* Added policy in code as per community goals [1] for vnf packages.
* Modified tox to generate policy sample json file.

[1]: https://governance.openstack.org/tc/goals/queens/policy-in-code.html

Partial-Implements: blueprint tosca-csar-mgmt-driver
Co-Author: Neha Alhat <neha.alhat@nttdata.com>
Co-Author: Bhagyashri Shewale <bhagyashri.shewale@nttdata.com>
Change-Id: I7cedbca4abe41223e3f8d6211a74b4347299e9e5
changes/97/675597/14
19 changed files with 303 additions and 35 deletions
@ -0,0 +1,9 @@
|
||||
=============== |
||||
Tacker Policies |
||||
=============== |
||||
|
||||
The following is an overview of all available policies in Tacker. |
||||
For a sample configuration file, refer to :doc:`/configuration/sample_policy`. |
||||
|
||||
.. show-policy:: |
||||
:config-file: etc/tacker-policy-generator.conf |
@ -0,0 +1,16 @@
|
||||
========================= |
||||
Sample Tacker Policy File |
||||
========================= |
||||
|
||||
The following is a sample tacker policy file for adaptation and use. |
||||
|
||||
The sample policy can also be viewed in :download:`file form |
||||
</_static/tacker.policy.yaml.sample>`. |
||||
|
||||
.. important:: |
||||
|
||||
The sample policy file is auto-generated from tacker when this documentation |
||||
is built. You must ensure your version of tacker matches the version of this |
||||
documentation. |
||||
|
||||
.. literalinclude:: /_static/tacker.policy.yaml.sample |
@ -0,0 +1,3 @@
|
||||
[DEFAULT] |
||||
output_file = etc/tacker/policy.yaml.sample |
||||
namespace = tacker |
@ -0,0 +1,7 @@
|
||||
Tacker |
||||
====== |
||||
|
||||
To generate the sample tacker policy.yaml file, run the following command from |
||||
the top level of the tacker directory: |
||||
|
||||
tox -egenpolicy |
@ -1,10 +0,0 @@
|
||||
{ |
||||
"context_is_admin": "role:admin", |
||||
"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s", |
||||
"admin_only": "rule:context_is_admin", |
||||
"regular_user": "", |
||||
"shared": "field:vims:shared=True", |
||||
"default": "rule:admin_or_owner", |
||||
|
||||
"get_vim": "rule:admin_or_owner or rule:shared" |
||||
} |
@ -0,0 +1,27 @@
|
||||
# Copyright (C) 2019 NTT DATA |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
|
||||
import itertools |
||||
|
||||
from tacker.policies import base |
||||
from tacker.policies import vnf_package |
||||
|
||||
|
||||
def list_rules(): |
||||
return itertools.chain( |
||||
base.list_rules(), |
||||
vnf_package.list_rules(), |
||||
) |
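Review bot: list_rules() has no docstring, and nothing in this file says that it is the single aggregation point for the in-code policy defaults. A policy module added later but not chained here would be silently absent from whatever consumes this list (presumably the enforcer registration and the `namespace = tacker` sample generator, neither of which is visible in this section), so its authorization defaults would not be the ones actually applied. I would add a docstring such as `"""Return an iterator over every in-code policy default; chain each new tacker.policies module here."""`.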
@ -0,0 +1,49 @@
|
||||
# Copyright (C) 2019 NTT DATA |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
from oslo_policy import policy |
||||
|
||||
TACKER_API = 'os_nfv_orchestration_api' |
||||
|
||||
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' |
||||
RULE_ADMIN_API = 'rule:admin_only' |
||||
RULE_ANY = '@' |
||||
|
||||
rules = [ |
||||
policy.RuleDefault( |
||||
"context_is_admin", |
||||
"role:admin", |
||||
"Decides what is required for the 'is_admin:True' check to succeed."), |
||||
policy.RuleDefault( |
||||
"admin_or_owner", |
||||
"is_admin:True or tenant_id:%(tenant_id)s", |
||||
"Default rule for most non-Admin APIs."), |
||||
policy.RuleDefault( |
||||
"admin_only", |
||||
"is_admin:True", |
||||
"Default rule for most Admin APIs."), |
||||
policy.RuleDefault( |
||||
"shared", |
||||
"field:vims:shared=True", |
||||
"Default rule for sharing vims."), |
||||
policy.RuleDefault( |
||||
"default", |
||||
"rule:admin_or_owner", |
||||
"Default rule for most non-Admin APIs.") |
||||
] |
||||
|
||||
|
||||
def list_rules(): |
||||
return rules |
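Review bot: The `rules` list drops two entries that the removed policy.json carried, `regular_user` and `get_vim` (`rule:admin_or_owner or rule:shared`), while keeping `shared`, which nothing in the visible files references. Unless `get_vim` is registered in one of the changed files not shown here, a get_vim check would either fall back to `default` (admin or owner only) or fail as unregistered, so read access to shared VIMs changes for deployments that relied on the old default; confirm this is intended or add `policy.RuleDefault("get_vim", "rule:admin_or_owner or rule:shared", "Show a vim.")`. Separately, `default` reuses the description of `admin_or_owner`; something like `"Fallback rule applied when a requested policy is not defined."` would read better in the generated sample. `RULE_ANY = '@'` always passes, and a one-line comment saying so (`# '@' matches every request; use only for deliberately public APIs.`) would help reviewers notice when it is used as a check_str.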
@ -0,0 +1,91 @@
|
||||
# Copyright (C) 2019 NTT DATA |
||||
# All Rights Reserved. |
||||
# |
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
||||
# not use this file except in compliance with the License. You may obtain |
||||
# a copy of the License at |
||||
# |
||||
# http://www.apache.org/licenses/LICENSE-2.0 |
||||
# |
||||
# Unless required by applicable law or agreed to in writing, software |
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
||||
# License for the specific language governing permissions and limitations |
||||
# under the License. |
||||
|
||||
|
||||
from oslo_policy import policy |
||||
|
||||
from tacker.policies import base |
||||
|
||||
|
||||
VNFPKGM = 'os_nfv_orchestration_api:vnf_packages:%s' |
||||
|
||||
rules = [ |
||||
policy.DocumentedRuleDefault( |
||||
name=VNFPKGM % 'create', |
||||
check_str=base.RULE_ADMIN_OR_OWNER, |
||||
description="Creates a vnf package.", |
||||
operations=[ |
||||
{ |
||||
'method': 'POST', |
||||
'path': '/vnf_packages' |
||||
} |
||||
]), |
||||
policy.DocumentedRuleDefault( |
||||
name=VNFPKGM % 'show', |
||||
check_str=base.RULE_ADMIN_OR_OWNER, |
||||
description="Show a vnf package.", |
||||
operations=[ |
||||
{ |
||||
'method': 'GET', |
||||
'path': '/vnf_packages/{vnf_package_id}' |
||||
} |
||||
]), |
||||
policy.DocumentedRuleDefault( |
||||
name=VNFPKGM % 'index', |
||||
check_str=base.RULE_ADMIN_OR_OWNER, |
||||
description="List all vnf packages.", |
||||
operations=[ |
||||
{ |
||||
'method': 'GET', |
||||
'path': '/vnf_packages/' |
||||
} |
||||
]), |
||||
policy.DocumentedRuleDefault( |
||||
name=VNFPKGM % 'delete', |
||||
check_str=base.RULE_ADMIN_OR_OWNER, |
||||
description="Delete a vnf package.", |
||||
operations=[ |
||||
{ |
||||
'method': 'DELETE', |
||||
'path': '/vnf_packages/{vnf_package_id}' |
||||
} |
||||
]), |
||||
policy.DocumentedRuleDefault( |
||||
name=VNFPKGM % 'upload_package_content', |
||||
check_str=base.RULE_ADMIN_OR_OWNER, |
||||
description="upload a vnf package content.", |
||||
operations=[ |
||||
{ |
||||
'method': 'PUT', |
||||
'path': '/vnf_packages/{vnf_package_id}/' |
||||
'package_content' |
||||
} |
||||
]), |
||||
policy.DocumentedRuleDefault( |
||||
name=VNFPKGM % 'upload_from_uri', |
||||
check_str=base.RULE_ADMIN_OR_OWNER, |
||||
description="upload a vnf package content from uri.", |
||||
operations=[ |
||||
{ |
||||
'method': 'POST', |
||||
'path': '/vnf_packages/{vnf_package_id}/package_content/' |
||||
'upload_from_uri' |
||||
} |
||||
]), |
||||
] |
||||
|
||||
|
||||
def list_rules(): |
||||
return rules |
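Review bot: Every rule in this list, including `create` and `index`, uses `base.RULE_ADMIN_OR_OWNER`, whose owner half is `tenant_id:%(tenant_id)s` and is only as strong as the target dict the API layer hands to the enforcer. For `show`, `delete`, `upload_package_content` and `upload_from_uri` the target has to carry the stored package's tenant_id; if the controller (not visible in this section) builds the target from the request context instead, the check always passes and gives no cross-tenant isolation. A comment above `rules` stating that expectation, e.g. `# Owner checks need target['tenant_id'] of the stored vnf package, not the caller's.`, would make it reviewable. `upload_from_uri` presumably makes the server fetch a caller-supplied URI, so a tighter default than admin_or_owner may be worth considering for it. The `index` path `/vnf_packages/` also has a trailing slash that the `create` path lacks, and the last two descriptions start in lower case unlike the others.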