[policy in code] Add support for share resource [3/10]

This patch adds policy in code support for share
resources.

Change-Id: I9a79b5ececc583e80129cc980930e162e805b246
Partial-Implements: blueprint policy-in-code
This commit is contained in:
zhongjun 2017-11-24 16:29:00 +08:00 committed by zhongjun
parent d7161e38bb
commit 6184063a4c
4 changed files with 333 additions and 30 deletions

View File

@ -11,32 +11,6 @@
"service:index": "rule:admin_api",
"service:update": "rule:admin_api",
"share:create": "",
"share:delete": "rule:default",
"share:get": "rule:default",
"share:get_all": "rule:default",
"share:list_by_share_server_id": "rule:admin_api",
"share:list_by_host": "rule:admin_api",
"share:update": "rule:default",
"share:access_get": "rule:default",
"share:access_get_all": "rule:default",
"share:allow_access": "rule:default",
"share:deny_access": "rule:default",
"share:extend": "rule:default",
"share:shrink": "rule:default",
"share:get_share_metadata": "rule:default",
"share:delete_share_metadata": "rule:default",
"share:update_share_metadata": "rule:default",
"share:migration_start": "rule:admin_api",
"share:migration_complete": "rule:admin_api",
"share:migration_cancel": "rule:admin_api",
"share:migration_get_progress": "rule:admin_api",
"share:reset_task_state": "rule:admin_api",
"share:manage": "rule:admin_api",
"share:unmanage": "rule:admin_api",
"share:force_delete": "rule:admin_api",
"share:reset_status": "rule:admin_api",
"share:revert_to_snapshot": "rule:default",
"share_export_location:index": "rule:default",
"share_export_location:show": "rule:default",
@ -45,9 +19,6 @@
"share_instance:force_delete": "rule:admin_api",
"share_instance:reset_status": "rule:admin_api",
"share:create_snapshot": "rule:default",
"share:delete_snapshot": "rule:default",
"share:snapshot_update": "rule:default",
"share_snapshot:get_snapshot": "rule:default",
"share_snapshot:get_all_snapshots": "rule:default",
"share_snapshot:manage_snapshot": "rule:admin_api",

View File

@ -19,11 +19,13 @@ import itertools
from manila.policies import base
from manila.policies import share_instance_export_location
from manila.policies import share_type
from manila.policies import shares
def list_rules():
return itertools.chain(
base.list_rules(),
shares.list_rules(),
share_instance_export_location.list_rules(),
share_type.list_rules(),
)

329
manila/policies/shares.py Normal file
View File

@ -0,0 +1,329 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from manila.policies import base
BASE_POLICY_NAME = 'share:%s'
shares_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'create',
check_str="",
description="Create share.",
operations=[
{
'method': 'POST',
'path': '/shares',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'get',
check_str=base.RULE_DEFAULT,
description="Get share.",
operations=[
{
'method': 'GET',
'path': '/shares/{share_id}',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'get_all',
check_str=base.RULE_DEFAULT,
description="List shares.",
operations=[
{
'method': 'GET',
'path': '/shares',
},
{
'method': 'GET',
'path': '/shares/detail',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'update',
check_str=base.RULE_DEFAULT,
description="Update share.",
operations=[
{
'method': 'PUT',
'path': '/shares',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'delete',
check_str=base.RULE_DEFAULT,
description="Delete share.",
operations=[
{
'method': 'DELETE',
'path': '/shares/{share_id}',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'force_delete',
check_str=base.RULE_ADMIN_API,
description="Force Delete a share.",
operations=[
{
'method': 'DELETE',
'path': '/shares/{share_id}',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'manage',
check_str=base.RULE_ADMIN_API,
description="Manage share.",
operations=[
{
'method': 'POST',
'path': '/shares/manage',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'unmanage',
check_str=base.RULE_ADMIN_API,
description="Unmanage share.",
operations=[
{
'method': 'POST',
'path': '/shares/unmanage',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'create_snapshot',
check_str=base.RULE_DEFAULT,
description="Create share snapshot.",
operations=[
{
'method': 'POST',
'path': '/snapshots',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list_by_host',
check_str=base.RULE_ADMIN_API,
description="List share by host.",
operations=[
{
'method': 'GET',
'path': '/shares',
},
{
'method': 'GET',
'path': '/shares/detail',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list_by_share_server_id',
check_str=base.RULE_ADMIN_API,
description="List share by server id.",
operations=[
{
'method': 'GET',
'path': '/shares'
},
{
'method': 'GET',
'path': '/shares/detail',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'access_get',
check_str=base.RULE_DEFAULT,
description="Get share access rule, it under deny access operation.",
operations=[
{
'method': 'POST',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'access_get_all',
check_str=base.RULE_DEFAULT,
description="List share access rules.",
operations=[
{
'method': 'GET',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'extend',
check_str=base.RULE_DEFAULT,
description="Extend share.",
operations=[
{
'method': 'POST',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'shrink',
check_str=base.RULE_DEFAULT,
description="Shrink share.",
operations=[
{
'method': 'POST',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'migration_start',
check_str=base.RULE_ADMIN_API,
description="Migrate a share to the specified host.",
operations=[
{
'method': 'POST',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'migration_complete',
check_str=base.RULE_ADMIN_API,
description="Invokes 2nd phase of share migration.",
operations=[
{
'method': 'POST',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'migration_cancel',
check_str=base.RULE_ADMIN_API,
description="Attempts to cancel share migration.",
operations=[
{
'method': 'POST',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'migration_get_progress',
check_str=base.RULE_ADMIN_API,
description=("Retrieve share migration progress for a given "
"share."),
operations=[
{
'method': 'POST',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'reset_task_state',
check_str=base.RULE_ADMIN_API,
description=("Reset task state."),
operations=[
{
'method': 'POST',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'reset_status',
check_str=base.RULE_ADMIN_API,
description=("Reset status."),
operations=[
{
'method': 'POST',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'revert_to_snapshot',
check_str=base.RULE_DEFAULT,
description=("Revert a share to a snapshot."),
operations=[
{
'method': 'POST',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'allow_access',
check_str=base.RULE_DEFAULT,
description=("Add share access rule."),
operations=[
{
'method': 'POST',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'deny_access',
check_str=base.RULE_DEFAULT,
description=("Remove share access rule."),
operations=[
{
'method': 'POST',
'path': '/shares/{share_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'delete_snapshot',
check_str=base.RULE_DEFAULT,
description=("Delete share snapshot."),
operations=[
{
'method': 'DELETE',
'path': '/snapshots/{snapshot_id}',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'snapshot_update',
check_str=base.RULE_DEFAULT,
description=("Update share snapshot."),
operations=[
{
'method': 'PUT',
'path': '/snapshots/{snapshot_id}/action',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'update_share_metadata',
check_str=base.RULE_DEFAULT,
description=("Update share metadata."),
operations=[
{
'method': 'PUT',
'path': '/shares/{share_id}/metadata',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'delete_share_metadata',
check_str=base.RULE_DEFAULT,
description=("Delete share metadata."),
operations=[
{
'method': 'DELETE',
'path': '/shares/{share_id}/metadata/{key}',
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'get_share_metadata',
check_str=base.RULE_DEFAULT,
description=("Get share metadata."),
operations=[
{
'method': 'GET',
'path': '/shares/{share_id}/metadata',
}
]),
]
def list_rules():
return shares_policies

View File

@ -208,7 +208,8 @@ def check_policy(context, resource, action, target_obj=None):
_action = '%s:%s' % (resource, action)
# The else branch will be deleted after all policy in code patches
# be merged.
if resource in ('share_instance_export_location', 'share_type', ):
if resource in ('share_instance_export_location', 'share_type',
'share', ):
authorize(context, _action, target)
else:
enforce(context, _action, target)