diff --git a/.gitignore b/.gitignore index 9ce716b361..49755091b4 100644 --- a/.gitignore +++ b/.gitignore @@ -62,5 +62,8 @@ ChangeLog # generated config file etc/magnum/magnum.conf.sample +# generated policy file +etc/magnum/policy.yaml.sample + # Files created by releasenotes build releasenotes/build diff --git a/etc/magnum/magnum-policy-generator.conf b/etc/magnum/magnum-policy-generator.conf new file mode 100644 index 0000000000..58eb366605 --- /dev/null +++ b/etc/magnum/magnum-policy-generator.conf @@ -0,0 +1,3 @@ +[DEFAULT] +output_file = etc/magnum/policy.yaml.sample +namespace = magnum \ No newline at end of file diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json index cb19ad7477..5d5c1cc4c4 100644 --- a/etc/magnum/policy.json +++ b/etc/magnum/policy.json @@ -1,11 +1,5 @@ { - "context_is_admin": "role:admin", - "admin_or_owner": "is_admin:True or project_id:%(project_id)s", "default": "rule:admin_or_owner", - "admin_api": "rule:context_is_admin", - "admin_or_user": "is_admin:True or user_id:%(user_id)s", - "cluster_user": "user_id:%(trustee_user_id)s", - "deny_cluster_user": "not domain_id:%(trustee_domain_id)s", "bay:create": "rule:deny_cluster_user", "bay:delete": "rule:deny_cluster_user", diff --git a/magnum/common/policies/__init__.py b/magnum/common/policies/__init__.py new file mode 100644 index 0000000000..8ad662efa4 --- /dev/null +++ b/magnum/common/policies/__init__.py 
@@ -0,0 +1,23 @@ +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import itertools + +from magnum.common.policies import base + + +def list_rules(): + return itertools.chain( + base.list_rules() + ) diff --git a/magnum/common/policies/base.py b/magnum/common/policies/base.py new file mode 100644 index 0000000000..44c75b7daf --- /dev/null +++ b/magnum/common/policies/base.py 
@@ -0,0 +1,52 @@ +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +from oslo_policy import policy + +ROLE_ADMIN = 'rule:context_is_admin' +RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' +RULE_ADMIN_API = 'rule:admin_api' +RULE_ADMIN_OR_USER = 'rule:admin_or_user' +RULE_CLUSTER_USER = 'rule:cluster_user' +RULE_DENY_CLUSTER_USER = 'rule:deny_cluster_user' + +rules = [ + policy.RuleDefault( + name='context_is_admin', + check_str='role:admin' + ), + policy.RuleDefault( + name='admin_or_owner', + check_str='is_admin:True or project_id:%(project_id)s' + ), + policy.RuleDefault( + name='admin_api', + check_str='rule:context_is_admin' + ), + policy.RuleDefault( + name='admin_or_user', + check_str='is_admin:True or user_id:%(user_id)s' + ), + policy.RuleDefault( + name='cluster_user', + check_str='user_id:%(trustee_user_id)s' + ), + policy.RuleDefault( + name='deny_cluster_user', + check_str='not domain_id:%(trustee_domain_id)s' + ) +] + + +def list_rules(): + return rules diff --git a/magnum/common/policy.py b/magnum/common/policy.py index 74d9fb3f72..d00261bfa5 100644 --- a/magnum/common/policy.py +++ b/magnum/common/policy.py @@ -23,6 +23,7 @@ import pecan from magnum.common import clients from magnum.common import exception +from magnum.common import policies _ENFORCER = None 
@@ -60,6 +61,8 @@ def init(policy_file=None, rules=None, default_rule=default_rule, use_conf=use_conf, overwrite=overwrite) + _ENFORCER.register_defaults(policies.list_rules()) + return _ENFORCER diff --git a/magnum/tests/fake_policy.py b/magnum/tests/fake_policy.py index b051e5cb15..b2d7987a0e 100644 --- a/magnum/tests/fake_policy.py +++ b/magnum/tests/fake_policy.py @@ -15,10 +15,7 @@ policy_data = """ { - "context_is_admin": "role:admin", - "admin_or_owner": "is_admin:True or project_id:%(project_id)s", "default": "rule:admin_or_owner", - "admin_api": "rule:context_is_admin", "bay:create": "", "bay:delete": "", diff --git a/setup.cfg b/setup.cfg index 74647552d8..a436a65a83 100644 --- a/setup.cfg +++ b/setup.cfg @@ -63,6 +63,9 @@ oslo.config.opts = oslo.config.opts.defaults = magnum = magnum.common.config:set_cors_middleware_defaults +oslo.policy.policies = + magnum = magnum.common.policies:list_rules + magnum.drivers = k8s_fedora_atomic_v1 = magnum.drivers.k8s_fedora_atomic_v1.driver:Driver k8s_coreos_v1 = magnum.drivers.k8s_coreos_v1.driver:Driver diff --git a/tox.ini b/tox.ini index 3ad304dc89..5a6d3d8835 100644 --- a/tox.ini +++ b/tox.ini @@ -141,6 +141,10 @@ commands = commands = oslo-config-generator --config-file etc/magnum/magnum-config-generator.conf +[testenv:genpolicy] +commands = + oslopolicy-sample-generator --config-file etc/magnum/magnum-policy-generator.conf + [flake8] # H106 Don’t put vim configuration in source files # H203 Use assertIs(Not)None to check for None
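Review bot: the new etc/magnum/magnum-policy-generator.conf is committed without a trailing newline (`\ No newline at end of file` after `namespace = magnum`); add one so the file matches the other files under etc/magnum and does not produce noise in later diffs.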
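Review bot: after the base rules (`context_is_admin`, `admin_or_owner`, `admin_api`, `admin_or_user`, `cluster_user`, `deny_cluster_user`) are dropped from etc/magnum/policy.json, the entries left in that file still point at them (`"default": "rule:admin_or_owner"`, `"bay:create": "rule:deny_cluster_user"`, ...), so policy.json is no longer self-contained: it only works once `register_defaults()` has run on the enforcer. If an enforcer is ever built without going through `init()`, an oslo.policy `rule:` reference to an unregistered name evaluates to False, i.e. every bay/cluster call is denied rather than allowed, which fails closed but breaks the API. Please add a release note stating that the base rules now live in magnum.common.policies.base, that an operator-supplied policy file overrides them by name, and that policy.json is superseded by the generated policy.yaml.sample.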
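Review bot: in magnum/common/policies/base.py the constant `ROLE_ADMIN = 'rule:context_is_admin'` is named inconsistently with its siblings (`RULE_ADMIN_OR_OWNER`, `RULE_ADMIN_API`, ...) and its value is a rule reference, not a role; rename it `RULE_ADMIN` (or `RULE_CONTEXT_IS_ADMIN`). Each `policy.RuleDefault` should also carry a `description=`, otherwise the `oslopolicy-sample-generator` output added by this change is a bare list of check strings with no explanation of what `cluster_user` or `deny_cluster_user` are for; e.g. `policy.RuleDefault(name='deny_cluster_user', check_str='not domain_id:%(trustee_domain_id)s', description='Deny requests made with a cluster trustee user')`.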
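Review bot: `_ENFORCER.register_defaults(policies.list_rules())` in `init()` must only run when the enforcer is first constructed; the indentation is lost in this rendering so I cannot confirm it sits inside the `if not _ENFORCER:` block, but if it is outside, a second call to `init()` re-registers the same rule names and oslo.policy raises `DuplicatePolicyError`. Keep the registration ahead of the first `enforce()` as it is here, since registered defaults are merged into the live rule set when the policy file is loaded, not at registration time; please also add a unit test that calls `init()` twice and asserts the registered rules are present, so the guard is not lost in a later refactor.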
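Review bot: the new `[testenv:genpolicy]` environment in tox.ini and the `oslo.policy.policies` entry point in setup.cfg are not mentioned anywhere in the docs in this patch; add a short paragraph to the install/configuration documentation telling operators to run `tox -e genpolicy` (or `oslopolicy-sample-generator --config-file etc/magnum/magnum-policy-generator.conf`) to produce etc/magnum/policy.yaml.sample, and that the sample, not policy.json, is now the reference for the full rule set.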