Merge "Implement policy in code (1)"
commit
329c78c7c3
|
@ -1,6 +1,4 @@
|
|||
{
|
||||
"admin_only": "is_admin:True",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"action_executions:delete": "rule:admin_or_owner",
|
||||
|
|
|
@ -19,6 +19,7 @@ from oslo_config import cfg
|
|||
from oslo_policy import policy
|
||||
|
||||
from mistral import exceptions as exc
|
||||
from mistral import policies
|
||||
|
||||
|
||||
_ENFORCER = None
|
||||
|
@ -93,6 +94,7 @@ def _ensure_enforcer_initialization():
|
|||
global _ENFORCER
|
||||
if not _ENFORCER:
|
||||
_ENFORCER = policy.Enforcer(cfg.CONF)
|
||||
_ENFORCER.register_defaults(policies.list_rules())
|
||||
_ENFORCER.load_rules()
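Review bot: The defaults registered by the added `_ENFORCER.register_defaults(policies.list_rules())` line cover only `admin_only` and `admin_or_owner`; the `default` rule and per-API rules such as `action_executions:delete` still exist only in policy.json. As far as I know oslo.policy denies a check whose rule is unknown, so a deployment that drops or misplaces the file should fail closed, but that deserves a test that enforces an API rule with no policy file present. I would also add a comment above the call, e.g. `# Register in-code defaults before load_rules() so the policy file only has to hold overrides.` The body of `_ensure_enforcer_initialization` begins outside this hunk, and the same three-line setup is repeated in the PolicyFixture hunk.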
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
import itertools
|
||||
|
||||
from mistral.policies import base
|
||||
|
||||
|
||||
def list_rules():
|
||||
return itertools.chain(
|
||||
base.list_rules()
|
||||
)
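Review bot: `list_rules()` has no docstring, although it is the callable that the `oslo.policy.policies` entry point in setup.cfg and both `register_defaults` calls depend on. I would add `"""Return an iterator over every in-code policy default."""`. Because `itertools.chain` yields a one-shot iterator, the docstring should also say that a caller needing the rules twice has to call `list_rules()` again rather than reuse the result.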
|
|
@ -0,0 +1,33 @@
|
|||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
|
||||
RULE_ADMIN_ONLY = 'rule:admin_only'
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
"admin_only",
|
||||
"is_admin:True"),
|
||||
policy.RuleDefault(
|
||||
"admin_or_owner",
|
||||
"is_admin:True or project_id:%(project_id)s")
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
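Review bot: Both `policy.RuleDefault` entries in `rules` are registered without a `description`, so the sample produced by the new genpolicy target should carry no explanation of what each rule grants; for example `policy.RuleDefault("admin_only", "is_admin:True", description="Caller has the admin flag set in its request context.")`. The `admin_or_owner` check compares `project_id` against the target passed to the enforcer, so it is only as strong as the target each API call builds. Those callers are not visible here, but a comment stating that the target must carry the resource's `project_id`, not the caller's own, would help later reviewers. `list_rules()` also returns the module-level list itself, so `return list(rules)` would keep a caller from mutating the shared defaults.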
|
|
@ -26,9 +26,6 @@ class PolicyTestCase(base.BaseTest):
|
|||
self.policy = self.useFixture(policy_fixtures.PolicyFixture())
|
||||
|
||||
rules = {
|
||||
"admin_only": "is_admin:True",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
|
||||
"example:admin": "rule:admin_only",
|
||||
"example:admin_or_owner": "rule:admin_or_owner"
|
||||
}
|
||||
|
|
|
@ -13,8 +13,6 @@
|
|||
# under the License.
|
||||
|
||||
policy_data = """{
|
||||
"admin_only": "is_admin:True",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"action_executions:delete": "rule:admin_or_owner",
|
||||
|
|
|
@ -20,6 +20,7 @@ from oslo_policy import opts as policy_opts
|
|||
from oslo_policy import policy as oslo_policy
|
||||
|
||||
from mistral.api import access_control as acl
|
||||
from mistral import policies
|
||||
from mistral.tests.unit import fake_policy
|
||||
|
||||
|
||||
|
@ -47,11 +48,12 @@ class PolicyFixture(fixtures.Fixture):
|
|||
)
|
||||
|
||||
acl._ENFORCER = oslo_policy.Enforcer(cfg.CONF)
|
||||
acl._ENFORCER.register_defaults(policies.list_rules())
|
||||
acl._ENFORCER.load_rules()
|
||||
|
||||
self.addCleanup(acl._ENFORCER.clear)
|
||||
|
||||
def set_rules(self, rules):
|
||||
def set_rules(self, rules, overwrite=False):
|
||||
policy = acl._ENFORCER
|
||||
|
||||
policy.set_rules(oslo_policy.Rules.from_dict(rules))
|
||||
policy.set_rules(oslo_policy.Rules.from_dict(rules), overwrite)
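Review bot: The new `overwrite=False` default on the fixture's `set_rules` differs from the default of `Enforcer.set_rules` in oslo.policy (True, as far as I recall), so existing tests that call `set_rules(rules)` now merge into whatever was already loaded instead of replacing it. A permissive rule left over from the loaded fake policy could then let a test that expects a denial pass or fail for an unrelated reason, so tests that need an exact rule set should pass `overwrite=True` explicitly. I would pass the flag by keyword, `policy.set_rules(oslo_policy.Rules.from_dict(rules), overwrite=overwrite)`, and add a one-line docstring saying that the default merges with the registered and file-loaded rules. The `PolicyFixture` class starts outside this hunk.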
|
||||
|
|
|
@ -53,6 +53,9 @@ oslo.config.opts =
|
|||
oslo.config.opts.defaults =
|
||||
mistral.config = mistral.config:set_cors_middleware_defaults
|
||||
|
||||
oslo.policy.policies =
|
||||
mistral = mistral.policies:list_rules
|
||||
|
||||
tempest.test_plugins =
|
||||
mistral_test = mistral_tempest_tests.plugin:MistralTempestPlugin
|
||||
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
[DEFAULT]
|
||||
namespace = mistral
|
5
tox.ini
5
tox.ini
|
@ -47,6 +47,11 @@ commands =
|
|||
oslo-config-generator --config-file tools/config/config-generator.mistral.conf \
|
||||
--output-file etc/mistral.conf.sample
|
||||
|
||||
[testenv:genpolicy]
|
||||
commands =
|
||||
oslopolicy-sample-generator --config-file tools/config/policy-generator.mistral.conf \
|
||||
--output-file etc/policy.yaml.sample
|
||||
|
||||
#set PYTHONHASHSEED=0 to prevent wsmeext.sphinxext from randomly failing.
|
||||
[testenv:venv]
|
||||
basepython = python2.7
|
||||
|
|