Remove murano default policy.json

This commit removes the murano default policy.json file from etc/murano and references to it in murano's devstack plugin. (References to the policy.json in muranodashboard remain the same). This commit specifically: - removes the default policy.json - removes references to it in devstack plugin - adds base rules to murano.common.policies.__init__ because they are the last rules to be included - updates base admin_api rule to is_admin:True from is_admin:1 (because the latter was causing issues) - updates Murano policy documentation Partially Implements: blueprint policy-in-code Depends-On: Ia372983d2bd1010cd19f04061f3276ed16e9c1c9 Change-Id: I1a8581a559e4333a74d56a5bdce7e6d1f117907d
2017-06-14 15:46:28 +01:00 · 2017-06-14 15:46:28 +01:00 · fb1a2d5bbe
parent fa52193c87
commit fb1a2d5bbe
7 changed files with 68 additions and 61 deletions
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -161,7 +161,6 @@ function configure_murano {
                          --namespace oslo.messaging \
                          > $MURANO_CONF_FILE
    cp $MURANO_DIR/etc/murano/murano-paste.ini $MURANO_CONF_DIR
-    cp $MURANO_DIR/etc/murano/policy.json $MURANO_POLICY_FILE

    cleanup_murano

@ -362,7 +361,6 @@ function setup_core_library() {
           --is-public

    remove_core_apps_zip
-
 }

 # install_murano() - Collect source and prepare
--- a/devstack/settings
+++ b/devstack/settings
@ -16,7 +16,6 @@ MURANO_DIR=$DEST/murano
 MURANO_CONF_DIR=${MURANO_CONF_DIR:-/etc/murano}
 MURANO_CONF_FILE=${MURANO_CONF_DIR}/murano.conf
 MURANO_CFAPI_CONF_FILE=${MURANO_CONF_DIR}/murano-cfapi.conf
-MURANO_POLICY_FILE=${MURANO_CONF_DIR}/policy.json
 MURANO_DEBUG=$(trueorfalse True MURANO_DEBUG)
 MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT=$(trueorfalse False MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT)

--- a/doc/source/administrator-guide/configuration.rst
+++ b/doc/source/administrator-guide/configuration.rst
@ -121,67 +121,75 @@ To configure neutron manually, follow the steps below.
 Policy configuration
 ~~~~~~~~~~~~~~~~~~~~

-Like each service in OpenStack, murano has its own role-based access policies
-that determine who and how can access objects. These policies are defined
-in the service's :file:`policy.json` file.
+Like each service in OpenStack, Murano has its own role-based access policies
+that determine who can access objects and under what circumstances. The default
+implementation for these policies is defined in the service's source code --
+under :file:`murano.common.policies`. The default policy definitions can be
+overridden using the :file:`policy.yaml` file.

-On each API call corresponding policy check is performed.
-:file:`policy.json` file can be changed without interrupting the API service.
+.. note::

-For detailed information on :file:`policy.json` syntax, please refer to the
-`OpenStack official documentation <http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html>`_
+  In previous OpenStack releases the default policy format was JSON, but
+  now the `recommended format <https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html#older-json-format-policy>`_
+  is YAML.
+..
+
+On each API call the corresponding policy check is performed.
+:file:`policy.yaml` file can be changed without interrupting the API service.
+
+For detailed information on :file:`policy.yaml` syntax, please refer to the
+`OpenStack official documentation <https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html>`_

 With this file you can set who may upload packages and perform other operations.

-The :file:`policy.json` example is:
+The :file:`policy.yaml` example is:

-.. code-block:: json
+.. code-block:: yaml

-    {
-       // Rule declaration
-       "context_is_admin": "role:admin",
-       "admin_api": "is_admin:True",
-       "default": "",
+    # Rule declaration
+    "context_is_admin": "role:admin"
+    "admin_api": "is_admin:True"
+    "default": ""

-       // Package operations
-       "get_package": "rule:default",
-       "upload_package": "rule:default",
-       "modify_package": "rule:default",
-       "publicize_package": "rule:admin_api",
-       "manage_public_package": "rule:default",
-       "delete_package": "rule:default",
-       "download_package": "rule:default",
+    # Package operations
+    "get_package": "rule:default"
+    "upload_package": "rule:default"
+    "modify_package": "rule:default"
+    "publicize_package": "rule:admin_api"
+    "manage_public_package": "rule:default"
+    "delete_package": "rule:default"
+    "download_package": "rule:default"

-       // Category operations
-       "get_category": "rule:default",
-       "delete_category": "rule:admin_api",
-       "add_category": "rule:admin_api",
+    # Category operations
+    "get_category": "rule:default"
+    "delete_category": "rule:admin_api"
+    "add_category": "rule:admin_api"

-       // Deployment read operations
-       "list_deployments": "rule:default",
-       "statuses_deployments": "rule:default",
+    # Deployment read operations
+    "list_deployments": "rule:default"
+    "statuses_deployments": "rule:default"

-       // Environment operations
-       "list_environments": "rule:default",
-       "list_environments_all_tenants": "rule:admin_api",
-       "show_environment": "rule:default",
-       "update_environment": "rule:default",
-       "create_environment": "rule:default",
-       "delete_environment": "rule:default",
+    # Environment operations
+    "list_environments": "rule:default"
+    "list_environments_all_tenants": "rule:admin_api"
+    "show_environment": "rule:default"
+    "update_environment": "rule:default"
+    "create_environment": "rule:default"
+    "delete_environment": "rule:default"

-       // Environment template operations
-       "list_env_templates": "rule:default",
-       "create_env_template": "rule:default",
-       "show_env_template": "rule:default",
-       "update_env_template": "rule:default",
-       "delete_env_template": "rule:default",
+    # Environment template operations
+    "list_env_templates": "rule:default"
+    "create_env_template": "rule:default"
+    "show_env_template": "rule:default"
+    "update_env_template": "rule:default"
+    "delete_env_template": "rule:default"

-       // Control on executing actions on deployment environments
-       "execute_action": "rule:default"
-    }
+    # Control on executing actions on deployment environments
+    "execute_action": "rule:default"
+..

 So, changing ``"upload_package": "rule:default"`` to ``"rule:admin_api"``
-will forbid regular users to upload packages.
+will forbid regular users from uploading packages.

 For reference:

@ -205,9 +213,12 @@ For reference:
 - ``"execute_action"`` is checked whenever a user attempts to execute
  an action on deployment environments. default: anyone

-Uploading package wizard in murano dashboard consists of several steps.
-Upload package API call requested from the first form and modify from
-the second one. It provides modifying package parameters on time of
-uploading. So, please modify both configuration together. Otherwise it
-will not be possible to browse package details on the second step
-of the wizard.
+.. note::
+
+  The package upload wizard in Murano dashboard consists of several steps:
+  The "upload_package" policy is enforced during the first step while
+  "modify_package" is enforced during the second step. Package parameters are
+  modified during package upload. So, please modify both policy definitions
+  together. Otherwise it will not be possible to browse package details on the
+  second step of the wizard.
+..
--- a/etc/murano/policy.json
+++ b/etc/murano/policy.json
@ -1,5 +0,0 @@
-{
-    "context_is_admin": "role:admin",
-    "admin_api": "is_admin:True",
-    "default": ""
-}
--- a/murano/common/policies/init.py
+++ b/murano/common/policies/init.py
@ -16,6 +16,7 @@
 import itertools

 from murano.common.policies import action
+from murano.common.policies import base
 from murano.common.policies import category
 from murano.common.policies import deployment
 from murano.common.policies import env_template
@ -25,6 +26,7 @@ from murano.common.policies import package

 def list_rules():
    return itertools.chain(
+        base.list_rules(),
        action.list_rules(),
        category.list_rules(),
        deployment.list_rules(),
--- a/murano/common/policies/base.py
+++ b/murano/common/policies/base.py
@ -25,7 +25,7 @@ rules = [
        check_str='role:admin'),
    policy.RuleDefault(
        name='admin_api',
-        check_str='is_admin:1'),
+        check_str='is_admin:True'),
    policy.RuleDefault(
        name='default',
        check_str='')
--- a/murano/common/policy.py
+++ b/murano/common/policy.py
@ -80,6 +80,8 @@ def check(rule, ctxt, target=None, do_raise=True, exc=None):
                                      specified it will raise an exception of
                                      that type.
    """
+    init()
+
    if target is None:
        target = {}
    creds = ctxt.to_dict()