From f7b9a2a5b3d63ceeb19fc79783d7b5a1c689eecc Mon Sep 17 00:00:00 2001
From: liusheng
Date: Wed, 25 Jan 2017 11:30:45 +0800
Subject: [PATCH] Use policy-generator to generate policy sample file

This change will avoid the maintenance of policy.sample file in every policy change.

Change-Id: Ia460a5e3c44f1d9306866414edced53d29559d36
---
 etc/mogan/README.policy.json.txt | 4 +++
 etc/mogan/policy.json.sample | 38 ------------------------
 tools/config/mogan-policy-generator.conf | 3 ++
 tox.ini | 2 +-
 4 files changed, 8 insertions(+), 39 deletions(-)
 create mode 100644 etc/mogan/README.policy.json.txt
 delete mode 100644 etc/mogan/policy.json.sample
 create mode 100644 tools/config/mogan-policy-generator.conf
diff --git a/etc/mogan/README.policy.json.txt b/etc/mogan/README.policy.json.txt
new file mode 100644
index 00000000..ffc89cfb
--- /dev/null
+++ b/etc/mogan/README.policy.json.txt
@@ -0,0 +1,4 @@
+To generate the sample policy.json file, run the following command from the top
+level of the mogan directory:
+
+ tox -egenpolicy
diff --git a/etc/mogan/policy.json.sample b/etc/mogan/policy.json.sample
deleted file mode 100644
index f4400c5d..00000000
--- a/etc/mogan/policy.json.sample
+++ /dev/null
@@ -1,38 +0,0 @@
-# Legacy rule for cloud admin access
-"admin_api": "role:admin or role:administrator"
-# Internal flag for public API routes
-"public_api": "is_public_api:True"
-# Show or mask secrets within instance information in API responses
-"show_instance_secrets": "!"
-# any access will be passed
-"allow": "@"
-# all access will be forbidden
-"deny": "!"
-# Full read/write API access
-"is_admin": "rule:admin_api or (rule:is_member and role:mogan_admin)"
-# Admin or owner API access
-"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
-# Admin or user API access
-"admin_or_user": "is_admin:True or user_id:%(user_id)s"
-# Default API access rule
-"default": "rule:admin_or_owner"
-# Retrieve Instance records
-"mogan:instance:get": "rule:default"
-# View Instance power and provision state
-"mogan:instance:get_states": "rule:default"
-# Create Instance records
-"mogan:instance:create": "rule:allow"
-# Delete Instance records
-"mogan:instance:delete": "rule:default"
-# Update Instance records
-"mogan:instance:update": "rule:default"
-# Start an instance
-"mogan:instance:set_power_state:on": "rule:default"
-# Stop an instance
-"mogan:instance:set_power_state:off": "rule:default"
-# Reboot an instance
-"mogan:instance:set_power_state:reboot": "rule:default"
-# Get Instance network information
-"mogan:instance:get_networks": "rule:default"
-# Associate floating IP to instance
-"mogan:instance:associate_floatingip": "rule:default"
diff --git a/tools/config/mogan-policy-generator.conf b/tools/config/mogan-policy-generator.conf
new file mode 100644
index 00000000..4f2a5631
--- /dev/null
+++ b/tools/config/mogan-policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/mogan/policy.json.sample
+namespace = mogan.api
diff --git a/tox.ini b/tox.ini
index 25f05eb2..09095ce0 100644
--- a/tox.ini
+++ b/tox.ini
@@ -72,7 +72,7 @@ commands =
 sitepackages = False
 envdir = {toxworkdir}/venv
 commands =
- oslopolicy-sample-generator --namespace=mogan.api --output-file=etc/mogan/policy.json.sample
+ oslopolicy-sample-generator --config-file=tools/config/mogan-policy-generator.conf

 [testenv:api-ref]
 # This environment is called from CI scripts to test and publish
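Review bot: Nothing visible in this diff keeps the regenerated `etc/mogan/policy.json.sample` from being committed again: this command now writes it through `output_file` in tools/config/mogan-policy-generator.conf, the tracked copy is deleted, and no `.gitignore` change appears here, so it is worth confirming that the path is ignored. Because the access-control defaults are no longer reviewable as a checked-in file and the command line no longer shows the namespace or output path, a comment above `commands =` would help, for example `# Writes etc/mogan/policy.json.sample from the mogan.api defaults; options are in tools/config/mogan-policy-generator.conf`. The relative `output_file` presumably resolves against the working directory, which is fine under tox but would put the file elsewhere if the generator is run by hand from another directory. The section header for this environment is outside the hunk.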