Register default queue policies in code

This commit uses the existing policy-in-code module to move all default policies for queues into code. This commit also adds helpful documetation about each API those policies protect, which will be generated in sample policy files. bp policy-and-docs-in-code Change-Id: I750e860e156e16d0bf5296bd1af0fff1f34a17e4
2017-10-02 17:16:50 +00:00 · 2017-10-02 17:16:50 +00:00 · 5b70af852a
parent 3f7cc0a460
commit 5b70af852a
5 changed files with 116 additions and 21 deletions
--- a/etc/policy.json.sample
+++ b/etc/policy.json.sample
@ -1,15 +1,6 @@
 {
    "default": "rule:admin_or_owner",

-    "queues:get_all": "",
-    "queues:create": "",
-    "queues:get": "",
-    "queues:delete": "",
-    "queues:update": "",
-    "queues:stats": "",
-    "queues:share": "",
-    "queues:purge": "",
-
    "messages:get_all": "",
    "messages:create": "",
    "messages:get": "",
--- a/zaqar/common/policies/init.py
+++ b/zaqar/common/policies/init.py
@ -13,9 +13,11 @@
 import itertools

 from zaqar.common.policies import base
+from zaqar.common.policies import queues


 def list_rules():
    return itertools.chain(
-        base.list_rules()
+        base.list_rules(),
+        queues.list_rules()
    )
--- a/zaqar/common/policies/base.py
+++ b/zaqar/common/policies/base.py
@ -14,6 +14,7 @@ from oslo_policy import policy

 ROLE_ADMIN = 'role:admin'
 RULE_ADMIN_OR_OWNER = 'is_admin:True or project_id:%(project_id)s'
+UNPROTECTED = ''

 rules = [
    policy.RuleDefault(
--- a/zaqar/common/policies/queues.py
+++ b/zaqar/common/policies/queues.py
@ -0,0 +1,112 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from zaqar.common.policies import base
+
+QUEUES = 'queues:%s'
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name=QUEUES % 'get_all',
+        check_str=base.UNPROTECTED,
+        description='List all message queues.',
+        operations=[
+            {
+                'path': '/v2/queues',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=QUEUES % 'create',
+        check_str=base.UNPROTECTED,
+        description='Create a message queue.',
+        operations=[
+            {
+                'path': '/v2/queues/{queue_name}',
+                'method': 'PUT'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=QUEUES % 'get',
+        check_str=base.UNPROTECTED,
+        description='Get details about a specific message queue.',
+        operations=[
+            {
+                'path': '/v2/queues/{queue_name}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=QUEUES % 'delete',
+        check_str=base.UNPROTECTED,
+        description='Delete a message queue.',
+        operations=[
+            {
+                'path': '/v2/queues/{queue_name}',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=QUEUES % 'update',
+        check_str=base.UNPROTECTED,
+        description='Update a message queue.',
+        operations=[
+            {
+                'path': '/v2/queues/{queue_name}',
+                'method': 'PATCH'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=QUEUES % 'stats',
+        check_str=base.UNPROTECTED,
+        description='Get statistics about a specific message queue.',
+        operations=[
+            {
+                'path': '/v2/queues/{queue_name}/stats',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=QUEUES % 'share',
+        check_str=base.UNPROTECTED,
+        description='Create a pre-signed URL for a given message queue.',
+        operations=[
+            {
+                'path': '/v2/queues/{queue_name}/share',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=QUEUES % 'purge',
+        check_str=base.UNPROTECTED,
+        description='Purge resources from a particular message queue.',
+        operations=[
+            {
+                'path': '/v2/queues/{queue_name}/purge',
+                'method': 'POST'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules
--- a/zaqar/tests/etc/policy.json
+++ b/zaqar/tests/etc/policy.json
@ -1,17 +1,6 @@
 {
-    "context_is_admin": "role:admin",
-    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",

-    "queues:get_all": "",
-    "queues:create": "",
-    "queues:get": "",
-    "queues:delete": "",
-    "queues:update": "",
-    "queues:stats": "",
-    "queues:share": "",
-    "queues:purge": "",
-
    "messages:get_all": "",
    "messages:create": "",
    "messages:get": "",