Remove leftovers of retirement
Change-Id: I5acab95813ac3d0604f73c377bf111f423a008bc
parent
ca45bbdca0
commit
d1d5d917b0
|
@ -1,25 +0,0 @@
|
|||
===================
|
||||
Panko Sample Policy
|
||||
===================
|
||||
|
||||
.. warning::
|
||||
|
||||
JSON formatted policy file is deprecated since Panko 10.0.0 (Wallaby).
|
||||
This `oslopolicy-convert-json-to-yaml`__ tool will migrate your existing
|
||||
JSON-formatted policy file to YAML in a backward-compatible way.
|
||||
|
||||
.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
|
||||
|
||||
|
||||
The following is a sample panko policy file that has been auto-generated
|
||||
from default policy values in code. If you're using the default policies, then
|
||||
the maintenance of this file is not necessary, and it should not be copied into
|
||||
a deployment. Doing so will result in duplicate policy definitions. It is here
|
||||
to help explain which policy operations protect specific panko APIs, but it
|
||||
is not suggested to copy and paste into a deployment unless you're planning on
|
||||
providing a different policy for an operation that is not the default.
|
||||
|
||||
The sample policy file can also be viewed in
|
||||
:download:`file form <../_static/panko.policy.yaml.sample>`.
|
||||
|
||||
.. literalinclude:: ../_static/panko.policy.yaml.sample
|
|
@ -1,116 +0,0 @@
|
|||
#
|
||||
# Copyright 2012 New Dream Network, LLC (DreamHost)
|
||||
# Copyright 2014 Hewlett-Packard Company
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
"""Access Control Lists (ACL's) control access the API server."""
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_policy import opts
|
||||
from oslo_policy import policy
|
||||
import pecan
|
||||
|
||||
from panko import policies
|
||||
|
||||
_ENFORCER = None
|
||||
|
||||
# TODO(gmann): Remove setting the default value of config policy_file
|
||||
# once oslo_policy change the default value to 'policy.yaml'.
|
||||
# https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
|
||||
DEFAULT_POLICY_FILE = 'policy.yaml'
|
||||
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
|
||||
|
||||
|
||||
def init():
|
||||
global _ENFORCER
|
||||
if not _ENFORCER:
|
||||
_ENFORCER = policy.Enforcer(pecan.request.cfg)
|
||||
_ENFORCER.load_rules()
|
||||
_ENFORCER.register_defaults(policies.list_policies())
|
||||
|
||||
|
||||
def reset():
|
||||
global _ENFORCER
|
||||
if _ENFORCER:
|
||||
_ENFORCER.clear()
|
||||
_ENFORCER = None
|
||||
|
||||
|
||||
def _has_rule(name):
|
||||
return name in _ENFORCER.rules.keys()
|
||||
|
||||
|
||||
def enforce(policy_name, request):
|
||||
"""Return the user and project the request should be limited to.
|
||||
|
||||
:param request: HTTP request
|
||||
:param policy_name: the policy name to validate authz against.
|
||||
|
||||
|
||||
"""
|
||||
init()
|
||||
|
||||
rule_method = "telemetry:" + policy_name
|
||||
headers = request.headers
|
||||
|
||||
policy_dict = dict()
|
||||
policy_dict['roles'] = headers.get('X-Roles', "").split(",")
|
||||
policy_dict['user_id'] = (headers.get('X-User-Id'))
|
||||
policy_dict['project_id'] = (headers.get('X-Project-Id'))
|
||||
|
||||
# maintain backward compat with Juno and previous by allowing the action if
|
||||
# there is no rule defined for it
|
||||
if ((_has_rule('default') or _has_rule(rule_method)) and
|
||||
not _ENFORCER.enforce(rule_method, {}, policy_dict)):
|
||||
pecan.core.abort(status_code=403, detail='RBAC Authorization Failed')
|
||||
|
||||
|
||||
# TODO(fabiog): these methods are still used because the scoping part is really
|
||||
# convoluted and difficult to separate out.
|
||||
|
||||
def get_limited_to(headers):
|
||||
"""Return the user and project the request should be limited to.
|
||||
|
||||
:param headers: HTTP headers dictionary
|
||||
:return: A tuple of (user, project), set to None if there's no limit on
|
||||
one of these.
|
||||
"""
|
||||
|
||||
init()
|
||||
|
||||
policy_dict = dict()
|
||||
policy_dict['roles'] = headers.get('X-Roles', "").split(",")
|
||||
policy_dict['user_id'] = (headers.get('X-User-Id'))
|
||||
policy_dict['project_id'] = (headers.get('X-Project-Id'))
|
||||
|
||||
# maintain backward compat with Juno and previous by using context_is_admin
|
||||
# rule if the segregation rule (added in Kilo) is not defined
|
||||
rule_name = 'segregation' if _has_rule(
|
||||
'segregation') else 'context_is_admin'
|
||||
if not _ENFORCER.enforce(rule_name,
|
||||
{},
|
||||
policy_dict):
|
||||
return headers.get('X-User-Id'), headers.get('X-Project-Id')
|
||||
|
||||
return None, None
|
||||
|
||||
|
||||
def get_limited_to_project(headers):
|
||||
"""Return the project the request should be limited to.
|
||||
|
||||
:param headers: HTTP headers dictionary
|
||||
:return: A project, or None if there's no limit on it.
|
||||
|
||||
"""
|
||||
return get_limited_to(headers)[1]
|
|
@ -1,53 +0,0 @@
|
|||
# Copyright 2016 Hewlett Packard Enterprise Development Company, L.P.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_middleware import cors
|
||||
from oslo_policy import opts as policy_opts
|
||||
|
||||
|
||||
def set_lib_defaults():
|
||||
"""Update default value for configuration options from other namespace.
|
||||
|
||||
Example, oslo lib config options. This is needed for
|
||||
config generator tool to pick these default value changes.
|
||||
https://docs.openstack.org/oslo.config/latest/cli/
|
||||
generator.html#modifying-defaults-from-other-namespaces
|
||||
"""
|
||||
set_cors_middleware_defaults()
|
||||
|
||||
# Update default value of oslo.policy policy_file config option.
|
||||
policy_opts.set_defaults(cfg.CONF, 'policy.yaml')
|
||||
|
||||
|
||||
def set_cors_middleware_defaults():
|
||||
"""Update default configuration options for oslo.middleware."""
|
||||
cors.set_defaults(
|
||||
allow_headers=['X-Auth-Token',
|
||||
'X-Identity-Status',
|
||||
'X-Roles',
|
||||
'X-Service-Catalog',
|
||||
'X-User-Id',
|
||||
'X-Tenant-Id',
|
||||
'X-Openstack-Request-Id'],
|
||||
expose_headers=['X-Auth-Token',
|
||||
'X-Subject-Token',
|
||||
'X-Service-Token',
|
||||
'X-Openstack-Request-Id'],
|
||||
allow_methods=['GET',
|
||||
'PUT',
|
||||
'POST',
|
||||
'DELETE',
|
||||
'PATCH']
|
||||
)
|
|
@ -1,20 +0,0 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
The default value of ``[oslo_policy] policy_file`` config option has
|
||||
been changed from ``policy.json`` to ``policy.yaml``.
|
||||
Operators who are utilizing customized or previously generated
|
||||
static policy JSON files (which are not needed by default), should
|
||||
generate new policy files or convert them in YAML format. Use the
|
||||
`oslopolicy-convert-json-to-yaml
|
||||
<https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html>`_
|
||||
tool to convert a JSON to YAML formatted policy file in
|
||||
backward compatible way.
|
||||
deprecations:
|
||||
- |
|
||||
Use of JSON policy files was deprecated by the ``oslo.policy`` library
|
||||
during the Victoria development cycle. As a result, this deprecation is
|
||||
being noted in the Wallaby cycle with an anticipated future removal of support
|
||||
by ``oslo.policy``. As such operators will need to convert to YAML policy
|
||||
files. Please see the upgrade notes for details on migration of any
|
||||
custom policy files.
|
|
@ -1,33 +0,0 @@
|
|||
# The order of packages is significant, because pip processes them in the order
|
||||
# of appearance. Changing the order has an impact on the overall integration
|
||||
# process, which may cause wedges in the gate later.
|
||||
|
||||
debtcollector>=1.2.0 # Apache-2.0
|
||||
tenacity>=3.1.0 # Apache-2.0
|
||||
keystonemiddleware>=5.1.0 # Apache-2.0
|
||||
lxml>=2.3 # BSD
|
||||
oslo.db>=4.1.0 # Apache-2.0
|
||||
oslo.config>=6.8.0 # Apache-2.0
|
||||
oslo.context>=2.22.0 # Apache-2.0
|
||||
oslo.i18n>=2.1.0 # Apache-2.0
|
||||
oslo.log>=4.3.0 # Apache-2.0
|
||||
oslo.policy>=3.6.0 # Apache-2.0
|
||||
oslo.reports>=0.6.0 # Apache-2.0
|
||||
Paste
|
||||
PasteDeploy>=1.5.0 # MIT
|
||||
pbr>=2.0.0 # Apache-2.0
|
||||
pecan>=1.0.0 # BSD
|
||||
oslo.middleware>=3.10.0 # Apache-2.0
|
||||
oslo.serialization>=2.25.0 # Apache-2.0
|
||||
oslo.utils>=3.5.0 # Apache-2.0
|
||||
PyYAML>=5.1.0 # MIT
|
||||
SQLAlchemy!=1.1.5,!=1.1.6,!=1.1.7,!=1.1.8,>=1.0.10 # MIT
|
||||
stevedore>=1.9.0 # Apache-2.0
|
||||
WebOb>=1.2.3 # MIT
|
||||
WSME>=0.8 # MIT
|
||||
alembic>=0.7.6,!=0.8.1,!=0.9.0
|
||||
# NOTE(jd) We do not import it directly, but WSME datetime string parsing
|
||||
# behaviour changes when this library is installed
|
||||
python-dateutil>=2.4.2 # BSD
|
||||
pymongo!=3.1 # Apache-2.0
|
||||
elasticsearch<3.0.0 # Apache-2.0
|
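--- a/setup.cfg
+++ b/setup.cfg
@@ -1,57 +0,0 @@
-[metadata]
-name = panko
-summary = Event storage publisher and API for Ceilometer
-description_file =
-README.rst
-author = OpenStack
-author_email = openstack-dev@lists.openstack.org
-home_page = https://docs.openstack.org/panko/latest/
-python_requires = >=3.6
-classifier =
-Environment :: OpenStack
-Intended Audience :: Information Technology
-Intended Audience :: System Administrators
-License :: OSI Approved :: Apache Software License
-Operating System :: POSIX :: Linux
-Programming Language :: Python
-Programming Language :: Python :: Implementation :: CPython
-Programming Language :: Python :: 3 :: Only
-Programming Language :: Python :: 3
-Programming Language :: Python :: 3.6
-Programming Language :: Python :: 3.7
-Programming Language :: Python :: 3.8
-Topic :: System :: Monitoring
-
-[files]
-packages =
-panko
-
-[entry_points]
-panko.storage =
-es = panko.storage.impl_elasticsearch:Connection
-log = panko.storage.impl_log:Connection
-mongodb = panko.storage.impl_mongodb:Connection
-mysql = panko.storage.impl_sqlalchemy:Connection
-postgresql = panko.storage.impl_sqlalchemy:Connection
-sqlite = panko.storage.impl_sqlalchemy:Connection
-hbase = panko.storage.impl_hbase:Connection
-
-console_scripts =
-panko-dbsync = panko.cmd.storage:dbsync
-panko-expirer = panko.cmd.storage:expirer
-
-wsgi_scripts =
-panko-api = panko.api.app:build_wsgi_app
-
-ceilometer.event.publisher =
-panko = panko.publisher.database:DatabasePublisher
-
-oslo.config.opts =
-panko = panko.opts:list_opts
-
-oslo.policy.policies =
-panko = panko.policies:list_policies
-
-oslo.config.opts.defaults =
-panko = panko.conf.defaults:set_lib_defaults
-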