Merge "Implement policy in code - event trigger (11)"
This commit is contained in:
commit
11d3f07e7a
|
@ -70,9 +70,6 @@ function configure_mistral {
|
|||
oslo-config-generator --config-file $MISTRAL_DIR/tools/config/config-generator.mistral.conf --output-file $MISTRAL_CONF_FILE
|
||||
iniset $MISTRAL_CONF_FILE DEFAULT debug $MISTRAL_DEBUG
|
||||
|
||||
MISTRAL_POLICY_FILE=$MISTRAL_CONF_DIR/policy.json
|
||||
cp $MISTRAL_DIR/etc/policy.json $MISTRAL_POLICY_FILE
|
||||
|
||||
# Run all Mistral processes as a single process
|
||||
iniset $MISTRAL_CONF_FILE DEFAULT server all
|
||||
|
||||
|
@ -94,9 +91,6 @@ function configure_mistral {
|
|||
# Configure action execution deletion policy
|
||||
iniset $MISTRAL_CONF_FILE api allow_action_execution_deletion True
|
||||
|
||||
# Path of policy.json file.
|
||||
iniset $MISTRAL_CONF oslo_policy policy_file $MISTRAL_POLICY_FILE
|
||||
|
||||
if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ]; then
|
||||
setup_colorized_logging $MISTRAL_CONF_FILE DEFAULT tenant user
|
||||
fi
|
||||
|
|
|
@ -1,11 +1 @@
|
|||
{
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"event_triggers:create": "rule:admin_or_owner",
|
||||
"event_triggers:create:public": "rule:admin_only",
|
||||
"event_triggers:delete": "rule:admin_or_owner",
|
||||
"event_triggers:get": "rule:admin_or_owner",
|
||||
"event_triggers:list": "rule:admin_or_owner",
|
||||
"event_triggers:list:all_projects": "rule:admin_only",
|
||||
"event_triggers:update": "rule:admin_or_owner"
|
||||
}
|
||||
{}
|
||||
|
|
|
@ -74,9 +74,9 @@ def enforce(action, context, target=None, do_raise=True,
|
|||
target_obj.update(target or {})
|
||||
|
||||
policy_context = context.to_policy_values()
|
||||
# Because policy.json example in Mistral repo still uses the rule
|
||||
# 'is_admin: True', we insert 'is_admin' key to the default policy
|
||||
# values.
|
||||
# Because policy.json or policy.yaml example in Mistral repo still uses
|
||||
# the rule 'is_admin: True', we insert 'is_admin' key to the default
|
||||
# policy values.
|
||||
policy_context['is_admin'] = context.is_admin
|
||||
|
||||
_ensure_enforcer_initialization()
|
||||
|
|
|
@ -19,6 +19,7 @@ from mistral.policies import action_executions
|
|||
from mistral.policies import base
|
||||
from mistral.policies import cron_trigger
|
||||
from mistral.policies import environment
|
||||
from mistral.policies import event_trigger
|
||||
from mistral.policies import execution
|
||||
from mistral.policies import member
|
||||
from mistral.policies import service
|
||||
|
@ -34,6 +35,7 @@ def list_rules():
|
|||
base.list_rules(),
|
||||
cron_trigger.list_rules(),
|
||||
environment.list_rules(),
|
||||
event_trigger.list_rules(),
|
||||
execution.list_rules(),
|
||||
member.list_rules(),
|
||||
service.list_rules(),
|
||||
|
|
|
@ -0,0 +1,104 @@
|
|||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
from oslo_policy import policy
|
||||
|
||||
from mistral.policies import base
|
||||
|
||||
EVENT_TRIGGERS = 'event_triggers:%s'
|
||||
|
||||
# NOTE(hieulq): all API operations of below rules are not documented in API
|
||||
# reference docs yet.
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=EVENT_TRIGGERS % 'create',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description='Create a new event trigger.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/event_triggers',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=EVENT_TRIGGERS % 'create:public',
|
||||
check_str=base.RULE_ADMIN_ONLY,
|
||||
description='Create a new event trigger for public usage.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/event_triggers',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=EVENT_TRIGGERS % 'delete',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description='Delete event trigger.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/event_triggers/{event_trigger_id}',
|
||||
'method': 'DELETE'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=EVENT_TRIGGERS % 'get',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description='Returns the specified event trigger.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/event_triggers/{event_trigger_id}',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=EVENT_TRIGGERS % 'list',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description='Return all event triggers.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/event_triggers',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=EVENT_TRIGGERS % 'list:all_projects',
|
||||
check_str=base.RULE_ADMIN_ONLY,
|
||||
description='Return all event triggers from all projects.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/event_triggers',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=EVENT_TRIGGERS % 'update',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description='Updates an existing event trigger.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/event_triggers',
|
||||
'method': 'PUT'
|
||||
}
|
||||
]
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -133,6 +133,8 @@ class TestEventTriggerController(base.APITest):
|
|||
@mock.patch.object(db_api, "get_workflow_definition", MOCK_WF)
|
||||
@mock.patch.object(triggers, "create_event_trigger")
|
||||
def test_post_public(self, create_trigger):
|
||||
self.ctx = unit_base.get_context(default=False, admin=True)
|
||||
self.mock_ctx.return_value = self.ctx
|
||||
trigger = copy.deepcopy(TRIGGER)
|
||||
trigger['scope'] = 'public'
|
||||
trigger.pop('id')
|
||||
|
|
|
@ -1,17 +0,0 @@
|
|||
# Copyright 2016 NEC Corporation. All rights reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
policy_data = """{
|
||||
"default": "rule:admin_or_owner",
|
||||
}"""
|
|
@ -12,8 +12,6 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import os
|
||||
|
||||
import fixtures
|
||||
from oslo_config import cfg
|
||||
from oslo_policy import opts as policy_opts
|
||||
|
@ -21,32 +19,15 @@ from oslo_policy import policy as oslo_policy
|
|||
|
||||
from mistral.api import access_control as acl
|
||||
from mistral import policies
|
||||
from mistral.tests.unit import fake_policy
|
||||
|
||||
|
||||
class PolicyFixture(fixtures.Fixture):
|
||||
"""Load a fake policy from nova.tests.unit.fake_policy"""
|
||||
|
||||
def setUp(self):
|
||||
super(PolicyFixture, self).setUp()
|
||||
|
||||
self.policy_dir = self.useFixture(fixtures.TempDir())
|
||||
self.policy_file_name = os.path.join(
|
||||
self.policy_dir.path,
|
||||
'policy.json'
|
||||
)
|
||||
|
||||
with open(self.policy_file_name, 'w') as policy_file:
|
||||
policy_file.write(fake_policy.policy_data)
|
||||
|
||||
policy_opts.set_defaults(cfg.CONF)
|
||||
|
||||
cfg.CONF.set_override(
|
||||
'policy_file',
|
||||
self.policy_file_name,
|
||||
'oslo_policy'
|
||||
)
|
||||
|
||||
acl._ENFORCER = oslo_policy.Enforcer(cfg.CONF)
|
||||
acl._ENFORCER.register_defaults(policies.list_rules())
|
||||
acl._ENFORCER.load_rules()
|
||||
|
|
Loading…
Reference in New Issue