Merge "Register default bay policies in code"

etc/magnum/policy.json

@@ -1,13 +1,6 @@
 {
     "default": "rule:admin_or_owner",
 
-    "bay:create": "rule:deny_cluster_user",
-    "bay:delete": "rule:deny_cluster_user",
-    "bay:detail": "rule:deny_cluster_user",
-    "bay:get": "rule:deny_cluster_user",
-    "bay:get_all": "rule:deny_cluster_user",
-    "bay:update": "rule:deny_cluster_user",
-
     "baymodel:create": "rule:deny_cluster_user",
     "baymodel:delete": "rule:deny_cluster_user",
     "baymodel:detail": "rule:deny_cluster_user",

magnum/common/policies/__init__.py

@@ -15,9 +15,11 @@
 import itertools
 
 from magnum.common.policies import base
+from magnum.common.policies import bay
 
 
 def list_rules():
     return itertools.chain(
-        base.list_rules()
+        base.list_rules(),
+        bay.list_rules()
     )

magnum/common/policies/bay.py

@@ -0,0 +1,91 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_policy import policy
+
+from magnum.common.policies import base
+
+BAY = 'bay:%s'
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name=BAY % 'create',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Create a new bay.',
+        operations=[
+            {
+                'path': '/v1/bays',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BAY % 'delete',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Delete a bay.',
+        operations=[
+            {
+                'path': '/v1/bays/{bay_ident}',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BAY % 'detail',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Retrieve a list of bays with detail.',
+        operations=[
+            {
+                'path': '/v1/bays',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BAY % 'get',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Retrieve information about the given bay.',
+        operations=[
+            {
+                'path': '/v1/bays/{bay_ident}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BAY % 'get_all',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Retrieve a list of bays.',
+        operations=[
+            {
+                'path': '/v1/bays/',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BAY % 'update',
+        check_str=base.RULE_DENY_CLUSTER_USER,
+        description='Update an existing bay.',
+        operations=[
+            {
+                'path': '/v1/bays/{bay_ident}',
+                'method': 'PATCH'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules

magnum/tests/fake_policy.py

@@ -17,13 +17,6 @@ policy_data = """
 {
     "default": "rule:admin_or_owner",
 
-    "bay:create": "",
-    "bay:delete": "",
-    "bay:detail": "",
-    "bay:get": "",
-    "bay:get_all": "",
-    "bay:update": "",
-
     "baymodel:create": "",
     "baymodel:delete": "",
     "baymodel:detail": "",