Merge "Remove murano default policy.json"

devstack/plugin.sh

@@ -161,7 +161,6 @@ function configure_murano {
                           --namespace oslo.messaging \
                           > $MURANO_CONF_FILE
     cp $MURANO_DIR/etc/murano/murano-paste.ini $MURANO_CONF_DIR
-    cp $MURANO_DIR/etc/murano/policy.json $MURANO_POLICY_FILE
 
     cleanup_murano
 
@@ -362,7 +361,6 @@ function setup_core_library() {
            --is-public
 
     remove_core_apps_zip
-
 }
 
 # install_murano() - Collect source and prepare

devstack/settings

@@ -16,7 +16,6 @@ MURANO_DIR=$DEST/murano
 MURANO_CONF_DIR=${MURANO_CONF_DIR:-/etc/murano}
 MURANO_CONF_FILE=${MURANO_CONF_DIR}/murano.conf
 MURANO_CFAPI_CONF_FILE=${MURANO_CONF_DIR}/murano-cfapi.conf
-MURANO_POLICY_FILE=${MURANO_CONF_DIR}/policy.json
 MURANO_DEBUG=$(trueorfalse True MURANO_DEBUG)
 MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT=$(trueorfalse False MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT)
 

doc/source/administrator-guide/configuration.rst

@@ -121,67 +121,75 @@ To configure neutron manually, follow the steps below.
 Policy configuration
 ~~~~~~~~~~~~~~~~~~~~
 
-Like each service in OpenStack, murano has its own role-based access policies
-that determine who and how can access objects. These policies are defined
-in the service's :file:`policy.json` file.
+Like each service in OpenStack, Murano has its own role-based access policies
+that determine who can access objects and under what circumstances. The default
+implementation for these policies is defined in the service's source code --
+under :file:`murano.common.policies`. The default policy definitions can be
+overridden using the :file:`policy.yaml` file.
 
-On each API call corresponding policy check is performed.
-:file:`policy.json` file can be changed without interrupting the API service.
+.. note::
 
-For detailed information on :file:`policy.json` syntax, please refer to the
-`OpenStack official documentation <http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html>`_
+  In previous OpenStack releases the default policy format was JSON, but
+  now the `recommended format <https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html#older-json-format-policy>`_
+  is YAML.
+..
+
+On each API call the corresponding policy check is performed.
+:file:`policy.yaml` file can be changed without interrupting the API service.
+
+For detailed information on :file:`policy.yaml` syntax, please refer to the
+`OpenStack official documentation <https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html>`_
 
 With this file you can set who may upload packages and perform other operations.
 
-The :file:`policy.json` example is:
+The :file:`policy.yaml` example is:
 
-.. code-block:: json
+.. code-block:: yaml
 
-    {
-       // Rule declaration
-       "context_is_admin": "role:admin",
-       "admin_api": "is_admin:True",
-       "default": "",
+    # Rule declaration
+    "context_is_admin": "role:admin"
+    "admin_api": "is_admin:True"
+    "default": ""
 
-       // Package operations
-       "get_package": "rule:default",
-       "upload_package": "rule:default",
-       "modify_package": "rule:default",
-       "publicize_package": "rule:admin_api",
-       "manage_public_package": "rule:default",
-       "delete_package": "rule:default",
-       "download_package": "rule:default",
+    # Package operations
+    "get_package": "rule:default"
+    "upload_package": "rule:default"
+    "modify_package": "rule:default"
+    "publicize_package": "rule:admin_api"
+    "manage_public_package": "rule:default"
+    "delete_package": "rule:default"
+    "download_package": "rule:default"
 
-       // Category operations
-       "get_category": "rule:default",
-       "delete_category": "rule:admin_api",
-       "add_category": "rule:admin_api",
+    # Category operations
+    "get_category": "rule:default"
+    "delete_category": "rule:admin_api"
+    "add_category": "rule:admin_api"
 
-       // Deployment read operations
-       "list_deployments": "rule:default",
-       "statuses_deployments": "rule:default",
+    # Deployment read operations
+    "list_deployments": "rule:default"
+    "statuses_deployments": "rule:default"
 
-       // Environment operations
-       "list_environments": "rule:default",
-       "list_environments_all_tenants": "rule:admin_api",
-       "show_environment": "rule:default",
-       "update_environment": "rule:default",
-       "create_environment": "rule:default",
-       "delete_environment": "rule:default",
+    # Environment operations
+    "list_environments": "rule:default"
+    "list_environments_all_tenants": "rule:admin_api"
+    "show_environment": "rule:default"
+    "update_environment": "rule:default"
+    "create_environment": "rule:default"
+    "delete_environment": "rule:default"
 
-       // Environment template operations
-       "list_env_templates": "rule:default",
-       "create_env_template": "rule:default",
-       "show_env_template": "rule:default",
-       "update_env_template": "rule:default",
-       "delete_env_template": "rule:default",
+    # Environment template operations
+    "list_env_templates": "rule:default"
+    "create_env_template": "rule:default"
+    "show_env_template": "rule:default"
+    "update_env_template": "rule:default"
+    "delete_env_template": "rule:default"
 
-       // Control on executing actions on deployment environments
-       "execute_action": "rule:default"
-    }
+    # Control on executing actions on deployment environments
+    "execute_action": "rule:default"
+..
 
 So, changing ``"upload_package": "rule:default"`` to ``"rule:admin_api"``
-will forbid regular users to upload packages.
+will forbid regular users from uploading packages.
 
 For reference:
 
@@ -205,9 +213,12 @@ For reference:
 - ``"execute_action"`` is checked whenever a user attempts to execute
   an action on deployment environments. default: anyone
 
-Uploading package wizard in murano dashboard consists of several steps.
-Upload package API call requested from the first form and modify from
-the second one. It provides modifying package parameters on time of
-uploading. So, please modify both configuration together. Otherwise it
-will not be possible to browse package details on the second step
-of the wizard.
+.. note::
+
+  The package upload wizard in Murano dashboard consists of several steps:
+  The "upload_package" policy is enforced during the first step while
+  "modify_package" is enforced during the second step. Package parameters are
+  modified during package upload. So, please modify both policy definitions
+  together. Otherwise it will not be possible to browse package details on the
+  second step of the wizard.
+..

etc/murano/policy.json

@@ -1,5 +0,0 @@
-{
-    "context_is_admin": "role:admin",
-    "admin_api": "is_admin:True",
-    "default": ""
-}

murano/common/policies/__init__.py

@@ -16,6 +16,7 @@
 import itertools
 
 from murano.common.policies import action
+from murano.common.policies import base
 from murano.common.policies import category
 from murano.common.policies import deployment
 from murano.common.policies import env_template
@@ -25,6 +26,7 @@ from murano.common.policies import package
 
 def list_rules():
     return itertools.chain(
+        base.list_rules(),
         action.list_rules(),
         category.list_rules(),
         deployment.list_rules(),

murano/common/policies/base.py

@@ -25,7 +25,7 @@ rules = [
         check_str='role:admin'),
     policy.RuleDefault(
         name='admin_api',
-        check_str='is_admin:1'),
+        check_str='is_admin:True'),
     policy.RuleDefault(
         name='default',
         check_str='')

murano/common/policy.py

@@ -80,6 +80,8 @@ def check(rule, ctxt, target=None, do_raise=True, exc=None):
                                       specified it will raise an exception of
                                       that type.
     """
+    init()
+
     if target is None:
         target = {}
     creds = ctxt.to_dict()