[policy in code] Add support for share type resource [2/10]

This patch adds policy in code support for share type
resources and depends on the basic patch [1].

[1]: https://review.openstack.org/#/c/507054/

Change-Id: I9a79b5ececc587e80129cc980930e168e805b246
Partial-Implements: blueprint policy-in-code
zhongjun 2017-10-10 19:51:04 +08:00 committed by zhongjun
parent db8b63c139
commit d7161e38bb
5 changed files with 116 additions and 10 deletions


@ -67,15 +67,6 @@
"share_snapshot_instance_export_location:index": "rule:admin_api", "share_snapshot_instance_export_location:index": "rule:admin_api",
"share_snapshot_instance_export_location:show": "rule:admin_api", "share_snapshot_instance_export_location:show": "rule:admin_api",
"share_type:index": "rule:default",
"share_type:show": "rule:default",
"share_type:default": "rule:default",
"share_type:create": "rule:admin_api",
"share_type:delete": "rule:admin_api",
"share_type:add_project_access": "rule:admin_api",
"share_type:list_project_access": "rule:admin_api",
"share_type:remove_project_access": "rule:admin_api",
"share_types_extra_spec:create": "rule:admin_api", "share_types_extra_spec:create": "rule:admin_api",
"share_types_extra_spec:update": "rule:admin_api", "share_types_extra_spec:update": "rule:admin_api",
"share_types_extra_spec:show": "rule:admin_api", "share_types_extra_spec:show": "rule:admin_api",


@ -18,10 +18,12 @@ import itertools
from manila.policies import base from manila.policies import base
from manila.policies import share_instance_export_location from manila.policies import share_instance_export_location
from manila.policies import share_type
def list_rules(): def list_rules():
return itertools.chain( return itertools.chain(
base.list_rules(), base.list_rules(),
share_instance_export_location.list_rules(), share_instance_export_location.list_rules(),
share_type.list_rules(),
) )


@ -17,6 +17,7 @@ from oslo_policy import policy
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_API = 'rule:admin_api' RULE_ADMIN_API = 'rule:admin_api'
RULE_DEFAULT = 'rule:default'
rules = [ rules = [
policy.RuleDefault(name='context_is_admin', check_str='role:admin'), policy.RuleDefault(name='context_is_admin', check_str='role:admin'),
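Review bot: `RULE_DEFAULT = 'rule:default'` refers to a rule named `default`, but the visible part of `rules` only registers `context_is_admin`; the list continues outside this hunk. If `default` is not registered in code there, every rule that uses `RULE_DEFAULT` depends on the deployed policy file still defining it, and oslo.policy fails closed when a referenced rule is undefined, so those calls would be denied. Please confirm the list contains an entry for it, e.g. `policy.RuleDefault(name='default', check_str=...)`.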


@ -0,0 +1,112 @@
# Copyright (c) 2017 Huawei Technologies Co., Ltd.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from manila.policies import base
BASE_POLICY_NAME = 'share_type:%s'
share_type_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'create',
check_str=base.RULE_ADMIN_API,
description='Create share type.',
operations=[
{
'method': 'POST',
'path': '/types',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
check_str=base.RULE_DEFAULT,
description='Get share type.',
operations=[
{
'method': 'GET',
'path': '/types/{share_type_id}',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'index',
check_str=base.RULE_DEFAULT,
description='List share types.',
operations=[
{
'method': 'GET',
'path': '/types',
},
{
'method': 'GET',
'path': '/types?is_public=all',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'default',
check_str=base.RULE_DEFAULT,
description='Get default share type.',
operations=[
{
'method': 'GET',
'path': '/types/default',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'delete',
check_str=base.RULE_ADMIN_API,
description='Delete share type.',
operations=[
{
'method': 'DELETE',
'path': '/types/{share_type_id}',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list_project_access',
check_str=base.RULE_ADMIN_API,
description='List share type project access.',
operations=[
{
'method': 'GET',
'path': '/types/{share_type_id}',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'add_project_access',
check_str=base.RULE_ADMIN_API,
description='Add share type to project.',
operations=[
{
'method': 'POST',
'path': '/types/{share_type_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'remove_project_access',
check_str=base.RULE_ADMIN_API,
description='Remove share type from project.',
operations=[
{
'method': 'POST',
'path': '/types/{share_type_id}/action',
}
]),
]
def list_rules():
return share_type_policies
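Review bot: The `list_project_access` entry documents its operation as `GET /types/{share_type_id}`, the same method and path already listed for `show`, yet the two rules have different defaults (`base.RULE_ADMIN_API` versus `base.RULE_DEFAULT`). An operator reading the generated policy reference cannot tell which rule guards that request and may tighten or loosen the wrong one. If this rule guards the access-list call, the path should presumably be `'path': '/types/{share_type_id}/share_type_access'`; confirm against the API controller. The `add_project_access` and `remove_project_access` entries also share `POST /types/{share_type_id}/action`, so their descriptions could name the action that distinguishes them.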


@ -208,7 +208,7 @@ def check_policy(context, resource, action, target_obj=None):
_action = '%s:%s' % (resource, action) _action = '%s:%s' % (resource, action)
# The else branch will be deleted after all policy in code patches # The else branch will be deleted after all policy in code patches
# be merged. # be merged.
if resource in ('share_instance_export_location', ): if resource in ('share_instance_export_location', 'share_type', ):
authorize(context, _action, target) authorize(context, _action, target)
else: else:
enforce(context, _action, target) enforce(context, _action, target)
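Review bot: The resources routed to `authorize()` are listed in an inline tuple inside `check_policy`, so each patch in this series must remember to edit this condition after moving a resource's rules out of policy.json. Nothing visible here checks the tuple against what `manila.policies.list_rules()` registers. Hoisting it into a named module-level constant, e.g. `_POLICY_IN_CODE_RESOURCES = ('share_instance_export_location', 'share_type')` with `if resource in _POLICY_IN_CODE_RESOURCES:`, would make the transitional switch easier to audit and later delete. A unit test asserting that a `share_type` action reaches `authorize()` would pin the routing. `check_policy` starts outside this hunk, so how `target` is built is not reviewed here.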