Remove murano default policy.json

This commit removes the murano default policy.json file from
etc/murano and references to it in murano's devstack plugin.
(References to the policy.json in muranodashboard remain
the same).

This commit specifically:
  - removes the default policy.json
  - removes references to it in devstack plugin
  - adds base rules to murano.common.policies.__init__ because
    they are the last rules to be included
  - updates base admin_api rule to is_admin:True from
    is_admin:1 (because the latter was causing issues)
  - updates Murano policy documentation

Partially Implements: blueprint policy-in-code
Depends-On: Ia372983d2bd1010cd19f04061f3276ed16e9c1c9
Change-Id: I1a8581a559e4333a74d56a5bdce7e6d1f117907d
Felipe Monteiro 2017-06-14 15:46:28 +01:00
parent fa52193c87
commit fb1a2d5bbe
7 changed files with 68 additions and 61 deletions


@ -161,7 +161,6 @@ function configure_murano {
--namespace oslo.messaging \ --namespace oslo.messaging \
> $MURANO_CONF_FILE > $MURANO_CONF_FILE
cp $MURANO_DIR/etc/murano/murano-paste.ini $MURANO_CONF_DIR cp $MURANO_DIR/etc/murano/murano-paste.ini $MURANO_CONF_DIR
cp $MURANO_DIR/etc/murano/policy.json $MURANO_POLICY_FILE
cleanup_murano cleanup_murano
@ -362,7 +361,6 @@ function setup_core_library() {
--is-public --is-public
remove_core_apps_zip remove_core_apps_zip
} }
# install_murano() - Collect source and prepare # install_murano() - Collect source and prepare


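--- a/<devstack settings file - path not shown on page>
+++ b/<devstack settings file - path not shown on page>
@@ -16,7 +16,6 @@ MURANO_DIR=$DEST/murano
 MURANO_CONF_DIR=${MURANO_CONF_DIR:-/etc/murano}
 MURANO_CONF_FILE=${MURANO_CONF_DIR}/murano.conf
 MURANO_CFAPI_CONF_FILE=${MURANO_CONF_DIR}/murano-cfapi.conf
-MURANO_POLICY_FILE=${MURANO_CONF_DIR}/policy.json
 MURANO_DEBUG=$(trueorfalse True MURANO_DEBUG)
 MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT=$(trueorfalse False MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT)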
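Review bot: Dropping the `MURANO_POLICY_FILE` definition means any `$MURANO_POLICY_FILE` reference that survives elsewhere in the plugin now expands silently to an empty string, since bash does not fail on an unset variable unless `set -u` is in effect; the plugin hunk above removes only the `cp` into it. If such a reference remains (for example an `iniset` of the `[oslo_policy] policy_file` option), murano would be pointed at an empty path instead of falling back to its in-code defaults, which is exactly the behaviour this commit wants. The rest of the plugin is not visible from this section, so treat this as a grep-before-merge check rather than a confirmed defect.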


@ -121,67 +121,75 @@ To configure neutron manually, follow the steps below.
Policy configuration Policy configuration
~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
Like each service in OpenStack, murano has its own role-based access policies Like each service in OpenStack, Murano has its own role-based access policies
that determine who and how can access objects. These policies are defined that determine who can access objects and under what circumstances. The default
in the service's :file:`policy.json` file. implementation for these policies is defined in the service's source code --
under :file:`murano.common.policies`. The default policy definitions can be
overridden using the :file:`policy.yaml` file.
On each API call corresponding policy check is performed. .. note::
:file:`policy.json` file can be changed without interrupting the API service.
For detailed information on :file:`policy.json` syntax, please refer to the In previous OpenStack releases the default policy format was JSON, but
`OpenStack official documentation <http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html>`_ now the `recommended format <https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html#older-json-format-policy>`_
is YAML.
..
On each API call the corresponding policy check is performed.
:file:`policy.yaml` file can be changed without interrupting the API service.
For detailed information on :file:`policy.yaml` syntax, please refer to the
`OpenStack official documentation <https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html>`_
With this file you can set who may upload packages and perform other operations. With this file you can set who may upload packages and perform other operations.
The :file:`policy.json` example is: The :file:`policy.yaml` example is:
.. code-block:: json .. code-block:: yaml
{ # Rule declaration
// Rule declaration "context_is_admin": "role:admin"
"context_is_admin": "role:admin", "admin_api": "is_admin:True"
"admin_api": "is_admin:True", "default": ""
"default": "",
// Package operations # Package operations
"get_package": "rule:default", "get_package": "rule:default"
"upload_package": "rule:default", "upload_package": "rule:default"
"modify_package": "rule:default", "modify_package": "rule:default"
"publicize_package": "rule:admin_api", "publicize_package": "rule:admin_api"
"manage_public_package": "rule:default", "manage_public_package": "rule:default"
"delete_package": "rule:default", "delete_package": "rule:default"
"download_package": "rule:default", "download_package": "rule:default"
// Category operations # Category operations
"get_category": "rule:default", "get_category": "rule:default"
"delete_category": "rule:admin_api", "delete_category": "rule:admin_api"
"add_category": "rule:admin_api", "add_category": "rule:admin_api"
// Deployment read operations # Deployment read operations
"list_deployments": "rule:default", "list_deployments": "rule:default"
"statuses_deployments": "rule:default", "statuses_deployments": "rule:default"
// Environment operations # Environment operations
"list_environments": "rule:default", "list_environments": "rule:default"
"list_environments_all_tenants": "rule:admin_api", "list_environments_all_tenants": "rule:admin_api"
"show_environment": "rule:default", "show_environment": "rule:default"
"update_environment": "rule:default", "update_environment": "rule:default"
"create_environment": "rule:default", "create_environment": "rule:default"
"delete_environment": "rule:default", "delete_environment": "rule:default"
// Environment template operations # Environment template operations
"list_env_templates": "rule:default", "list_env_templates": "rule:default"
"create_env_template": "rule:default", "create_env_template": "rule:default"
"show_env_template": "rule:default", "show_env_template": "rule:default"
"update_env_template": "rule:default", "update_env_template": "rule:default"
"delete_env_template": "rule:default", "delete_env_template": "rule:default"
// Control on executing actions on deployment environments # Control on executing actions on deployment environments
"execute_action": "rule:default" "execute_action": "rule:default"
} ..
So, changing ``"upload_package": "rule:default"`` to ``"rule:admin_api"`` So, changing ``"upload_package": "rule:default"`` to ``"rule:admin_api"``
will forbid regular users to upload packages. will forbid regular users from uploading packages.
For reference: For reference:
@ -205,9 +213,12 @@ For reference:
- ``"execute_action"`` is checked whenever a user attempts to execute - ``"execute_action"`` is checked whenever a user attempts to execute
an action on deployment environments. default: anyone an action on deployment environments. default: anyone
Uploading package wizard in murano dashboard consists of several steps. .. note::
Upload package API call requested from the first form and modify from
the second one. It provides modifying package parameters on time of The package upload wizard in Murano dashboard consists of several steps:
uploading. So, please modify both configuration together. Otherwise it The "upload_package" policy is enforced during the first step while
will not be possible to browse package details on the second step "modify_package" is enforced during the second step. Package parameters are
of the wizard. modified during package upload. So, please modify both policy definitions
together. Otherwise it will not be possible to browse package details on the
second step of the wizard.
..


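--- a/etc/murano/policy.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-"context_is_admin": "role:admin",
-"admin_api": "is_admin:True",
-"default": ""
-}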


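--- a/murano/common/policies/__init__.py
+++ b/murano/common/policies/__init__.py
@@ -16,6 +16,7 @@
 import itertools
 from murano.common.policies import action
+from murano.common.policies import base
 from murano.common.policies import category
 from murano.common.policies import deployment
 from murano.common.policies import env_template
@@ -25,6 +26,7 @@ from murano.common.policies import package
 def list_rules():
     return itertools.chain(
+        base.list_rules(),
         action.list_rules(),
         category.list_rules(),
         deployment.list_rules(),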


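--- a/murano/common/policies/base.py
+++ b/murano/common/policies/base.py
@@ -25,7 +25,7 @@ rules = [
         check_str='role:admin'),
     policy.RuleDefault(
         name='admin_api',
-        check_str='is_admin:1'),
+        check_str='is_admin:True'),
     policy.RuleDefault(
         name='default',
         check_str='')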
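Review bot: The switch from `is_admin:1` to `is_admin:True` fixes a real mismatch but the hunk leaves no record of why, and the commit message only says the old value "was causing issues"; a short comment on the `admin_api` rule would stop someone reverting it to `1` later. oslo.policy's generic `key:value` check compares the literal against the string form of the credential value, so a boolean `is_admin` in the context only ever matches `'True'` — a comment such as `# is_admin is a bool in the credentials; the generic check matches its str() form, so 'True', not '1'` captures that. The `rules` list starts outside the hunk.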


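--- a/<policy module - path not shown on page>
+++ b/<policy module - path not shown on page>
@@ -80,6 +80,8 @@ def check(rule, ctxt, target=None, do_raise=True, exc=None):
         specified it will raise an exception of
         that type.
     """
+    init()
     if target is None:
         target = {}
     creds = ctxt.to_dict()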
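Review bot: `init()` is now invoked unconditionally at the top of `check()`, which runs on every policy-guarded API call, and nothing in the hunk shows whether `init()` is idempotent and cheap or rebuilds the enforcer each time; if it is the latter, this sits on the hot path of every request and also re-reads any operator policy file per call. A one-line comment explaining the intent would help the next reader, e.g. `# Make sure the enforcer exists and the in-code defaults are registered before enforcing` (adjust to what init() actually does). The `check()` signature is only in the hunk header and its body continues past the hunk.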