Merge "Implement policy in code (1)"

2017-11-07 19:11:19 +00:00 · 2017-11-07 19:11:19 +00:00 · 2b45331b73
parent aee678c0c2 c150d00dee
commit 2b45331b73
5 changed files with 50 additions and 5 deletions
--- a/aodh/api/hooks.py
+++ b/aodh/api/hooks.py
@ -16,6 +16,8 @@
 from oslo_policy import policy
 from pecan import hooks

+from aodh.api import policies
+

 class ConfigHook(hooks.PecanHook):
    """Attach the configuration and policy enforcer object to the request.
@ -26,6 +28,7 @@ class ConfigHook(hooks.PecanHook):
    def __init__(self, conf):
        self.conf = conf
        self.enforcer = policy.Enforcer(conf, default_rule="default")
+        self.enforcer.register_defaults(policies.list_rules())

    def before(self, state):
        state.request.cfg = self.conf
--- a/aodh/api/policies.py
+++ b/aodh/api/policies.py
@ -0,0 +1,42 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+
+RULE_CONTEXT_IS_ADMIN = 'rule:context_is_admin'
+RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s'
+
+rules = [
+    policy.RuleDefault(
+        name="context_is_admin",
+        check_str="role:admin"
+    ),
+    policy.RuleDefault(
+        name="segregation",
+        check_str=RULE_CONTEXT_IS_ADMIN),
+    policy.RuleDefault(
+        name="admin_or_owner",
+        check_str=RULE_ADMIN_OR_OWNER
+    ),
+    policy.RuleDefault(
+        name="default",
+        check_str=RULE_ADMIN_OR_OWNER
+    )
+]
+
+
+def list_rules():
+    return rules
--- a/aodh/api/policy.json
+++ b/aodh/api/policy.json
@ -1,9 +1,4 @@
 {
-    "context_is_admin": "role:admin",
-    "segregation": "rule:context_is_admin",
-    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
-    "default": "rule:admin_or_owner",
-
    "telemetry:get_alarm": "rule:admin_or_owner",
    "telemetry:get_alarms": "rule:admin_or_owner",
    "telemetry:query_alarm": "rule:admin_or_owner",
--- a/aodh/cmd/aodh-policy-generator.conf
+++ b/aodh/cmd/aodh-policy-generator.conf
@ -0,0 +1,2 @@
+[DEFAULT]
+namespace = aodh
--- a/setup.cfg
+++ b/setup.cfg
@ -117,6 +117,9 @@ oslo.config.opts =
 oslo.config.opts.defaults =
    aodh = aodh.conf.defaults:set_cors_middleware_defaults

+oslo.policy.policies =
+    aodh = aodh.api.policies:list_rules
+
 tempest.test_plugins =
    aodh_tests = aodh.tests.tempest.plugin:AodhTempestPlugin