Remove murano default policy.json
This commit removes the murano default policy.json file from etc/murano and references to it in murano's devstack plugin. (References to the policy.json in muranodashboard remain unchanged.) This commit specifically: - removes the default policy.json - removes references to it in the devstack plugin - adds base rules to murano.common.policies.__init__ because they are the last rules to be included - updates the base admin_api rule to is_admin:True from is_admin:1 (because the latter was causing issues) - updates the Murano policy documentation Partially Implements: blueprint policy-in-code Depends-On: Ia372983d2bd1010cd19f04061f3276ed16e9c1c9 Change-Id: I1a8581a559e4333a74d56a5bdce7e6d1f117907d
parent
fa52193c87
commit
fb1a2d5bbe
@ -161,7 +161,6 @@ function configure_murano {
|
||||
--namespace oslo.messaging \
|
||||
> $MURANO_CONF_FILE
|
||||
cp $MURANO_DIR/etc/murano/murano-paste.ini $MURANO_CONF_DIR
|
||||
cp $MURANO_DIR/etc/murano/policy.json $MURANO_POLICY_FILE
|
||||
|
||||
cleanup_murano
|
||||
|
||||
@ -362,7 +361,6 @@ function setup_core_library() {
|
||||
--is-public
|
||||
|
||||
remove_core_apps_zip
|
||||
|
||||
}
|
||||
|
||||
# install_murano() - Collect source and prepare
|
||||
|
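Review bot: Dropping `cp $MURANO_DIR/etc/murano/policy.json $MURANO_POLICY_FILE` from configure_murano stops installing the file, but a policy.json left behind in $MURANO_CONF_DIR by an earlier devstack run is still picked up by oslo.policy and its rules override the in-code defaults, so stale overrides would silently win. Consider deleting it during cleanup, e.g. `rm -f $MURANO_CONF_DIR/policy.json` in cleanup_murano (its body is outside this hunk, so I cannot see whether something similar is already there). Since the plugin no longer writes any policy file, it is also worth confirming that murano.conf is not still pointed at the removed path via `[oslo_policy] policy_file`. The second hunk, in setup_core_library, does not appear to touch policy handling.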
@ -16,7 +16,6 @@ MURANO_DIR=$DEST/murano
|
||||
MURANO_CONF_DIR=${MURANO_CONF_DIR:-/etc/murano}
|
||||
MURANO_CONF_FILE=${MURANO_CONF_DIR}/murano.conf
|
||||
MURANO_CFAPI_CONF_FILE=${MURANO_CONF_DIR}/murano-cfapi.conf
|
||||
MURANO_POLICY_FILE=${MURANO_CONF_DIR}/policy.json
|
||||
MURANO_DEBUG=$(trueorfalse True MURANO_DEBUG)
|
||||
MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT=$(trueorfalse False MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT)
|
||||
|
||||
|
@ -121,67 +121,75 @@ To configure neutron manually, follow the steps below.
|
||||
Policy configuration
|
||||
~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Like each service in OpenStack, murano has its own role-based access policies
|
||||
that determine who and how can access objects. These policies are defined
|
||||
in the service's :file:`policy.json` file.
|
||||
Like each service in OpenStack, Murano has its own role-based access policies
|
||||
that determine who can access objects and under what circumstances. The default
|
||||
implementation for these policies is defined in the service's source code --
|
||||
under :file:`murano.common.policies`. The default policy definitions can be
|
||||
overridden using the :file:`policy.yaml` file.
|
||||
|
||||
On each API call corresponding policy check is performed.
|
||||
:file:`policy.json` file can be changed without interrupting the API service.
|
||||
.. note::
|
||||
|
||||
For detailed information on :file:`policy.json` syntax, please refer to the
|
||||
`OpenStack official documentation <http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html>`_
|
||||
In previous OpenStack releases the default policy format was JSON, but
|
||||
now the `recommended format <https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html#older-json-format-policy>`_
|
||||
is YAML.
|
||||
..
|
||||
|
||||
On each API call the corresponding policy check is performed.
|
||||
:file:`policy.yaml` file can be changed without interrupting the API service.
|
||||
|
||||
For detailed information on :file:`policy.yaml` syntax, please refer to the
|
||||
`OpenStack official documentation <https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html>`_
|
||||
|
||||
With this file you can set who may upload packages and perform other operations.
|
||||
|
||||
The :file:`policy.json` example is:
|
||||
The :file:`policy.yaml` example is:
|
||||
|
||||
.. code-block:: json
|
||||
.. code-block:: yaml
|
||||
|
||||
{
|
||||
// Rule declaration
|
||||
"context_is_admin": "role:admin",
|
||||
"admin_api": "is_admin:True",
|
||||
"default": "",
|
||||
# Rule declaration
|
||||
"context_is_admin": "role:admin"
|
||||
"admin_api": "is_admin:True"
|
||||
"default": ""
|
||||
|
||||
// Package operations
|
||||
"get_package": "rule:default",
|
||||
"upload_package": "rule:default",
|
||||
"modify_package": "rule:default",
|
||||
"publicize_package": "rule:admin_api",
|
||||
"manage_public_package": "rule:default",
|
||||
"delete_package": "rule:default",
|
||||
"download_package": "rule:default",
|
||||
# Package operations
|
||||
"get_package": "rule:default"
|
||||
"upload_package": "rule:default"
|
||||
"modify_package": "rule:default"
|
||||
"publicize_package": "rule:admin_api"
|
||||
"manage_public_package": "rule:default"
|
||||
"delete_package": "rule:default"
|
||||
"download_package": "rule:default"
|
||||
|
||||
// Category operations
|
||||
"get_category": "rule:default",
|
||||
"delete_category": "rule:admin_api",
|
||||
"add_category": "rule:admin_api",
|
||||
# Category operations
|
||||
"get_category": "rule:default"
|
||||
"delete_category": "rule:admin_api"
|
||||
"add_category": "rule:admin_api"
|
||||
|
||||
// Deployment read operations
|
||||
"list_deployments": "rule:default",
|
||||
"statuses_deployments": "rule:default",
|
||||
# Deployment read operations
|
||||
"list_deployments": "rule:default"
|
||||
"statuses_deployments": "rule:default"
|
||||
|
||||
// Environment operations
|
||||
"list_environments": "rule:default",
|
||||
"list_environments_all_tenants": "rule:admin_api",
|
||||
"show_environment": "rule:default",
|
||||
"update_environment": "rule:default",
|
||||
"create_environment": "rule:default",
|
||||
"delete_environment": "rule:default",
|
||||
# Environment operations
|
||||
"list_environments": "rule:default"
|
||||
"list_environments_all_tenants": "rule:admin_api"
|
||||
"show_environment": "rule:default"
|
||||
"update_environment": "rule:default"
|
||||
"create_environment": "rule:default"
|
||||
"delete_environment": "rule:default"
|
||||
|
||||
// Environment template operations
|
||||
"list_env_templates": "rule:default",
|
||||
"create_env_template": "rule:default",
|
||||
"show_env_template": "rule:default",
|
||||
"update_env_template": "rule:default",
|
||||
"delete_env_template": "rule:default",
|
||||
# Environment template operations
|
||||
"list_env_templates": "rule:default"
|
||||
"create_env_template": "rule:default"
|
||||
"show_env_template": "rule:default"
|
||||
"update_env_template": "rule:default"
|
||||
"delete_env_template": "rule:default"
|
||||
|
||||
// Control on executing actions on deployment environments
|
||||
# Control on executing actions on deployment environments
|
||||
"execute_action": "rule:default"
|
||||
}
|
||||
..
|
||||
|
||||
So, changing ``"upload_package": "rule:default"`` to ``"rule:admin_api"``
|
||||
will forbid regular users to upload packages.
|
||||
will forbid regular users from uploading packages.
|
||||
|
||||
For reference:
|
||||
|
||||
@ -205,9 +213,12 @@ For reference:
|
||||
- ``"execute_action"`` is checked whenever a user attempts to execute
|
||||
an action on deployment environments. default: anyone
|
||||
|
||||
Uploading package wizard in murano dashboard consists of several steps.
|
||||
Upload package API call requested from the first form and modify from
|
||||
the second one. It provides modifying package parameters on time of
|
||||
uploading. So, please modify both configuration together. Otherwise it
|
||||
will not be possible to browse package details on the second step
|
||||
of the wizard.
|
||||
.. note::
|
||||
|
||||
The package upload wizard in Murano dashboard consists of several steps:
|
||||
The "upload_package" policy is enforced during the first step while
|
||||
"modify_package" is enforced during the second step. Package parameters are
|
||||
modified during package upload. So, please modify both policy definitions
|
||||
together. Otherwise it will not be possible to browse package details on the
|
||||
second step of the wizard.
|
||||
..
|
||||
|
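--- a/etc/murano/policy.json
+++ b/etc/murano/policy.json
@@ -1,5 +0,0 @@
-{
-"context_is_admin": "role:admin",
-"admin_api": "is_admin:True",
-"default": ""
-}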
@ -16,6 +16,7 @@
|
||||
import itertools
|
||||
|
||||
from murano.common.policies import action
|
||||
from murano.common.policies import base
|
||||
from murano.common.policies import category
|
||||
from murano.common.policies import deployment
|
||||
from murano.common.policies import env_template
|
||||
@ -25,6 +26,7 @@ from murano.common.policies import package
|
||||
|
||||
def list_rules():
|
||||
return itertools.chain(
|
||||
base.list_rules(),
|
||||
action.list_rules(),
|
||||
category.list_rules(),
|
||||
deployment.list_rules(),
|
||||
|
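Review bot: `list_rules()` gains `base.list_rules()` as the first element of the chain but still carries no docstring, so a reader cannot tell whether placing base first is deliberate. A one-liner such as `"""Return an iterator over every murano RuleDefault, base rules first."""` plus a short comment on the `base.list_rules(),` line saying why it leads the chain (the other modules' check strings refer to `rule:default` and `rule:admin_api`, if that is the reason) would record the intent. The body of list_rules() continues past the end of this hunk.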
@ -25,7 +25,7 @@ rules = [
|
||||
check_str='role:admin'),
|
||||
policy.RuleDefault(
|
||||
name='admin_api',
|
||||
check_str='is_admin:1'),
|
||||
check_str='is_admin:True'),
|
||||
policy.RuleDefault(
|
||||
name='default',
|
||||
check_str='')
|
||||
|
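Review bot: The new `check_str='is_admin:True'` on the `admin_api` rule deserves a why-comment, because `is_admin:1` looks equivalent at a glance: oslo.policy's generic `key:value` check compares the literal against the string form of the credential, so with a boolean `is_admin` in the request context only `True` can ever match. A line such as `# context is_admin is a bool and GenericCheck compares str(value); 'is_admin:1' never matched` above the RuleDefault would capture that. `policy.RuleDefault` also accepts `description=`, and giving each base rule one (e.g. `description='Rule for administrator-only API operations.'` on admin_api) would surface in the generated sample policy; the `rules` list starts before this hunk.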
@ -80,6 +80,8 @@ def check(rule, ctxt, target=None, do_raise=True, exc=None):
|
||||
specified it will raise an exception of
|
||||
that type.
|
||||
"""
|
||||
init()
|
||||
|
||||
if target is None:
|
||||
target = {}
|
||||
creds = ctxt.to_dict()
|
||||
|
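Review bot: `check()` now calls `init()` on every policy evaluation, which means once per enforced API request; that is only acceptable if `init()` is idempotent and cheap, for example returning immediately when the module-level enforcer already exists. `init()` is not visible in this hunk, so please confirm that guarantee and state it at the call site with a comment such as `# lazily creates the enforcer; no-op once initialised`. The remainder of check() lies outside the hunk.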