Merge "Implement basic policy module in code"
commit
d426a8f5dc
|
@ -62,5 +62,8 @@ ChangeLog
|
|||
# generated config file
|
||||
etc/magnum/magnum.conf.sample
|
||||
|
||||
# generated policy file
|
||||
etc/magnum/policy.yaml.sample
|
||||
|
||||
# Files created by releasenotes build
|
||||
releasenotes/build
|
||||
|
|
|
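--- /dev/null
+++ b/etc/magnum/magnum-policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/magnum/policy.yaml.sample
+namespace = magnum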
@ -1,11 +1,5 @@
|
|||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
"admin_api": "rule:context_is_admin",
|
||||
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
|
||||
"cluster_user": "user_id:%(trustee_user_id)s",
|
||||
"deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
|
||||
|
||||
"bay:create": "rule:deny_cluster_user",
|
||||
"bay:delete": "rule:deny_cluster_user",
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import itertools
|
||||
|
||||
from magnum.common.policies import base
|
||||
|
||||
|
||||
def list_rules():
|
||||
return itertools.chain(
|
||||
base.list_rules()
|
||||
)
|
|
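Review bot: `list_rules()` has no docstring, yet it is the function wired up as the `oslo.policy.policies` entry point in the setup.cfg hunk and handed to `register_defaults` in policy.py, so its contract is worth stating: it must return every default rule, and each future policy module has to be added to the `itertools.chain` call or its rules are silently never registered. Suggested: `"""Return all of magnum's default policy rules (oslo.policy.policies entry point)."""`, plus a one-line module comment saying new rule modules must be chained here.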
@ -0,0 +1,52 @@
|
|||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
from oslo_policy import policy
|
||||
|
||||
ROLE_ADMIN = 'rule:context_is_admin'
|
||||
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
|
||||
RULE_ADMIN_API = 'rule:admin_api'
|
||||
RULE_ADMIN_OR_USER = 'rule:admin_or_user'
|
||||
RULE_CLUSTER_USER = 'rule:cluster_user'
|
||||
RULE_DENY_CLUSTER_USER = 'rule:deny_cluster_user'
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
name='context_is_admin',
|
||||
check_str='role:admin'
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name='admin_or_owner',
|
||||
check_str='is_admin:True or project_id:%(project_id)s'
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name='admin_api',
|
||||
check_str='rule:context_is_admin'
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name='admin_or_user',
|
||||
check_str='is_admin:True or user_id:%(user_id)s'
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name='cluster_user',
|
||||
check_str='user_id:%(trustee_user_id)s'
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name='deny_cluster_user',
|
||||
check_str='not domain_id:%(trustee_domain_id)s'
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
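Review bot: None of the six `policy.RuleDefault` entries in `rules` passes `description=`, so the `policy.yaml.sample` produced by the new `genpolicy` tox target will list bare check strings with no explanation of what each rule gates or which target keys it expects. The two trustee rules need it most, e.g. `description='Caller is the cluster trustee: user_id matches the target trustee_user_id.'` on `cluster_user`. For `deny_cluster_user`, if I read oslo.policy's GenericCheck correctly, `domain_id:%(trustee_domain_id)s` evaluates False whenever the target has no `trustee_domain_id` key, so the negated rule then passes — the description should say that callers must put `trustee_domain_id` in the target for the deny to have any effect. A module docstring noting that these are in-code defaults which an operator's policy file overrides would also help.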
@ -23,6 +23,7 @@ import pecan
|
|||
|
||||
from magnum.common import clients
|
||||
from magnum.common import exception
|
||||
from magnum.common import policies
|
||||
|
||||
|
||||
_ENFORCER = None
|
||||
|
@ -60,6 +61,8 @@ def init(policy_file=None, rules=None,
|
|||
default_rule=default_rule,
|
||||
use_conf=use_conf,
|
||||
overwrite=overwrite)
|
||||
_ENFORCER.register_defaults(policies.list_rules())
|
||||
|
||||
return _ENFORCER
|
||||
|
||||
|
||||
|
|
|
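Review bot: `_ENFORCER.register_defaults(policies.list_rules())` registers only the base rules, while the API rules (`bay:create`, `bay:delete`, …) and the `default` rule remain file-only (the policy.json hunk in this commit keeps them), so a deployment without a policy file has no registered check for any `bay:*` action and, as far as I can tell, `enforce()` would fall through to the `default_rule` passed to the Enforcer on the line above. A comment at the call site would stop the next reader from assuming the file is now optional, e.g. `# Only the base rules live in code so far; API rules (bay:*, ...) are still` / `# loaded from the policy file until they move into magnum.common.policies.` `init()` begins above this hunk, so whether a repeated call builds a fresh Enforcer before registering (register_defaults refuses duplicate names) cannot be checked from here.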
@ -15,10 +15,7 @@
|
|||
|
||||
policy_data = """
|
||||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
"admin_api": "rule:context_is_admin",
|
||||
|
||||
"bay:create": "",
|
||||
"bay:delete": "",
|
||||
|
|
|
@ -63,6 +63,9 @@ oslo.config.opts =
|
|||
oslo.config.opts.defaults =
|
||||
magnum = magnum.common.config:set_cors_middleware_defaults
|
||||
|
||||
oslo.policy.policies =
|
||||
magnum = magnum.common.policies:list_rules
|
||||
|
||||
magnum.drivers =
|
||||
k8s_fedora_atomic_v1 = magnum.drivers.k8s_fedora_atomic_v1.driver:Driver
|
||||
k8s_coreos_v1 = magnum.drivers.k8s_coreos_v1.driver:Driver
|
||||
|
|
4
tox.ini
4
tox.ini
|
@ -141,6 +141,10 @@ commands =
|
|||
commands =
|
||||
oslo-config-generator --config-file etc/magnum/magnum-config-generator.conf
|
||||
|
||||
[testenv:genpolicy]
|
||||
commands =
|
||||
oslopolicy-sample-generator --config-file etc/magnum/magnum-policy-generator.conf
|
||||
|
||||
[flake8]
|
||||
# H106 Don’t put vim configuration in source files
|
||||
# H203 Use assertIs(Not)None to check for None
|
||||
|
|