policy check for rc
add policy check for rc Partial-implements: blueprint policy-enforce Change-Id: Ie858b39682e7611e6793fbdcbdcad209b8cab3c3
This commit is contained in:
parent
09c669abf8
commit
ffb2840892
|
@ -30,6 +30,13 @@
|
|||
"pod:detail": "rule:default",
|
||||
"pod:get": "rule:default",
|
||||
"pod:get_all": "rule:default",
|
||||
"pod:update": "rule:default"
|
||||
"pod:update": "rule:default",
|
||||
|
||||
"rc:create": "rule:default",
|
||||
"rc:delete": "rule:default",
|
||||
"rc:detail": "rule:default",
|
||||
"rc:get": "rule:default",
|
||||
"rc:get_all": "rule:default",
|
||||
"rc:update": "rule:default"
|
||||
|
||||
}
|
||||
|
|
|
@ -28,6 +28,7 @@ from magnum.api import expose
|
|||
from magnum.api import validation
|
||||
from magnum.common import exception
|
||||
from magnum.common import k8s_manifest
|
||||
from magnum.common import policy
|
||||
from magnum import objects
|
||||
|
||||
|
||||
|
@ -228,6 +229,7 @@ class ReplicationControllersController(rest.RestController):
|
|||
sort_key=sort_key,
|
||||
sort_dir=sort_dir)
|
||||
|
||||
@policy.enforce_wsgi("rc")
|
||||
@expose.expose(ReplicationControllerCollection, types.uuid,
|
||||
types.uuid, int, wtypes.text, wtypes.text)
|
||||
def get_all(self, rc_uuid=None, marker=None, limit=None,
|
||||
|
@ -242,6 +244,7 @@ class ReplicationControllersController(rest.RestController):
|
|||
return self._get_rcs_collection(marker, limit, sort_key,
|
||||
sort_dir)
|
||||
|
||||
@policy.enforce_wsgi("rc")
|
||||
@expose.expose(ReplicationControllerCollection, types.uuid,
|
||||
types.uuid, int, wtypes.text, wtypes.text)
|
||||
def detail(self, rc_uuid=None, marker=None, limit=None,
|
||||
|
@ -266,6 +269,7 @@ class ReplicationControllersController(rest.RestController):
|
|||
sort_key, sort_dir, expand,
|
||||
resource_url)
|
||||
|
||||
@policy.enforce_wsgi("rc", "get")
|
||||
@expose.expose(ReplicationController, types.uuid_or_name)
|
||||
def get_one(self, rc_ident):
|
||||
"""Retrieve information about the given ReplicationController.
|
||||
|
@ -275,6 +279,7 @@ class ReplicationControllersController(rest.RestController):
|
|||
rpc_rc = api_utils.get_rpc_resource('ReplicationController', rc_ident)
|
||||
return ReplicationController.convert_with_links(rpc_rc)
|
||||
|
||||
@policy.enforce_wsgi("rc", "create")
|
||||
@expose.expose(ReplicationController, body=ReplicationController,
|
||||
status_code=201)
|
||||
@validation.enforce_bay_types('kubernetes')
|
||||
|
@ -298,6 +303,7 @@ class ReplicationControllersController(rest.RestController):
|
|||
pecan.response.location = link.build_url('rcs', new_rc.uuid)
|
||||
return ReplicationController.convert_with_links(new_rc)
|
||||
|
||||
@policy.enforce_wsgi("rc", "update")
|
||||
@wsme.validate(types.uuid, [ReplicationControllerPatchType])
|
||||
@expose.expose(ReplicationController, types.uuid_or_name,
|
||||
body=[ReplicationControllerPatchType])
|
||||
|
@ -339,6 +345,7 @@ class ReplicationControllersController(rest.RestController):
|
|||
rpc_rc.save()
|
||||
return ReplicationController.convert_with_links(rpc_rc)
|
||||
|
||||
@policy.enforce_wsgi("rc")
|
||||
@expose.expose(None, types.uuid_or_name, status_code=204)
|
||||
def delete(self, rc_ident):
|
||||
"""Delete a ReplicationController.
|
||||
|
|
|
@ -46,7 +46,14 @@ policy_data = """
|
|||
"pod:detail": "",
|
||||
"pod:get": "",
|
||||
"pod:get_all": "",
|
||||
"pod:update": ""
|
||||
"pod:update": "",
|
||||
|
||||
"rc:create": "",
|
||||
"rc:delete": "",
|
||||
"rc:detail": "",
|
||||
"rc:get": "",
|
||||
"rc:get_all": "",
|
||||
"rc:update": ""
|
||||
}
|
||||
"""
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@ import datetime
|
|||
|
||||
import mock
|
||||
from oslo_config import cfg
|
||||
from oslo_policy import policy
|
||||
from oslo_utils import timeutils
|
||||
from six.moves.urllib import parse as urlparse
|
||||
from wsme import types as wtypes
|
||||
|
@ -496,3 +497,49 @@ class TestDelete(api_base.FunctionalTest):
|
|||
self.assertEqual(409, response.status_int)
|
||||
self.assertEqual('application/json', response.content_type)
|
||||
self.assertTrue(response.json['error_message'])
|
||||
|
||||
|
||||
class TestRCEnforcement(api_base.FunctionalTest):
|
||||
|
||||
def _common_policy_check(self, rule, func, *arg, **kwarg):
|
||||
self.policy.set_rules({rule: 'project:non_fake'})
|
||||
exc = self.assertRaises(policy.PolicyNotAuthorized,
|
||||
func, *arg, **kwarg)
|
||||
self.assertTrue(exc.message.startswith(rule))
|
||||
self.assertTrue(exc.message.endswith('disallowed by policy'))
|
||||
|
||||
def test_policy_disallow_get_all(self):
|
||||
self._common_policy_check(
|
||||
'rc:get_all', self.get_json, '/rcs')
|
||||
|
||||
def test_policy_disallow_get_one(self):
|
||||
self._common_policy_check(
|
||||
'rc:get', self.get_json, '/rcs/111-222-333')
|
||||
|
||||
def test_policy_disallow_detail(self):
|
||||
self._common_policy_check(
|
||||
'rc:detail', self.get_json, '/rcs/111-222-333/detail')
|
||||
|
||||
def test_policy_disallow_update(self):
|
||||
rc = obj_utils.create_test_rc(self.context,
|
||||
desc='test rc',
|
||||
uuid=utils.generate_uuid())
|
||||
|
||||
new_image = 'rc_example_B_image'
|
||||
self._common_policy_check(
|
||||
'rc:update', self.patch_json,
|
||||
'/rcs/%s' % rc.uuid,
|
||||
[{'path': '/images/0', 'value': new_image, 'op': 'replace'}])
|
||||
|
||||
def test_policy_disallow_create(self):
|
||||
pdict = apiutils.rc_post_data()
|
||||
self._common_policy_check(
|
||||
'rc:create', self.post_json, '/rcs', pdict)
|
||||
|
||||
def test_policy_disallow_delete(self):
|
||||
rc = obj_utils.create_test_rc(self.context,
|
||||
name='test_rc',
|
||||
uuid=utils.generate_uuid())
|
||||
self._common_policy_check(
|
||||
'rc:delete', self.delete,
|
||||
'/rcs/%s' % rc.uuid)
|
||||
|
|
Loading…
Reference in New Issue