Implement policy in code (2)

This commit will move all default policies to code for:
- telemetry:get_alarm
- telemetry:get_alarms
- telemetry:query_alarm
- telemetry:create_alarm
- telemetry:change_alarm
- telemetry:delete_alarm

Change-Id: Iae86738119882c49b9488f78f206ecd2f6fa26d7
Co-authored-By: Hieu LE <hieulq@vn.fujitsu.com>
This commit is contained in:
Dai Dang Van 2017-10-19 11:26:03 +07:00
parent 2b45331b73
commit 84f27adcb8
4 changed files with 69 additions and 18 deletions

View File

@ -15,9 +15,9 @@
from oslo_policy import policy
RULE_CONTEXT_IS_ADMIN = 'rule:context_is_admin'
RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s'
UNPROTECTED = ''
rules = [
policy.RuleDefault(
@ -34,6 +34,72 @@ rules = [
policy.RuleDefault(
name="default",
check_str=RULE_ADMIN_OR_OWNER
),
policy.DocumentedRuleDefault(
name="telemetry:get_alarm",
check_str=RULE_ADMIN_OR_OWNER,
description='Get an alarm.',
operations=[
{
'path': '/v2/alarms/{alarm_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="telemetry:get_alarms",
check_str=RULE_ADMIN_OR_OWNER,
description='Get all alarms, based on the query provided.',
operations=[
{
'path': '/v2/alarms',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="telemetry:query_alarm",
check_str=RULE_ADMIN_OR_OWNER,
description='Get all alarms, based on the query provided.',
operations=[
{
'path': '/v2/query/alarms',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="telemetry:create_alarm",
check_str=UNPROTECTED,
description='Create a new alarm.',
operations=[
{
'path': '/v2/alarms',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="telemetry:change_alarm",
check_str=RULE_ADMIN_OR_OWNER,
description='Modify this alarm.',
operations=[
{
'path': '/v2/alarms/{alarm_id}',
'method': 'PUT'
}
]
),
policy.DocumentedRuleDefault(
name="telemetry:delete_alarm",
check_str=RULE_ADMIN_OR_OWNER,
description='Delete this alarm.',
operations=[
{
'path': '/v2/alarms/{alarm_id}',
'method': 'DELETE'
}
]
)
]

View File

@ -1,12 +1,4 @@
{
"telemetry:get_alarm": "rule:admin_or_owner",
"telemetry:get_alarms": "rule:admin_or_owner",
"telemetry:query_alarm": "rule:admin_or_owner",
"telemetry:create_alarm": "",
"telemetry:change_alarm": "rule:admin_or_owner",
"telemetry:delete_alarm": "rule:admin_or_owner",
"telemetry:get_alarm_state": "rule:admin_or_owner",
"telemetry:change_alarm_state": "rule:admin_or_owner",

View File

@ -27,6 +27,7 @@ from six.moves.urllib import parse as urlparse
import sqlalchemy_utils
from aodh.api import app
from aodh.api import rbac
from aodh import service
from aodh import storage
@ -76,10 +77,7 @@ class ConfigFixture(fixture.GabbiFixture):
self.conf = conf
opts.set_defaults(self.conf)
conf.set_override('policy_file',
os.path.abspath(
'aodh/tests/open-policy.json'),
group='oslo_policy')
rbac.enforce = mock.Mock()
conf.set_override('auth_mode', None, group='api')
parsed_url = urlparse.urlparse(db_url)

View File

@ -1,5 +0,0 @@
{
"context_is_admin": "role:admin",
"segregation": "rule:context_is_admin",
"default": ""
}