magnum.conf.sample
# generated policy file
etc/magnum/policy.yaml.sample
# Files created by releasenotes build
releasenotes/build

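--- /dev/null
+++ b/etc/magnum/magnum-policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/magnum/policy.yaml.sample
+namespace = magnum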

+ 0
- 6
etc/magnum/policy.json View File

@ -1,11 +1,5 @@
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "rule:context_is_admin",
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
"cluster_user": "user_id:%(trustee_user_id)s",
"deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
"bay:create": "rule:deny_cluster_user",
"bay:delete": "rule:deny_cluster_user",


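--- /dev/null
+++ b/magnum/common/policies/__init__.py
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+import itertools
+from magnum.common.policies import base
+def list_rules():
+return itertools.chain(
+base.list_rules()
+)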

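--- /dev/null
+++ b/magnum/common/policies/base.py
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+ROLE_ADMIN = 'rule:context_is_admin'
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_API = 'rule:admin_api'
+RULE_ADMIN_OR_USER = 'rule:admin_or_user'
+RULE_CLUSTER_USER = 'rule:cluster_user'
+RULE_DENY_CLUSTER_USER = 'rule:deny_cluster_user'
+rules = [
+policy.RuleDefault(
+name='context_is_admin',
+check_str='role:admin'
+),
+policy.RuleDefault(
+name='admin_or_owner',
+check_str='is_admin:True or project_id:%(project_id)s'
+),
+policy.RuleDefault(
+name='admin_api',
+check_str='rule:context_is_admin'
+),
+policy.RuleDefault(
+name='admin_or_user',
+check_str='is_admin:True or user_id:%(user_id)s'
+),
+policy.RuleDefault(
+name='cluster_user',
+check_str='user_id:%(trustee_user_id)s'
+),
+policy.RuleDefault(
+name='deny_cluster_user',
+check_str='not domain_id:%(trustee_domain_id)s'
+)
+]
+def list_rules():
+return rules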
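Review bot: None of the six `policy.RuleDefault` entries carries a `description=`, so the `policy.yaml.sample` that the new genpolicy tox env generates will list bare check strings with no explanation of what each rule gates. The one that most needs it is `deny_cluster_user`: `not domain_id:%(trustee_domain_id)s` is a negated generic check, and if oslo.policy's GenericCheck evaluates to False when the target has no `trustee_domain_id` key (as I recall it does), the `not` turns that into allow, so a caller that forgets to pass the cluster as target silently passes — worth stating, e.g. `description='Deny requests made with the cluster trustee identity; note it passes if the target carries no trustee_domain_id.'`. The constant `ROLE_ADMIN = 'rule:context_is_admin'` is a rule reference like its `RULE_*` siblings rather than a role string; `RULE_ADMIN` (keeping `ROLE_ADMIN` as an alias if anything already imports it) would read consistently.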

+ 3
- 0
magnum/common/policy.py View File

@ -23,6 +23,7 @@ import pecan
from magnum.common import clients
from magnum.common import exception
from magnum.common import policies
_ENFORCER = None
@ -60,6 +61,8 @@ def init(policy_file=None, rules=None,
default_rule=default_rule,
use_conf=use_conf,
overwrite=overwrite)
_ENFORCER.register_defaults(policies.list_rules())
return _ENFORCER
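Review bot: `_ENFORCER.register_defaults(policies.list_rules())` runs on every pass through this branch of init(), and oslo.policy raises `DuplicatePolicyError` when a rule name is registered a second time on the same enforcer, so this is only safe if the Enforcer is built at most once per process; the guard that would ensure that (an `if not _ENFORCER:` check, if present) lies outside the hunk. If init() can be re-entered with `overwrite=True` or from test fixtures, register the defaults only immediately after a fresh `policy.Enforcer(...)` is constructed, and add `# in-code defaults; entries in the policy file override them` so readers know which source wins. init()'s body starts and ends outside the hunk.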


+ 0
- 3
magnum/tests/fake_policy.py View File

@ -15,10 +15,7 @@
policy_data = """
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "rule:context_is_admin",
"bay:create": "",
"bay:delete": "",


+ 3
- 0
setup.cfg View File

@ -63,6 +63,9 @@ oslo.config.opts =
oslo.config.opts.defaults =
magnum = magnum.common.config:set_cors_middleware_defaults
oslo.policy.policies =
magnum = magnum.common.policies:list_rules
magnum.drivers =
k8s_fedora_atomic_v1 = magnum.drivers.k8s_fedora_atomic_v1.driver:Driver
k8s_coreos_v1 = magnum.drivers.k8s_coreos_v1.driver:Driver


+ 4
- 0
tox.ini View File

@ -141,6 +141,10 @@ commands =
commands =
oslo-config-generator --config-file etc/magnum/magnum-config-generator.conf
[testenv:genpolicy]
commands =
oslopolicy-sample-generator --config-file etc/magnum/magnum-policy-generator.conf
[flake8]
# H106 Don’t put vim configuration in source files
# H203 Use assertIs(Not)None to check for None

