From d7161e38bb29eadcc97d52a175f00c640e10af54 Mon Sep 17 00:00:00 2001 From: zhongjun Date: Tue, 10 Oct 2017 19:51:04 +0800 Subject: [PATCH] [policy in code] Add support for share type resource [2/10] This patch adds policy in code support for share type resources and depends on the basic patch [1]. [1]: https://review.openstack.org/#/c/507054/ Change-Id: I9a79b5ececc587e80129cc980930e168e805b246 Partial-Implements: blueprint policy-in-code --- etc/manila/policy.json | 9 --- manila/policies/__init__.py | 2 + manila/policies/base.py | 1 + manila/policies/share_type.py | 112 ++++++++++++++++++++++++++++++++++ manila/policy.py | 2 +- 5 files changed, 116 insertions(+), 10 deletions(-) create mode 100644 manila/policies/share_type.py diff --git a/etc/manila/policy.json b/etc/manila/policy.json index 801c6492d4..7bfdc1dc47 100644 --- a/etc/manila/policy.json +++ b/etc/manila/policy.json @@ -67,15 +67,6 @@ "share_snapshot_instance_export_location:index": "rule:admin_api", "share_snapshot_instance_export_location:show": "rule:admin_api", - "share_type:index": "rule:default", - "share_type:show": "rule:default", - "share_type:default": "rule:default", - "share_type:create": "rule:admin_api", - "share_type:delete": "rule:admin_api", - "share_type:add_project_access": "rule:admin_api", - "share_type:list_project_access": "rule:admin_api", - "share_type:remove_project_access": "rule:admin_api", - "share_types_extra_spec:create": "rule:admin_api", "share_types_extra_spec:update": "rule:admin_api", "share_types_extra_spec:show": "rule:admin_api", diff --git a/manila/policies/__init__.py b/manila/policies/__init__.py index 248e2f52c8..bbe723d7dc 100644 --- a/manila/policies/__init__.py +++ b/manila/policies/__init__.py 
@@ -18,10 +18,12 @@ import itertools
 from manila.policies import base
 from manila.policies import share_instance_export_location
+from manila.policies import share_type
 def list_rules():
 return itertools.chain(
 base.list_rules(),
 share_instance_export_location.list_rules(),
+ share_type.list_rules(),
 )
diff --git a/manila/policies/base.py b/manila/policies/base.py
index 26a4a2a4ec..ca9dc00992 100644
--- a/manila/policies/base.py
+++ b/manila/policies/base.py
@@ -17,6 +17,7 @@ from oslo_policy import policy
 RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
 RULE_ADMIN_API = 'rule:admin_api'
+RULE_DEFAULT = 'rule:default'
 rules = [
 policy.RuleDefault(name='context_is_admin', check_str='role:admin'),
diff --git a/manila/policies/share_type.py b/manila/policies/share_type.py
new file mode 100644
index 0000000000..b8a3629a0f
--- /dev/null
+++ b/manila/policies/share_type.py
@@ -0,0 +1,112 @@
+# Copyright (c) 2017 Huawei Technologies Co., Ltd.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from manila.policies import base
+
+
+BASE_POLICY_NAME = 'share_type:%s'
+
+share_type_policies = [
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'create',
+ check_str=base.RULE_ADMIN_API,
+ description='Create share type.',
+ operations=[
+ {
+ 'method': 'POST',
+ 'path': '/types',
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'show',
+ check_str=base.RULE_DEFAULT,
+ description='Get share type.',
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/types/{share_type_id}',
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'index',
+ check_str=base.RULE_DEFAULT,
+ description='List share types.',
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/types',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/types?is_public=all',
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'default',
+ check_str=base.RULE_DEFAULT,
+ description='Get default share type.',
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/types/default',
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'delete',
+ check_str=base.RULE_ADMIN_API,
+ description='Delete share type.',
+ operations=[
+ {
+ 'method': 'DELETE',
+ 'path': '/types/{share_type_id}',
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'list_project_access',
check_str=base.RULE_ADMIN_API,
+ description='List share type project access.',
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/types/{share_type_id}',
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'add_project_access',
+ check_str=base.RULE_ADMIN_API,
+ description='Add share type to project.',
+ operations=[
+ {
+ 'method': 'POST',
+ 'path': '/types/{share_type_id}/action',
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'remove_project_access',
+ check_str=base.RULE_ADMIN_API,
+ description='Remove share type from project.',
+ operations=[
+ {
+ 'method': 'POST',
+ 'path': '/types/{share_type_id}/action',
+ }
+ ]),
+]
+
+
+def list_rules():
+ return share_type_policies
diff --git a/manila/policy.py b/manila/policy.py
index d84698f352..a91a1af311 100644
--- a/manila/policy.py
+++ b/manila/policy.py
@@ -208,7 +208,7 @@ def check_policy(context, resource, action, target_obj=None):
 _action = '%s:%s' % (resource, action)
 # The else branch will be deleted after all policy in code patches
 # be merged.
- if resource in ('share_instance_export_location', ):
+ if resource in ('share_instance_export_location', 'share_type', ):
 authorize(context, _action, target)
 else:
 enforce(context, _action, target)
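Review bot: The `operations` entry for `share_type:list_project_access` documents `GET /types/{share_type_id}`, which is the same method and path already listed for `share_type:show`, so the generated policy documentation maps one request to both an admin-only rule and a `rule:default` rule. An operator auditing who can read a type's project access list from the generated sample would be misled. The path should name the access-list sub-resource, presumably `'path': '/types/{share_type_id}/share_type_access'`, to be confirmed against the API router, which is not part of this patch. The two `/types/{share_type_id}/action` entries would also be clearer if each description named the action its rule guards.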
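Review bot: The tuple in `if resource in ('share_instance_export_location', 'share_type', ):` is a second, hand-maintained list of migrated resources that has to stay in step with the modules chained in `manila/policies/__init__.py`, and nothing visible here checks that the two agree. Because this branch decides whether `authorize` or `enforce` makes the access decision, a resource added in one place but not the other would be checked by the wrong path, possibly without any test noticing. I would lift the tuple into a named module-level constant with a comment such as `# Resources whose defaults are registered in manila.policies; keep in sync with list_rules()`, and add a unit test asserting that every listed resource has registered rules. `check_policy` starts and ends outside this hunk, so how `target` is built is not visible here.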