Merge "Remove murano default policy.json"

This commit is contained in:
Jenkins 2017-06-17 05:02:39 +00:00 committed by Gerrit Code Review
commit 6b1fb69fb0
7 changed files with 68 additions and 61 deletions


@ -161,7 +161,6 @@ function configure_murano {
--namespace oslo.messaging \
> $MURANO_CONF_FILE
cp $MURANO_DIR/etc/murano/murano-paste.ini $MURANO_CONF_DIR
cp $MURANO_DIR/etc/murano/policy.json $MURANO_POLICY_FILE
cleanup_murano
@ -362,7 +361,6 @@ function setup_core_library() {
--is-public
remove_core_apps_zip
}
# install_murano() - Collect source and prepare


@ -16,7 +16,6 @@ MURANO_DIR=$DEST/murano
MURANO_CONF_DIR=${MURANO_CONF_DIR:-/etc/murano}
MURANO_CONF_FILE=${MURANO_CONF_DIR}/murano.conf
MURANO_CFAPI_CONF_FILE=${MURANO_CONF_DIR}/murano-cfapi.conf
MURANO_POLICY_FILE=${MURANO_CONF_DIR}/policy.json
MURANO_DEBUG=$(trueorfalse True MURANO_DEBUG)
MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT=$(trueorfalse False MURANO_ENABLE_MODEL_POLICY_ENFORCEMENT)


@ -121,67 +121,75 @@ To configure neutron manually, follow the steps below.
Policy configuration
~~~~~~~~~~~~~~~~~~~~
Like each service in OpenStack, murano has its own role-based access policies
that determine who and how can access objects. These policies are defined
in the service's :file:`policy.json` file.
Like each service in OpenStack, Murano has its own role-based access policies
that determine who can access objects and under what circumstances. The default
implementation for these policies is defined in the service's source code --
under :file:`murano.common.policies`. The default policy definitions can be
overridden using the :file:`policy.yaml` file.
On each API call corresponding policy check is performed.
:file:`policy.json` file can be changed without interrupting the API service.
.. note::
For detailed information on :file:`policy.json` syntax, please refer to the
`OpenStack official documentation <http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html>`_
In previous OpenStack releases the default policy format was JSON, but
now the `recommended format <https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html#older-json-format-policy>`_
is YAML.
..
On each API call the corresponding policy check is performed.
:file:`policy.yaml` file can be changed without interrupting the API service.
For detailed information on :file:`policy.yaml` syntax, please refer to the
`OpenStack official documentation <https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html>`_
With this file you can set who may upload packages and perform other operations.
The :file:`policy.json` example is:
The :file:`policy.yaml` example is:
.. code-block:: json
.. code-block:: yaml
{
// Rule declaration
"context_is_admin": "role:admin",
"admin_api": "is_admin:True",
"default": "",
# Rule declaration
"context_is_admin": "role:admin"
"admin_api": "is_admin:True"
"default": ""
// Package operations
"get_package": "rule:default",
"upload_package": "rule:default",
"modify_package": "rule:default",
"publicize_package": "rule:admin_api",
"manage_public_package": "rule:default",
"delete_package": "rule:default",
"download_package": "rule:default",
# Package operations
"get_package": "rule:default"
"upload_package": "rule:default"
"modify_package": "rule:default"
"publicize_package": "rule:admin_api"
"manage_public_package": "rule:default"
"delete_package": "rule:default"
"download_package": "rule:default"
// Category operations
"get_category": "rule:default",
"delete_category": "rule:admin_api",
"add_category": "rule:admin_api",
# Category operations
"get_category": "rule:default"
"delete_category": "rule:admin_api"
"add_category": "rule:admin_api"
// Deployment read operations
"list_deployments": "rule:default",
"statuses_deployments": "rule:default",
# Deployment read operations
"list_deployments": "rule:default"
"statuses_deployments": "rule:default"
// Environment operations
"list_environments": "rule:default",
"list_environments_all_tenants": "rule:admin_api",
"show_environment": "rule:default",
"update_environment": "rule:default",
"create_environment": "rule:default",
"delete_environment": "rule:default",
# Environment operations
"list_environments": "rule:default"
"list_environments_all_tenants": "rule:admin_api"
"show_environment": "rule:default"
"update_environment": "rule:default"
"create_environment": "rule:default"
"delete_environment": "rule:default"
// Environment template operations
"list_env_templates": "rule:default",
"create_env_template": "rule:default",
"show_env_template": "rule:default",
"update_env_template": "rule:default",
"delete_env_template": "rule:default",
# Environment template operations
"list_env_templates": "rule:default"
"create_env_template": "rule:default"
"show_env_template": "rule:default"
"update_env_template": "rule:default"
"delete_env_template": "rule:default"
// Control on executing actions on deployment environments
"execute_action": "rule:default"
}
# Control on executing actions on deployment environments
"execute_action": "rule:default"
..
So, changing ``"upload_package": "rule:default"`` to ``"rule:admin_api"``
will forbid regular users to upload packages.
will forbid regular users from uploading packages.
For reference:
@ -205,9 +213,12 @@ For reference:
- ``"execute_action"`` is checked whenever a user attempts to execute
an action on deployment environments. default: anyone
Uploading package wizard in murano dashboard consists of several steps.
Upload package API call requested from the first form and modify from
the second one. It provides modifying package parameters on time of
uploading. So, please modify both configuration together. Otherwise it
will not be possible to browse package details on the second step
of the wizard.
.. note::
The package upload wizard in Murano dashboard consists of several steps:
The "upload_package" policy is enforced during the first step while
"modify_package" is enforced during the second step. Package parameters are
modified during package upload. So, please modify both policy definitions
together. Otherwise it will not be possible to browse package details on the
second step of the wizard.
..


@ -1,5 +0,0 @@
{
"context_is_admin": "role:admin",
"admin_api": "is_admin:True",
"default": ""
}


@ -16,6 +16,7 @@
import itertools
from murano.common.policies import action
from murano.common.policies import base
from murano.common.policies import category
from murano.common.policies import deployment
from murano.common.policies import env_template
@ -25,6 +26,7 @@ from murano.common.policies import package
def list_rules():
return itertools.chain(
base.list_rules(),
action.list_rules(),
category.list_rules(),
deployment.list_rules(),
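Review bot: `list_rules()` has no docstring, and after this commit (which deletes the shipped policy.json) it is the one place where Murano's default rules are assembled for registration with oslo.policy, so a reader has to open every sibling module to learn what it yields. A one-line `"""Chain the default rules of every Murano policy module into one iterable for registration with the Enforcer."""` directly under the `def` would make that explicit. The `itertools.chain(...)` call continues past the end of the hunk, so I cannot see which other modules are still included after `deployment`.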


@ -25,7 +25,7 @@ rules = [
check_str='role:admin'),
policy.RuleDefault(
name='admin_api',
check_str='is_admin:1'),
check_str='is_admin:True'),
policy.RuleDefault(
name='default',
check_str='')
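Review bot: The `default` rule keeps `check_str=''`, and an empty check string is an unconditional pass in oslo.policy (the updated docs in this same commit describe `rule:default` operations as "default: anyone"), so every rule written as `rule:default` grants access to any caller whose request reaches the policy check; nothing in these RuleDefaults records that, and with policy.json gone they are now the only source of the defaults. I would add a `description=` to each entry so the intent is visible in the code and in generated sample policies, e.g. `policy.RuleDefault(name='default', check_str='', description='Empty check: always passes, so rules written as rule:default allow any caller that reaches the API.')` and for `admin_api` `description='Caller context has is_admin set; used for privileged operations.'`. The `rules = [` list opens before this hunk and closes after it.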


@ -80,6 +80,8 @@ def check(rule, ctxt, target=None, do_raise=True, exc=None):
specified it will raise an exception of
that type.
"""
init()
if target is None:
target = {}
creds = ctxt.to_dict()
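Review bot: `init()` is now called at the top of `check()`, i.e. on every policy evaluation, and nothing in the hunk shows that it is idempotent; if `init()` rebuilds the Enforcer and re-registers `list_rules()` each time instead of returning early once an enforcer exists, every API request pays that setup cost and any file-based overrides are reparsed per call. Please confirm the early-return guard in `init()` (outside this hunk) and state the contract on the line itself: `init()  # idempotent: builds the module-level Enforcer only on first use`. `check()`'s signature and the remainder of its body lie outside the hunk.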