policy: Add defaults in code (part 6)

Partially-Implements: bp policy-in-code

Change-Id: I7c2dca52f5970ad9421bf5175fcbd963deac408f

etc/nova/policy.json

@@ -7,46 +7,5 @@
 
     "admin_api": "is_admin:True",
 
-    "network:attach_external_network": "is_admin:True",
-    "os_compute_api:servers:show:host_status": "rule:admin_api",
-    "os_compute_api:servers:migrations:force_complete": "rule:admin_api",
-    "os_compute_api:servers:migrations:delete": "rule:admin_api",
-    "os_compute_api:servers:discoverable": "@",
-    "os_compute_api:servers:migrations:index": "rule:admin_api",
-    "os_compute_api:servers:migrations:show": "rule:admin_api",
-    "os_compute_api:os-server-usage": "rule:admin_or_owner",
-    "os_compute_api:os-server-usage:discoverable": "@",
-    "os_compute_api:os-server-tags:index": "@",
-    "os_compute_api:os-server-tags:show": "@",
-    "os_compute_api:os-server-tags:update": "@",
-    "os_compute_api:os-server-tags:update_all": "@",
-    "os_compute_api:os-server-tags:delete": "@",
-    "os_compute_api:os-server-tags:delete_all": "@",
-    "os_compute_api:os-services": "rule:admin_api",
-    "os_compute_api:os-services:discoverable": "@",
-    "os_compute_api:os-shelve:shelve": "rule:admin_or_owner",
-    "os_compute_api:os-shelve:shelve:discoverable": "@",
-    "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
-    "os_compute_api:os-simple-tenant-usage:discoverable": "@",
-    "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
-    "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
-    "os_compute_api:os-suspend-server:discoverable": "@",
-    "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
-    "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
-    "os_compute_api:os-tenant-networks": "rule:admin_or_owner",
-    "os_compute_api:os-tenant-networks:discoverable": "@",
-    "os_compute_api:os-shelve:unshelve": "rule:admin_or_owner",
-    "os_compute_api:os-user-data:discoverable": "@",
-    "os_compute_api:os-virtual-interfaces": "rule:admin_or_owner",
-    "os_compute_api:os-virtual-interfaces:discoverable": "@",
-    "os_compute_api:os-volumes": "rule:admin_or_owner",
-    "os_compute_api:os-volumes:discoverable": "@",
-    "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
-    "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
-    "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
-    "os_compute_api:os-volumes-attachments:update": "rule:admin_api",
-    "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner",
-    "os_compute_api:os-volumes-attachments:discoverable": "@",
-    "os_compute_api:os-used-limits": "rule:admin_api",
-    "os_compute_api:os-used-limits:discoverable": "@"
+    "network:attach_external_network": "is_admin:True"
 }

nova/policies/__init__.py

@@ -83,7 +83,20 @@ from nova.policies import server_external_events
 from nova.policies import server_groups
 from nova.policies import server_metadata
 from nova.policies import server_password
+from nova.policies import server_tags
+from nova.policies import server_usage
 from nova.policies import servers
+from nova.policies import servers_migrations
+from nova.policies import services
+from nova.policies import shelve
+from nova.policies import simple_tenant_usage
+from nova.policies import suspend_server
+from nova.policies import tenant_networks
+from nova.policies import used_limits
+from nova.policies import user_data
+from nova.policies import virtual_interfaces
+from nova.policies import volumes
+from nova.policies import volumes_attachments
 
 
 def list_rules():
@@ -158,5 +171,18 @@ def list_rules():
         server_groups.list_rules(),
         server_metadata.list_rules(),
         server_password.list_rules(),
-        servers.list_rules()
+        server_tags.list_rules(),
+        server_usage.list_rules(),
+        servers.list_rules(),
+        servers_migrations.list_rules(),
+        services.list_rules(),
+        shelve.list_rules(),
+        simple_tenant_usage.list_rules(),
+        suspend_server.list_rules(),
+        tenant_networks.list_rules(),
+        used_limits.list_rules(),
+        user_data.list_rules(),
+        virtual_interfaces.list_rules(),
+        volumes.list_rules(),
+        volumes_attachments.list_rules()
     )

nova/policies/server_tags.py

@@ -0,0 +1,47 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-server-tags:%s'
+
+
+server_tags_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'delete_all',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'index',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'update_all',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'delete',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'update',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return server_tags_policies

nova/policies/server_usage.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-server-usage'
+POLICY_ROOT = 'os_compute_api:os-server-usage:%s'
+
+
+server_usage_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return server_usage_policies

nova/policies/servers.py

@@ -13,8 +13,10 @@
 
 from oslo_policy import policy
 
+from nova.policies import base
 
-RULE_AOO = 'rule:admin_or_owner'
+
+RULE_AOO = base.RULE_ADMIN_OR_OWNER
 SERVERS = 'os_compute_api:servers:%s'
 
 rules = [
@@ -23,6 +25,9 @@ rules = [
     policy.RuleDefault(SERVERS % 'detail:get_all_tenants', RULE_AOO),
     policy.RuleDefault(SERVERS % 'index:get_all_tenants', RULE_AOO),
     policy.RuleDefault(SERVERS % 'show', RULE_AOO),
+    # the details in host_status are pretty sensitive, only admins
+    # should do that by default.
+    policy.RuleDefault(SERVERS % 'show:host_status', base.RULE_ADMIN_API),
     policy.RuleDefault(SERVERS % 'create', RULE_AOO),
     policy.RuleDefault(SERVERS % 'create:forced_host', RULE_AOO),
     policy.RuleDefault(SERVERS % 'create:attach_volume', RULE_AOO),
@@ -35,11 +40,11 @@ rules = [
     policy.RuleDefault(SERVERS % 'resize', RULE_AOO),
     policy.RuleDefault(SERVERS % 'rebuild', RULE_AOO),
     policy.RuleDefault(SERVERS % 'create_image', RULE_AOO),
-    policy.RuleDefault(SERVERS % 'create_image:allow_volume_backed',
-                       RULE_AOO),
+    policy.RuleDefault(SERVERS % 'create_image:allow_volume_backed', RULE_AOO),
     policy.RuleDefault(SERVERS % 'start', RULE_AOO),
     policy.RuleDefault(SERVERS % 'stop', RULE_AOO),
     policy.RuleDefault(SERVERS % 'trigger_crash_dump', RULE_AOO),
+    policy.RuleDefault(SERVERS % 'discoverable', base.RULE_ANY),
 ]
 
 

nova/policies/servers_migrations.py

@@ -0,0 +1,41 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:servers:migrations:%s'
+
+
+servers_migrations_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'force_complete',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'delete',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'index',
+        check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+    return servers_migrations_policies

nova/policies/services.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-services'
+POLICY_ROOT = 'os_compute_api:os-services:%s'
+
+
+services_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return services_policies

nova/policies/shelve.py

@@ -0,0 +1,41 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-shelve:%s'
+
+
+shelve_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'shelve',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'unshelve',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'shelve_offload',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'shelve:discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return shelve_policies

nova/policies/simple_tenant_usage.py

@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-simple-tenant-usage:%s'
+
+
+simple_tenant_usage_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'list',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return simple_tenant_usage_policies

nova/policies/suspend_server.py

@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-suspend-server:%s'
+
+
+suspend_server_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'resume',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'suspend',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return suspend_server_policies

nova/policies/tenant_networks.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-tenant-networks'
+POLICY_ROOT = 'os_compute_api:os-tenant-networks:%s'
+
+
+tenant_networks_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return tenant_networks_policies

nova/policies/used_limits.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-used-limits'
+POLICY_ROOT = 'os_compute_api:os-used-limits:%s'
+
+
+used_limits_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+    return used_limits_policies

nova/policies/user_data.py

@@ -0,0 +1,32 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-user-data:%s'
+
+
+user_data_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return user_data_policies

nova/policies/virtual_interfaces.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-virtual-interfaces'
+POLICY_ROOT = 'os_compute_api:os-virtual-interfaces:%s'
+
+
+virtual_interfaces_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return virtual_interfaces_policies

nova/policies/volumes.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-volumes'
+POLICY_ROOT = 'os_compute_api:os-volumes:%s'
+
+
+volumes_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return volumes_policies

nova/policies/volumes_attachments.py

@@ -0,0 +1,47 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-volumes-attachments:%s'
+
+
+volumes_attachments_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'index',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'create',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'update',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'delete',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return volumes_attachments_policies