Making policy namespaces more unique

This adds "data-processing:" to the beginning of all namespaces for sahara's policy based actions. This will help ensure that we minimize the possibility for name collisions in unified policy files. * change policy names in policy.json * change policy names in v10 and v11 api functions * change policy tests to reflect newer names (not strictly necessary but added for consistency) Change-Id: Ieef8c8de25764197a2ed59ba9f71c37fc62a75ca Closes-Bug: 1460196
2015-05-29 15:47:11 -04:00 · 2015-05-29 15:47:11 -04:00 · 8636c71e1a
parent 4c048161e0
commit 8636c71e1a
4 changed files with 106 additions and 106 deletions
--- a/etc/sahara/policy.json
+++ b/etc/sahara/policy.json
@ -2,65 +2,65 @@
    "context_is_admin": "role:admin",
    "default": "",

-    "clusters:get_all": "",
-    "clusters:create": "",
-    "clusters:scale": "",
-    "clusters:get": "",
-    "clusters:delete": "",
+    "data-processing:clusters:get_all": "",
+    "data-processing:clusters:create": "",
+    "data-processing:clusters:scale": "",
+    "data-processing:clusters:get": "",
+    "data-processing:clusters:delete": "",

-    "cluster-templates:get_all": "",
-    "cluster-templates:create": "",
-    "cluster-templates:get": "",
-    "cluster-templates:modify": "",
-    "cluster-templates:delete": "",
+    "data-processing:cluster-templates:get_all": "",
+    "data-processing:cluster-templates:create": "",
+    "data-processing:cluster-templates:get": "",
+    "data-processing:cluster-templates:modify": "",
+    "data-processing:cluster-templates:delete": "",

-    "node-group-templates:get_all": "",
-    "node-group-templates:create": "",
-    "node-group-templates:get": "",
-    "node-group-templates:modify": "",
-    "node-group-templates:delete": "",
+    "data-processing:node-group-templates:get_all": "",
+    "data-processing:node-group-templates:create": "",
+    "data-processing:node-group-templates:get": "",
+    "data-processing:node-group-templates:modify": "",
+    "data-processing:node-group-templates:delete": "",

-    "plugins:get_all": "",
-    "plugins:get": "",
-    "plugins:get_version": "",
-    "plugins:convert_config": "",
+    "data-processing:plugins:get_all": "",
+    "data-processing:plugins:get": "",
+    "data-processing:plugins:get_version": "",
+    "data-processing:plugins:convert_config": "",

-    "images:get_all": "",
-    "images:get": "",
-    "images:register": "",
-    "images:unregister": "",
-    "images:add_tags": "",
-    "images:remove_tags": "",
+    "data-processing:images:get_all": "",
+    "data-processing:images:get": "",
+    "data-processing:images:register": "",
+    "data-processing:images:unregister": "",
+    "data-processing:images:add_tags": "",
+    "data-processing:images:remove_tags": "",

-    "job-executions:get_all": "",
-    "job-executions:get": "",
-    "job-executions:refresh_status": "",
-    "job-executions:cancel": "",
-    "job-executions:delete": "",
+    "data-processing:job-executions:get_all": "",
+    "data-processing:job-executions:get": "",
+    "data-processing:job-executions:refresh_status": "",
+    "data-processing:job-executions:cancel": "",
+    "data-processing:job-executions:delete": "",

-    "data-sources:get_all": "",
-    "data-sources:get": "",
-    "data-sources:register": "",
-    "data-sources:delete": "",
+    "data-processing:data-sources:get_all": "",
+    "data-processing:data-sources:get": "",
+    "data-processing:data-sources:register": "",
+    "data-processing:data-sources:delete": "",

-    "jobs:get_all": "",
-    "jobs:create": "",
-    "jobs:get": "",
-    "jobs:delete": "",
-    "jobs:get_config_hints": "",
-    "jobs:execute": "",
+    "data-processing:jobs:get_all": "",
+    "data-processing:jobs:create": "",
+    "data-processing:jobs:get": "",
+    "data-processing:jobs:delete": "",
+    "data-processing:jobs:get_config_hints": "",
+    "data-processing:jobs:execute": "",

-    "job-binaries:get_all": "",
-    "job-binaries:create": "",
-    "job-binaries:get": "",
-    "job-binaries:delete": "",
-    "job-binaries:get_data": "",
+    "data-processing:job-binaries:get_all": "",
+    "data-processing:job-binaries:create": "",
+    "data-processing:job-binaries:get": "",
+    "data-processing:job-binaries:delete": "",
+    "data-processing:job-binaries:get_data": "",

-    "job-binary-internals:get_all": "",
-    "job-binary-internals:create": "",
-    "job-binary-internals:get": "",
-    "job-binary-internals:delete": "",
-    "job-binary-internals:get_data": "",
+    "data-processing:job-binary-internals:get_all": "",
+    "data-processing:job-binary-internals:create": "",
+    "data-processing:job-binary-internals:get": "",
+    "data-processing:job-binary-internals:delete": "",
+    "data-processing:job-binary-internals:get_data": "",

-    "job-types:get_all": ""
+    "data-processing:job-types:get_all": ""
 }
--- a/sahara/api/v10.py
+++ b/sahara/api/v10.py
@ -37,21 +37,21 @@ rest = u.Rest('v10', __name__)
 # Cluster ops

@rest.get('/clusters')
-@acl.enforce("clusters:get_all")
+@acl.enforce("data-processing:clusters:get_all")
 def clusters_list():
    return u.render(clusters=[c.to_dict() for c in api.get_clusters(
        **u.get_request_args().to_dict())])


@rest.post('/clusters')
-@acl.enforce("clusters:create")
+@acl.enforce("data-processing:clusters:create")
@v.validate(v_c.CLUSTER_SCHEMA, v_c.check_cluster_create)
 def clusters_create(data):
    return u.render(api.create_cluster(data).to_wrapped_dict())


@rest.put('/clusters/<cluster_id>')
-@acl.enforce("clusters:scale")
+@acl.enforce("data-processing:clusters:scale")
@v.check_exists(api.get_cluster, 'cluster_id')
@v.validate(v_c_s.CLUSTER_SCALING_SCHEMA, v_c_s.check_cluster_scaling)
 def clusters_scale(cluster_id, data):
@ -59,7 +59,7 @@ def clusters_scale(cluster_id, data):


@rest.get('/clusters/<cluster_id>')
-@acl.enforce("clusters:get")
+@acl.enforce("data-processing:clusters:get")
@v.check_exists(api.get_cluster, 'cluster_id')
 def clusters_get(cluster_id):
    data = u.get_request_args()
@ -68,7 +68,7 @@ def clusters_get(cluster_id):


@rest.delete('/clusters/<cluster_id>')
-@acl.enforce("clusters:delete")
+@acl.enforce("data-processing:clusters:delete")
@v.check_exists(api.get_cluster, 'cluster_id')
 def clusters_delete(cluster_id):
    api.terminate_cluster(cluster_id)
@ -78,7 +78,7 @@ def clusters_delete(cluster_id):
 # ClusterTemplate ops

@rest.get('/cluster-templates')
-@acl.enforce("cluster-templates:get_all")
+@acl.enforce("data-processing:cluster-templates:get_all")
 def cluster_templates_list():
    return u.render(
        cluster_templates=[t.to_dict() for t in api.get_cluster_templates(
@ -86,7 +86,7 @@ def cluster_templates_list():


@rest.post('/cluster-templates')
-@acl.enforce("cluster-templates:create")
+@acl.enforce("data-processing:cluster-templates:create")
@v.validate(ct_schema.CLUSTER_TEMPLATE_SCHEMA,
            v_ct.check_cluster_template_create)
 def cluster_templates_create(data):
@ -94,7 +94,7 @@ def cluster_templates_create(data):


@rest.get('/cluster-templates/<cluster_template_id>')
-@acl.enforce("cluster-templates:get")
+@acl.enforce("data-processing:cluster-templates:get")
@v.check_exists(api.get_cluster_template, 'cluster_template_id')
 def cluster_templates_get(cluster_template_id):
    return u.render(
@ -102,7 +102,7 @@ def cluster_templates_get(cluster_template_id):


@rest.put('/cluster-templates/<cluster_template_id>')
-@acl.enforce("cluster-templates:modify")
+@acl.enforce("data-processing:cluster-templates:modify")
@v.check_exists(api.get_cluster_template, 'cluster_template_id')
@v.validate(ct_schema.CLUSTER_TEMPLATE_UPDATE_SCHEMA,
            v_ct.check_cluster_template_update)
@ -113,7 +113,7 @@ def cluster_templates_update(cluster_template_id, data):


@rest.delete('/cluster-templates/<cluster_template_id>')
-@acl.enforce("cluster-templates:delete")
+@acl.enforce("data-processing:cluster-templates:delete")
@v.check_exists(api.get_cluster_template, 'cluster_template_id')
@v.validate(None, v_ct.check_cluster_template_usage)
 def cluster_templates_delete(cluster_template_id):
@ -124,7 +124,7 @@ def cluster_templates_delete(cluster_template_id):
 # NodeGroupTemplate ops

@rest.get('/node-group-templates')
-@acl.enforce("node-group-templates:get_all")
+@acl.enforce("data-processing:node-group-templates:get_all")
 def node_group_templates_list():
    return u.render(
        node_group_templates=[t.to_dict()
@ -133,7 +133,7 @@ def node_group_templates_list():


@rest.post('/node-group-templates')
-@acl.enforce("node-group-templates:create")
+@acl.enforce("data-processing:node-group-templates:create")
@v.validate(ngt_schema.NODE_GROUP_TEMPLATE_SCHEMA,
            v_ngt.check_node_group_template_create)
 def node_group_templates_create(data):
@ -141,7 +141,7 @@ def node_group_templates_create(data):


@rest.get('/node-group-templates/<node_group_template_id>')
-@acl.enforce("node-group-templates:get")
+@acl.enforce("data-processing:node-group-templates:get")
@v.check_exists(api.get_node_group_template, 'node_group_template_id')
 def node_group_templates_get(node_group_template_id):
    return u.render(
@ -149,7 +149,7 @@ def node_group_templates_get(node_group_template_id):


@rest.put('/node-group-templates/<node_group_template_id>')
-@acl.enforce("node-group-templates:modify")
+@acl.enforce("data-processing:node-group-templates:modify")
@v.check_exists(api.get_node_group_template, 'node_group_template_id')
@v.validate(ngt_schema.NODE_GROUP_TEMPLATE_UPDATE_SCHEMA,
            v_ngt.check_node_group_template_update)
@ -160,7 +160,7 @@ def node_group_templates_update(node_group_template_id, data):


@rest.delete('/node-group-templates/<node_group_template_id>')
-@acl.enforce("node-group-templates:delete")
+@acl.enforce("data-processing:node-group-templates:delete")
@v.check_exists(api.get_node_group_template, 'node_group_template_id')
@v.validate(None, v_ngt.check_node_group_template_usage)
 def node_group_templates_delete(node_group_template_id):
@ -171,27 +171,27 @@ def node_group_templates_delete(node_group_template_id):
 # Plugins ops

@rest.get('/plugins')
-@acl.enforce("plugins:get_all")
+@acl.enforce("data-processing:plugins:get_all")
 def plugins_list():
    return u.render(plugins=[p.dict for p in api.get_plugins()])


@rest.get('/plugins/<plugin_name>')
-@acl.enforce("plugins:get")
+@acl.enforce("data-processing:plugins:get")
@v.check_exists(api.get_plugin, plugin_name='plugin_name')
 def plugins_get(plugin_name):
    return u.render(api.get_plugin(plugin_name).wrapped_dict)


@rest.get('/plugins/<plugin_name>/<version>')
-@acl.enforce("plugins:get_version")
+@acl.enforce("data-processing:plugins:get_version")
@v.check_exists(api.get_plugin, plugin_name='plugin_name', version='version')
 def plugins_get_version(plugin_name, version):
    return u.render(api.get_plugin(plugin_name, version).wrapped_dict)


@rest.post_file('/plugins/<plugin_name>/<version>/convert-config/<name>')
-@acl.enforce("plugins:convert_config")
+@acl.enforce("data-processing:plugins:convert_config")
@v.check_exists(api.get_plugin, plugin_name='plugin_name', version='version')
@v.validate(v_p.CONVERT_TO_TEMPLATE_SCHEMA, v_p.check_convert_to_template)
 def plugins_convert_to_cluster_template(plugin_name, version, name, data):
@ -204,7 +204,7 @@ def plugins_convert_to_cluster_template(plugin_name, version, name, data):
 # Image Registry ops

@rest.get('/images')
-@acl.enforce("images:get_all")
+@acl.enforce("data-processing:images:get_all")
 def images_list():
    tags = u.get_request_args().getlist('tags')
    name = u.get_request_args().get('name', None)
@ -212,14 +212,14 @@ def images_list():


@rest.get('/images/<image_id>')
-@acl.enforce("images:get")
+@acl.enforce("data-processing:images:get")
@v.check_exists(api.get_image, id='image_id')
 def images_get(image_id):
    return u.render(api.get_registered_image(id=image_id).wrapped_dict)


@rest.post('/images/<image_id>')
-@acl.enforce("images:register")
+@acl.enforce("data-processing:images:register")
@v.check_exists(api.get_image, id='image_id')
@v.validate(v_images.image_register_schema, v_images.check_image_register)
 def images_set(image_id, data):
@ -227,7 +227,7 @@ def images_set(image_id, data):


@rest.delete('/images/<image_id>')
-@acl.enforce("images:unregister")
+@acl.enforce("data-processing:images:unregister")
@v.check_exists(api.get_image, id='image_id')
 def images_unset(image_id):
    api.unregister_image(image_id)
@ -235,7 +235,7 @@ def images_unset(image_id):


@rest.post('/images/<image_id>/tag')
-@acl.enforce("images:add_tags")
+@acl.enforce("data-processing:images:add_tags")
@v.check_exists(api.get_image, id='image_id')
@v.validate(v_images.image_tags_schema, v_images.check_tags)
 def image_tags_add(image_id, data):
@ -243,7 +243,7 @@ def image_tags_add(image_id, data):


@rest.post('/images/<image_id>/untag')
-@acl.enforce("images:remove_tags")
+@acl.enforce("data-processing:images:remove_tags")
@v.check_exists(api.get_image, id='image_id')
@v.validate(v_images.image_tags_schema)
 def image_tags_delete(image_id, data):
--- a/sahara/api/v11.py
+++ b/sahara/api/v11.py
@ -34,7 +34,7 @@ rest = u.Rest('v11', __name__)
 # Job execution ops

@rest.get('/job-executions')
-@acl.enforce("job-executions:get_all")
+@acl.enforce("data-processing:job-executions:get_all")
 def job_executions_list():
    job_executions = [je.to_dict() for je in api.job_execution_list(
        **u.get_request_args().to_dict())]
@ -42,7 +42,7 @@ def job_executions_list():


@rest.get('/job-executions/<job_execution_id>')
-@acl.enforce("job-executions:get")
+@acl.enforce("data-processing:job-executions:get")
@v.check_exists(api.get_job_execution, id='job_execution_id')
 def job_executions(job_execution_id):
    job_execution = api.get_job_execution(job_execution_id)
@ -50,7 +50,7 @@ def job_executions(job_execution_id):


@rest.get('/job-executions/<job_execution_id>/refresh-status')
-@acl.enforce("job-executions:refresh_status")
+@acl.enforce("data-processing:job-executions:refresh_status")
@v.check_exists(api.get_job_execution, id='job_execution_id')
 def job_executions_status(job_execution_id):
    job_execution = api.get_job_execution_status(job_execution_id)
@ -58,7 +58,7 @@ def job_executions_status(job_execution_id):


@rest.get('/job-executions/<job_execution_id>/cancel')
-@acl.enforce("job-executions:cancel")
+@acl.enforce("data-processing:job-executions:cancel")
@v.check_exists(api.get_job_execution, id='job_execution_id')
 def job_executions_cancel(job_execution_id):
    job_execution = api.cancel_job_execution(job_execution_id)
@ -66,7 +66,7 @@ def job_executions_cancel(job_execution_id):


@rest.delete('/job-executions/<job_execution_id>')
-@acl.enforce("job-executions:delete")
+@acl.enforce("data-processing:job-executions:delete")
@v.check_exists(api.get_job_execution, id='job_execution_id')
 def job_executions_delete(job_execution_id):
    api.delete_job_execution(job_execution_id)
@ -76,7 +76,7 @@ def job_executions_delete(job_execution_id):
 # Data source ops

@rest.get('/data-sources')
-@acl.enforce("data-sources:get_all")
+@acl.enforce("data-processing:data-sources:get_all")
 def data_sources_list():
    return u.render(
        data_sources=[ds.to_dict() for ds in api.get_data_sources(
@ -84,21 +84,21 @@ def data_sources_list():


@rest.post('/data-sources')
-@acl.enforce("data-sources:register")
+@acl.enforce("data-processing:data-sources:register")
@v.validate(v_d_s.DATA_SOURCE_SCHEMA, v_d_s.check_data_source_create)
 def data_source_register(data):
    return u.render(api.register_data_source(data).to_wrapped_dict())


@rest.get('/data-sources/<data_source_id>')
-@acl.enforce("data-sources:get")
+@acl.enforce("data-processing:data-sources:get")
@v.check_exists(api.get_data_source, 'data_source_id')
 def data_source_get(data_source_id):
    return u.render(api.get_data_source(data_source_id).to_wrapped_dict())


@rest.delete('/data-sources/<data_source_id>')
-@acl.enforce("data-sources:delete")
+@acl.enforce("data-processing:data-sources:delete")
@v.check_exists(api.get_data_source, 'data_source_id')
 def data_source_delete(data_source_id):
    api.delete_data_source(data_source_id)
@ -108,28 +108,28 @@ def data_source_delete(data_source_id):
 # Job ops

@rest.get('/jobs')
-@acl.enforce("jobs:get_all")
+@acl.enforce("data-processing:jobs:get_all")
 def job_list():
    return u.render(jobs=[j.to_dict() for j in api.get_jobs(
        **u.get_request_args().to_dict())])


@rest.post('/jobs')
-@acl.enforce("jobs:create")
+@acl.enforce("data-processing:jobs:create")
@v.validate(v_j.JOB_SCHEMA, v_j.check_mains_libs)
 def job_create(data):
    return u.render(api.create_job(data).to_wrapped_dict())


@rest.get('/jobs/<job_id>')
-@acl.enforce("jobs:get")
+@acl.enforce("data-processing:jobs:get")
@v.check_exists(api.get_job, id='job_id')
 def job_get(job_id):
    return u.render(api.get_job(job_id).to_wrapped_dict())


@rest.delete('/jobs/<job_id>')
-@acl.enforce("jobs:delete")
+@acl.enforce("data-processing:jobs:delete")
@v.check_exists(api.get_job, id='job_id')
 def job_delete(job_id):
    api.delete_job(job_id)
@ -137,7 +137,7 @@ def job_delete(job_id):


@rest.post('/jobs/<job_id>/execute')
-@acl.enforce("jobs:execute")
+@acl.enforce("data-processing:jobs:execute")
@v.check_exists(api.get_job, id='job_id')
@v.validate(v_j_e.JOB_EXEC_SCHEMA, v_j_e.check_job_execution)
 def job_execute(job_id, data):
@ -145,14 +145,14 @@ def job_execute(job_id, data):


@rest.get('/jobs/config-hints/<job_type>')
-@acl.enforce("jobs:get_config_hints")
+@acl.enforce("data-processing:jobs:get_config_hints")
@v.check_exists(api.get_job_config_hints, job_type='job_type')
 def job_config_hints_get(job_type):
    return u.render(api.get_job_config_hints(job_type))


@rest.get('/job-types')
-@acl.enforce("job-types:get_all")
+@acl.enforce("data-processing:job-types:get_all")
 def job_types_get():
    # We want to use flat=False with to_dict() so that
    # the value of each arg is given as a list. This supports
@ -164,28 +164,28 @@ def job_types_get():


@rest.post('/job-binaries')
-@acl.enforce("job-binaries:create")
+@acl.enforce("data-processing:job-binaries:create")
@v.validate(v_j_b.JOB_BINARY_SCHEMA, v_j_b.check_job_binary)
 def job_binary_create(data):
    return u.render(api.create_job_binary(data).to_wrapped_dict())


@rest.get('/job-binaries')
-@acl.enforce("job-binaries:get_all")
+@acl.enforce("data-processing:job-binaries:get_all")
 def job_binary_list():
    return u.render(binaries=[j.to_dict() for j in api.get_job_binaries(
        **u.get_request_args().to_dict())])


@rest.get('/job-binaries/<job_binary_id>')
-@acl.enforce("job-binaries:get")
+@acl.enforce("data-processing:job-binaries:get")
@v.check_exists(api.get_job_binary, 'job_binary_id')
 def job_binary_get(job_binary_id):
    return u.render(api.get_job_binary(job_binary_id).to_wrapped_dict())


@rest.delete('/job-binaries/<job_binary_id>')
-@acl.enforce("job-binaries:delete")
+@acl.enforce("data-processing:job-binaries:delete")
@v.check_exists(api.get_job_binary, id='job_binary_id')
 def job_binary_delete(job_binary_id):
    api.delete_job_binary(job_binary_id)
@ -193,7 +193,7 @@ def job_binary_delete(job_binary_id):


@rest.get('/job-binaries/<job_binary_id>/data')
-@acl.enforce("job-binaries:get_data")
+@acl.enforce("data-processing:job-binaries:get_data")
@v.check_exists(api.get_job_binary, 'job_binary_id')
 def job_binary_data(job_binary_id):
    data = api.get_job_binary_data(job_binary_id)
@ -205,14 +205,14 @@ def job_binary_data(job_binary_id):
 # Job binary internals ops

@rest.put_file('/job-binary-internals/<name>')
-@acl.enforce("job-binary-internals:create")
+@acl.enforce("data-processing:job-binary-internals:create")
@v.validate(None, v_j_b_i.check_job_binary_internal)
 def job_binary_internal_create(**values):
    return u.render(api.create_job_binary_internal(values).to_wrapped_dict())


@rest.get('/job-binary-internals')
-@acl.enforce("job-binary-internals:get_all")
+@acl.enforce("data-processing:job-binary-internals:get_all")
 def job_binary_internal_list():
    return u.render(binaries=[j.to_dict() for j in
                              api.get_job_binary_internals(
@ -220,7 +220,7 @@ def job_binary_internal_list():


@rest.get('/job-binary-internals/<job_binary_internal_id>')
-@acl.enforce("job-binary-internals:get")
+@acl.enforce("data-processing:job-binary-internals:get")
@v.check_exists(api.get_job_binary_internal, 'job_binary_internal_id')
 def job_binary_internal_get(job_binary_internal_id):
    return u.render(api.get_job_binary_internal(job_binary_internal_id
@ -228,7 +228,7 @@ def job_binary_internal_get(job_binary_internal_id):


@rest.delete('/job-binary-internals/<job_binary_internal_id>')
-@acl.enforce("job-binary-internals:delete")
+@acl.enforce("data-processing:job-binary-internals:delete")
@v.check_exists(api.get_job_binary_internal, 'job_binary_internal_id')
 def job_binary_internal_delete(job_binary_internal_id):
    api.delete_job_binary_internal(job_binary_internal_id)
@ -236,7 +236,7 @@ def job_binary_internal_delete(job_binary_internal_id):


@rest.get('/job-binary-internals/<job_binary_internal_id>/data')
-@acl.enforce("job-binary-internals:get_data")
+@acl.enforce("data-processing:job-binary-internals:get_data")
@v.check_exists(api.get_job_binary_internal, 'job_binary_internal_id')
 def job_binary_internal_data(job_binary_internal_id):
    return api.get_job_binary_internal_data(job_binary_internal_id)
--- a/sahara/tests/unit/api/test_acl.py
+++ b/sahara/tests/unit/api/test_acl.py
@ -28,21 +28,21 @@ class TestAcl(base.SaharaTestCase):
        acl.ENFORCER.set_rules(rules, use_conf=False)

    def test_policy_allow(self):
-        @acl.enforce("clusters:get_all")
+        @acl.enforce("data-processing:clusters:get_all")
        def test():
            pass

-        json = '{"clusters:get_all": ""}'
+        json = '{"data-processing:clusters:get_all": ""}'
        self._set_policy(json)

        test()

    def test_policy_deny(self):
-        @acl.enforce("clusters:get_all")
+        @acl.enforce("data-processing:clusters:get_all")
        def test():
            pass

-        json = '{"clusters:get_all": "!"}'
+        json = '{"data-processing:clusters:get_all": "!"}'
        self._set_policy(json)

        self.assertRaises(ex.Forbidden, test)