Added support for policy.json in packaging process

This commit updates the packaging files for supporting the new authorization mechanism based on policy.json Change-Id: I001fba11b9c59ef34a10bf92ab7241f37efd4668 Sem-Ver: feature
2017-08-10 11:25:41 +02:00 · 2017-08-10 11:25:41 +02:00 · ef0bd4556d
commit ef0bd4556d
parent 91f82cc654
7 changed files with 149 additions and 3 deletions
--- a/config/policy.json
+++ b/config/policy.json
@ -0,0 +1,17 @@
+{
+    "admin": "role:admin or is_admin:True",
+    "admin_or_owner": "rule:admin or project_id:%(id)s or project_name:%(name)s",
+    "cloud_admin": "rule:admin and project_name:admin",
+    "default": "rule:admin",
+    "ProjectManager:ADD_PROJECT": "rule:admin",
+    "ProjectManager:GET_PROJECT": "rule:admin_or_owner",
+    "ProjectManager:GET_PROJECTS": "rule:cloud_admin",
+    "ProjectManager:REMOVE_PROJECT": "rule:admin",
+    "ProjectManager:UPDATE_PROJECT": "rule:admin",
+    "synergy:EXECUTE": "rule:cloud_admin",
+    "synergy:LIST": "rule:admin",
+    "synergy:START": "rule:admin",
+    "synergy:STATUS": "rule:admin",
+    "synergy:STOP": "rule:admin",
+}
+
--- a/packaging/debian/python-synergy-scheduler-manager.install
+++ b/packaging/debian/python-synergy-scheduler-manager.install
@ -1 +1,2 @@
 config/synergy_scheduler.conf     /etc/synergy
+config/policy.json                /etc/synergy
--- a/packaging/debian/python-synergy-scheduler-manager.postinst
+++ b/packaging/debian/python-synergy-scheduler-manager.postinst
@ -0,0 +1,47 @@
+#!/bin/sh
+# postinst script for python-synergy-service
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+    configure)
+        # Add synergy group & user
+        adduser --quiet --system --group --home /var/lib/synergy synergy > /dev/null 2>&1
+        # Change dirs and files permission/ownership
+        chown synergy:synergy /etc/synergy/policy.json
+        chown synergy:synergy /etc/synergy/synergy_scheduler.conf
+
+        chmod 0644 /etc/synergy/policy.json
+        chmod 0644 /etc/synergy/synergy_scheduler.conf
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- a/packaging/debian/python-synergy-scheduler-manager.postrm
+++ b/packaging/debian/python-synergy-scheduler-manager.postrm
@ -0,0 +1,37 @@
+#!/bin/sh
+# postrm script for python-synergy-service
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <overwriter>
+#          <overwriter-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear|purge)
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- a/packaging/debian/python-synergy-scheduler-manager.preinst
+++ b/packaging/debian/python-synergy-scheduler-manager.preinst
@ -0,0 +1,34 @@
+#!/bin/sh
+# preinst script for python-synergy-service
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+    install|upgrade)
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- a/packaging/rpm/python-synergy-scheduler-manager.spec
+++ b/packaging/rpm/python-synergy-scheduler-manager.spec
@ -42,12 +42,17 @@ schedulers.
 rm -rf $RPM_BUILD_ROOT
 %{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT
 install -D -m0644 config/synergy_scheduler.conf       %{buildroot}%{_sysconfdir}/synergy/synergy_scheduler.conf
+install -D -m0644 config/policy.json                  %{buildroot}%{_sysconfdir}/synergy/policy.json


 %files
 %doc README.rst
 %{python_sitelib}/*
+%{_sysconfdir}/synergy
+%dir %attr(0755, synergy, synergy) %{_sysconfdir}/synergy/
 %config(noreplace) %{_sysconfdir}/synergy/synergy_scheduler.conf
+%config(noreplace) %{_sysconfdir}/synergy/policy.json
+%attr(0644, synergy, synergy) %{_sysconfdir}/synergy/policy.json


 %changelog
--- a/synergy_scheduler_manager/auth/plugin.py
+++ b/synergy_scheduler_manager/auth/plugin.py
@ -69,16 +69,21 @@ class KeystoneAuthorization(object):
            self.storePolicies(ENFORCER, policy_file)

    def storePolicies(self, enforcer, output_file):
-        output_file = (open(output_file, 'w') if output_file
-                       else sys.stdout)
+        output_file = (open(output_file, 'w') if output_file else sys.stdout)
        rules = {}
        rules.update(enforcer.registered_rules)
        rules.update(enforcer.file_rules)

+        output_file.write("{\n")
+
        for rule in sorted(rules.keys(), key=lambda v: v.upper()):
            section = generator._format_rule_default_yaml(rules[rule],
                                                          include_help=False)
-            output_file.write(section)
+            output_file.write("    ")
+            output_file.write(section.replace('\n', ',\n'))
+
+        output_file.write("}")
+        output_file.close()

    def authorize(self, context):
        managers = context.get("managers", None)