diff --git a/.gitignore b/.gitignore
index 26c75d8c..fa5f3239 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,6 +34,7 @@ nosetests.xml
 .mr.developer.cfg
 .project
 .pydevproject
+.idea
 # Complexity
 output/*.html
diff --git a/etc/policy-generator.conf b/etc/policy-generator.conf
new file mode 100644
index 00000000..040ca211
--- /dev/null
+++ b/etc/policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/tricircle-policy.yaml.sample
+namespace = tricircle
diff --git a/setup.cfg b/setup.cfg
index 3bbff1f9..f59343c4 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -57,6 +57,8 @@ oslo.config.opts =
 tricircle.db = tricircle.db.opts:list_opts
 tricircle.network = tricircle.network.opts:list_opts
 tricircle.xjob = tricircle.xjob.opts:list_opts
+oslo.policy.policies =
+ tricircle = tricircle.common.policy:list_policies
 tricircle.network.type_drivers =
 local = tricircle.network.drivers.type_local:LocalTypeDriver
 vlan = tricircle.network.drivers.type_vlan:VLANTypeDriver
diff --git a/tox.ini b/tox.ini
index 392ff650..3649cb71 100644
--- a/tox.ini
+++ b/tox.ini
@@ -42,6 +42,11 @@ deps =
 commands = oslo-config-generator --config-file=etc/api-cfg-gen.conf
 oslo-config-generator --config-file=etc/xjob-cfg-gen.conf
+[testenv:genpolicy]
+deps =
+ -r{toxinidir}/test-requirements.txt
+commands = oslopolicy-sample-generator --config-file=etc/policy-generator.conf
+
 [testenv:docs]
 deps =
 -r{toxinidir}/test-requirements.txt
diff --git a/tricircle/common/policy.py b/tricircle/common/policy.py
index ece40174..c91a3056 100644
--- a/tricircle/common/policy.py
+++ b/tricircle/common/policy.py
@@ -65,50 +65,132 @@ ADMIN_API_JOB_DELETE = 'admin_api:jobs:delete'
 tricircle_admin_api_policies = [
- policy.RuleDefault(ADMIN_API_PODS_CREATE,
- 'rule:admin_api',
- description='Create pod'),
- policy.RuleDefault(ADMIN_API_PODS_DELETE,
- 'rule:admin_api',
- description='Delete pod'),
- policy.RuleDefault(ADMIN_API_PODS_SHOW,
- 'rule:admin_api',
- description='Show pod detail'),
- policy.RuleDefault(ADMIN_API_PODS_LIST,
- 'rule:admin_api',
- description='List pods'),
-
- policy.RuleDefault(ADMIN_API_ROUTINGS_CREATE,
- 'rule:admin_api',
- description='Create resource routing'),
- policy.RuleDefault(ADMIN_API_ROUTINGS_DELETE,
- 'rule:admin_api',
- description='Delete resource routing'),
- policy.RuleDefault(ADMIN_API_ROUTINGS_PUT,
- 'rule:admin_api',
- description='Update resource routing'),
- policy.RuleDefault(ADMIN_API_ROUTINGS_SHOW,
- 'rule:admin_api',
- description='Show resource routing detail'),
- policy.RuleDefault(ADMIN_API_ROUTINGS_LIST,
- 'rule:admin_api',
- description='List resource routings'),
-
- policy.RuleDefault(ADMIN_API_JOB_CREATE,
- 'rule:admin_api',
- description='Create job'),
- policy.RuleDefault(ADMIN_API_JOB_LIST,
- 'rule:admin_api',
- description='List jobs'),
- policy.RuleDefault(ADMIN_API_JOB_SCHEMA_LIST,
- 'rule:admin_api',
- description='List job schemas'),
- policy.RuleDefault(ADMIN_API_JOB_REDO,
- 'rule:admin_api',
- description='Redo job'),
- policy.RuleDefault(ADMIN_API_JOB_DELETE,
- 'rule:admin_api',
- description='Delete job')
+ policy.DocumentedRuleDefault(ADMIN_API_PODS_CREATE,
+ 'rule:admin_api',
+ description='Create pod.',
+ operations=[
+ {
+ 'path': '/pods',
+ 'method': 'POST'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_PODS_DELETE,
+ 'rule:admin_api',
+ description='Delete specified pod.',
+ operations=[
+ {
+ 'path': '/pods/{pod_id}',
+ 'method': 'DELETE'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_PODS_SHOW,
+ 'rule:admin_api',
+ description='Show pod details.',
+ operations=[
+ {
+ 'path': '/pods/{pod_id}',
+ 'method': 'GET'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_PODS_LIST,
+ 'rule:admin_api',
+ description='List pods.',
+ operations=[
+ {
+ 'path': '/pods',
+ 'method': 'GET'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_ROUTINGS_CREATE,
+ 'rule:admin_api',
+ description='Create resource routing',
+ operations=[
+ {
+ 'path': '/routings',
+ 'method': 'POST'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_ROUTINGS_DELETE,
+ 'rule:admin_api',
+ description='Delete resource routing',
+ operations=[
+ {
+ 'path': '/routings/{id}',
+ 'method': 'DELETE'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_ROUTINGS_PUT,
+ 'rule:admin_api',
+ description='Update resource routing',
+ operations=[
+ {
+ 'path': '/routings/{id}',
+ 'method': 'PUT'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_ROUTINGS_SHOW,
+ 'rule:admin_api',
+ description='Show resource routing detail',
+ operations=[
+ {
+ 'path': '/routings/{id}',
+ 'method': 'GET'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_ROUTINGS_LIST,
+ 'rule:admin_api',
+ description='List resource routings',
+ operations=[
+ {
+ 'path': '/routings',
+ 'method': 'GET'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_JOB_CREATE,
+ 'rule:admin_api',
+ description='Create job',
+ operations=[
+ {
+ 'path': '/jobs',
+ 'method': 'POST'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_JOB_LIST,
+ 'rule:admin_api',
+ description='List jobs',
+ operations=[
+ {
+ 'path': '/jobs',
+ 'method': 'GET'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_JOB_SCHEMA_LIST,
+ 'rule:admin_api',
+ description='List job schemas',
+ operations=[
+ {
+ 'path': '/jobs/schemas',
+ 'method': 'GET'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_JOB_REDO,
+ 'rule:admin_api',
+ description='Redo job',
+ operations=[
+ {
+ 'path': '/jobs/{id}',
+ 'method': 'PUT'
+ }
+ ]),
+ policy.DocumentedRuleDefault(ADMIN_API_JOB_DELETE,
+ 'rule:admin_api',
+ description='Delete job',
+ operations=[
+ {
+ 'path': '/jobs/{id}',
+ 'method': 'DELETE'
+ }
+ ])
 ]
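Review bot: Each new `operations` list names exactly one path/method pair, and nothing visible in this hunk checks those pairs against the routes the rules actually gate, so the generated sample (`etc/tricircle-policy.yaml.sample`) may understate what an override of a rule affects. The job group has no show rule, unlike pods and routings, so if a `GET /jobs/{id}` route exists it is presumably gated by one of the listed job rules and should be added to that rule's `operations`; this needs confirming against the API controllers, which are outside the diff. The new text is also inconsistent: pod entries end their descriptions with a period and use `{pod_id}`, while routing and job entries have no period and use `{id}`. Writing them uniformly, e.g. `description='Create job.'` and `'path': '/jobs/{job_id}'`, would make the operator-facing sample easier to read and audit.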