policy check for container

add policy check for container

Change-Id: I7ff39b37b4a65d882b896dcad65d6ff5dc08c0d1
Partial-implements: blueprint policy-enforce
changes/34/204834/3
yuntongjin 7 years ago
parent 959f2330d7
commit d9739584bf
  1. 9
      etc/magnum/policy.json
  2. 7
      magnum/api/controllers/v1/container.py
  3. 9
      magnum/tests/fake_policy.py
  4. 50
      magnum/tests/unit/api/controllers/v1/test_container.py

@ -44,5 +44,12 @@
"service:detail": "rule:default",
"service:get": "rule:default",
"service:get_all": "rule:default",
"service:update": "rule:default"
"service:update": "rule:default",
"container:create": "rule:default",
"container:delete": "rule:default",
"container:detail": "rule:default",
"container:get": "rule:default",
"container:get_all": "rule:default",
"container:update": "rule:default"
}

@ -29,6 +29,7 @@ from magnum.api.controllers.v1 import utils as api_utils
from magnum.api import expose
from magnum.api import validation
from magnum.common import exception
from magnum.common import policy
from magnum import objects
LOG = logging.getLogger(__name__)
@ -291,6 +292,7 @@ class ContainersController(rest.RestController):
sort_key=sort_key,
sort_dir=sort_dir)
@policy.enforce_wsgi("container")
@expose.expose(ContainerCollection, types.uuid,
types.uuid, int, wtypes.text, wtypes.text)
def get_all(self, container_uuid=None, marker=None, limit=None,
@ -305,6 +307,7 @@ class ContainersController(rest.RestController):
return self._get_containers_collection(marker, limit, sort_key,
sort_dir)
@policy.enforce_wsgi("container")
@expose.expose(ContainerCollection, types.uuid,
types.uuid, int, wtypes.text, wtypes.text)
def detail(self, container_uuid=None, marker=None, limit=None,
@ -328,6 +331,7 @@ class ContainersController(rest.RestController):
sort_key, sort_dir, expand,
resource_url)
@policy.enforce_wsgi("container", "get")
@expose.expose(Container, types.uuid_or_name)
def get_one(self, container_ident):
"""Retrieve information about the given container.
@ -339,6 +343,7 @@ class ContainersController(rest.RestController):
res_container = pecan.request.rpcapi.container_show(rpc_container.uuid)
return Container.convert_with_links(res_container)
@policy.enforce_wsgi("container", "create")
@expose.expose(Container, body=Container, status_code=201)
@validation.enforce_bay_types('swarm')
def post(self, container):
@ -362,6 +367,7 @@ class ContainersController(rest.RestController):
res_container.uuid)
return Container.convert_with_links(res_container)
@policy.enforce_wsgi("container", "update")
@wsme.validate(types.uuid, [ContainerPatchType])
@expose.expose(Container, types.uuid_or_name,
body=[ContainerPatchType])
@ -395,6 +401,7 @@ class ContainersController(rest.RestController):
rpc_container.save()
return Container.convert_with_links(rpc_container)
@policy.enforce_wsgi("container")
@expose.expose(None, types.uuid_or_name, status_code=204)
def delete(self, container_ident):
"""Delete a container.

@ -60,7 +60,14 @@ policy_data = """
"service:detail": "",
"service:get": "",
"service:get_all": "",
"service:update": ""
"service:update": "",
"container:create": "",
"container:delete": "",
"container:detail": "",
"container:get": "",
"container:get_all": "",
"container:update": ""
}
"""

@ -10,10 +10,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
from magnum.common import utils as comm_utils
from magnum import objects
from magnum.tests.unit.api import base as api_base
from magnum.tests.unit.db import utils
from oslo_policy import policy
import mock
from mock import patch
from webtest.app import AppError
@ -441,3 +444,50 @@ class TestContainerController(api_base.FunctionalTest):
self.assertEqual(response.status_int, 204)
mock_container_delete.assert_called_once_with(container_uuid)
mock_destroy.assert_called_once_with()
class TestContainerEnforcement(api_base.FunctionalTest):
def _common_policy_check(self, rule, func, *arg, **kwarg):
self.policy.set_rules({rule: 'project:non_fake'})
exc = self.assertRaises(policy.PolicyNotAuthorized,
func, *arg, **kwarg)
self.assertTrue(exc.message.startswith(rule))
self.assertTrue(exc.message.endswith('disallowed by policy'))
def test_policy_disallow_get_all(self):
self._common_policy_check(
'container:get_all', self.get_json, '/containers')
def test_policy_disallow_get_one(self):
self._common_policy_check(
'container:get', self.get_json, '/containers/111-222-333')
def test_policy_disallow_detail(self):
self._common_policy_check(
'container:detail',
self.get_json,
'/containers/111-222-333/detail')
def test_policy_disallow_update(self):
test_container = utils.get_test_container()
container_uuid = test_container.get('uuid')
params = [{'path': '/name',
'value': 'new_name',
'op': 'replace'}]
self._common_policy_check(
'container:update', self.app.patch_json,
'/v1/containers/%s' % container_uuid, params)
def test_policy_disallow_create(self):
params = ('{"name": "' + 'i' * 256 + '", "image": "ubuntu",'
'"command": "env",'
'"bay_uuid": "fff114da-3bfa-4a0f-a123-c0dffad9718e"}')
self._common_policy_check(
'container:create', self.app.post, '/v1/containers', params)
def test_policy_disallow_delete(self):
self._common_policy_check(
'container:delete', self.app.delete,
'/v1/containers/%s' % comm_utils.generate_uuid())

Loading…
Cancel
Save