openstack
/
mistral
Code Issues Proposed changes

Merge "Implement policy in code - event trigger (11)"

This commit is contained in:
Zuul 2017-12-01 14:59:46 +00:00 committed by Gerrit Code Review
parent da4cd934a0 4469cacf39
commit 11d3f07e7a
8 changed files with 112 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
devstack/plugin.sh
View File

@ -70,9 +70,6 @@ function configure_mistral {
oslo-config-generator --config-file $MISTRAL_DIR/tools/config/config-generator.mistral.conf --output-file $MISTRAL_CONF_FILE
iniset $MISTRAL_CONF_FILE DEFAULT debug $MISTRAL_DEBUG
MISTRAL_POLICY_FILE=$MISTRAL_CONF_DIR/policy.json
cp $MISTRAL_DIR/etc/policy.json $MISTRAL_POLICY_FILE
# Run all Mistral processes as a single process
iniset $MISTRAL_CONF_FILE DEFAULT server all
@ -94,9 +91,6 @@ function configure_mistral {
# Configure action execution deletion policy
iniset $MISTRAL_CONF_FILE api allow_action_execution_deletion True
# Path of policy.json file.
iniset $MISTRAL_CONF oslo_policy policy_file $MISTRAL_POLICY_FILE
if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ]; then
setup_colorized_logging $MISTRAL_CONF_FILE DEFAULT tenant user
fi

12
etc/policy.json
View File

@ -1,11 +1 @@
{
"default": "rule:admin_or_owner",
"event_triggers:create": "rule:admin_or_owner",
"event_triggers:create:public": "rule:admin_only",
"event_triggers:delete": "rule:admin_or_owner",
"event_triggers:get": "rule:admin_or_owner",
"event_triggers:list": "rule:admin_or_owner",
"event_triggers:list:all_projects": "rule:admin_only",
"event_triggers:update": "rule:admin_or_owner"
}
{}

6
mistral/api/access_control.py
View File

@ -74,9 +74,9 @@ def enforce(action, context, target=None, do_raise=True,
target_obj.update(target or {})
policy_context = context.to_policy_values()
# Because policy.json example in Mistral repo still uses the rule
# 'is_admin: True', we insert 'is_admin' key to the default policy
# values.
# Because policy.json or policy.yaml example in Mistral repo still uses
# the rule 'is_admin: True', we insert 'is_admin' key to the default
# policy values.
policy_context['is_admin'] = context.is_admin
_ensure_enforcer_initialization()

2
mistral/policies/__init__.py
View File

@ -19,6 +19,7 @@ from mistral.policies import action_executions
from mistral.policies import base
from mistral.policies import cron_trigger
from mistral.policies import environment
from mistral.policies import event_trigger
from mistral.policies import execution
from mistral.policies import member
from mistral.policies import service
@ -34,6 +35,7 @@ def list_rules():
base.list_rules(),
cron_trigger.list_rules(),
environment.list_rules(),
event_trigger.list_rules(),
execution.list_rules(),
member.list_rules(),
service.list_rules(),

104
mistral/policies/event_trigger.py Normal file
View File

@ -0,0 +1,104 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from mistral.policies import base
EVENT_TRIGGERS = 'event_triggers:%s'
# NOTE(hieulq): all API operations of below rules are not documented in API
# reference docs yet.
rules = [
policy.DocumentedRuleDefault(
name=EVENT_TRIGGERS % 'create',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Create a new event trigger.',
operations=[
{
'path': '/v2/event_triggers',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=EVENT_TRIGGERS % 'create:public',
check_str=base.RULE_ADMIN_ONLY,
description='Create a new event trigger for public usage.',
operations=[
{
'path': '/v2/event_triggers',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=EVENT_TRIGGERS % 'delete',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Delete event trigger.',
operations=[
{
'path': '/v2/event_triggers/{event_trigger_id}',
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name=EVENT_TRIGGERS % 'get',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Returns the specified event trigger.',
operations=[
{
'path': '/v2/event_triggers/{event_trigger_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=EVENT_TRIGGERS % 'list',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Return all event triggers.',
operations=[
{
'path': '/v2/event_triggers',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=EVENT_TRIGGERS % 'list:all_projects',
check_str=base.RULE_ADMIN_ONLY,
description='Return all event triggers from all projects.',
operations=[
{
'path': '/v2/event_triggers',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=EVENT_TRIGGERS % 'update',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Updates an existing event trigger.',
operations=[
{
'path': '/v2/event_triggers',
'method': 'PUT'
}
]
)
]
def list_rules():
return rules

2
mistral/tests/unit/api/v2/test_event_trigger.py
View File

@ -133,6 +133,8 @@ class TestEventTriggerController(base.APITest):
@mock.patch.object(db_api, "get_workflow_definition", MOCK_WF)
@mock.patch.object(triggers, "create_event_trigger")
def test_post_public(self, create_trigger):
self.ctx = unit_base.get_context(default=False, admin=True)
self.mock_ctx.return_value = self.ctx
trigger = copy.deepcopy(TRIGGER)
trigger['scope'] = 'public'
trigger.pop('id')

17
mistral/tests/unit/fake_policy.py
View File

@ -1,17 +0,0 @@
# Copyright 2016 NEC Corporation. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
policy_data = """{
"default": "rule:admin_or_owner",
}"""

19
mistral/tests/unit/mstrlfixtures/policy_fixtures.py
View File

@ -12,8 +12,6 @@
# License for the specific language governing permissions and limitations
# under the License.
import os
import fixtures
from oslo_config import cfg
from oslo_policy import opts as policy_opts
@ -21,32 +19,15 @@ from oslo_policy import policy as oslo_policy
from mistral.api import access_control as acl
from mistral import policies
from mistral.tests.unit import fake_policy
class PolicyFixture(fixtures.Fixture):
"""Load a fake policy from nova.tests.unit.fake_policy"""
def setUp(self):
super(PolicyFixture, self).setUp()
self.policy_dir = self.useFixture(fixtures.TempDir())
self.policy_file_name = os.path.join(
self.policy_dir.path,
'policy.json'
)
with open(self.policy_file_name, 'w') as policy_file:
policy_file.write(fake_policy.policy_data)
policy_opts.set_defaults(cfg.CONF)
cfg.CONF.set_override(
'policy_file',
self.policy_file_name,
'oslo_policy'
)
acl._ENFORCER = oslo_policy.Enforcer(cfg.CONF)
acl._ENFORCER.register_defaults(policies.list_rules())
acl._ENFORCER.load_rules()