Added support for policy.json in packaging process

This commit updates the packaging files to support the new
authorization mechanism based on policy.json.

Change-Id: I001fba11b9c59ef34a10bf92ab7241f37efd4668
Sem-Ver: feature
Lisa Zangrando 2017-08-10 11:25:41 +02:00
parent 91f82cc654
commit ef0bd4556d
7 changed files with 149 additions and 3 deletions

17
config/policy.json Normal file

@ -0,0 +1,17 @@
{
"admin": "role:admin or is_admin:True",
"admin_or_owner": "rule:admin or project_id:%(id)s or project_name:%(name)s",
"cloud_admin": "rule:admin and project_name:admin",
"default": "rule:admin",
"ProjectManager:ADD_PROJECT": "rule:admin",
"ProjectManager:GET_PROJECT": "rule:admin_or_owner",
"ProjectManager:GET_PROJECTS": "rule:cloud_admin",
"ProjectManager:REMOVE_PROJECT": "rule:admin",
"ProjectManager:UPDATE_PROJECT": "rule:admin",
"synergy:EXECUTE": "rule:cloud_admin",
"synergy:LIST": "rule:admin",
"synergy:START": "rule:admin",
"synergy:STATUS": "rule:admin",
"synergy:STOP": "rule:admin",
}
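Review bot: The `admin_or_owner` and `cloud_admin` rules match on `project_name`, which is a weaker identifier than `project_id`: Keystone project names are only unique within a domain, so a same-named project in another domain would satisfy `project_name:%(name)s`, and `project_name:admin` treats any project called `admin` as the cloud-admin project. I would key ownership on the ID alone, `"admin_or_owner": "rule:admin or project_id:%(id)s"`, and pin `cloud_admin` to a project or domain ID where the deployment allows it. It is also worth confirming in the calling code (not visible here) that the `id`/`name` target values come from the stored project record and not from the request, since otherwise the rule compares the caller's token with values the caller supplied.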


@ -1 +1,2 @@
config/synergy_scheduler.conf /etc/synergy
config/policy.json /etc/synergy


@ -0,0 +1,47 @@
#!/bin/sh
# postinst script for python-synergy-service
#
# see: dh_installdeb(1)
set -e
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <postinst> `abort-remove'
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
case "$1" in
configure)
# Add synergy group & user
adduser --quiet --system --group --home /var/lib/synergy synergy > /dev/null 2>&1
# Change dirs and files permission/ownership
chown synergy:synergy /etc/synergy/policy.json
chown synergy:synergy /etc/synergy/synergy_scheduler.conf
chmod 0644 /etc/synergy/policy.json
chmod 0644 /etc/synergy/synergy_scheduler.conf
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0
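Review bot: `chown synergy:synergy /etc/synergy/policy.json` makes the service account the owner of the file that defines what the service may authorize, so a compromised or misbehaving synergy process can rewrite its own policy; the RPM spec in this commit does the same with `%attr(0644, synergy, synergy)`. Unless the service has to regenerate the file at run time (storePolicies in this commit does write a policy file, so that needs checking), prefer `chown root:synergy /etc/synergy/policy.json` together with `chmod 0640 /etc/synergy/policy.json`. The same mode question applies to `synergy_scheduler.conf`: 0644 is world-readable, which matters if that file holds service credentials (its contents are not visible here). Separately, `adduser ... > /dev/null 2>&1` under `set -e` aborts the configure step without any message when it fails; dropping the `2>&1` keeps the error visible.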


@ -0,0 +1,37 @@
#!/bin/sh
# postrm script for python-synergy-service
#
# see: dh_installdeb(1)
set -e
# summary of how this script can be called:
# * <postrm> `remove'
# * <postrm> `purge'
# * <old-postrm> `upgrade' <new-version>
# * <new-postrm> `failed-upgrade' <old-version>
# * <new-postrm> `abort-install'
# * <new-postrm> `abort-install' <old-version>
# * <new-postrm> `abort-upgrade' <old-version>
# * <disappearer's-postrm> `disappear' <overwriter>
# <overwriter-version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
case "$1" in
remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear|purge)
;;
*)
echo "postrm called with unknown argument \`$1'" >&2
exit 1
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0


@ -0,0 +1,34 @@
#!/bin/sh
# preinst script for python-synergy-service
#
# see: dh_installdeb(1)
set -e
# summary of how this script can be called:
# * <new-preinst> `install'
# * <new-preinst> `install' <old-version>
# * <new-preinst> `upgrade' <old-version>
# * <old-preinst> `abort-upgrade' <new-version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
case "$1" in
install|upgrade)
;;
abort-upgrade)
;;
*)
echo "preinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0


@ -42,12 +42,17 @@ schedulers.
rm -rf $RPM_BUILD_ROOT
%{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT
install -D -m0644 config/synergy_scheduler.conf %{buildroot}%{_sysconfdir}/synergy/synergy_scheduler.conf
install -D -m0644 config/policy.json %{buildroot}%{_sysconfdir}/synergy/policy.json
%files
%doc README.rst
%{python_sitelib}/*
%{_sysconfdir}/synergy
%dir %attr(0755, synergy, synergy) %{_sysconfdir}/synergy/
%config(noreplace) %{_sysconfdir}/synergy/synergy_scheduler.conf
%config(noreplace) %{_sysconfdir}/synergy/policy.json
%attr(0644, synergy, synergy) %{_sysconfdir}/synergy/policy.json
%changelog
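Review bot: `policy.json` is claimed three times in `%files` — through the bare `%{_sysconfdir}/synergy` entry, through `%config(noreplace)`, and again through `%attr(0644, synergy, synergy)` — which rpmbuild normally reports as a file listed twice and leaves it unclear which attributes end up in the package. Put the directives on one entry, `%config(noreplace) %attr(0644, synergy, synergy) %{_sysconfdir}/synergy/policy.json`, and drop the bare directory line, since the `%dir` entry already owns the directory. The `synergy` user and group must exist before the payload is unpacked, so check that a `%pre` scriptlet outside this hunk creates them; otherwise rpm falls back to root ownership with a warning.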


@ -69,16 +69,21 @@ class KeystoneAuthorization(object):
self.storePolicies(ENFORCER, policy_file)
def storePolicies(self, enforcer, output_file):
output_file = (open(output_file, 'w') if output_file
else sys.stdout)
output_file = (open(output_file, 'w') if output_file else sys.stdout)
rules = {}
rules.update(enforcer.registered_rules)
rules.update(enforcer.file_rules)
output_file.write("{\n")
for rule in sorted(rules.keys(), key=lambda v: v.upper()):
section = generator._format_rule_default_yaml(rules[rule],
include_help=False)
output_file.write(section)
output_file.write(" ")
output_file.write(section.replace('\n', ',\n'))
output_file.write("}")
output_file.close()
def authorize(self, context):
managers = context.get("managers", None)
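Review bot: storePolicies builds the JSON by hand, and `section.replace('\n', ',\n')` puts a comma after every rule including the last, so the output ends in a trailing comma before `}` — the same one visible in the shipped config/policy.json — which a strict JSON parser rejects. It also depends on the private helper `generator._format_rule_default_yaml`, whose YAML quoting is not guaranteed to be valid JSON escaping for a rule string that contains quotes or backslashes. Since this file is the authorization source, serialize it with the json module instead: build `{name: rules[name].check_str for name in rules}` and write it with `json.dump(..., output_file, indent=4, sort_keys=True)` (assuming the rule objects expose `check_str`, as oslo.policy's RuleDefault does, and that `json` is imported at the top of the file, which is outside this hunk). Also, `output_file.close()` closes `sys.stdout` when no path is given, and the handle leaks if a write raises; a `with open(...)` for the file case would cover both.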