From 64eaeae6bd6ce70c80076809199544770c4234c6 Mon Sep 17 00:00:00 2001 From: zhongjun Date: Wed, 29 Nov 2017 17:32:51 +0800 Subject: [PATCH] [policy in code] Add support for AZ, scheduler and message resource [9/10] This patch adds policy in code support for availability_zone, scheduler_stats and message resources. Change-Id: I9a79b5ececc583e85149cc920321e461e832b245 Partial-Implements: blueprint policy-in-code --- devstack/plugin.sh | 4 +- .../shared-file-systems/samples/index.rst | 1 - .../samples/policy.json.rst | 9 --- etc/manila/policy.json | 10 ---- manila/policies/__init__.py | 6 ++ manila/policies/availability_zone.py | 40 +++++++++++++ manila/policies/message.py | 60 +++++++++++++++++++ manila/policies/scheduler_stats.py | 56 +++++++++++++++++ manila/policy.py | 17 +----- setup.cfg | 1 - 10 files changed, 166 insertions(+), 38 deletions(-) delete mode 100644 doc/source/configuration/shared-file-systems/samples/policy.json.rst delete mode 100644 etc/manila/policy.json create mode 100644 manila/policies/availability_zone.py create mode 100644 manila/policies/message.py create mode 100644 manila/policies/scheduler_stats.py diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 68036c612b..d53f1259e4 100755 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -145,7 +145,9 @@ function configure_manila { fi sudo chown $STACK_USER $MANILA_CONF_DIR - cp -p $MANILA_DIR/etc/manila/policy.json $MANILA_CONF_DIR + if [[ -f $MANILA_DIR/etc/manila/policy.json ]]; then + cp -p $MANILA_DIR/etc/manila/policy.json $MANILA_CONF_DIR + fi # Set the paths of certain binaries MANILA_ROOTWRAP=$(get_rootwrap_location manila) diff --git a/doc/source/configuration/shared-file-systems/samples/index.rst b/doc/source/configuration/shared-file-systems/samples/index.rst index 6085025447..da7d124db4 100644 --- a/doc/source/configuration/shared-file-systems/samples/index.rst +++ b/doc/source/configuration/shared-file-systems/samples/index.rst 
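Review bot: The new `if [[ -f $MANILA_DIR/etc/manila/policy.json ]]` guard in configure_manila skips the copy once the repository stops shipping policy.json, but it leaves any policy.json already sitting in `$MANILA_CONF_DIR` from an earlier run untouched. If the service still loads that file, its old rules would keep overriding the in-code defaults this series introduces; whether the directory is cleaned elsewhere in configure_manila is not visible in this hunk. Consider an `else` branch with `rm -f $MANILA_CONF_DIR/policy.json`, or at least a comment above the guard such as `# policy.json is optional: defaults now live in manila/policies`. The function starts and ends outside the hunk.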
@@ -8,5 +8,4 @@ All the files in this section can be found in ``/etc/manila``. manila.conf.rst api-paste.ini.rst - policy.json.rst rootwrap.conf.rst diff --git a/doc/source/configuration/shared-file-systems/samples/policy.json.rst b/doc/source/configuration/shared-file-systems/samples/policy.json.rst deleted file mode 100644 index cd2c67738f..0000000000 --- a/doc/source/configuration/shared-file-systems/samples/policy.json.rst +++ /dev/null @@ -1,9 +0,0 @@ -=========== -policy.json -=========== - -The ``policy.json`` file defines additional access controls that apply -to the Shared File Systems service. - -.. literalinclude:: ../../../../../etc/manila/policy.json - :language: json diff --git a/etc/manila/policy.json b/etc/manila/policy.json deleted file mode 100644 index 6062094135..0000000000 --- a/etc/manila/policy.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "availability_zone:index": "rule:default", - - "scheduler_stats:pools:index": "rule:admin_api", - "scheduler_stats:pools:detail": "rule:admin_api", - - "message:delete": "rule:default", - "message:get": "rule:default", - "message:get_all": "rule:default" -} diff --git a/manila/policies/__init__.py b/manila/policies/__init__.py index ad445840a3..ae9b057912 100644 --- a/manila/policies/__init__.py +++ b/manila/policies/__init__.py @@ -16,9 +16,12 @@ import itertools +from manila.policies import availability_zone from manila.policies import base +from manila.policies import message from manila.policies import quota_class_set from manila.policies import quota_set +from manila.policies import scheduler_stats from manila.policies import security_service from manila.policies import service from manila.policies import share_export_location @@ -43,6 +46,8 @@ from manila.policies import shares def list_rules(): return itertools.chain( base.list_rules(), + availability_zone.list_rules(), + scheduler_stats.list_rules(), shares.list_rules(), share_instance_export_location.list_rules(), share_type.list_rules(), 
@@ -64,4 +69,5 @@ def list_rules():
 security_service.list_rules(),
 share_export_location.list_rules(),
 share_instance.list_rules(),
+ message.list_rules(),
 )
diff --git a/manila/policies/availability_zone.py b/manila/policies/availability_zone.py
new file mode 100644
index 0000000000..9726ea01c3
--- /dev/null
+++ b/manila/policies/availability_zone.py
@@ -0,0 +1,40 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from manila.policies import base
+
+
+BASE_POLICY_NAME = 'availability_zone:%s'
+
+
+availability_zone_policies = [
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'index',
+ check_str=base.RULE_DEFAULT,
+ description=("Get all storage availability zones."),
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/os-availability-zone',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/availability-zone',
+ },
+ ]),
+]
+
+
+def list_rules():
+ return availability_zone_policies
diff --git a/manila/policies/message.py b/manila/policies/message.py
new file mode 100644
index 0000000000..38d65ae07e
--- /dev/null
+++ b/manila/policies/message.py
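Review bot: The second documented operation in availability_zone.py, `'path': '/availability-zone'`, is singular, while the collection paths documented in the other new files of this patch are plural (`/messages`, `/scheduler-stats/pools`); please confirm it against the API router, because the generated policy reference is what operators read to learn which request a rule gates. Separately, `description=("Get all storage availability zones."),` carries redundant parentheses that message.py and scheduler_stats.py do not use; `description="Get all storage availability zones.",` would match them.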
@@ -0,0 +1,60 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from manila.policies import base
+
+
+BASE_POLICY_NAME = 'message:%s'
+
+
+message_policies = [
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'get',
+ check_str=base.RULE_DEFAULT,
+ description="Get details of a given message.",
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/messages/{message_id}'
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'get_all',
+ check_str=base.RULE_DEFAULT,
+ description="Get all messages.",
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/messages'
+ },
+ {
+ 'method': 'GET',
+ 'path': '/messages?{query}'
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'delete',
+ check_str=base.RULE_DEFAULT,
+ description="Delete a message.",
+ operations=[
+ {
+ 'method': 'DELETE',
+ 'path': '/messages/{message_id}'
+ }
+ ]),
+]
+
+
+def list_rules():
+ return message_policies
diff --git a/manila/policies/scheduler_stats.py b/manila/policies/scheduler_stats.py
new file mode 100644
index 0000000000..eff49030c0
--- /dev/null
+++ b/manila/policies/scheduler_stats.py
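Review bot: `message:delete` is given the same `check_str=base.RULE_DEFAULT` as the two read rules, which carries over the removed policy.json entry but now makes it the documented baseline for a destructive call. Neither the definition of `base.RULE_DEFAULT` nor the message API's call into `check_policy` is visible in this patch, so please confirm that the API passes the message as `target_obj`; otherwise the rule is presumably evaluated against the caller's own context only. A comment above the delete rule would record the provenance for later audits, e.g. `# Default carried over unchanged from etc/manila/policy.json ("rule:default").`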
@@ -0,0 +1,56 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from manila.policies import base
+
+
+BASE_POLICY_NAME = 'scheduler_stats:pools:%s'
+
+
+scheduler_stats_policies = [
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'index',
+ check_str=base.RULE_ADMIN_API,
+ description="Get information regarding backends "
+ "(and storage pools) known to the scheduler.",
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/scheduler-stats/pools'
+ },
+ {
+ 'method': 'GET',
+ 'path': '/scheduler-stats/pools?{query}'
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'detail',
+ check_str=base.RULE_ADMIN_API,
+ description="Get detailed information regarding backends "
+ "(and storage pools) known to the scheduler.",
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/scheduler-stats/pools/detail?{query}'
+ },
+ {
+ 'method': 'GET',
+ 'path': '/scheduler-stats/pools/detail'
+ }
+ ]),
+]
+
+
+def list_rules():
+ return scheduler_stats_policies
diff --git a/manila/policy.py b/manila/policy.py
index 63904cf1ea..c4f0928451 100644
--- a/manila/policy.py
+++ b/manila/policy.py
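Review bot: The two `operations` lists in scheduler_stats.py are ordered differently: `index` documents `/scheduler-stats/pools` before `/scheduler-stats/pools?{query}`, while `detail` puts `/scheduler-stats/pools/detail?{query}` first. Listing the bare path first in both, as message.py does for `/messages`, keeps the generated policy reference uniform. A one-line comment above the list noting that both rules default to `base.RULE_ADMIN_API`, presumably the same `rule:admin_api` the removed policy.json entries used, would also help a reader auditing which endpoints are admin-only.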
@@ -206,19 +206,4 @@ def check_policy(context, resource, action, target_obj=None): } target.update(target_obj or {}) _action = '%s:%s' % (resource, action) - # The else branch will be deleted after all policy in code patches - # be merged. - if resource in ('share_instance_export_location', 'share_type', - 'share', 'share_snapshot', - 'share_snapshot_export_location', - 'share_snapshot_instance', - 'share_snapshot_instance_export_location', - 'quota_set', 'quota_class_set', 'service', - 'share_server', 'share_group', 'share_group_snapshot', - 'share_group_type', 'share_group_types_spec', - 'share_replica', 'share_network', 'security_service', - 'share_types_extra_spec', 'share_instance', - 'share_export_location', ): - authorize(context, _action, target) - else: - enforce(context, _action, target) + authorize(context, _action, target) diff --git a/setup.cfg b/setup.cfg index 96ac4a120f..19106dc22d 100644 --- a/setup.cfg +++ b/setup.cfg @@ -25,7 +25,6 @@ setup-hooks = data_files = etc/manila = etc/manila/api-paste.ini - etc/manila/policy.json etc/manila/rootwrap.conf etc/manila/rootwrap.d = etc/manila/rootwrap.d/* packages =
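Review bot: With the resource allow-list and the `else: enforce(context, _action, target)` branch removed, every `check_policy` call now goes through `authorize(context, _action, target)`, so any resource whose rules are not returned by `manila.policies.list_rules()` loses its fallback. The subject marks this as part 9 of 10 and `authorize` itself is outside the hunk; if it rejects unregistered rule names, a resource left for the final patch would start failing (closed, which is the safe direction, but still a regression). Please confirm that no `check_policy` caller uses a resource name outside the registered set, ideally with a unit test that checks the resource:action names used by the API against `list_rules()`. `check_policy` starts outside the hunk.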