diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 9466ce016..1dbd317d0 100755 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -161,7 +161,6 @@ function configure_murano { --namespace oslo.messaging \ > $MURANO_CONF_FILE cp $MURANO_DIR/etc/murano/murano-paste.ini $MURANO_CONF_DIR - cp $MURANO_DIR/etc/murano/policy.json $MURANO_POLICY_FILE cleanup_murano @@ -362,7 +361,6 @@ function setup_core_library() { --is-public remove_core_apps_zip - } # install_murano() - Collect source and prepare diff --git a/devstack/settings b/devstack/settings index ec9e2ae68..cbc88608e 100644 --- a/devstack/settings +++ b/devstack/settings @@ -16,7 +16,6 @@ MURANO_DIR=$DEST/murano MURANO_CONF_DIR=${MURANO_CONF_DIR:-/etc/murano} MURANO_CONF_FILE=${MURANO_CONF_DIR}/murano.conf MURANO_CFAPI_CONF_FILE=${MURANO_CONF_DIR}/murano-cfapi.conf -MURANO_POLICY_FILE=${MURANO_CONF_DIR}/policy.json MURANO_DEBUG=$(trueorfalse True MURANO_DEBUG) MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT=$(trueorfalse False MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT) diff --git a/doc/source/administrator-guide/configuration.rst b/doc/source/administrator-guide/configuration.rst index c59058c57..9990db4fc 100644 --- a/doc/source/administrator-guide/configuration.rst +++ b/doc/source/administrator-guide/configuration.rst 
@@ -121,67 +121,75 @@ To configure neutron manually, follow the steps below. Policy configuration ~~~~~~~~~~~~~~~~~~~~ -Like each service in OpenStack, murano has its own role-based access policies -that determine who and how can access objects. These policies are defined -in the service's :file:`policy.json` file. +Like each service in OpenStack, Murano has its own role-based access policies +that determine who can access objects and under what circumstances. The default +implementation for these policies is defined in the service's source code -- +under :file:`murano.common.policies`. The default policy definitions can be +overridden using the :file:`policy.yaml` file. -On each API call corresponding policy check is performed. -:file:`policy.json` file can be changed without interrupting the API service. +.. note:: -For detailed information on :file:`policy.json` syntax, please refer to the -`OpenStack official documentation `_ + In previous OpenStack releases the default policy format was JSON, but + now the `recommended format `_ + is YAML. +.. + +On each API call the corresponding policy check is performed. +:file:`policy.yaml` file can be changed without interrupting the API service. + +For detailed information on :file:`policy.yaml` syntax, please refer to the +`OpenStack official documentation `_ With this file you can set who may upload packages and perform other operations. -The :file:`policy.json` example is: +The :file:`policy.yaml` example is: -.. code-block:: json +.. 
code-block:: yaml - { - // Rule declaration - "context_is_admin": "role:admin", - "admin_api": "is_admin:True", - "default": "", + # Rule declaration + "context_is_admin": "role:admin" + "admin_api": "is_admin:True" + "default": "" - // Package operations - "get_package": "rule:default", - "upload_package": "rule:default", - "modify_package": "rule:default", - "publicize_package": "rule:admin_api", - "manage_public_package": "rule:default", - "delete_package": "rule:default", - "download_package": "rule:default", + # Package operations + "get_package": "rule:default" + "upload_package": "rule:default" + "modify_package": "rule:default" + "publicize_package": "rule:admin_api" + "manage_public_package": "rule:default" + "delete_package": "rule:default" + "download_package": "rule:default" - // Category operations - "get_category": "rule:default", - "delete_category": "rule:admin_api", - "add_category": "rule:admin_api", + # Category operations + "get_category": "rule:default" + "delete_category": "rule:admin_api" + "add_category": "rule:admin_api" - // Deployment read operations - "list_deployments": "rule:default", - "statuses_deployments": "rule:default", + # Deployment read operations + "list_deployments": "rule:default" + "statuses_deployments": "rule:default" - // Environment operations - "list_environments": "rule:default", - "list_environments_all_tenants": "rule:admin_api", - "show_environment": "rule:default", - "update_environment": "rule:default", - "create_environment": "rule:default", - "delete_environment": "rule:default", + # Environment operations + "list_environments": "rule:default" + "list_environments_all_tenants": "rule:admin_api" + "show_environment": "rule:default" + "update_environment": "rule:default" + "create_environment": "rule:default" + "delete_environment": "rule:default" - // Environment template operations - "list_env_templates": "rule:default", - "create_env_template": "rule:default", - "show_env_template": "rule:default", - 
"update_env_template": "rule:default", - "delete_env_template": "rule:default", + # Environment template operations + "list_env_templates": "rule:default" + "create_env_template": "rule:default" + "show_env_template": "rule:default" + "update_env_template": "rule:default" + "delete_env_template": "rule:default" - // Control on executing actions on deployment environments - "execute_action": "rule:default" - } + # Control on executing actions on deployment environments + "execute_action": "rule:default" +.. So, changing ``"upload_package": "rule:default"`` to ``"rule:admin_api"`` -will forbid regular users to upload packages. +will forbid regular users from uploading packages. For reference: @@ -205,9 +213,12 @@ For reference: - ``"execute_action"`` is checked whenever a user attempts to execute an action on deployment environments. default: anyone -Uploading package wizard in murano dashboard consists of several steps. -Upload package API call requested from the first form and modify from -the second one. It provides modifying package parameters on time of -uploading. So, please modify both configuration together. Otherwise it -will not be possible to browse package details on the second step -of the wizard. +.. note:: + + The package upload wizard in Murano dashboard consists of several steps: + The "upload_package" policy is enforced during the first step while + "modify_package" is enforced during the second step. Package parameters are + modified during package upload. So, please modify both policy definitions + together. Otherwise it will not be possible to browse package details on the + second step of the wizard. +.. diff --git a/etc/murano/policy.json b/etc/murano/policy.json deleted file mode 100644 index 7ca710fba..000000000 --- a/etc/murano/policy.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "context_is_admin": "role:admin", - "admin_api": "is_admin:True", - "default": "" -} 
diff --git a/murano/common/policies/__init__.py b/murano/common/policies/__init__.py index 67375500b..3694bd048 100644 --- a/murano/common/policies/__init__.py +++ b/murano/common/policies/__init__.py @@ -16,6 +16,7 @@ import itertools from murano.common.policies import action +from murano.common.policies import base from murano.common.policies import category from murano.common.policies import deployment from murano.common.policies import env_template @@ -25,6 +26,7 @@ from murano.common.policies import package def list_rules(): return itertools.chain( + base.list_rules(), action.list_rules(), category.list_rules(), deployment.list_rules(), diff --git a/murano/common/policies/base.py b/murano/common/policies/base.py index 290840cb9..f5e9ff641 100644 --- a/murano/common/policies/base.py +++ b/murano/common/policies/base.py @@ -25,7 +25,7 @@ rules = [ check_str='role:admin'), policy.RuleDefault( name='admin_api', - check_str='is_admin:1'), + check_str='is_admin:True'), policy.RuleDefault( name='default', check_str='') diff --git a/murano/common/policy.py b/murano/common/policy.py index 9a7ee8064..1b1d9aacd 100644 --- a/murano/common/policy.py +++ b/murano/common/policy.py @@ -80,6 +80,8 @@ def check(rule, ctxt, target=None, do_raise=True, exc=None): specified it will raise an exception of that type. """ + init() + if target is None: target = {} creds = ctxt.to_dict()
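Review bot: The `admin_api` rule now compares the literal `True` against the caller's `is_admin` credential, and as I read oslo.policy's generic `key:value` check that literal is matched against the stringified credential, so the rule only passes when the context dict carries `is_admin` as a Python bool and silently fails closed (every `rule:admin_api` operation denied) if any caller populates it with `1` or `"true"` instead; please confirm what the request context's `to_dict()` emits for that key. A why-comment on the RuleDefault would stop the next person from flipping it back: `# oslo.policy compares str(creds['is_admin']) with this literal; the context emits a bool, so 'True', not '1'.` A regression test that builds one context with `is_admin=True` and one with `is_admin=False` and asserts `policy.check('admin_api', ...)` passes only for the first would pin the behaviour the old `is_admin:1` value broke. The `rules` list this entry belongs to starts and ends outside the hunk.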
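Review bot: `check()` now calls `init()` on every policy evaluation, which is only right if `init()` is idempotent and cheap (guarded by a module-level enforcer created once); if it unconditionally builds a new `Enforcer` this re-reads the policy file on every API request and masks the real problem that some caller never ran `init()` at start-up, so please confirm the guard in `init()`, which is outside this hunk. Either way the bare call deserves a comment so it is not removed as redundant, e.g. `# Lazily create the enforcer so check() works even when init() was not run at service start-up.` The call also means a policy file that fails to load now surfaces as an exception on the first guarded request rather than at start-up, which is fail-closed but worth stating in the docstring above it. `check()` starts before this hunk and its body continues past it.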