Merge "Implement basic policy module in code"
This commit is contained in:
commit
d426a8f5dc
@ -62,5 +62,8 @@ ChangeLog
|
||||||
# generated config file
|
# generated config file
|
||||||
etc/magnum/magnum.conf.sample
|
etc/magnum/magnum.conf.sample
|
||||||
|
|
||||||
|
# generated policy file
|
||||||
|
etc/magnum/policy.yaml.sample
|
||||||
|
|
||||||
# Files created by releasenotes build
|
# Files created by releasenotes build
|
||||||
releasenotes/build
|
releasenotes/build
|
||||||
|
|
|
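--- a/etc/magnum/magnum-policy-generator.conf
+++ b/etc/magnum/magnum-policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/magnum/policy.yaml.sample
+namespace = magnum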
@ -1,11 +1,5 @@
|
||||||
{
|
{
|
||||||
"context_is_admin": "role:admin",
|
|
||||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
|
||||||
"default": "rule:admin_or_owner",
|
"default": "rule:admin_or_owner",
|
||||||
"admin_api": "rule:context_is_admin",
|
|
||||||
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
|
|
||||||
"cluster_user": "user_id:%(trustee_user_id)s",
|
|
||||||
"deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
|
|
||||||
|
|
||||||
"bay:create": "rule:deny_cluster_user",
|
"bay:create": "rule:deny_cluster_user",
|
||||||
"bay:delete": "rule:deny_cluster_user",
|
"bay:delete": "rule:deny_cluster_user",
|
||||||
|
|
|
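--- a/magnum/common/policies/__init__.py
+++ b/magnum/common/policies/__init__.py
@@ -0,0 +1,23 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from magnum.common.policies import base
+
+
+def list_rules():
+    return itertools.chain(
+        base.list_rules()
+    )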
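Review bot: `list_rules` in the new `__init__.py` has no docstring, and since it is the function both the `oslo.policy.policies` entry point in setup.cfg and `_ENFORCER.register_defaults` in `magnum/common/policy.py` call, its contract is worth stating; suggest `"""Return an iterator over every policy.RuleDefault that magnum registers in code."""`. Because the return value is an `itertools.chain`, each result can be walked only once, so a caller that wants to both inspect and register the defaults must call `list_rules()` again or materialise it with `list(...)`; a second docstring sentence saying so would prevent that surprise. The single-argument `chain` call is presumably a placeholder for further per-resource rule modules to be chained in later.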
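--- a/magnum/common/policies/base.py
+++ b/magnum/common/policies/base.py
@@ -0,0 +1,52 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+
+ROLE_ADMIN = 'rule:context_is_admin'
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_API = 'rule:admin_api'
+RULE_ADMIN_OR_USER = 'rule:admin_or_user'
+RULE_CLUSTER_USER = 'rule:cluster_user'
+RULE_DENY_CLUSTER_USER = 'rule:deny_cluster_user'
+
+rules = [
+    policy.RuleDefault(
+        name='context_is_admin',
+        check_str='role:admin'
+    ),
+    policy.RuleDefault(
+        name='admin_or_owner',
+        check_str='is_admin:True or project_id:%(project_id)s'
+    ),
+    policy.RuleDefault(
+        name='admin_api',
+        check_str='rule:context_is_admin'
+    ),
+    policy.RuleDefault(
+        name='admin_or_user',
+        check_str='is_admin:True or user_id:%(user_id)s'
+    ),
+    policy.RuleDefault(
+        name='cluster_user',
+        check_str='user_id:%(trustee_user_id)s'
+    ),
+    policy.RuleDefault(
+        name='deny_cluster_user',
+        check_str='not domain_id:%(trustee_domain_id)s'
+    )
+]
+
+
+def list_rules():
+    return rules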
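Review bot: None of the six `policy.RuleDefault` entries in `base.py` carries a `description=`, so the `policy.yaml.sample` that the new genpolicy tox target generates will list the rule names and check strings without any statement of what each one gates; `policy.RuleDefault` accepts `description` and the sample generator emits it as a comment, e.g. (wording illustrative) `description='Decides what is required for the "is_admin:True" check to succeed.'` on `context_is_admin`. `list_rules()` also hands back the module-level `rules` list itself rather than a copy, so a caller that mutates the returned list silently changes the defaults seen by every enforcer created afterwards; `return list(rules)`, or defining `rules` as a tuple, closes that. Minor naming point: `ROLE_ADMIN` holds a `rule:` reference exactly like the other constants, so `RULE_ADMIN` would match `RULE_ADMIN_API` and friends, though renaming it changes the name other modules will import.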
@ -23,6 +23,7 @@ import pecan
|
||||||
|
|
||||||
from magnum.common import clients
|
from magnum.common import clients
|
||||||
from magnum.common import exception
|
from magnum.common import exception
|
||||||
|
from magnum.common import policies
|
||||||
|
|
||||||
|
|
||||||
_ENFORCER = None
|
_ENFORCER = None
|
||||||
|
@ -60,6 +61,8 @@ def init(policy_file=None, rules=None,
|
||||||
default_rule=default_rule,
|
default_rule=default_rule,
|
||||||
use_conf=use_conf,
|
use_conf=use_conf,
|
||||||
overwrite=overwrite)
|
overwrite=overwrite)
|
||||||
|
_ENFORCER.register_defaults(policies.list_rules())
|
||||||
|
|
||||||
return _ENFORCER
|
return _ENFORCER
|
||||||
|
|
||||||
|
|
||||||
|
|
|
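Review bot: `_ENFORCER.register_defaults(policies.list_rules())` is added directly after the `policy.Enforcer(...)` construction, but the rendering has lost the indentation, so it is not visible whether the call sits inside the branch that creates the enforcer or runs on every `init()` call; oslo.policy refuses to register a rule name that is already registered on the same enforcer, so if the call is outside that branch a second `init()` would fail. A one-line comment above the call would make the intent explicit, e.g. `# register the in-code defaults once, on the enforcer just created; operator entries in policy.json still take precedence over them`. The enclosing `init(policy_file=None, rules=None, ...)` starts before the hunk, and the first hunk of this file only adds the `policies` import.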
@ -15,10 +15,7 @@
|
||||||
|
|
||||||
policy_data = """
|
policy_data = """
|
||||||
{
|
{
|
||||||
"context_is_admin": "role:admin",
|
|
||||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
|
||||||
"default": "rule:admin_or_owner",
|
"default": "rule:admin_or_owner",
|
||||||
"admin_api": "rule:context_is_admin",
|
|
||||||
|
|
||||||
"bay:create": "",
|
"bay:create": "",
|
||||||
"bay:delete": "",
|
"bay:delete": "",
|
||||||
|
|
|
@ -63,6 +63,9 @@ oslo.config.opts =
|
||||||
oslo.config.opts.defaults =
|
oslo.config.opts.defaults =
|
||||||
magnum = magnum.common.config:set_cors_middleware_defaults
|
magnum = magnum.common.config:set_cors_middleware_defaults
|
||||||
|
|
||||||
|
oslo.policy.policies =
|
||||||
|
magnum = magnum.common.policies:list_rules
|
||||||
|
|
||||||
magnum.drivers =
|
magnum.drivers =
|
||||||
k8s_fedora_atomic_v1 = magnum.drivers.k8s_fedora_atomic_v1.driver:Driver
|
k8s_fedora_atomic_v1 = magnum.drivers.k8s_fedora_atomic_v1.driver:Driver
|
||||||
k8s_coreos_v1 = magnum.drivers.k8s_coreos_v1.driver:Driver
|
k8s_coreos_v1 = magnum.drivers.k8s_coreos_v1.driver:Driver
|
||||||
|
|
4
tox.ini
4
tox.ini
|
@ -141,6 +141,10 @@ commands =
|
||||||
commands =
|
commands =
|
||||||
oslo-config-generator --config-file etc/magnum/magnum-config-generator.conf
|
oslo-config-generator --config-file etc/magnum/magnum-config-generator.conf
|
||||||
|
|
||||||
|
[testenv:genpolicy]
|
||||||
|
commands =
|
||||||
|
oslopolicy-sample-generator --config-file etc/magnum/magnum-policy-generator.conf
|
||||||
|
|
||||||
[flake8]
|
[flake8]
|
||||||
# H106 Don’t put vim configuration in source files
|
# H106 Don’t put vim configuration in source files
|
||||||
# H203 Use assertIs(Not)None to check for None
|
# H203 Use assertIs(Not)None to check for None
|
||||||
|
|