diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index 1ffec0251819..95719811dc35 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -14,31 +14,6 @@
 "os_compute_api:servers:discoverable": "@",
 "os_compute_api:servers:migrations:index": "rule:admin_api",
 "os_compute_api:servers:migrations:show": "rule:admin_api",
- "os_compute_api:os-access-ips:discoverable": "@",
- "os_compute_api:os-access-ips": "rule:admin_or_owner",
- "os_compute_api:os-admin-actions": "rule:admin_api",
- "os_compute_api:os-admin-actions:discoverable": "@",
- "os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
- "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
- "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
- "os_compute_api:os-admin-password": "rule:admin_or_owner",
- "os_compute_api:os-admin-password:discoverable": "@",
- "os_compute_api:os-aggregates:discoverable": "@",
- "os_compute_api:os-aggregates:index": "rule:admin_api",
- "os_compute_api:os-aggregates:create": "rule:admin_api",
- "os_compute_api:os-aggregates:show": "rule:admin_api",
- "os_compute_api:os-aggregates:update": "rule:admin_api",
- "os_compute_api:os-aggregates:delete": "rule:admin_api",
- "os_compute_api:os-aggregates:add_host": "rule:admin_api",
- "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
- "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
- "os_compute_api:os-agents": "rule:admin_api",
- "os_compute_api:os-agents:discoverable": "@",
- "os_compute_api:os-attach-interfaces": "rule:admin_or_owner",
- "os_compute_api:os-attach-interfaces:discoverable": "@",
- "os_compute_api:os-baremetal-nodes": "rule:admin_api",
- "os_compute_api:os-baremetal-nodes:discoverable": "@",
- "os_compute_api:os-block-device-mapping-v1:discoverable": "@",
 "os_compute_api:os-cells": "rule:admin_api",
 "os_compute_api:os-cells:create": "rule:admin_api",
 "os_compute_api:os-cells:delete": "rule:admin_api",
@@ -220,16 +195,10 @@
 "os_compute_api:os-volumes-attachments:update": "rule:admin_api",
 "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner",
 "os_compute_api:os-volumes-attachments:discoverable": "@",
- "os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
- "os_compute_api:os-availability-zone:discoverable": "@",
- "os_compute_api:os-availability-zone:detail": "rule:admin_api",
 "os_compute_api:os-used-limits": "rule:admin_api",
 "os_compute_api:os-used-limits:discoverable": "@",
 "os_compute_api:os-migrations:index": "rule:admin_api",
 "os_compute_api:os-migrations:discoverable": "@",
- "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
- "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
- "os_compute_api:os-assisted-volume-snapshots:discoverable": "@",
 "os_compute_api:os-console-auth-tokens": "rule:admin_api",
 "os_compute_api:os-console-auth-tokens:discoverable": "@",
 "os_compute_api:os-server-external-events:create": "rule:admin_api",
diff --git a/nova/policies/__init__.py b/nova/policies/__init__.py
index 8b59e32d72d1..70af8a93e65a 100644
--- a/nova/policies/__init__.py
+++ b/nova/policies/__init__.py
@@ -13,12 +13,32 @@
 import itertools
+from nova.policies import access_ips
+from nova.policies import admin_actions
+from nova.policies import admin_password
+from nova.policies import agents
+from nova.policies import aggregates
+from nova.policies import assisted_volume_snapshots
+from nova.policies import attach_interfaces
+from nova.policies import availability_zone
+from nova.policies import baremetal_nodes
 from nova.policies import base
+from nova.policies import block_device_mapping_v1
 from nova.policies import servers
 def list_rules():
 return itertools.chain(
+ access_ips.list_rules(),
+ admin_actions.list_rules(),
+ admin_password.list_rules(),
+ agents.list_rules(),
+ aggregates.list_rules(),
+ assisted_volume_snapshots.list_rules(),
+ attach_interfaces.list_rules(),
+ availability_zone.list_rules(),
+ baremetal_nodes.list_rules(),
 base.list_rules(),
+ block_device_mapping_v1.list_rules(),
 servers.list_rules()
 )
diff --git a/nova/policies/access_ips.py b/nova/policies/access_ips.py
new file mode 100644
index 000000000000..15b40f161cd8
--- /dev/null
+++ b/nova/policies/access_ips.py
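Review bot: Nothing in this change asserts that the defaults registered through `list_rules()` equal the entries deleted from etc/nova/policy.json, so a transcription slip in one of the new modules (an `admin_api` action typed as `admin_or_owner`, or an action left out) would silently loosen an admin-only check and nothing here would notice. Reading the ten new modules against the two policy.json hunks they do match, but a unit test that pins `rule.name` to `rule.check_str` for every rule yielded by `policies.list_rules()` would make that hold for the remaining APIs that are presumably going to be moved the same way. The import list and the `itertools.chain(...)` arguments also have to be kept in step by hand; a module that is imported but not chained registers no defaults, which nothing in this file detects.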
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-access-ips'
+POLICY_ROOT = 'os_compute_api:os-access-ips:%s'
+
+
+access_ips_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return access_ips_policies
diff --git a/nova/policies/admin_actions.py b/nova/policies/admin_actions.py
new file mode 100644
index 000000000000..9d7742b5017f
--- /dev/null
+++ b/nova/policies/admin_actions.py
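Review bot: The `policy.RuleDefault(...)` entries carry no `description=`, so anyone auditing the registered defaults (or a generated sample, if the project emits one) sees only a name and a check string and has to read the API code to learn what `os_compute_api:os-access-ips` actually gates; the same applies to every new module in this change (admin_actions, admin_password, agents, aggregates, assisted_volume_snapshots, attach_interfaces, availability_zone, baremetal_nodes, block_device_mapping_v1). A one-line `description=` per rule naming the API operation it protects is the natural place for that. `POLICY_ROOT` also repeats the string held in `BASE_POLICY_NAME`; deriving it as `POLICY_ROOT = BASE_POLICY_NAME + ':%s'` removes one place where the two can drift apart, and the same pattern recurs in the other modules that define both constants.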
@@ -0,0 +1,45 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-admin-actions'
+POLICY_ROOT = 'os_compute_api:os-admin-actions:%s'
+
+
+admin_actions_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'reset_state',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'inject_network_info',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'reset_network',
+ check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+ return admin_actions_policies
diff --git a/nova/policies/admin_password.py b/nova/policies/admin_password.py
new file mode 100644
index 000000000000..e7b22514b5f8
--- /dev/null
+++ b/nova/policies/admin_password.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-admin-password'
+POLICY_ROOT = 'os_compute_api:os-admin-password:%s'
+
+
+admin_password_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+ return admin_password_policies
diff --git a/nova/policies/agents.py b/nova/policies/agents.py
new file mode 100644
index 000000000000..f1c5195303fa
--- /dev/null
+++ b/nova/policies/agents.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-agents'
+POLICY_ROOT = 'os_compute_api:os-agents:%s'
+
+
+agents_policies = [
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return agents_policies
diff --git a/nova/policies/aggregates.py b/nova/policies/aggregates.py
new file mode 100644
index 000000000000..0308159112af
--- /dev/null
+++ b/nova/policies/aggregates.py
@@ -0,0 +1,56 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-aggregates:%s'
+
+
+aggregates_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'set_metadata',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'add_host',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'create',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'remove_host',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'update',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'delete',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+ return aggregates_policies
diff --git a/nova/policies/assisted_volume_snapshots.py b/nova/policies/assisted_volume_snapshots.py
new file mode 100644
index 000000000000..53e007ed3bd1
--- /dev/null
+++ b/nova/policies/assisted_volume_snapshots.py
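Review bot: The nine `RuleDefault` entries in `aggregates_policies` are in an arbitrary order (set_metadata, add_host, discoverable, create, remove_host, update, index, delete, show), which makes it needlessly hard to check by eye that every action deleted from policy.json is present and still carries `base.RULE_ADMIN_API`; the admin_actions hunk has the same scrambled order. Listing `discoverable` first and the remaining actions alphabetically, or keeping the order of the removed JSON lines, would make the transcription diffable against the old sample and make a dropped or loosened action stand out. Since all eight aggregate actions are admin-only, the set of names is the only thing a reviewer has to verify here, so the ordering is what carries the review burden.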
@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-assisted-volume-snapshots:%s'
+
+
+assisted_volume_snapshots_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'create',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'delete',
+ check_str=base.RULE_ADMIN_API),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return assisted_volume_snapshots_policies
diff --git a/nova/policies/attach_interfaces.py b/nova/policies/attach_interfaces.py
new file mode 100644
index 000000000000..4e6a34e51b75
--- /dev/null
+++ b/nova/policies/attach_interfaces.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-attach-interfaces'
+POLICY_ROOT = 'os_compute_api:os-attach-interfaces:%s'
+
+
+attach_interfaces_policies = [
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return attach_interfaces_policies
diff --git a/nova/policies/availability_zone.py b/nova/policies/availability_zone.py
new file mode 100644
index 000000000000..dcbbdeddf311
--- /dev/null
+++ b/nova/policies/availability_zone.py
@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-availability-zone:%s'
+
+
+availability_zone_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'list',
+ check_str=base.RULE_ADMIN_OR_OWNER),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'detail',
+ check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+ return availability_zone_policies
diff --git a/nova/policies/baremetal_nodes.py b/nova/policies/baremetal_nodes.py
new file mode 100644
index 000000000000..a1c8a32f4f79
--- /dev/null
+++ b/nova/policies/baremetal_nodes.py
@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-baremetal-nodes'
+POLICY_ROOT = 'os_compute_api:os-baremetal-nodes:%s'
+
+
+baremetal_nodes_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+ policy.RuleDefault(
+ name=BASE_POLICY_NAME,
+ check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+ return baremetal_nodes_policies
diff --git a/nova/policies/base.py b/nova/policies/base.py
index 9cff0ef02de7..5c5d13b5009e 100644
--- a/nova/policies/base.py
+++ b/nova/policies/base.py
@@ -12,6 +12,10 @@
 from oslo_policy import policy
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_API = 'rule:admin_api'
+RULE_ANY = '@'
+
 rules = [
 policy.RuleDefault('context_is_admin', 'role:admin'),
 policy.RuleDefault('admin_or_owner',
diff --git a/nova/policies/block_device_mapping_v1.py b/nova/policies/block_device_mapping_v1.py
new file mode 100644
index 000000000000..88e93d8ca5af
--- /dev/null
+++ b/nova/policies/block_device_mapping_v1.py
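Review bot: `RULE_ANY = '@'` in the base.py hunk relies on the reader knowing oslo.policy's special check strings, and nothing says what the two `rule:` constants point at; a comment above them would save the next maintainer a lookup, e.g. `# '@' is oslo.policy's always-allow check (its counterpart '!' always denies); used by the *:discoverable rules` and `# References to the admin_or_owner / admin_api rules registered in ``rules`` below`. That second comment matters because the constants are only string references: renaming the `admin_or_owner` rule visible below (or the `admin_api` rule that presumably follows outside the hunk) without updating the constant would make every default that uses it refer to a rule that does not exist. The `rules` list continues outside the hunk.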
@@ -0,0 +1,32 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-block-device-mapping-v1:%s'
+
+
+block_device_mapping_v1_policies = [
+ policy.RuleDefault(
+ name=POLICY_ROOT % 'discoverable',
+ check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+ return block_device_mapping_v1_policies
diff --git a/nova/tests/unit/policy_fixture.py b/nova/tests/unit/policy_fixture.py
index df2c9c5800a7..b112ac1a9e48 100644
--- a/nova/tests/unit/policy_fixture.py
+++ b/nova/tests/unit/policy_fixture.py
@@ -21,6 +21,7 @@ import six
 import nova.conf
 from nova.conf import paths
+from nova import policies
 import nova.policy
 from nova.tests.unit import fake_policy
@@ -57,6 +58,18 @@ class RealPolicyFixture(fixtures.Fixture):
 policy = nova.policy._ENFORCER
 policy.set_rules(oslo_policy.Rules.from_dict(rules))
+ def add_missing_default_rules(self, rules):
+ """Adds default rules and their values to the given rules dict.
+
+ The given rulen dict may have an incomplete set of policy rules.
+ This method will add the default policy rules and their values to
+ the dict. It will not override the existing rules.
+ """
+
+ for rule in policies.list_rules():
+ if rule.name not in rules:
+ rules[rule.name] = rule.check_str
+
 class PolicyFixture(RealPolicyFixture):
 """Load a fake policy from nova.tests.unit.fake_policy
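Review bot: The docstring of `add_missing_default_rules` in the policy_fixture hunk has a typo, `The given rulen dict` should read `The given rules dict`, and it does not say that the method mutates its argument and returns nothing, which is the one thing a caller needs to know; a closing line such as `Mutates *rules* in place and returns None.` would cover it. It is also worth spelling out the precedence the `if rule.name not in rules` guard establishes: a rule that fake_policy sets explicitly keeps that value even when the in-code default is stricter, so tests that rely on fake_policy's permissive entries are unaffected while only genuinely missing rules pick up the code defaults. That is the intended behaviour as far as the hunk shows, but a reader skimming the name could assume the defaults win.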
@@ -77,8 +90,12 @@ class PolicyFixture(RealPolicyFixture):
 self.policy_dir = self.useFixture(fixtures.TempDir())
 self.policy_file = os.path.join(self.policy_dir.path, 'policy.json')
+
+ # load the fake_policy data and add the missing default rules.
+ policy_rules = jsonutils.loads(fake_policy.policy_data)
+ self.add_missing_default_rules(policy_rules)
 with open(self.policy_file, 'w') as f:
- f.write(fake_policy.policy_data)
+ jsonutils.dump(policy_rules, f)
 CONF.set_override('policy_dirs', [], group='oslo_policy')
@@ -103,6 +120,7 @@ class RoleBasedPolicyFixture(RealPolicyFixture):
 with open(CONF.oslo_policy.policy_file) as fp:
 policy = fp.read()
 policy = jsonutils.loads(policy)
+ self.add_missing_default_rules(policy)
 # Convert all actions to require specified role
 for action, rule in six.iteritems(policy):