Implement policy in code (1)

This commit prepare for implementing policies in code[1]. Like oslo.config, with oslo.policy, we can define all of default rules in code base and only change some rules via policy file. Another thing that we should use yaml format instead of json format. [1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html Co-authored-By: Hieu LE <hieulq@vn.fujitsu.com> Change-Id: I2051b6c25333c95aa9ea6786964d4ab710ea93e8
2017-10-04 09:06:35 +07:00 · 2017-10-04 09:06:35 +07:00 · 49ed570cfe
parent a944cdb98e
commit 49ed570cfe
10 changed files with 73 additions and 9 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -1,6 +1,4 @@
 {
-    "admin_only": "is_admin:True",
-    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",

    "action_executions:delete": "rule:admin_or_owner",
--- a/mistral/api/access_control.py
+++ b/mistral/api/access_control.py
@ -19,6 +19,7 @@ from oslo_config import cfg
 from oslo_policy import policy

 from mistral import exceptions as exc
+from mistral import policies


 _ENFORCER = None
@ -93,6 +94,7 @@ def _ensure_enforcer_initialization():
    global _ENFORCER
    if not _ENFORCER:
        _ENFORCER = policy.Enforcer(cfg.CONF)
+        _ENFORCER.register_defaults(policies.list_rules())
        _ENFORCER.load_rules()


--- a/mistral/policies/init.py
+++ b/mistral/policies/init.py
@ -0,0 +1,24 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+import itertools
+
+from mistral.policies import base
+
+
+def list_rules():
+    return itertools.chain(
+        base.list_rules()
+    )
--- a/mistral/policies/base.py
+++ b/mistral/policies/base.py
@ -0,0 +1,33 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_ONLY = 'rule:admin_only'
+
+rules = [
+    policy.RuleDefault(
+        "admin_only",
+        "is_admin:True"),
+    policy.RuleDefault(
+        "admin_or_owner",
+        "is_admin:True or project_id:%(project_id)s")
+]
+
+
+def list_rules():
+    return rules
--- a/mistral/tests/unit/api/test_access_control.py
+++ b/mistral/tests/unit/api/test_access_control.py
@ -26,9 +26,6 @@ class PolicyTestCase(base.BaseTest):
        self.policy = self.useFixture(policy_fixtures.PolicyFixture())

        rules = {
-            "admin_only": "is_admin:True",
-            "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
-
            "example:admin": "rule:admin_only",
            "example:admin_or_owner": "rule:admin_or_owner"
        }
--- a/mistral/tests/unit/fake_policy.py
+++ b/mistral/tests/unit/fake_policy.py
@ -13,8 +13,6 @@
 # under the License.

 policy_data = """{
-    "admin_only": "is_admin:True",
-    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",

    "action_executions:delete": "rule:admin_or_owner",
--- a/mistral/tests/unit/mstrlfixtures/policy_fixtures.py
+++ b/mistral/tests/unit/mstrlfixtures/policy_fixtures.py
@ -20,6 +20,7 @@ from oslo_policy import opts as policy_opts
 from oslo_policy import policy as oslo_policy

 from mistral.api import access_control as acl
+from mistral import policies
 from mistral.tests.unit import fake_policy


@ -47,11 +48,12 @@ class PolicyFixture(fixtures.Fixture):
        )

        acl._ENFORCER = oslo_policy.Enforcer(cfg.CONF)
+        acl._ENFORCER.register_defaults(policies.list_rules())
        acl._ENFORCER.load_rules()

        self.addCleanup(acl._ENFORCER.clear)

-    def set_rules(self, rules):
+    def set_rules(self, rules, overwrite=False):
        policy = acl._ENFORCER

-        policy.set_rules(oslo_policy.Rules.from_dict(rules))
+        policy.set_rules(oslo_policy.Rules.from_dict(rules), overwrite)
--- a/setup.cfg
+++ b/setup.cfg
@ -53,6 +53,9 @@ oslo.config.opts =
 oslo.config.opts.defaults =
    mistral.config = mistral.config:set_cors_middleware_defaults

+oslo.policy.policies =
+    mistral = mistral.policies:list_rules
+
 tempest.test_plugins =
    mistral_test = mistral_tempest_tests.plugin:MistralTempestPlugin

--- a/tools/config/policy-generator.mistral.conf
+++ b/tools/config/policy-generator.mistral.conf
@ -0,0 +1,2 @@
+[DEFAULT]
+namespace = mistral
--- a/tox.ini
+++ b/tox.ini
@ -47,6 +47,11 @@ commands =
    oslo-config-generator --config-file tools/config/config-generator.mistral.conf \
    --output-file etc/mistral.conf.sample

+[testenv:genpolicy]
+commands =
+    oslopolicy-sample-generator --config-file tools/config/policy-generator.mistral.conf \
+    --output-file etc/policy.yaml.sample
+
 #set PYTHONHASHSEED=0 to prevent wsmeext.sphinxext from randomly failing.
 [testenv:venv]
 basepython = python2.7