Merge "Add Oslo Policy options for policy file location"

Zuul 2018-08-13 21:15:57 +00:00 committed by Gerrit Code Review
commit 1fa5c547d1
4 changed files with 25 additions and 25 deletions


@ -361,12 +361,17 @@ conf:
workflow_orchestrator:create_action: rule:admin_required
workflow_orchestrator:get_action: rule:admin_required
workflow_orchestrator:get_action_step: rule:admin_required
workflow_orchestrator:get_action_step_logs: rule:admin_required
workflow_orchestrator:get_action_validation: rule:admin_required
workflow_orchestrator:invoke_action_control: rule:admin_required
workflow_orchestrator:get_configdocs_status: rule:admin_required
workflow_orchestrator:create_configdocs: rule:admin_required
workflow_orchestrator:get_configdocs: rule:admin_required
workflow_orchestrator:commit_configdocs: rule:admin_required
workflow_orchestrator:get_renderedconfigdocs: rule:admin_required
workflow_orchestrator:list_workflows: rule:admin_required
workflow_orchestrator:get_workflow: rule:admin_required
workflow_orchestrator:get_site_statuses: rule:admin_required
paste:
app:shipyard-api:
paste.app_factory: shipyard_airflow.shipyard_api:paste_start_shipyard
@ -385,17 +390,6 @@ conf:
service_type: armada
drydock:
service_type: physicalprovisioner
verify_site_query_interval: 10
verify_site_task_timeout: 60
prepare_site_query_interval: 10
prepare_site_task_timeout: 300
prepare_node_query_interval: 30
prepare_node_task_timeout: 1800
deploy_node_query_interval: 30
deploy_node_task_timeout: 3600
destroy_node_query_interval: 30
destroy_node_task_timeout: 900
cluster_join_check_backoff_time: 120
promenade:
service_type: kubernetesprovisioner
keystone_authtoken:
@ -416,6 +410,11 @@ conf:
worker_port: 8793
k8s_logs:
ucp_namespace: 'ucp'
oslo_policy:
policy_file: /etc/shipyard/policy.yaml
# If non-existent rule is used, the request should be denied. The
# deny_all rule is hard coded in the policy.py code to allow no access.
policy_default_rule: deny_all
airflow_config_file:
path: /usr/local/airflow/airflow.cfg
airflow:
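Review bot: The comment above `policy_default_rule: deny_all` calls the rule hard coded, but oslo.policy lets a policy-file entry override a registered default of the same name. A `deny_all` key in `/etc/shipyard/policy.yaml` would therefore replace the `!` check and weaken the default-deny. The policy entries earlier in this section are presumably rendered into that file, so the comment should warn operators, e.g. `# Do not define deny_all in the policy overrides; a policy-file entry replaces the in-code default.` A deploy-time check that the rendered policy file contains no `deny_all` key would make this enforceable rather than advisory.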


@ -49,13 +49,20 @@ class ShipyardPolicy(object):
"""
RULE_ADMIN_REQUIRED = 'rule:admin_required'
RULE_DENY_ALL = 'rule:deny_all'
# Base Policy
base_rules = [
policy.RuleDefault(
'admin_required',
'role:admin',
description='Actions requiring admin authority'),
description='Actions requiring admin authority'
),
policy.RuleDefault(
'deny_all',
'!',
description='Rule to deny all access. Used for default denial'
),
]
# Orchestrator Policy
@ -251,7 +258,7 @@ class ApiEnforcer(object):
authorized = True
except:
# couldn't service the auth request
LOG.error(
LOG.exception(
"Error - Expectation Failed - action: %s", self.action)
raise ApiError(
title="Expectation Failed",
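Review bot: The bare `except:` in the ApiEnforcer hunk also catches `SystemExit` and `KeyboardInterrupt` and converts them into an `ApiError`. Using `except Exception:` keeps the fail-closed behaviour without intercepting interpreter-level exits. Since `LOG.exception` now writes the full traceback, it is worth confirming that exceptions raised by the policy or auth call cannot carry token or credential material in their message; that is not visible from this hunk. The enclosing method starts and ends outside the hunk.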


@ -44,4 +44,6 @@ validation_read_timeout = 300
service_type = shipyard
[logging]
named_log_levels = keystoneauth:ERROR,cheese:WARN,pumpkins:INFO
[oslo_policy]
policy_file = /etc/shipyard/policy.yaml
policy_default_rule = deny_all


@ -13,18 +13,7 @@ upgrade_db = false
[deckhand]
service_type = deckhand
[drydock]
cluster_join_check_backoff_time = 120
deploy_node_query_interval = 30
deploy_node_task_timeout = 3600
destroy_node_query_interval = 30
destroy_node_task_timeout = 900
prepare_node_query_interval = 30
prepare_node_task_timeout = 1800
prepare_site_query_interval = 10
prepare_site_task_timeout = 300
service_type = physicalprovisioner
verify_site_query_interval = 10
verify_site_task_timeout = 60
[keystone_authtoken]
auth_section = keystone_authtoken
auth_type = password
@ -53,3 +42,6 @@ validation_connect_timeout = 5
validation_read_timeout = 300
[shipyard]
service_type = shipyard
[oslo_policy]
policy_file = /etc/shipyard/policy.yaml
policy_default_rule = deny_all