Implement basic policy module in code

This change prepares the magnum project to start implementing
policies in code. Subsequent patches will register more magnum
policies in code and remove the corresponding entry from the
policy file maintained in source.

This is part of a community effort to provide better user
experience for those having to maintain RBAC policy. More
information on this effort can be found below:
https://governance.openstack.org/tc/goals/queens/policy-in-code.html

Change-Id: I0e2b34067ea1e4d5868df544a9f65ae3f1944c43
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
This commit is contained in:
Hieu LE 2017-10-03 17:48:56 +07:00
parent 4b88f7b780
commit e06004d9f5
9 changed files with 91 additions and 9 deletions

3
.gitignore vendored
View File

@ -62,5 +62,8 @@ ChangeLog
# generated config file # generated config file
etc/magnum/magnum.conf.sample etc/magnum/magnum.conf.sample
# generated policy file
etc/magnum/policy.yaml.sample
# Files created by releasenotes build # Files created by releasenotes build
releasenotes/build releasenotes/build

View File

@ -0,0 +1,3 @@
[DEFAULT]
output_file = etc/magnum/policy.yaml.sample
namespace = magnum

View File

@ -1,11 +1,5 @@
{ {
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner", "default": "rule:admin_or_owner",
"admin_api": "rule:context_is_admin",
"admin_or_user": "is_admin:True or user_id:%(user_id)s",
"cluster_user": "user_id:%(trustee_user_id)s",
"deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
"bay:create": "rule:deny_cluster_user", "bay:create": "rule:deny_cluster_user",
"bay:delete": "rule:deny_cluster_user", "bay:delete": "rule:deny_cluster_user",

View File

@ -0,0 +1,23 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import itertools
from magnum.common.policies import base
def list_rules():
return itertools.chain(
base.list_rules()
)

View File

@ -0,0 +1,52 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
ROLE_ADMIN = 'rule:context_is_admin'
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_API = 'rule:admin_api'
RULE_ADMIN_OR_USER = 'rule:admin_or_user'
RULE_CLUSTER_USER = 'rule:cluster_user'
RULE_DENY_CLUSTER_USER = 'rule:deny_cluster_user'
rules = [
policy.RuleDefault(
name='context_is_admin',
check_str='role:admin'
),
policy.RuleDefault(
name='admin_or_owner',
check_str='is_admin:True or project_id:%(project_id)s'
),
policy.RuleDefault(
name='admin_api',
check_str='rule:context_is_admin'
),
policy.RuleDefault(
name='admin_or_user',
check_str='is_admin:True or user_id:%(user_id)s'
),
policy.RuleDefault(
name='cluster_user',
check_str='user_id:%(trustee_user_id)s'
),
policy.RuleDefault(
name='deny_cluster_user',
check_str='not domain_id:%(trustee_domain_id)s'
)
]
def list_rules():
return rules

View File

@ -23,6 +23,7 @@ import pecan
from magnum.common import clients from magnum.common import clients
from magnum.common import exception from magnum.common import exception
from magnum.common import policies
_ENFORCER = None _ENFORCER = None
@ -60,6 +61,8 @@ def init(policy_file=None, rules=None,
default_rule=default_rule, default_rule=default_rule,
use_conf=use_conf, use_conf=use_conf,
overwrite=overwrite) overwrite=overwrite)
_ENFORCER.register_defaults(policies.list_rules())
return _ENFORCER return _ENFORCER

View File

@ -15,10 +15,7 @@
policy_data = """ policy_data = """
{ {
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner", "default": "rule:admin_or_owner",
"admin_api": "rule:context_is_admin",
"bay:create": "", "bay:create": "",
"bay:delete": "", "bay:delete": "",

View File

@ -63,6 +63,9 @@ oslo.config.opts =
oslo.config.opts.defaults = oslo.config.opts.defaults =
magnum = magnum.common.config:set_cors_middleware_defaults magnum = magnum.common.config:set_cors_middleware_defaults
oslo.policy.policies =
magnum = magnum.common.policies:list_rules
magnum.drivers = magnum.drivers =
k8s_fedora_atomic_v1 = magnum.drivers.k8s_fedora_atomic_v1.driver:Driver k8s_fedora_atomic_v1 = magnum.drivers.k8s_fedora_atomic_v1.driver:Driver
k8s_coreos_v1 = magnum.drivers.k8s_coreos_v1.driver:Driver k8s_coreos_v1 = magnum.drivers.k8s_coreos_v1.driver:Driver

View File

@ -141,6 +141,10 @@ commands =
commands = commands =
oslo-config-generator --config-file etc/magnum/magnum-config-generator.conf oslo-config-generator --config-file etc/magnum/magnum-config-generator.conf
[testenv:genpolicy]
commands =
oslopolicy-sample-generator --config-file etc/magnum/magnum-policy-generator.conf
[flake8] [flake8]
# H106 Dont put vim configuration in source files # H106 Dont put vim configuration in source files
# H203 Use assertIs(Not)None to check for None # H203 Use assertIs(Not)None to check for None