Merge "Maintain policy in code"

This commit is contained in:
Jenkins 2017-06-23 12:23:51 +00:00 committed by Gerrit Code Review
commit 58838ce6c2
18 changed files with 524 additions and 0 deletions

3
.gitignore vendored

@ -72,6 +72,9 @@ ChangeLog
etc/barbican/barbican.conf
etc/barbican/barbican.conf.sample
# File created by oslopolicy-sample-generator
etc/barbican/policy.yaml.sample
# Files created by releasenotes build
releasenotes/build


@ -0,0 +1,43 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import itertools
from barbican.common.policies import acls
from barbican.common.policies import base
from barbican.common.policies import cas
from barbican.common.policies import consumers
from barbican.common.policies import containers
from barbican.common.policies import orders
from barbican.common.policies import quotas
from barbican.common.policies import secretmeta
from barbican.common.policies import secrets
from barbican.common.policies import secretstores
from barbican.common.policies import transportkeys
from barbican.common.policies import versions
def list_rules():
return itertools.chain(
acls.list_rules(),
base.list_rules(),
cas.list_rules(),
consumers.list_rules(),
containers.list_rules(),
orders.list_rules(),
quotas.list_rules(),
secretmeta.list_rules(),
secrets.list_rules(),
secretstores.list_rules(),
transportkeys.list_rules(),
versions.list_rules(),
)
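Review bot: None of the 18 files in this change touch barbican's policy Enforcer, so `list_rules()` is only reached through the `oslo.policy.policies` entry point by `oslopolicy-sample-generator`; at runtime the enforcer presumably still loads `policy.json` alone, and the in-code defaults and the JSON file can drift without any test noticing. A follow-up should call `enforcer.register_defaults(policies.list_rules())` where the Enforcer is constructed, so that the sample file really is "the effective policy" as the release note claims. The function also has no docstring; `"""Return every default policy rule (entry point for oslo.policy)."""` would do. Note that `itertools.chain` yields a one-shot iterator, which is fine for the generator but any caller that iterates the result twice needs to wrap it in `list()`.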


@ -0,0 +1,38 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('secret_acls:put_patch',
'rule:secret_project_admin or '
'rule:secret_project_creator'),
policy.RuleDefault('secret_acls:delete',
'rule:secret_project_admin or '
'rule:secret_project_creator'),
policy.RuleDefault('secret_acls:get',
'rule:all_but_audit and '
'rule:secret_project_match'),
policy.RuleDefault('container_acls:put_patch',
'rule:container_project_admin or '
'rule:container_project_creator'),
policy.RuleDefault('container_acls:delete',
'rule:container_project_admin or '
'rule:container_project_creator'),
policy.RuleDefault('container_acls:get',
'rule:all_but_audit and rule:container_project_match'),
]
def list_rules():
return rules
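Review bot: Every `RuleDefault` here (and in the sibling modules) is created without `description=`, so the generated `policy.yaml.sample` will list names such as `secret_acls:put_patch` with no hint of what they guard or who is meant to pass them; e.g. `policy.RuleDefault('secret_acls:put_patch', 'rule:secret_project_admin or rule:secret_project_creator', description='Replace or update the ACL of a secret; admin of the owning project or the secret creator.')`. Also worth a sentence in such a description: `secret_acls:get` is gated on `all_but_audit and secret_project_match` while writes require the creator or a project admin, which means any observer in the project can enumerate which user IDs were granted read access on a secret — acceptable if that disclosure is intended, but it should be stated rather than discovered.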


@ -0,0 +1,77 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('admin',
'role:admin'),
policy.RuleDefault('observer',
'role:observer'),
policy.RuleDefault('creator',
'role:creator'),
policy.RuleDefault('audit',
'role:audit'),
policy.RuleDefault('service_admin',
'role:key-manager:service-admin'),
policy.RuleDefault('admin_or_user_does_not_work',
'project_id:%(project_id)s'),
policy.RuleDefault('admin_or_user',
'rule:admin or project_id:%(project_id)s'),
policy.RuleDefault('admin_or_creator',
'rule:admin or rule:creator'),
policy.RuleDefault('all_but_audit',
'rule:admin or rule:observer or rule:creator'),
policy.RuleDefault('all_users',
'rule:admin or rule:observer or rule:creator or '
'rule:audit or rule:service_admin'),
policy.RuleDefault('secret_project_match',
'project:%(target.secret.project_id)s'),
policy.RuleDefault('secret_acl_read',
"'read':%(target.secret.read)s"),
policy.RuleDefault('secret_private_read',
"'False':%(target.secret.read_project_access)s"),
policy.RuleDefault('secret_creator_user',
"user:%(target.secret.creator_id)s"),
policy.RuleDefault('container_project_match',
"project:%(target.container.project_id)s"),
policy.RuleDefault('container_acl_read',
"'read':%(target.container.read)s"),
policy.RuleDefault('container_private_read',
"'False':%(target.container.read_project_access)s"),
policy.RuleDefault('container_creator_user',
"user:%(target.container.creator_id)s"),
policy.RuleDefault('secret_non_private_read',
"rule:all_users and rule:secret_project_match and "
"not rule:secret_private_read"),
policy.RuleDefault('secret_decrypt_non_private_read',
"rule:all_but_audit and rule:secret_project_match and "
"not rule:secret_private_read"),
policy.RuleDefault('container_non_private_read',
"rule:all_users and rule:container_project_match and "
"not rule:container_private_read"),
policy.RuleDefault('secret_project_admin',
"rule:admin and rule:secret_project_match"),
policy.RuleDefault('secret_project_creator',
"rule:creator and rule:secret_project_match and "
"rule:secret_creator_user"),
policy.RuleDefault('container_project_admin',
"rule:admin and rule:container_project_match"),
policy.RuleDefault('container_project_creator',
"rule:creator and rule:container_project_match and "
"rule:container_creator_user"),
]
def list_rules():
return rules
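Review bot: `all_but_audit` is `admin or observer or creator` and leaves out `service_admin`, although `all_users` counts it among the roles; a service-admin token therefore passes only the `all_users` paths and fails every `all_but_audit` gate (e.g. `secrets:get`, `secret:decrypt`), and if that is intended it should be recorded with `description='Every role except audit and key-manager:service-admin'`, otherwise add `or rule:service_admin`. `admin_or_user_does_not_work` is a rule whose name advertises that it is broken; shipping it as a code default invites an operator to reference it, so either drop it or give it a description explaining why it is retained. The `'False':%(target.secret.read_project_access)s` and container checks compare the string form of the attribute, so if that column can ever be NULL the literal does not match and `not rule:secret_private_read` becomes true, i.e. the secret is treated as project-readable — worth confirming against the model, since it fails open. Finally `admin_or_user` keys on `project_id:` while the `*_project_match` rules key on `project:`; a GenericCheck on a credential key that is absent is simply false, so only one spelling can be live unless the enforcer is fed both keys.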


@ -0,0 +1,51 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('certificate_authorities:get_limited',
'rule:all_users'),
policy.RuleDefault('certificate_authorities:get_all',
'rule:admin'),
policy.RuleDefault('certificate_authorities:post',
'rule:admin'),
policy.RuleDefault('certificate_authorities:get_preferred_ca',
'rule:all_users'),
policy.RuleDefault('certificate_authorities:get_global_preferred_ca',
'rule:service_admin'),
policy.RuleDefault('certificate_authorities:unset_global_preferred',
'rule:service_admin'),
policy.RuleDefault('certificate_authority:delete',
'rule:admin'),
policy.RuleDefault('certificate_authority:get',
'rule:all_users'),
policy.RuleDefault('certificate_authority:get_cacert',
'rule:all_users'),
policy.RuleDefault('certificate_authority:get_ca_cert_chain',
'rule:all_users'),
policy.RuleDefault('certificate_authority:get_projects',
'rule:service_admin'),
policy.RuleDefault('certificate_authority:add_to_project',
'rule:admin'),
policy.RuleDefault('certificate_authority:remove_from_project',
'rule:admin'),
policy.RuleDefault('certificate_authority:set_preferred',
'rule:admin'),
policy.RuleDefault('certificate_authority:set_global_preferred',
'rule:service_admin'),
]
def list_rules():
return rules
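Review bot: The split between `rule:admin` and `rule:service_admin` is the security-relevant part of this file and nothing documents it: `certificate_authorities:post`, `certificate_authority:delete`, `add_to_project` and `remove_from_project` pass for an admin of any project (base.py defines no `*_project_match` counterpart for CAs), while only the global-preferred operations are held to service-admin. If the controller scopes those calls to the caller's project, record that with a `description=` on each rule; if it does not, `certificate_authority:delete` on a CA that other projects have been added to is a deployment-wide action and probably belongs with `set_global_preferred` under `rule:service_admin`.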


@ -0,0 +1,43 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('consumer:get',
'rule:admin or rule:observer or rule:creator or '
'rule:audit or rule:container_non_private_read or '
'rule:container_project_creator or '
'rule:container_project_admin or '
'rule:container_acl_read'),
policy.RuleDefault('consumers:get',
'rule:admin or rule:observer or rule:creator or '
'rule:audit or rule:container_non_private_read or '
'rule:container_project_creator or '
'rule:container_project_admin or '
'rule:container_acl_read'),
policy.RuleDefault('consumers:post',
'rule:admin or rule:container_non_private_read or '
'rule:container_project_creator or '
'rule:container_project_admin or '
'rule:container_acl_read'),
policy.RuleDefault('consumers:delete',
'rule:admin or rule:container_non_private_read or '
'rule:container_project_creator or '
'rule:container_project_admin or '
'rule:container_acl_read'),
]
def list_rules():
return rules
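Review bot: `consumer:get` and `consumers:get` begin with `rule:admin or rule:observer or rule:creator or rule:audit`, which is true for any token holding any of those roles regardless of project, so the scoped `container_*` disjuncts that follow can never change the outcome; as written the policy grants consumer listing on every container to essentially every user, and the only protection left is whatever project filter the controller applies before it calls the enforcer, which this change does not show. Unless that role-only grant is deliberate, drop the four bare role checks so the rule reads `'rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read'`. `consumers:post` and `consumers:delete` have the same shape with a leading `rule:admin`, which unlike `container_project_admin` carries no `container_project_match`. If these strings are copied verbatim from the old policy.json the gap is pre-existing, but moving defaults into code is the moment to tighten them.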


@ -0,0 +1,37 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('containers:post',
'rule:admin_or_creator'),
policy.RuleDefault('containers:get',
'rule:all_but_audit'),
policy.RuleDefault('container:get',
'rule:container_non_private_read or '
'rule:container_project_creator or '
'rule:container_project_admin or '
'rule:container_acl_read'),
policy.RuleDefault('container:delete',
'rule:container_project_admin or '
'rule:container_project_creator'),
policy.RuleDefault('container_secret:post',
'rule:admin'),
policy.RuleDefault('container_secret:delete',
'rule:admin'),
]
def list_rules():
return rules
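Review bot: `container_secret:post` and `container_secret:delete` are `rule:admin` with no `container_project_match`, whereas the sibling `container:delete` in the same list requires `container_project_admin`; with Keystone's project-scoped admin role this means an admin of project A satisfies the policy for adding or removing secrets on a container owned by project B, unless the controller loads the container by the caller's project first (not visible here). Aligning them with the rest of the file, `'rule:container_project_admin or rule:container_project_creator'`, keeps the scoping inside the policy, and a `description=` on both should say whether the container's creator is meant to be able to change its contents.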


@ -0,0 +1,31 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('orders:post',
'rule:admin_or_creator'),
policy.RuleDefault('orders:get',
'rule:all_but_audit'),
policy.RuleDefault('order:get',
'rule:all_users'),
policy.RuleDefault('order:put',
'rule:admin_or_creator'),
policy.RuleDefault('order:delete',
'rule:admin'),
]
def list_rules():
return rules
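Review bot: None of the order rules reference a project: `order:get` is `rule:all_users`, `order:put` is `rule:admin_or_creator` and `order:delete` is `rule:admin`, so the policy layer alone lets any project's admin delete, and any authenticated user with a Barbican role read, an order belonging to another project; everything rests on the repository lookup being filtered by the caller's project, which this change does not show. Since base.py already defines `secret_project_match` and `container_project_match`, an `order_project_match` rule and `'rule:admin and rule:order_project_match'` for delete would make the policy self-sufficient; at minimum add a `description=` stating that project isolation for orders is enforced in the controller rather than here.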


@ -0,0 +1,29 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('quotas:get',
'rule:all_users'),
policy.RuleDefault('project_quotas:get',
'rule:service_admin'),
policy.RuleDefault('project_quotas:put',
'rule:service_admin'),
policy.RuleDefault('project_quotas:delete',
'rule:service_admin'),
]
def list_rules():
return rules


@ -0,0 +1,29 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('secret_meta:get',
'rule:all_but_audit'),
policy.RuleDefault('secret_meta:post',
'rule:admin_or_creator'),
policy.RuleDefault('secret_meta:put',
'rule:admin_or_creator'),
policy.RuleDefault('secret_meta:delete',
'rule:admin_or_creator'),
]
def list_rules():
return rules
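Review bot: `secret_meta:post`, `put` and `delete` are `rule:admin_or_creator` with no reference to the secret's project or creator, unlike `secret:put` (`admin_or_creator and secret_project_match`) and `secret:delete` (`secret_project_admin or secret_project_creator`) in secrets.py; a creator in one project therefore clears the policy check for rewriting metadata on any secret, and `secret_meta:get` does the same for observers. If the metadata controller resolves the secret through the caller's project this is harmless, but the difference from the secret rules should then be stated in a `description=`; otherwise, assuming the metadata controller passes the same `target.secret` dict the secret controller does, `'rule:admin_or_creator and rule:secret_project_match'` keeps metadata as tightly scoped as the payload.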


@ -0,0 +1,41 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('secret:decrypt',
'rule:secret_decrypt_non_private_read or '
'rule:secret_project_creator or '
'rule:secret_project_admin or '
'rule:secret_acl_read'),
policy.RuleDefault('secret:get',
'rule:secret_non_private_read or '
'rule:secret_project_creator or '
'rule:secret_project_admin or '
'rule:secret_acl_read'),
policy.RuleDefault('secret:put',
'rule:admin_or_creator and '
'rule:secret_project_match'),
policy.RuleDefault('secret:delete',
'rule:secret_project_admin or '
'rule:secret_project_creator'),
policy.RuleDefault('secrets:post',
'rule:admin_or_creator'),
policy.RuleDefault('secrets:get',
'rule:all_but_audit'),
]
def list_rules():
return rules
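Review bot: The asymmetry between `secret:get` (`secret_non_private_read`, built on `all_users`, so an audit role can read metadata) and `secret:decrypt` (`secret_decrypt_non_private_read`, built on `all_but_audit`, so it cannot fetch the payload) is the one deliberate-looking distinction in this file and deserves a `description=` on both rules, e.g. `description='Read secret metadata; the audit role may read metadata but never decrypt.'`. Also `secret:put` admits any creator in the project (`admin_or_creator and secret_project_match`), while `secret:delete` insists on the creating user via `secret_project_creator`; if uploading a payload to another creator's secret is intended the description should say so, otherwise `'rule:secret_project_admin or rule:secret_project_creator'` for put makes the two consistent.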


@ -0,0 +1,33 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('secretstores:get',
'rule:admin'),
policy.RuleDefault('secretstores:get_global_default',
'rule:admin'),
policy.RuleDefault('secretstores:get_preferred',
'rule:admin'),
policy.RuleDefault('secretstore_preferred:post',
'rule:admin'),
policy.RuleDefault('secretstore_preferred:delete',
'rule:admin'),
policy.RuleDefault('secretstore:get',
'rule:admin'),
]
def list_rules():
return rules


@ -0,0 +1,29 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('transport_key:get',
'rule:all_users'),
policy.RuleDefault('transport_key:delete',
'rule:admin'),
policy.RuleDefault('transport_keys:get',
'rule:all_users'),
policy.RuleDefault('transport_keys:post',
'rule:admin'),
]
def list_rules():
return rules
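Review bot: `transport_keys:post` and `transport_key:delete` are `rule:admin`, yet no rule in this file references a project, which suggests transport keys are deployment-wide objects like the global CA preference and project quotas, both of which this change gates with `rule:service_admin`; a project admin deleting a transport key that other projects rely on for secure payload transport would then be a cross-project impact authorised at the policy layer. If transport keys are in fact per-project, say so in a `description=`; if they are global, `rule:service_admin` is the consistent choice for both mutating rules.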


@ -0,0 +1,23 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.RuleDefault('version:get',
'@')
]
def list_rules():
return rules
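Review bot: `'@'` is oslo.policy's always-true check, so `version:get` is deliberately open to unauthenticated discovery; that is reasonable for the version document but should be stated so nobody later "tightens" it by copying a neighbouring rule: `policy.RuleDefault('version:get', '@', description='Version discovery is unauthenticated; the check is always true.')`.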


@ -0,0 +1,3 @@
[DEFAULT]
output_file = etc/barbican/policy.yaml.sample
namespace = barbican


@ -0,0 +1,8 @@
---
features:
- Maintain the policy rules in code and add an oslo.policy CLI script
in tox to generate policy sample file.
The script can be called like
"oslopolicy-sample-generator --config-file=etc/oslo-config-generator/policy.conf"
and will generate a policy.yaml.sample file with the effective policy.


@ -28,6 +28,9 @@ dogtag =
dogtag-pki>=10.3.5.1 # LGPLv3+
[entry_points]
oslo.policy.policies =
barbican = barbican.common.policies:list_rules
console_scripts =
barbican-manage = barbican.cmd.barbican_manage:main
barbican-db-manage = barbican.cmd.db_manage:main


@ -124,5 +124,8 @@ commands = sphinx-build -a -E -W -d install-guide/build/doctrees -b html install
deps = bindep
commands = bindep test
[testenv:genpolicy]
commands = oslopolicy-sample-generator --config-file=etc/oslo-config-generator/policy.conf
[hacking]
local-check-factory = barbican.hacking.checks.factory