Implement basic policy module in code

This change prepares the magnum project to start implementing policies in code. Subsequent patches will register more magnum policies in code and remove the corresponding entry from the policy file maintained in source. This is part of a community effort to provide better user experience for those having to maintain RBAC policy. More information on this effort can be found below: https://governance.openstack.org/tc/goals/queens/policy-in-code.html Change-Id: I0e2b34067ea1e4d5868df544a9f65ae3f1944c43 Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com> Implements: blueprint policy-in-code
2017-10-03 17:48:56 +07:00 · 2017-10-03 17:48:56 +07:00 · e06004d9f5
commit e06004d9f5
parent 4b88f7b780
9 changed files with 91 additions and 9 deletions
--- a/.gitignore
+++ b/.gitignore
@ -62,5 +62,8 @@ ChangeLog
 # generated config file
 etc/magnum/magnum.conf.sample

+# generated policy file
+etc/magnum/policy.yaml.sample
+
 # Files created by releasenotes build
 releasenotes/build
--- a/etc/magnum/magnum-policy-generator.conf
+++ b/etc/magnum/magnum-policy-generator.conf
@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/magnum/policy.yaml.sample
+namespace = magnum
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@ -1,11 +1,5 @@
 {
-    "context_is_admin":  "role:admin",
-    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
-    "admin_api": "rule:context_is_admin",
-    "admin_or_user": "is_admin:True or user_id:%(user_id)s",
-    "cluster_user": "user_id:%(trustee_user_id)s",
-    "deny_cluster_user": "not domain_id:%(trustee_domain_id)s",

    "bay:create": "rule:deny_cluster_user",
    "bay:delete": "rule:deny_cluster_user",
--- a/magnum/common/policies/init.py
+++ b/magnum/common/policies/init.py
@ -0,0 +1,23 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import itertools
+
+from magnum.common.policies import base
+
+
+def list_rules():
+    return itertools.chain(
+        base.list_rules()
+    )
--- a/magnum/common/policies/base.py
+++ b/magnum/common/policies/base.py
@ -0,0 +1,52 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_policy import policy
+
+ROLE_ADMIN = 'rule:context_is_admin'
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_API = 'rule:admin_api'
+RULE_ADMIN_OR_USER = 'rule:admin_or_user'
+RULE_CLUSTER_USER = 'rule:cluster_user'
+RULE_DENY_CLUSTER_USER = 'rule:deny_cluster_user'
+
+rules = [
+    policy.RuleDefault(
+        name='context_is_admin',
+        check_str='role:admin'
+    ),
+    policy.RuleDefault(
+        name='admin_or_owner',
+        check_str='is_admin:True or project_id:%(project_id)s'
+    ),
+    policy.RuleDefault(
+        name='admin_api',
+        check_str='rule:context_is_admin'
+    ),
+    policy.RuleDefault(
+        name='admin_or_user',
+        check_str='is_admin:True or user_id:%(user_id)s'
+    ),
+    policy.RuleDefault(
+        name='cluster_user',
+        check_str='user_id:%(trustee_user_id)s'
+    ),
+    policy.RuleDefault(
+        name='deny_cluster_user',
+        check_str='not domain_id:%(trustee_domain_id)s'
+    )
+]
+
+
+def list_rules():
+    return rules
--- a/magnum/common/policy.py
+++ b/magnum/common/policy.py
@ -23,6 +23,7 @@ import pecan

 from magnum.common import clients
 from magnum.common import exception
+from magnum.common import policies


 _ENFORCER = None
@ -60,6 +61,8 @@ def init(policy_file=None, rules=None,
                                    default_rule=default_rule,
                                    use_conf=use_conf,
                                    overwrite=overwrite)
+        _ENFORCER.register_defaults(policies.list_rules())
+
    return _ENFORCER


--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@ -15,10 +15,7 @@

 policy_data = """
 {
-    "context_is_admin":  "role:admin",
-    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
-    "admin_api": "rule:context_is_admin",

    "bay:create": "",
    "bay:delete": "",
--- a/setup.cfg
+++ b/setup.cfg
@ -63,6 +63,9 @@ oslo.config.opts =
 oslo.config.opts.defaults =
    magnum = magnum.common.config:set_cors_middleware_defaults

+oslo.policy.policies =
+    magnum = magnum.common.policies:list_rules
+
 magnum.drivers =
    k8s_fedora_atomic_v1 = magnum.drivers.k8s_fedora_atomic_v1.driver:Driver
    k8s_coreos_v1 = magnum.drivers.k8s_coreos_v1.driver:Driver
--- a/tox.ini
+++ b/tox.ini
@ -141,6 +141,10 @@ commands =
 commands =
    oslo-config-generator --config-file etc/magnum/magnum-config-generator.conf

+[testenv:genpolicy]
+commands =
+    oslopolicy-sample-generator --config-file etc/magnum/magnum-policy-generator.conf
+
 [flake8]
 # H106 Don’t put vim configuration in source files
 # H203 Use assertIs(Not)None to check for None