Merge "Move policy into code"

This commit is contained in:
Zuul 2017-12-06 20:05:25 +00:00 committed by Gerrit Code Review
commit 4043745bd4
11 changed files with 94 additions and 14 deletions


@ -23,7 +23,6 @@ from oslo_config import cfg
from oslo_db import options as db_options
from oslo_log import log as logging
from oslo_middleware import cors
from oslo_policy import opts as policy_opts
from congress import version
@ -112,7 +111,6 @@ dse_opts = [
# Register dse opts
cfg.CONF.register_opts(dse_opts, group='dse')
policy_opts.set_defaults(cfg.CONF, 'policy.json')
logging.register_options(cfg.CONF)
_SQL_CONNECTION_DEFAULT = 'sqlite://'
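Review bot: Dropping `policy_opts.set_defaults(cfg.CONF, 'policy.json')` leaves `policy_file` at whatever oslo.policy's own default is, while the documentation hunk in this same commit tells operators to install their override as `/etc/congress/policy.yaml`. Unless the installed oslo.policy release already defaults `policy_file` to `policy.yaml` (releases of this era default to `policy.json`, as far as I recall), that file is never loaded and the in-code defaults silently stay in force. Either keep an explicit `policy_opts.set_defaults(cfg.CONF, 'policy.yaml')` here, or have the docs instruct setting `[oslo_policy] policy_file` explicitly. The surrounding module continues outside the hunk.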


@ -0,0 +1,17 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from congress.common.policies import base
def list_rules():
return base.list_rules()
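Review bot: `list_rules` is the target of the `oslo.policy.policies` entry point added in setup.cfg but carries no docstring stating that contract, and its return value is simply whatever `base.list_rules()` hands back. A docstring such as `"""Return every in-code default rule; consumed via the oslo.policy.policies entry point."""` would tell the next contributor what the function is for and where additional rule modules should be chained in (for instance with `itertools.chain(base.list_rules(), ...)`).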


@ -0,0 +1,43 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault(
name='context_is_admin',
check_str='role:admin'
),
policy.RuleDefault(
name='admin_only',
check_str='rule:context_is_admin'
),
policy.RuleDefault(
name='regular_user',
check_str='',
description='The policy rule defining who is a regular user. This '
'rule can be overridden by, for example, a role check.'
),
policy.RuleDefault(
name='default',
check_str='rule:admin_only',
description='The default policy rule to apply when enforcing API '
'permissions. By default, all APIs are admin only. '
'This rule can be overridden (say by rule:regular_user) '
'to allow non-admins to access Congress APIs.'
)
]
def list_rules():
return rules
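Review bot: `context_is_admin` and `admin_only` are declared without a `description`, unlike `regular_user` and `default`, so the `oslopolicy-sample-generator` output and anyone reading the module get no explanation of the two rules everything else is built on. Adding `description='Requests carrying the admin role are treated as administrative.'` to the first and `description='Restrict an API to administrators.'` to the second closes that gap. The `regular_user` description could also state plainly that its empty `check_str` is the always-true rule, since that is the rule an operator would override to relax access.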


@ -21,6 +21,7 @@ from __future__ import absolute_import
from oslo_config import cfg
from oslo_policy import policy
from congress.common import policies
from congress import exception
@ -51,6 +52,11 @@ def init(policy_file=None, rules=None, default_rule=None, use_conf=True):
rules=rules,
default_rule=default_rule,
use_conf=use_conf)
register_rules(_ENFORCER)
def register_rules(enforcer):
enforcer.register_defaults(policies.list_rules())
def set_rules(rules, overwrite=True, use_conf=False):
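Review bot: `register_rules` has no docstring, and calling it is not idempotent on a given enforcer: as far as I recall, `Enforcer.register_defaults` raises `DuplicatePolicyError` when a rule name is registered a second time, so the new call in `init` is only safe because `init` (whose start lies outside the hunk) appears to construct `_ENFORCER` once. A docstring making that explicit, e.g. `"""Register Congress' in-code default rules; call once per Enforcer instance."""`, would protect whoever later adds a second initialisation path or a reload. `set_rules` continues outside the hunk.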


@ -21,6 +21,7 @@ import os
import fixtures
from oslo_config import cfg
from oslo_policy import opts as policy_opts
import congress.common.policy
from congress.tests import fake_policy
@ -37,6 +38,10 @@ class PolicyFixture(fixtures.Fixture):
'policy.json')
with open(self.policy_file_name, 'w') as policy_file:
policy_file.write(fake_policy.policy_data)
# Note: without the 1st line below (set_defaults), the 2nd line below
# (set_override) fails, seemingly because the oslo_policy opt group is
# not "initialized" or "recognized"
policy_opts.set_defaults(CONF)
CONF.set_override('policy_file', self.policy_file_name, 'oslo_policy')
congress.common.policy.reset()
congress.common.policy.init()
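Review bot: The fixture still writes `fake_policy.policy_data` to a temporary policy.json and points `policy_file` at it, so the `congress.common.policy.init()` call at the end loads file rules on top of the in-code defaults this commit introduces; if `policy_data` mirrors the deleted `etc/policy.json`, the rules registered through `register_rules` are never what the test suite actually enforces. A companion test that calls `init()` without a `policy_file` override and asserts that a non-admin context is rejected under `default` would cover the fail-closed in-code defaults. The comment's `seemingly because` can be made definite: `policy_opts.set_defaults(CONF)` registers the oslo_policy option group on CONF, and `set_override` raises `NoSuchOptError` for an option that is not registered. The enclosing method starts outside the hunk.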


@ -47,10 +47,8 @@ function configure_congress {
setup_colorized_logging $CONGRESS_CONF DEFAULT project_id
fi
CONGRESS_API_PASTE_FILE=$CONGRESS_CONF_DIR/api-paste.ini
CONGRESS_POLICY_FILE=$CONGRESS_CONF_DIR/policy.json
cp $CONGRESS_DIR/etc/api-paste.ini $CONGRESS_API_PASTE_FILE
cp $CONGRESS_DIR/etc/policy.json $CONGRESS_POLICY_FILE
if [[ ! -d $CONGRESS_LIBRARY_DIR ]]; then
mkdir $CONGRESS_LIBRARY_DIR
fi
@ -58,7 +56,6 @@ function configure_congress {
# Update either configuration file
iniset $CONGRESS_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
iniset $CONGRESS_CONF oslo_policy policy_file $CONGRESS_POLICY_FILE
iniset $CONGRESS_CONF DEFAULT auth_strategy $CONGRESS_AUTH_STRATEGY
iniset $CONGRESS_CONF DEFAULT datasource_sync_period 30
iniset $CONGRESS_CONF DEFAULT replicated_policy_engine "$CONGRESS_REPLICATED"


@ -90,9 +90,18 @@ Configure Congress (Assume you put config files in /etc/congress)
$ sudo mkdir -p /etc/congress
$ sudo mkdir -p /etc/congress/snapshot
$ sudo cp etc/api-paste.ini /etc/congress
$ sudo cp etc/policy.json /etc/congress
Set-up Policy Library [optional]
(optional) Customize API access policy
Typically, the default access policy of Congress API is appropriate.
If desired, you can override the default access policy as follows:
.. code-block:: console
$ tox -e genpolicy
(edit the generated sample file etc/policy.yaml.sample then copy to conf dir)
$ sudo cp etc/policy.yaml.sample /etc/congress/policy.yaml
(optional) Set-up policy library
This step copies the bundled collection Congress policies into the Congress
policy library for easy activation by an administrator. The policies in the
library do not become active until explicitly activated by an administrator.


@ -0,0 +1,3 @@
[DEFAULT]
output_file = etc/congress.policy.yaml.sample
namespace = congress
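Review bot: `output_file = etc/congress.policy.yaml.sample` does not match the documentation hunk in this commit, which tells the reader to edit `etc/policy.yaml.sample` and copy that to `/etc/congress/policy.yaml`; one of the two names must change, or the documented `tox -e genpolicy` step produces a file the next instruction cannot find. The `namespace = congress` value does line up with the `oslo.policy.policies` entry point added in setup.cfg.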


@ -1,6 +0,0 @@
{
"context_is_admin": "role:admin",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"default": "rule:admin_only"
}


@ -51,6 +51,11 @@ oslo.config.opts =
oslo.config.opts.defaults =
congress = congress.common.config:set_config_defaults
oslo.policy.policies =
# With the move of default policy in code list_rules returns a list of
# the default defined polices.
congress = congress.common.policies:list_rules
console_scripts =
congress-server = congress.server.congress_server:main
congress-db-manage = congress.db.migration.cli:main
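Review bot: The comment added above the `oslo.policy.policies` entry point misspells `policies` as `polices` and reads awkwardly; `# Default policies now live in code; list_rules returns them.` says the same thing in one line. Apart from that, the `congress` entry-point name matches the `namespace` in the new policy-generator config.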


@ -1,7 +1,7 @@
[tox]
minversion = 1.6
skipsdist = True
envlist = py35,py27,pep8
envlist = py35,py27,pep8,genpolicy
[testenv]
usedevelop = True
@ -59,6 +59,9 @@ deps =
commands = {toxinidir}/tools/pip-install-single-req.sh requirements.txt oslo.config
oslo-config-generator --config-file=etc/congress-config-generator.conf
[testenv:genpolicy]
commands = oslopolicy-sample-generator --config-file etc/congress-policy-generator.conf
[testenv:docs]
setenv = PYTHONHASHSEED=0
commands = rm -rf doc/build doc/source/api
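Review bot: Adding `genpolicy` to `envlist` makes a plain `tox` run execute `oslopolicy-sample-generator`, which writes `etc/congress.policy.yaml.sample` into the working tree as a side effect of the default test run. The config-generator env whose commands appear just above is, as far as this hunk shows, not in `envlist`, so the two generator envs are treated inconsistently. Keeping `genpolicy` out of `envlist` and relying on the explicit `tox -e genpolicy` the docs hunk already documents would be the consistent choice.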