Merge "Implement policy in code (1)"

2017-12-01 14:22:53 +00:00 · 2017-12-01 14:22:53 +00:00 · 329c78c7c3
parent c5fd23cda7 49ed570cfe
commit 329c78c7c3
10 changed files with 73 additions and 9 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -1,6 +1,4 @@
 {
-    "admin_only": "is_admin:True",
-    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",

    "action_executions:delete": "rule:admin_or_owner",
--- a/mistral/api/access_control.py
+++ b/mistral/api/access_control.py
@ -19,6 +19,7 @@ from oslo_config import cfg
 from oslo_policy import policy

 from mistral import exceptions as exc
+from mistral import policies


 _ENFORCER = None
@ -93,6 +94,7 @@ def _ensure_enforcer_initialization():
    global _ENFORCER
    if not _ENFORCER:
        _ENFORCER = policy.Enforcer(cfg.CONF)
+        _ENFORCER.register_defaults(policies.list_rules())
        _ENFORCER.load_rules()


--- a/mistral/policies/init.py
+++ b/mistral/policies/init.py
@ -0,0 +1,24 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+import itertools
+
+from mistral.policies import base
+
+
+def list_rules():
+    return itertools.chain(
+        base.list_rules()
+    )
--- a/mistral/policies/base.py
+++ b/mistral/policies/base.py
@ -0,0 +1,33 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_ONLY = 'rule:admin_only'
+
+rules = [
+    policy.RuleDefault(
+        "admin_only",
+        "is_admin:True"),
+    policy.RuleDefault(
+        "admin_or_owner",
+        "is_admin:True or project_id:%(project_id)s")
+]
+
+
+def list_rules():
+    return rules
--- a/mistral/tests/unit/api/test_access_control.py
+++ b/mistral/tests/unit/api/test_access_control.py
@ -26,9 +26,6 @@ class PolicyTestCase(base.BaseTest):
        self.policy = self.useFixture(policy_fixtures.PolicyFixture())

        rules = {
-            "admin_only": "is_admin:True",
-            "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
-
            "example:admin": "rule:admin_only",
            "example:admin_or_owner": "rule:admin_or_owner"
        }
--- a/mistral/tests/unit/fake_policy.py
+++ b/mistral/tests/unit/fake_policy.py
@ -13,8 +13,6 @@
 # under the License.

 policy_data = """{
-    "admin_only": "is_admin:True",
-    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",

    "action_executions:delete": "rule:admin_or_owner",
--- a/mistral/tests/unit/mstrlfixtures/policy_fixtures.py
+++ b/mistral/tests/unit/mstrlfixtures/policy_fixtures.py
@ -20,6 +20,7 @@ from oslo_policy import opts as policy_opts
 from oslo_policy import policy as oslo_policy

 from mistral.api import access_control as acl
+from mistral import policies
 from mistral.tests.unit import fake_policy


@ -47,11 +48,12 @@ class PolicyFixture(fixtures.Fixture):
        )

        acl._ENFORCER = oslo_policy.Enforcer(cfg.CONF)
+        acl._ENFORCER.register_defaults(policies.list_rules())
        acl._ENFORCER.load_rules()

        self.addCleanup(acl._ENFORCER.clear)

-    def set_rules(self, rules):
+    def set_rules(self, rules, overwrite=False):
        policy = acl._ENFORCER

-        policy.set_rules(oslo_policy.Rules.from_dict(rules))
+        policy.set_rules(oslo_policy.Rules.from_dict(rules), overwrite)
--- a/setup.cfg
+++ b/setup.cfg
@ -53,6 +53,9 @@ oslo.config.opts =
 oslo.config.opts.defaults =
    mistral.config = mistral.config:set_cors_middleware_defaults

+oslo.policy.policies =
+    mistral = mistral.policies:list_rules
+
 tempest.test_plugins =
    mistral_test = mistral_tempest_tests.plugin:MistralTempestPlugin

--- a/tools/config/policy-generator.mistral.conf
+++ b/tools/config/policy-generator.mistral.conf
@ -0,0 +1,2 @@
+[DEFAULT]
+namespace = mistral
--- a/tox.ini
+++ b/tox.ini
@ -47,6 +47,11 @@ commands =
    oslo-config-generator --config-file tools/config/config-generator.mistral.conf \
    --output-file etc/mistral.conf.sample

+[testenv:genpolicy]
+commands =
+    oslopolicy-sample-generator --config-file tools/config/policy-generator.mistral.conf \
+    --output-file etc/policy.yaml.sample
+
 #set PYTHONHASHSEED=0 to prevent wsmeext.sphinxext from randomly failing.
 [testenv:venv]
 basepython = python2.7