authorJenkins <jenkins@review.openstack.org>2017-06-17 05:02:39 +0000
committerGerrit Code Review <review@openstack.org>2017-06-17 05:02:39 +0000
commit6b1fb69fb016223a693a392b7964e0d27d11f7a4 (patch)
tree337cd87fd2afb615ced657d48af7cb98e64f22f2
parent764135fc480da2750e40c8ba66931c33156e9e9e (diff)
parentfb1a2d5bbe8bf4d00267b2927051aed4249b209f (diff)
Merge "Remove murano default policy.json"
-rwxr-xr-xdevstack/plugin.sh2
-rw-r--r--devstack/settings1
-rw-r--r--doc/source/administrator-guide/configuration.rst131
-rw-r--r--etc/murano/policy.json5
-rw-r--r--murano/common/policies/__init__.py2
-rw-r--r--murano/common/policies/base.py2
-rw-r--r--murano/common/policy.py2
7 files changed, 76 insertions, 69 deletions
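--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -161,7 +161,6 @@ function configure_murano {
  --namespace oslo.messaging \
  > $MURANO_CONF_FILE
  cp $MURANO_DIR/etc/murano/murano-paste.ini $MURANO_CONF_DIR
- cp $MURANO_DIR/etc/murano/policy.json $MURANO_POLICY_FILE
 
  cleanup_murano
 
@@ -362,7 +361,6 @@ function setup_core_library() {
  --is-public
 
  remove_core_apps_zip
-
 }
 
 # install_murano() - Collect source and prepare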
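--- a/devstack/settings
+++ b/devstack/settings
@@ -16,7 +16,6 @@ MURANO_DIR=$DEST/murano
 MURANO_CONF_DIR=${MURANO_CONF_DIR:-/etc/murano}
 MURANO_CONF_FILE=${MURANO_CONF_DIR}/murano.conf
 MURANO_CFAPI_CONF_FILE=${MURANO_CONF_DIR}/murano-cfapi.conf
-MURANO_POLICY_FILE=${MURANO_CONF_DIR}/policy.json
 MURANO_DEBUG=$(trueorfalse True MURANO_DEBUG)
 MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT=$(trueorfalse False MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT)
 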
diff --git a/doc/source/administrator-guide/configuration.rst b/doc/source/administrator-guide/configuration.rst
index c59058c..9990db4 100644
--- a/doc/source/administrator-guide/configuration.rst
+++ b/doc/source/administrator-guide/configuration.rst
@@ -121,67 +121,75 @@ To configure neutron manually, follow the steps below.
121Policy configuration 121Policy configuration
122~~~~~~~~~~~~~~~~~~~~ 122~~~~~~~~~~~~~~~~~~~~
123 123
124Like each service in OpenStack, murano has its own role-based access policies 124Like each service in OpenStack, Murano has its own role-based access policies
125that determine who and how can access objects. These policies are defined 125that determine who can access objects and under what circumstances. The default
126in the service's :file:`policy.json` file. 126implementation for these policies is defined in the service's source code --
127under :file:`murano.common.policies`. The default policy definitions can be
128overridden using the :file:`policy.yaml` file.
127 129
128On each API call corresponding policy check is performed. 130.. note::
129:file:`policy.json` file can be changed without interrupting the API service.
130 131
131For detailed information on :file:`policy.json` syntax, please refer to the 132 In previous OpenStack releases the default policy format was JSON, but
132`OpenStack official documentation <http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html>`_ 133 now the `recommended format <https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html#older-json-format-policy>`_
134 is YAML.
135..
136
137On each API call the corresponding policy check is performed.
138:file:`policy.yaml` file can be changed without interrupting the API service.
139
140For detailed information on :file:`policy.yaml` syntax, please refer to the
141`OpenStack official documentation <https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html>`_
133 142
134With this file you can set who may upload packages and perform other operations. 143With this file you can set who may upload packages and perform other operations.
135 144
136The :file:`policy.json` example is: 145The :file:`policy.yaml` example is:
137 146
138.. code-block:: json 147.. code-block:: yaml
139 148
140 { 149 # Rule declaration
141 // Rule declaration 150 "context_is_admin": "role:admin"
142 "context_is_admin": "role:admin", 151 "admin_api": "is_admin:True"
143 "admin_api": "is_admin:True", 152 "default": ""
144 "default": "", 153
145 154 # Package operations
146 // Package operations 155 "get_package": "rule:default"
147 "get_package": "rule:default", 156 "upload_package": "rule:default"
148 "upload_package": "rule:default", 157 "modify_package": "rule:default"
149 "modify_package": "rule:default", 158 "publicize_package": "rule:admin_api"
150 "publicize_package": "rule:admin_api", 159 "manage_public_package": "rule:default"
151 "manage_public_package": "rule:default", 160 "delete_package": "rule:default"
152 "delete_package": "rule:default", 161 "download_package": "rule:default"
153 "download_package": "rule:default", 162
154 163 # Category operations
155 // Category operations 164 "get_category": "rule:default"
156 "get_category": "rule:default", 165 "delete_category": "rule:admin_api"
157 "delete_category": "rule:admin_api", 166 "add_category": "rule:admin_api"
158 "add_category": "rule:admin_api", 167
159 168 # Deployment read operations
160 // Deployment read operations 169 "list_deployments": "rule:default"
161 "list_deployments": "rule:default", 170 "statuses_deployments": "rule:default"
162 "statuses_deployments": "rule:default", 171
163 172 # Environment operations
164 // Environment operations 173 "list_environments": "rule:default"
165 "list_environments": "rule:default", 174 "list_environments_all_tenants": "rule:admin_api"
166 "list_environments_all_tenants": "rule:admin_api", 175 "show_environment": "rule:default"
167 "show_environment": "rule:default", 176 "update_environment": "rule:default"
168 "update_environment": "rule:default", 177 "create_environment": "rule:default"
169 "create_environment": "rule:default", 178 "delete_environment": "rule:default"
170 "delete_environment": "rule:default", 179
171 180 # Environment template operations
172 // Environment template operations 181 "list_env_templates": "rule:default"
173 "list_env_templates": "rule:default", 182 "create_env_template": "rule:default"
174 "create_env_template": "rule:default", 183 "show_env_template": "rule:default"
175 "show_env_template": "rule:default", 184 "update_env_template": "rule:default"
176 "update_env_template": "rule:default", 185 "delete_env_template": "rule:default"
177 "delete_env_template": "rule:default", 186
178 187 # Control on executing actions on deployment environments
179 // Control on executing actions on deployment environments 188 "execute_action": "rule:default"
180 "execute_action": "rule:default" 189..
181 }
182 190
183So, changing ``"upload_package": "rule:default"`` to ``"rule:admin_api"`` 191So, changing ``"upload_package": "rule:default"`` to ``"rule:admin_api"``
184will forbid regular users to upload packages. 192will forbid regular users from uploading packages.
185 193
186For reference: 194For reference:
187 195
@@ -205,9 +213,12 @@ For reference:
205- ``"execute_action"`` is checked whenever a user attempts to execute 213- ``"execute_action"`` is checked whenever a user attempts to execute
206 an action on deployment environments. default: anyone 214 an action on deployment environments. default: anyone
207 215
208Uploading package wizard in murano dashboard consists of several steps. 216.. note::
209Upload package API call requested from the first form and modify from 217
210the second one. It provides modifying package parameters on time of 218 The package upload wizard in Murano dashboard consists of several steps:
211uploading. So, please modify both configuration together. Otherwise it 219 The "upload_package" policy is enforced during the first step while
212will not be possible to browse package details on the second step 220 "modify_package" is enforced during the second step. Package parameters are
213of the wizard. 221 modified during package upload. So, please modify both policy definitions
222 together. Otherwise it will not be possible to browse package details on the
223 second step of the wizard.
224..
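--- a/etc/murano/policy.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "admin_api": "is_admin:True",
- "default": ""
-}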
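--- a/murano/common/policies/__init__.py
+++ b/murano/common/policies/__init__.py
@@ -16,6 +16,7 @@
 import itertools
 
 from murano.common.policies import action
+from murano.common.policies import base
 from murano.common.policies import category
 from murano.common.policies import deployment
 from murano.common.policies import env_template
@@ -25,6 +26,7 @@ from murano.common.policies import package
 
 def list_rules():
  return itertools.chain(
+ base.list_rules(),
  action.list_rules(),
  category.list_rules(),
  deployment.list_rules(),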
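Review bot: `list_rules` still carries no docstring even though it is now the single place where every default rule, including the `admin_api` and `default` building blocks from `base`, is collected for registration; add `"""Return an iterator over every default policy rule murano ships (oslo.policy RuleDefault objects)."""` above the `return`. It is worth stating there that `base` supplies the rules the other modules reference by name — `rule:default` and `rule:admin_api` appear throughout the configuration guide updated in this same change — so a future reader does not treat the `base` entry as optional. The `itertools.chain(...)` call continues past the end of the hunk.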
diff --git a/murano/common/policies/base.py b/murano/common/policies/base.py
index 290840c..f5e9ff6 100644
--- a/murano/common/policies/base.py
+++ b/murano/common/policies/base.py
@@ -25,7 +25,7 @@ rules = [
25 check_str='role:admin'), 25 check_str='role:admin'),
26 policy.RuleDefault( 26 policy.RuleDefault(
27 name='admin_api', 27 name='admin_api',
28 check_str='is_admin:1'), 28 check_str='is_admin:True'),
29 policy.RuleDefault( 29 policy.RuleDefault(
30 name='default', 30 name='default',
31 check_str='') 31 check_str='')
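Review bot: The `default` rule kept as context at the bottom of the hunk has `check_str=''`, an empty check that passes for every caller that reaches the API (the configuration guide in this same change documents it as `default: anyone`), and most operation rules are bound to `rule:default`; nothing in the code tells an operator reading the generated sample policy that this is a deliberate allow-all they are expected to tighten. Each `policy.RuleDefault` here should carry a `description=`, e.g. for `default`: `description='Empty check that matches every request; operations bound to rule:default are open to any caller unless overridden in policy.yaml.'`. For `admin_api`, a note that `is_admin:True` is presumably a string comparison against the context's `is_admin` attribute, so the value must stringify to exactly `True`, would explain why the old `is_admin:1` form could never match. The enclosing `rules = [` list opens before this hunk.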
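--- a/murano/common/policy.py
+++ b/murano/common/policy.py
@@ -80,6 +80,8 @@ def check(rule, ctxt, target=None, do_raise=True, exc=None):
  specified it will raise an exception of
  that type.
  """
+ init()
+
  if target is None:
  target = {}
  creds = ctxt.to_dict()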
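Review bot: `init()` is now executed at the top of every `check()` call, but nothing in this hunk guards it, so unless `init()` itself returns early once the enforcer exists (its body is outside this hunk), every API request will presumably rebuild the enforcer and re-register the default rules, paying that cost on each policy decision. Either make `init()` idempotent with an early return on an already-initialised module-level enforcer, or guard the call here, e.g. `if _ENFORCER is None: init()` using whatever handle `init()` sets, and add a one-line comment stating why the call is needed before the first enforce. `check()` begins before this hunk (its docstring is cut) and its body continues after `creds = ctxt.to_dict()`.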