Implement policy in code (1)
This commit prepares for implementing policies in code [1]. As with oslo.config, oslo.policy lets us define all of the default rules in the code base and override only some of them via the policy file. We should also use the YAML format instead of the JSON format. [1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html Co-authored-By: Hieu LE <hieulq@vn.fujitsu.com> Change-Id: I2051b6c25333c95aa9ea6786964d4ab710ea93e8
This commit is contained in:
parent
a944cdb98e
commit
49ed570cfe
|
@ -1,6 +1,4 @@
|
|||
{
|
||||
"admin_only": "is_admin:True",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"action_executions:delete": "rule:admin_or_owner",
|
||||
|
|
|
@ -19,6 +19,7 @@ from oslo_config import cfg
|
|||
from oslo_policy import policy
|
||||
|
||||
from mistral import exceptions as exc
|
||||
from mistral import policies
|
||||
|
||||
|
||||
_ENFORCER = None
|
||||
|
@ -93,6 +94,7 @@ def _ensure_enforcer_initialization():
|
|||
global _ENFORCER
|
||||
if not _ENFORCER:
|
||||
_ENFORCER = policy.Enforcer(cfg.CONF)
|
||||
_ENFORCER.register_defaults(policies.list_rules())
|
||||
_ENFORCER.load_rules()
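Review bot: The enforcer built on the line above the new `register_defaults` call still uses whatever `policy_file` oslo.policy defaults to; the commit message says the project should move to YAML, but nothing in this hunk changes that default, so if it is not done elsewhere (e.g. `policy_opts.set_defaults(cfg.CONF, policy_file='policy.yaml')` from `oslo_policy.opts`, called before `Enforcer` is constructed) the generated `etc/policy.yaml.sample` is not what the service reads. The ordering of the two new lines deserves a comment, since it is what makes a partial policy file sufficient: `# register code defaults first; the policy file then only needs to list rules it overrides`. The same three-line construction is repeated in `PolicyFixture.setUp` (hunk `@ -47,11 +48,12 @@`); exposing it from `access_control` would keep the test enforcer from drifting from the production one. `_ensure_enforcer_initialization` starts outside the hunk.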
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
import itertools
|
||||
|
||||
from mistral.policies import base
|
||||
|
||||
|
||||
def list_rules():
|
||||
return itertools.chain(
|
||||
base.list_rules()
|
||||
)
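Review bot: `list_rules` is the `oslo.policy.policies` entry point registered in `setup.cfg` and is also what `_ensure_enforcer_initialization` feeds to `register_defaults`, yet it carries no docstring saying that new policy modules are meant to be chained in here. A docstring such as `"""Return every policy default Mistral registers; chain new policy modules' list_rules() into this call."""` would make the extension point explicit. Note that `itertools.chain` yields a single-pass iterator, which is fine for `register_defaults` but returns nothing on a second iteration, so a caller that wants to inspect the defaults more than once must materialise the result.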
|
|
@ -0,0 +1,33 @@
|
|||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
|
||||
RULE_ADMIN_ONLY = 'rule:admin_only'
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
"admin_only",
|
||||
"is_admin:True"),
|
||||
policy.RuleDefault(
|
||||
"admin_or_owner",
|
||||
"is_admin:True or project_id:%(project_id)s")
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
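Review bot: Both `policy.RuleDefault` entries are created without a `description`, so the `oslopolicy-sample-generator` target added in `tox.ini` will emit `admin_only` and `admin_or_owner` into `policy.yaml.sample` with no explanation of what they gate. Supplying the argument, e.g. `policy.RuleDefault("admin_only", "is_admin:True", description="Rule for administrator-only actions"),` and the corresponding text for `admin_or_owner`, fixes that at the source. `rules` is also a mutable module-level list handed out directly by `list_rules()`, so any caller can alter the process-wide defaults; returning `list(rules)` or defining it as a tuple would close that off. `RULE_ADMIN_OR_OWNER` and `RULE_ADMIN_ONLY` are unused in this file, presumably reserved for later policy modules — a one-line comment saying so would save the next reader a search.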
|
|
@ -26,9 +26,6 @@ class PolicyTestCase(base.BaseTest):
|
|||
self.policy = self.useFixture(policy_fixtures.PolicyFixture())
|
||||
|
||||
rules = {
|
||||
"admin_only": "is_admin:True",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
|
||||
"example:admin": "rule:admin_only",
|
||||
"example:admin_or_owner": "rule:admin_or_owner"
|
||||
}
|
||||
|
|
|
@ -13,8 +13,6 @@
|
|||
# under the License.
|
||||
|
||||
policy_data = """{
|
||||
"admin_only": "is_admin:True",
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"action_executions:delete": "rule:admin_or_owner",
|
||||
|
|
|
@ -20,6 +20,7 @@ from oslo_policy import opts as policy_opts
|
|||
from oslo_policy import policy as oslo_policy
|
||||
|
||||
from mistral.api import access_control as acl
|
||||
from mistral import policies
|
||||
from mistral.tests.unit import fake_policy
|
||||
|
||||
|
||||
|
@ -47,11 +48,12 @@ class PolicyFixture(fixtures.Fixture):
|
|||
)
|
||||
|
||||
acl._ENFORCER = oslo_policy.Enforcer(cfg.CONF)
|
||||
acl._ENFORCER.register_defaults(policies.list_rules())
|
||||
acl._ENFORCER.load_rules()
|
||||
|
||||
self.addCleanup(acl._ENFORCER.clear)
|
||||
|
||||
def set_rules(self, rules):
|
||||
def set_rules(self, rules, overwrite=False):
|
||||
policy = acl._ENFORCER
|
||||
|
||||
policy.set_rules(oslo_policy.Rules.from_dict(rules))
|
||||
policy.set_rules(oslo_policy.Rules.from_dict(rules), overwrite)
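Review bot: The new `overwrite=False` default on `set_rules` silently flips the fixture's semantics: the removed call passed no `overwrite`, so oslo.policy's own default applied and each call replaced the rule set, whereas tests calling `set_rules` now merge into whatever is already loaded, including the defaults registered in `setUp`. That is presumably the intent (an overwrite would drop those defaults, and the rules left in `PolicyTestCase` reference `rule:admin_only`), but nothing says so, and a test that relied on a rule being absent after `set_rules` would now pass for the wrong reason. A docstring on the method would pin the contract: `"""Merge *rules* into the test enforcer; pass overwrite=True to discard the registered defaults as well."""`.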
|
||||
|
|
|
@ -53,6 +53,9 @@ oslo.config.opts =
|
|||
oslo.config.opts.defaults =
|
||||
mistral.config = mistral.config:set_cors_middleware_defaults
|
||||
|
||||
oslo.policy.policies =
|
||||
mistral = mistral.policies:list_rules
|
||||
|
||||
tempest.test_plugins =
|
||||
mistral_test = mistral_tempest_tests.plugin:MistralTempestPlugin
|
||||
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
[DEFAULT]
|
||||
namespace = mistral
|
5
tox.ini
5
tox.ini
|
@ -47,6 +47,11 @@ commands =
|
|||
oslo-config-generator --config-file tools/config/config-generator.mistral.conf \
|
||||
--output-file etc/mistral.conf.sample
|
||||
|
||||
[testenv:genpolicy]
|
||||
commands =
|
||||
oslopolicy-sample-generator --config-file tools/config/policy-generator.mistral.conf \
|
||||
--output-file etc/policy.yaml.sample
|
||||
|
||||
#set PYTHONHASHSEED=0 to prevent wsmeext.sphinxext from randomly failing.
|
||||
[testenv:venv]
|
||||
basepython = python2.7
|
||||
|
|