Implement policy in code (1)
This commit prepares for implementing policies in code[1]. Once we have finished moving all policies into the code base, we can also change default policy rules via policy.yaml instead of policy.json, and generate policy.yaml with the command: $ tox -e genpolicy [1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html Change-Id: I587ee663eff9632ec355cef8152c13e1ebfffeb5 Co-authored-By: Hieu LE <hieulq@vn.fujitsu.com>
parent
2a5fc3fd3e
commit
8f3039508a
|
@ -0,0 +1,3 @@
|
|||
[DEFAULT]
|
||||
output_file = etc/freezer/policy.yaml.sample
|
||||
namespace = freezer-api
|
|
@ -1,8 +1,4 @@
|
|||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"jobs:get_all": "",
|
||||
"jobs:create": "",
|
||||
"jobs:get": "",
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Borrowed from Zun
|
||||
|
||||
|
||||
import itertools
|
||||
|
||||
from freezer_api.common.policies import base
|
||||
|
||||
|
||||
def list_rules():
|
||||
return itertools.chain(
|
||||
base.list_rules()
|
||||
)
|
|
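Review bot: `list_rules()` returns an `itertools.chain` object, which can be consumed only once, and it has no docstring saying so. A caller that iterates the result twice gets nothing the second time; a docstring such as `"""Return an iterator over every in-code policy default (single use)."""` would make that explicit. Chaining a single iterable reads as scaffolding for policy modules to be added later, which a short comment could state.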
@ -0,0 +1,32 @@
|
|||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# Borrowed from Zun
|
||||
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
"context_is_admin",
|
||||
"role:admin"),
|
||||
policy.RuleDefault(
|
||||
"admin_or_owner",
|
||||
"is_admin:True or project_id:%(project_id)s")
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
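Review bot: The `rules` list registers `context_is_admin` and `admin_or_owner` but no `default` rule, and neither `RuleDefault` carries a description. The add/remove markers are lost on this page, so this is not certain, but if `"default": "rule:admin_or_owner"` is among the lines this commit drops from policy.json, the fallback rule is no longer defined anywhere visible here; consider adding `policy.RuleDefault("default", "rule:admin_or_owner", description="Fallback for rules with no explicit entry")`. A `description=` on the two existing entries would also make the generated policy.yaml.sample easier for operators to audit when checking who is treated as admin.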
@ -19,6 +19,7 @@ import functools
|
|||
from oslo_policy import policy
|
||||
|
||||
from freezer_api.common import exceptions
|
||||
from freezer_api.common import policies
|
||||
|
||||
ENFORCER = None
|
||||
|
||||
|
@ -26,7 +27,10 @@ ENFORCER = None
|
|||
def setup_policy(conf):
|
||||
global ENFORCER
|
||||
|
||||
ENFORCER = policy.Enforcer(conf)
|
||||
if not ENFORCER:
|
||||
ENFORCER = policy.Enforcer(conf)
|
||||
ENFORCER.register_defaults(policies.list_rules())
|
||||
ENFORCER.load_rules()
|
||||
|
||||
|
||||
def enforce(rule):
|
||||
|
|
|
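Review bot: Once `ENFORCER` is set, the new `if not ENFORCER:` guard in `setup_policy` makes every later call keep the first enforcer, so a different `conf` passed later is silently ignored; that deserves a docstring, e.g. `"""Create the module-wide Enforcer on first call and register the in-code default rules."""`. Indentation is lost in this rendering, so it is unclear whether `register_defaults` and `load_rules` sit inside the guard; if they are outside it, a repeated call would try to register the same defaults again, which oslo.policy rejects as duplicates. `if ENFORCER is None:` states the intent more precisely than a truthiness test. `enforce` begins at the end of the hunk and its body is outside it.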
@ -47,6 +47,8 @@ warning-is-error = 1
|
|||
[entry_points]
|
||||
oslo.config.opts =
|
||||
freezer-api = freezer_api.common.config:list_opts
|
||||
oslo.policy.policies =
|
||||
freezer-api = freezer_api.common.policies:list_rules
|
||||
console_scripts =
|
||||
freezer-api = freezer_api.cmd.api:main
|
||||
freezer-manage = freezer_api.cmd.manage:main
|
||||
|
|
2
tox.ini
2
tox.ini
|
@ -97,3 +97,5 @@ commands =
|
|||
[testenv:releasenotes]
|
||||
commands = sphinx-build -W -a -E -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
|
||||
|
||||
[testenv:genpolicy]
|
||||
commands = oslopolicy-sample-generator --config-file etc/freezer/freezer-policy-generator.conf
|
||||
|
|