policy: Add defaults in code (part 1)

Adds default values for policy rules in code and removes
them from etc/policy.json file. The change is validated
by the nova.tests.unit.test_policy unit tests.

Adds default policy rules in policy_fixture. The policy_fixture
is currently loading an incomplete set of policy rules (from
policy.json or fake_policy), resulting in unit tests running
with an incomplete set of policy rules.

Co-Authored-By: Andrew Laski <andrew@lascii.com>

Partially-Implements: bp policy-in-code

Change-Id: I7a7dc2a111d536380a763169320a0820b0715a11
This commit is contained in:
Claudiu Belu 2016-06-13 08:29:47 +03:00
parent d8891f8d45
commit eacdbc3d8e
14 changed files with 432 additions and 32 deletions

@ -14,31 +14,6 @@
"os_compute_api:servers:discoverable": "@", "os_compute_api:servers:discoverable": "@",
"os_compute_api:servers:migrations:index": "rule:admin_api", "os_compute_api:servers:migrations:index": "rule:admin_api",
"os_compute_api:servers:migrations:show": "rule:admin_api", "os_compute_api:servers:migrations:show": "rule:admin_api",
"os_compute_api:os-access-ips:discoverable": "@",
"os_compute_api:os-access-ips": "rule:admin_or_owner",
"os_compute_api:os-admin-actions": "rule:admin_api",
"os_compute_api:os-admin-actions:discoverable": "@",
"os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
"os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
"os_compute_api:os-admin-password": "rule:admin_or_owner",
"os_compute_api:os-admin-password:discoverable": "@",
"os_compute_api:os-aggregates:discoverable": "@",
"os_compute_api:os-aggregates:index": "rule:admin_api",
"os_compute_api:os-aggregates:create": "rule:admin_api",
"os_compute_api:os-aggregates:show": "rule:admin_api",
"os_compute_api:os-aggregates:update": "rule:admin_api",
"os_compute_api:os-aggregates:delete": "rule:admin_api",
"os_compute_api:os-aggregates:add_host": "rule:admin_api",
"os_compute_api:os-aggregates:remove_host": "rule:admin_api",
"os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
"os_compute_api:os-agents": "rule:admin_api",
"os_compute_api:os-agents:discoverable": "@",
"os_compute_api:os-attach-interfaces": "rule:admin_or_owner",
"os_compute_api:os-attach-interfaces:discoverable": "@",
"os_compute_api:os-baremetal-nodes": "rule:admin_api",
"os_compute_api:os-baremetal-nodes:discoverable": "@",
"os_compute_api:os-block-device-mapping-v1:discoverable": "@",
"os_compute_api:os-cells": "rule:admin_api", "os_compute_api:os-cells": "rule:admin_api",
"os_compute_api:os-cells:create": "rule:admin_api", "os_compute_api:os-cells:create": "rule:admin_api",
"os_compute_api:os-cells:delete": "rule:admin_api", "os_compute_api:os-cells:delete": "rule:admin_api",
@ -220,16 +195,10 @@
"os_compute_api:os-volumes-attachments:update": "rule:admin_api", "os_compute_api:os-volumes-attachments:update": "rule:admin_api",
"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner", "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner",
"os_compute_api:os-volumes-attachments:discoverable": "@", "os_compute_api:os-volumes-attachments:discoverable": "@",
"os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
"os_compute_api:os-availability-zone:discoverable": "@",
"os_compute_api:os-availability-zone:detail": "rule:admin_api",
"os_compute_api:os-used-limits": "rule:admin_api", "os_compute_api:os-used-limits": "rule:admin_api",
"os_compute_api:os-used-limits:discoverable": "@", "os_compute_api:os-used-limits:discoverable": "@",
"os_compute_api:os-migrations:index": "rule:admin_api", "os_compute_api:os-migrations:index": "rule:admin_api",
"os_compute_api:os-migrations:discoverable": "@", "os_compute_api:os-migrations:discoverable": "@",
"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:discoverable": "@",
"os_compute_api:os-console-auth-tokens": "rule:admin_api", "os_compute_api:os-console-auth-tokens": "rule:admin_api",
"os_compute_api:os-console-auth-tokens:discoverable": "@", "os_compute_api:os-console-auth-tokens:discoverable": "@",
"os_compute_api:os-server-external-events:create": "rule:admin_api", "os_compute_api:os-server-external-events:create": "rule:admin_api",

@ -13,12 +13,32 @@
import itertools import itertools
from nova.policies import access_ips
from nova.policies import admin_actions
from nova.policies import admin_password
from nova.policies import agents
from nova.policies import aggregates
from nova.policies import assisted_volume_snapshots
from nova.policies import attach_interfaces
from nova.policies import availability_zone
from nova.policies import baremetal_nodes
from nova.policies import base from nova.policies import base
from nova.policies import block_device_mapping_v1
from nova.policies import servers from nova.policies import servers
def list_rules(): def list_rules():
return itertools.chain( return itertools.chain(
access_ips.list_rules(),
admin_actions.list_rules(),
admin_password.list_rules(),
agents.list_rules(),
aggregates.list_rules(),
assisted_volume_snapshots.list_rules(),
attach_interfaces.list_rules(),
availability_zone.list_rules(),
baremetal_nodes.list_rules(),
base.list_rules(), base.list_rules(),
block_device_mapping_v1.list_rules(),
servers.list_rules() servers.list_rules()
) )

@ -0,0 +1,36 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-access-ips'
POLICY_ROOT = 'os_compute_api:os-access-ips:%s'
access_ips_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),
]
def list_rules():
return access_ips_policies

@ -0,0 +1,45 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-admin-actions'
POLICY_ROOT = 'os_compute_api:os-admin-actions:%s'
admin_actions_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=POLICY_ROOT % 'reset_state',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'inject_network_info',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'reset_network',
check_str=base.RULE_ADMIN_API),
]
def list_rules():
return admin_actions_policies

@ -0,0 +1,36 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-admin-password'
POLICY_ROOT = 'os_compute_api:os-admin-password:%s'
admin_password_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),
]
def list_rules():
return admin_password_policies

36
nova/policies/agents.py Normal file

@ -0,0 +1,36 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-agents'
POLICY_ROOT = 'os_compute_api:os-agents:%s'
agents_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return agents_policies

@ -0,0 +1,56 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-aggregates:%s'
aggregates_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'set_metadata',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'add_host',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'remove_host',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'update',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'index',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'show',
check_str=base.RULE_ADMIN_API),
]
def list_rules():
return aggregates_policies

@ -0,0 +1,38 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-assisted-volume-snapshots:%s'
assisted_volume_snapshots_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'create',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'delete',
check_str=base.RULE_ADMIN_API),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return assisted_volume_snapshots_policies

@ -0,0 +1,36 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-attach-interfaces'
POLICY_ROOT = 'os_compute_api:os-attach-interfaces:%s'
attach_interfaces_policies = [
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return attach_interfaces_policies

@ -0,0 +1,38 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-availability-zone:%s'
availability_zone_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'list',
check_str=base.RULE_ADMIN_OR_OWNER),
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=POLICY_ROOT % 'detail',
check_str=base.RULE_ADMIN_API),
]
def list_rules():
return availability_zone_policies

@ -0,0 +1,36 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
BASE_POLICY_NAME = 'os_compute_api:os-baremetal-nodes'
POLICY_ROOT = 'os_compute_api:os-baremetal-nodes:%s'
baremetal_nodes_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
policy.RuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_API),
]
def list_rules():
return baremetal_nodes_policies

@ -12,6 +12,10 @@
from oslo_policy import policy from oslo_policy import policy
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_API = 'rule:admin_api'
RULE_ANY = '@'
rules = [ rules = [
policy.RuleDefault('context_is_admin', 'role:admin'), policy.RuleDefault('context_is_admin', 'role:admin'),
policy.RuleDefault('admin_or_owner', policy.RuleDefault('admin_or_owner',

@ -0,0 +1,32 @@
# Copyright 2016 Cloudbase Solutions Srl
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from nova.policies import base
POLICY_ROOT = 'os_compute_api:os-block-device-mapping-v1:%s'
block_device_mapping_v1_policies = [
policy.RuleDefault(
name=POLICY_ROOT % 'discoverable',
check_str=base.RULE_ANY),
]
def list_rules():
return block_device_mapping_v1_policies

@ -21,6 +21,7 @@ import six
import nova.conf import nova.conf
from nova.conf import paths from nova.conf import paths
from nova import policies
import nova.policy import nova.policy
from nova.tests.unit import fake_policy from nova.tests.unit import fake_policy
@ -57,6 +58,18 @@ class RealPolicyFixture(fixtures.Fixture):
policy = nova.policy._ENFORCER policy = nova.policy._ENFORCER
policy.set_rules(oslo_policy.Rules.from_dict(rules)) policy.set_rules(oslo_policy.Rules.from_dict(rules))
def add_missing_default_rules(self, rules):
"""Adds default rules and their values to the given rules dict.
The given rulen dict may have an incomplete set of policy rules.
This method will add the default policy rules and their values to
the dict. It will not override the existing rules.
"""
for rule in policies.list_rules():
if rule.name not in rules:
rules[rule.name] = rule.check_str
class PolicyFixture(RealPolicyFixture): class PolicyFixture(RealPolicyFixture):
"""Load a fake policy from nova.tests.unit.fake_policy """Load a fake policy from nova.tests.unit.fake_policy
@ -77,8 +90,12 @@ class PolicyFixture(RealPolicyFixture):
self.policy_dir = self.useFixture(fixtures.TempDir()) self.policy_dir = self.useFixture(fixtures.TempDir())
self.policy_file = os.path.join(self.policy_dir.path, self.policy_file = os.path.join(self.policy_dir.path,
'policy.json') 'policy.json')
# load the fake_policy data and add the missing default rules.
policy_rules = jsonutils.loads(fake_policy.policy_data)
self.add_missing_default_rules(policy_rules)
with open(self.policy_file, 'w') as f: with open(self.policy_file, 'w') as f:
f.write(fake_policy.policy_data) jsonutils.dump(policy_rules, f)
CONF.set_override('policy_dirs', [], group='oslo_policy') CONF.set_override('policy_dirs', [], group='oslo_policy')
@ -103,6 +120,7 @@ class RoleBasedPolicyFixture(RealPolicyFixture):
with open(CONF.oslo_policy.policy_file) as fp: with open(CONF.oslo_policy.policy_file) as fp:
policy = fp.read() policy = fp.read()
policy = jsonutils.loads(policy) policy = jsonutils.loads(policy)
self.add_missing_default_rules(policy)
# Convert all actions to require specified role # Convert all actions to require specified role
for action, rule in six.iteritems(policy): for action, rule in six.iteritems(policy):