Implement policy in code - event trigger (11)

This commit migrate all event trigger policies into code [1]. Like oslo.config, with oslo.policy, we can define all of default rules in code base and only change some rules via policy file. Another thing that we should use yaml format instead of json format. This commit also remove policy.json file usage completely. [1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com> Change-Id: Icd674fdc248e5b9c63f9e7d0f47c53288291ff07
2017-10-13 14:07:04 +07:00 · 2017-10-13 14:07:04 +07:00 · 4469cacf39
parent c73fb88c01
commit 4469cacf39
8 changed files with 112 additions and 56 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -70,9 +70,6 @@ function configure_mistral {
    oslo-config-generator --config-file $MISTRAL_DIR/tools/config/config-generator.mistral.conf --output-file $MISTRAL_CONF_FILE
    iniset $MISTRAL_CONF_FILE DEFAULT debug $MISTRAL_DEBUG

-    MISTRAL_POLICY_FILE=$MISTRAL_CONF_DIR/policy.json
-    cp $MISTRAL_DIR/etc/policy.json $MISTRAL_POLICY_FILE
-
    # Run all Mistral processes as a single process
    iniset $MISTRAL_CONF_FILE DEFAULT server all

@ -94,9 +91,6 @@ function configure_mistral {
    # Configure action execution deletion policy
    iniset $MISTRAL_CONF_FILE api allow_action_execution_deletion True

-    # Path of policy.json file.
-    iniset $MISTRAL_CONF oslo_policy policy_file $MISTRAL_POLICY_FILE
-
    if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ]; then
        setup_colorized_logging $MISTRAL_CONF_FILE DEFAULT tenant user
    fi
--- a/etc/policy.json
+++ b/etc/policy.json
@ -1,11 +1 @@
-{
-    "default": "rule:admin_or_owner",
-
-    "event_triggers:create": "rule:admin_or_owner",
-    "event_triggers:create:public": "rule:admin_only",
-    "event_triggers:delete": "rule:admin_or_owner",
-    "event_triggers:get": "rule:admin_or_owner",
-    "event_triggers:list": "rule:admin_or_owner",
-    "event_triggers:list:all_projects": "rule:admin_only",
-    "event_triggers:update": "rule:admin_or_owner"
-}
+{}
--- a/mistral/api/access_control.py
+++ b/mistral/api/access_control.py
@ -74,9 +74,9 @@ def enforce(action, context, target=None, do_raise=True,
    target_obj.update(target or {})

    policy_context = context.to_policy_values()
-    # Because policy.json example in Mistral repo still uses the rule
-    # 'is_admin: True', we insert 'is_admin' key to the default policy
-    # values.
+    # Because policy.json or policy.yaml example in Mistral repo still uses
+    # the rule 'is_admin: True', we insert 'is_admin' key to the default
+    # policy values.
    policy_context['is_admin'] = context.is_admin

    _ensure_enforcer_initialization()
--- a/mistral/policies/init.py
+++ b/mistral/policies/init.py
@ -19,6 +19,7 @@ from mistral.policies import action_executions
 from mistral.policies import base
 from mistral.policies import cron_trigger
 from mistral.policies import environment
+from mistral.policies import event_trigger
 from mistral.policies import execution
 from mistral.policies import member
 from mistral.policies import service
@ -34,6 +35,7 @@ def list_rules():
        base.list_rules(),
        cron_trigger.list_rules(),
        environment.list_rules(),
+        event_trigger.list_rules(),
        execution.list_rules(),
        member.list_rules(),
        service.list_rules(),
--- a/mistral/policies/event_trigger.py
+++ b/mistral/policies/event_trigger.py
@ -0,0 +1,104 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_policy import policy
+
+from mistral.policies import base
+
+EVENT_TRIGGERS = 'event_triggers:%s'
+
+# NOTE(hieulq): all API operations of below rules are not documented in API
+# reference docs yet.
+rules = [
+    policy.DocumentedRuleDefault(
+        name=EVENT_TRIGGERS % 'create',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Create a new event trigger.',
+        operations=[
+            {
+                'path': '/v2/event_triggers',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=EVENT_TRIGGERS % 'create:public',
+        check_str=base.RULE_ADMIN_ONLY,
+        description='Create a new event trigger for public usage.',
+        operations=[
+            {
+                'path': '/v2/event_triggers',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=EVENT_TRIGGERS % 'delete',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Delete event trigger.',
+        operations=[
+            {
+                'path': '/v2/event_triggers/{event_trigger_id}',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=EVENT_TRIGGERS % 'get',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Returns the specified event trigger.',
+        operations=[
+            {
+                'path': '/v2/event_triggers/{event_trigger_id}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=EVENT_TRIGGERS % 'list',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Return all event triggers.',
+        operations=[
+            {
+                'path': '/v2/event_triggers',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=EVENT_TRIGGERS % 'list:all_projects',
+        check_str=base.RULE_ADMIN_ONLY,
+        description='Return all event triggers from all projects.',
+        operations=[
+            {
+                'path': '/v2/event_triggers',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=EVENT_TRIGGERS % 'update',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Updates an existing event trigger.',
+        operations=[
+            {
+                'path': '/v2/event_triggers',
+                'method': 'PUT'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules
--- a/mistral/tests/unit/api/v2/test_event_trigger.py
+++ b/mistral/tests/unit/api/v2/test_event_trigger.py
@ -133,6 +133,8 @@ class TestEventTriggerController(base.APITest):
    @mock.patch.object(db_api, "get_workflow_definition", MOCK_WF)
    @mock.patch.object(triggers, "create_event_trigger")
    def test_post_public(self, create_trigger):
+        self.ctx = unit_base.get_context(default=False, admin=True)
+        self.mock_ctx.return_value = self.ctx
        trigger = copy.deepcopy(TRIGGER)
        trigger['scope'] = 'public'
        trigger.pop('id')
--- a/mistral/tests/unit/fake_policy.py
+++ b/mistral/tests/unit/fake_policy.py
@ -1,17 +0,0 @@
-# Copyright 2016 NEC Corporation. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-policy_data = """{
-    "default": "rule:admin_or_owner",
-}"""
--- a/mistral/tests/unit/mstrlfixtures/policy_fixtures.py
+++ b/mistral/tests/unit/mstrlfixtures/policy_fixtures.py
@ -12,8 +12,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.

-import os
-
 import fixtures
 from oslo_config import cfg
 from oslo_policy import opts as policy_opts
@ -21,32 +19,15 @@ from oslo_policy import policy as oslo_policy

 from mistral.api import access_control as acl
 from mistral import policies
-from mistral.tests.unit import fake_policy


 class PolicyFixture(fixtures.Fixture):
-    """Load a fake policy from nova.tests.unit.fake_policy"""

    def setUp(self):
        super(PolicyFixture, self).setUp()

-        self.policy_dir = self.useFixture(fixtures.TempDir())
-        self.policy_file_name = os.path.join(
-            self.policy_dir.path,
-            'policy.json'
-        )
-
-        with open(self.policy_file_name, 'w') as policy_file:
-            policy_file.write(fake_policy.policy_data)
-
        policy_opts.set_defaults(cfg.CONF)

-        cfg.CONF.set_override(
-            'policy_file',
-            self.policy_file_name,
-            'oslo_policy'
-        )
-
        acl._ENFORCER = oslo_policy.Enforcer(cfg.CONF)
        acl._ENFORCER.register_defaults(policies.list_rules())
        acl._ENFORCER.load_rules()