Browse Source

Implement basic policy module in code

This change prepares the magnum project to start implementing
policies in code. Subsequent patches will register more magnum
policies in code and remove the corresponding entry from the
policy file maintained in source.

This is part of a community effort to provide better user
experience for those having to maintain RBAC policy. More
information on this effort can be found below:
https://governance.openstack.org/tc/goals/queens/policy-in-code.html

Change-Id: I0e2b34067ea1e4d5868df544a9f65ae3f1944c43
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
changes/44/509144/7
Hieu LE 4 years ago
parent
commit
e06004d9f5
9 changed files with 91 additions and 9 deletions
  1. +3
    -0
      .gitignore
  2. +3
    -0
      etc/magnum/magnum-policy-generator.conf
  3. +0
    -6
      etc/magnum/policy.json
  4. +23
    -0
      magnum/common/policies/__init__.py
  5. +52
    -0
      magnum/common/policies/base.py
  6. +3
    -0
      magnum/common/policy.py
  7. +0
    -3
      magnum/tests/fake_policy.py
  8. +3
    -0
      setup.cfg
  9. +4
    -0
      tox.ini

+ 3
- 0
.gitignore View File

@ -62,5 +62,8 @@ ChangeLog
# generated config file
etc/magnum/magnum.conf.sample
# generated policy file
etc/magnum/policy.yaml.sample
# Files created by releasenotes build
releasenotes/build

+ 3
- 0
etc/magnum/magnum-policy-generator.conf View File

@ -0,0 +1,3 @@
[DEFAULT]
output_file = etc/magnum/policy.yaml.sample
namespace = magnum

+ 0
- 6
etc/magnum/policy.json View File

@ -1,11 +1,5 @@
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "rule:context_is_admin",
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
"cluster_user": "user_id:%(trustee_user_id)s",
"deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
"bay:create": "rule:deny_cluster_user",
"bay:delete": "rule:deny_cluster_user",


+ 23
- 0
magnum/common/policies/__init__.py View File

@ -0,0 +1,23 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import itertools
from magnum.common.policies import base
def list_rules():
return itertools.chain(
base.list_rules()
)

+ 52
- 0
magnum/common/policies/base.py View File

@ -0,0 +1,52 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
ROLE_ADMIN = 'rule:context_is_admin'
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_API = 'rule:admin_api'
RULE_ADMIN_OR_USER = 'rule:admin_or_user'
RULE_CLUSTER_USER = 'rule:cluster_user'
RULE_DENY_CLUSTER_USER = 'rule:deny_cluster_user'
rules = [
policy.RuleDefault(
name='context_is_admin',
check_str='role:admin'
),
policy.RuleDefault(
name='admin_or_owner',
check_str='is_admin:True or project_id:%(project_id)s'
),
policy.RuleDefault(
name='admin_api',
check_str='rule:context_is_admin'
),
policy.RuleDefault(
name='admin_or_user',
check_str='is_admin:True or user_id:%(user_id)s'
),
policy.RuleDefault(
name='cluster_user',
check_str='user_id:%(trustee_user_id)s'
),
policy.RuleDefault(
name='deny_cluster_user',
check_str='not domain_id:%(trustee_domain_id)s'
)
]
def list_rules():
return rules

+ 3
- 0
magnum/common/policy.py View File

@ -23,6 +23,7 @@ import pecan
from magnum.common import clients
from magnum.common import exception
from magnum.common import policies
_ENFORCER = None
@ -60,6 +61,8 @@ def init(policy_file=None, rules=None,
default_rule=default_rule,
use_conf=use_conf,
overwrite=overwrite)
_ENFORCER.register_defaults(policies.list_rules())
return _ENFORCER


+ 0
- 3
magnum/tests/fake_policy.py View File

@ -15,10 +15,7 @@
policy_data = """
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "rule:context_is_admin",
"bay:create": "",
"bay:delete": "",


+ 3
- 0
setup.cfg View File

@ -63,6 +63,9 @@ oslo.config.opts =
oslo.config.opts.defaults =
magnum = magnum.common.config:set_cors_middleware_defaults
oslo.policy.policies =
magnum = magnum.common.policies:list_rules
magnum.drivers =
k8s_fedora_atomic_v1 = magnum.drivers.k8s_fedora_atomic_v1.driver:Driver
k8s_coreos_v1 = magnum.drivers.k8s_coreos_v1.driver:Driver


+ 4
- 0
tox.ini View File

@ -141,6 +141,10 @@ commands =
commands =
oslo-config-generator --config-file etc/magnum/magnum-config-generator.conf
[testenv:genpolicy]
commands =
oslopolicy-sample-generator --config-file etc/magnum/magnum-policy-generator.conf
[flake8]
# H106 Don’t put vim configuration in source files
# H203 Use assertIs(Not)None to check for None


Loading…
Cancel
Save