Implement policy in code (1)

This commit will prepare for implementing policies in code[1].

Once we completed moving all of policies into code base,
we can also change default policy rules via policy.yaml
instead of policy.json and generate policy.yaml by command:
$ tox -e genpolicy

[1]https://governance.openstack.org/tc/goals/queens/policy-in-code.html

Change-Id: I587ee663eff9632ec355cef8152c13e1ebfffeb5
Co-authored-By: Hieu LE <hieulq@vn.fujitsu.com>

etc/freezer/freezer-policy-generator.conf

@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/freezer/policy.yaml.sample
+namespace = freezer-api

etc/freezer/policy.json

@@ -1,8 +1,4 @@
 {
-    "context_is_admin": "role:admin",
-    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
-    "default": "rule:admin_or_owner",
-
     "jobs:get_all": "",
     "jobs:create": "",
     "jobs:get": "",

freezer_api/common/policies/__init__.py

@@ -0,0 +1,26 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+# Borrowed from Zun
+
+
+import itertools
+
+from freezer_api.common.policies import base
+
+
+def list_rules():
+    return itertools.chain(
+        base.list_rules()
+    )

freezer_api/common/policies/base.py

@@ -0,0 +1,32 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+# Borrowed from Zun
+
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault(
+        "context_is_admin",
+        "role:admin"),
+    policy.RuleDefault(
+        "admin_or_owner",
+        "is_admin:True or project_id:%(project_id)s")
+]
+
+
+def list_rules():
+    return rules

freezer_api/policy.py

@@ -19,6 +19,7 @@ import functools
 from oslo_policy import policy
 
 from freezer_api.common import exceptions
+from freezer_api.common import policies
 
 ENFORCER = None
 
@@ -26,7 +27,10 @@ ENFORCER = None
 def setup_policy(conf):
     global ENFORCER
 
-    ENFORCER = policy.Enforcer(conf)
+    if not ENFORCER:
+        ENFORCER = policy.Enforcer(conf)
+        ENFORCER.register_defaults(policies.list_rules())
+        ENFORCER.load_rules()
 
 
 def enforce(rule):

setup.cfg

@@ -47,6 +47,8 @@ warning-is-error = 1
 [entry_points]
 oslo.config.opts =
     freezer-api = freezer_api.common.config:list_opts
+oslo.policy.policies =
+    freezer-api = freezer_api.common.policies:list_rules
 console_scripts =
     freezer-api = freezer_api.cmd.api:main
     freezer-manage = freezer_api.cmd.manage:main

tox.ini

@@ -97,3 +97,5 @@ commands =
 [testenv:releasenotes]
 commands = sphinx-build -W -a -E -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
 
+[testenv:genpolicy]
+commands = oslopolicy-sample-generator --config-file etc/freezer/freezer-policy-generator.conf