policy: Add defaults in code (part 1)
Adds default values for policy rules in code and removes them from etc/policy.json file. The change is validated by the nova.tests.unit.test_policy unit tests. Adds default policy rules in policy_fixture. The policy_fixture is currently loading an incomplete set of policy rules (from policy.json or fake_policy), resulting in unit tests running with an incomplete set of policy rules. Co-Authored-By: Andrew Laski <andrew@lascii.com> Partially-Implements: bp policy-in-code Change-Id: I7a7dc2a111d536380a763169320a0820b0715a11
This commit is contained in:
Claudiu Belu
parent
fe0a103809
commit
355749b97c
56
nova/policies/aggregates.py
Normal file
56
nova/policies/aggregates.py
Normal file
@ -0,0 +1,56 @@
|
|||||||
|
# Copyright 2016 Cloudbase Solutions Srl
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from nova.policies import base
|
||||||
|
|
||||||
|
|
||||||
|
POLICY_ROOT = 'os_compute_api:os-aggregates:%s'
|
||||||
|
|
||||||
|
|
||||||
|
aggregates_policies = [
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=POLICY_ROOT % 'set_metadata',
|
||||||
|
check_str=base.RULE_ADMIN_API),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=POLICY_ROOT % 'add_host',
|
||||||
|
check_str=base.RULE_ADMIN_API),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=POLICY_ROOT % 'discoverable',
|
||||||
|
check_str=base.RULE_ANY),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=POLICY_ROOT % 'create',
|
||||||
|
check_str=base.RULE_ADMIN_API),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=POLICY_ROOT % 'remove_host',
|
||||||
|
check_str=base.RULE_ADMIN_API),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=POLICY_ROOT % 'update',
|
||||||
|
check_str=base.RULE_ADMIN_API),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=POLICY_ROOT % 'index',
|
||||||
|
check_str=base.RULE_ADMIN_API),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=POLICY_ROOT % 'delete',
|
||||||
|
check_str=base.RULE_ADMIN_API),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name=POLICY_ROOT % 'show',
|
||||||
|
check_str=base.RULE_ADMIN_API),
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return aggregates_policies
|
||||||
@ -21,6 +21,7 @@ import six
|
|||||||
|
|
||||||
import nova.conf
|
import nova.conf
|
||||||
from nova.conf import paths
|
from nova.conf import paths
|
||||||
|
from nova import policies
|
||||||
import nova.policy
|
import nova.policy
|
||||||
from nova.tests.unit import fake_policy
|
from nova.tests.unit import fake_policy
|
||||||
|
|
||||||
@ -57,6 +58,18 @@ class RealPolicyFixture(fixtures.Fixture):
|
|||||||
policy = nova.policy._ENFORCER
|
policy = nova.policy._ENFORCER
|
||||||
policy.set_rules(oslo_policy.Rules.from_dict(rules))
|
policy.set_rules(oslo_policy.Rules.from_dict(rules))
|
||||||
|
|
||||||
|
def add_missing_default_rules(self, rules):
|
||||||
|
"""Adds default rules and their values to the given rules dict.
|
||||||
|
|
||||||
|
The given rulen dict may have an incomplete set of policy rules.
|
||||||
|
This method will add the default policy rules and their values to
|
||||||
|
the dict. It will not override the existing rules.
|
||||||
|
"""
|
||||||
|
|
||||||
|
for rule in policies.list_rules():
|
||||||
|
if rule.name not in rules:
|
||||||
|
rules[rule.name] = rule.check_str
|
||||||
|
|
||||||
|
|
||||||
class PolicyFixture(RealPolicyFixture):
|
class PolicyFixture(RealPolicyFixture):
|
||||||
"""Load a fake policy from nova.tests.unit.fake_policy
|
"""Load a fake policy from nova.tests.unit.fake_policy
|
||||||
@ -77,8 +90,12 @@ class PolicyFixture(RealPolicyFixture):
|
|||||||
self.policy_dir = self.useFixture(fixtures.TempDir())
|
self.policy_dir = self.useFixture(fixtures.TempDir())
|
||||||
self.policy_file = os.path.join(self.policy_dir.path,
|
self.policy_file = os.path.join(self.policy_dir.path,
|
||||||
'policy.json')
|
'policy.json')
|
||||||
|
|
||||||
|
# load the fake_policy data and add the missing default rules.
|
||||||
|
policy_rules = jsonutils.loads(fake_policy.policy_data)
|
||||||
|
self.add_missing_default_rules(policy_rules)
|
||||||
with open(self.policy_file, 'w') as f:
|
with open(self.policy_file, 'w') as f:
|
||||||
f.write(fake_policy.policy_data)
|
jsonutils.dump(policy_rules, f)
|
||||||
CONF.set_override('policy_dirs', [], group='oslo_policy')
|
CONF.set_override('policy_dirs', [], group='oslo_policy')
|
||||||
|
|
||||||
|
|
||||||
@ -103,6 +120,7 @@ class RoleBasedPolicyFixture(RealPolicyFixture):
|
|||||||
with open(CONF.oslo_policy.policy_file) as fp:
|
with open(CONF.oslo_policy.policy_file) as fp:
|
||||||
policy = fp.read()
|
policy = fp.read()
|
||||||
policy = jsonutils.loads(policy)
|
policy = jsonutils.loads(policy)
|
||||||
|
self.add_missing_default_rules(policy)
|
||||||
|
|
||||||
# Convert all actions to require specified role
|
# Convert all actions to require specified role
|
||||||
for action, rule in six.iteritems(policy):
|
for action, rule in six.iteritems(policy):
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user