From 73420137a6faedc4b9b42175c2d1aa46f367624d Mon Sep 17 00:00:00 2001 From: Jeremy Liu Date: Sun, 3 Sep 2017 21:33:47 +0800 Subject: [PATCH] Use default policy in code Delete policy.json from repo since we can use policies registered in code. We can also change default policy rules through below steps: - generate policy.yaml and copy to /etc/barbican - configure `policy_file=policy.yaml` in `oslo_policy` section - uncomment rules in policy.yaml and make changes as we desire - restart barbican api service - test whether new rules take effect on corresponding API Change-Id: Ia64eac1eb4e30457b323c6ab99d26d3d40c28060 --- barbican/common/policy.py | 71 ++++++++++++++++ barbican/context.py | 11 +-- barbican/tests/api/test_resources_policy.py | 5 +- devstack/lib/barbican | 4 - etc/barbican/policy.json | 90 --------------------- setup.cfg | 3 + 6 files changed, 83 insertions(+), 101 deletions(-) create mode 100644 barbican/common/policy.py delete mode 100644 etc/barbican/policy.json diff --git a/barbican/common/policy.py b/barbican/common/policy.py new file mode 100644 index 000000000..00331e329 --- /dev/null +++ b/barbican/common/policy.py @@ -0,0 +1,71 @@ +# Copyright 2011-2012 OpenStack LLC. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import copy + +from oslo_policy import policy + +from barbican.common import config +from barbican.common import policies + +CONF = config.CONF +ENFORCER = None +# oslo_policy will read the policy configuration file again when the file +# is changed in runtime so the old policy rules will be saved to +# saved_file_rules and used to compare with new rules to determine the +# rules whether were updated. +saved_file_rules = [] + + +def reset(): + global ENFORCER + if ENFORCER: + ENFORCER.clear() + ENFORCER = None + + +def init(): + global ENFORCER + global saved_file_rules + + if not ENFORCER: + ENFORCER = policy.Enforcer(CONF) + register_rules(ENFORCER) + ENFORCER.load_rules() + + # Only the rules which are loaded from file may be changed. + current_file_rules = ENFORCER.file_rules + current_file_rules = _serialize_rules(current_file_rules) + + # Checks whether the rules are updated in the runtime + if saved_file_rules != current_file_rules: + saved_file_rules = copy.deepcopy(current_file_rules) + + +def _serialize_rules(rules): + """Serialize all the Rule object as string.""" + + result = [(rule_name, str(rule)) + for rule_name, rule in rules.items()] + return sorted(result, key=lambda rule: rule[0]) + + +def register_rules(enforcer): + enforcer.register_defaults(policies.list_rules()) + + +def get_enforcer(): + init() + return ENFORCER diff --git a/barbican/context.py b/barbican/context.py index a50c48329..7d6ae33f1 100644 --- a/barbican/context.py +++ b/barbican/context.py @@ -14,11 +14,8 @@ # under the License. import oslo_context -from oslo_policy import policy -from barbican.common import config - -CONF = config.CONF +from barbican.common import policy class RequestContext(oslo_context.context.RequestContext): @@ -33,7 +30,11 @@ class RequestContext(oslo_context.context.RequestContext): if project: kwargs['tenant'] = project self.project = project - self.policy_enforcer = policy_enforcer or policy.Enforcer(CONF) + if policy_enforcer: + self.policy_enforcer = policy_enforcer + else: + policy.init() + self.policy_enforcer = policy.get_enforcer() super(RequestContext, self).__init__(**kwargs) def to_dict(self): diff --git a/barbican/tests/api/test_resources_policy.py b/barbican/tests/api/test_resources_policy.py index b7b6bd8bf..fce012bf1 100644 --- a/barbican/tests/api/test_resources_policy.py +++ b/barbican/tests/api/test_resources_policy.py @@ -20,7 +20,6 @@ For typical-flow business logic tests of these classes, see the import os import mock -from oslo_policy import policy from webob import exc from barbican.api.controllers import consumers @@ -30,6 +29,7 @@ from barbican.api.controllers import secrets from barbican.api.controllers import secretstores from barbican.api.controllers import versions from barbican.common import config +from barbican.common import policy from barbican import context from barbican.model import models from barbican.tests import utils @@ -41,7 +41,8 @@ TEST_VAR_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__), CONF = config.new_config() -ENFORCER = policy.Enforcer(CONF) +policy.init() +ENFORCER = policy.ENFORCER class TestableResource(object): diff --git a/devstack/lib/barbican b/devstack/lib/barbican index 50259f667..3855520f9 100644 --- a/devstack/lib/barbican +++ b/devstack/lib/barbican @@ -125,10 +125,6 @@ function configure_barbican { setup_colorized_logging $BARBICAN_CONF DEFAULT project user fi - # Install the policy file for the API server - cp $BARBICAN_DIR/etc/barbican/policy.json $BARBICAN_CONF_DIR - iniset $BARBICAN_CONF DEFAULT policy_file $BARBICAN_CONF_DIR/policy.json - # Set the database connection url iniset $BARBICAN_CONF DEFAULT sql_connection `database_connection_url barbican` diff --git a/etc/barbican/policy.json b/etc/barbican/policy.json deleted file mode 100644 index 723f1c179..000000000 --- a/etc/barbican/policy.json +++ /dev/null @@ -1,90 +0,0 @@ -{ - "admin": "role:admin", - "observer": "role:observer", - "creator": "role:creator", - "audit": "role:audit", - "service_admin": "role:key-manager:service-admin", - "admin_or_user_does_not_work": "project_id:%(project_id)s", - "admin_or_user": "rule:admin or project_id:%(project_id)s", - "admin_or_creator": "rule:admin or rule:creator", - "all_but_audit": "rule:admin or rule:observer or rule:creator", - "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin", - "secret_project_match": "project:%(target.secret.project_id)s", - "secret_acl_read": "'read':%(target.secret.read)s", - "secret_private_read": "'False':%(target.secret.read_project_access)s", - "secret_creator_user": "user:%(target.secret.creator_id)s", - "container_project_match": "project:%(target.container.project_id)s", - "container_acl_read": "'read':%(target.container.read)s", - "container_private_read": "'False':%(target.container.read_project_access)s", - "container_creator_user": "user:%(target.container.creator_id)s", - - "secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read", - "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read", - "container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read", - "secret_project_admin": "rule:admin and rule:secret_project_match", - "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user", - "container_project_admin": "rule:admin and rule:container_project_match", - "container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user", - - "version:get": "@", - "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read", - "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read", - "secret:put": "rule:admin_or_creator and rule:secret_project_match", - "secret:delete": "rule:secret_project_admin or rule:secret_project_creator", - "secrets:post": "rule:admin_or_creator", - "secrets:get": "rule:all_but_audit", - "orders:post": "rule:admin_or_creator", - "orders:get": "rule:all_but_audit", - "order:get": "rule:all_users", - "order:put": "rule:admin_or_creator", - "order:delete": "rule:admin", - "consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read", - "consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read", - "consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read", - "consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read", - "containers:post": "rule:admin_or_creator", - "containers:get": "rule:all_but_audit", - "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read", - "container:delete": "rule:container_project_admin or rule:container_project_creator", - "container_secret:post": "rule:admin", - "container_secret:delete": "rule:admin", - "transport_key:get": "rule:all_users", - "transport_key:delete": "rule:admin", - "transport_keys:get": "rule:all_users", - "transport_keys:post": "rule:admin", - "certificate_authorities:get_limited": "rule:all_users", - "certificate_authorities:get_all": "rule:admin", - "certificate_authorities:post": "rule:admin", - "certificate_authorities:get_preferred_ca": "rule:all_users", - "certificate_authorities:get_global_preferred_ca": "rule:service_admin", - "certificate_authorities:unset_global_preferred": "rule:service_admin", - "certificate_authority:delete": "rule:admin", - "certificate_authority:get": "rule:all_users", - "certificate_authority:get_cacert": "rule:all_users", - "certificate_authority:get_ca_cert_chain": "rule:all_users", - "certificate_authority:get_projects": "rule:service_admin", - "certificate_authority:add_to_project": "rule:admin", - "certificate_authority:remove_from_project": "rule:admin", - "certificate_authority:set_preferred": "rule:admin", - "certificate_authority:set_global_preferred": "rule:service_admin", - "secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator", - "secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator", - "secret_acls:get": "rule:all_but_audit and rule:secret_project_match", - "container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator", - "container_acls:delete": "rule:container_project_admin or rule:container_project_creator", - "container_acls:get": "rule:all_but_audit and rule:container_project_match", - "quotas:get": "rule:all_users", - "project_quotas:get": "rule:service_admin", - "project_quotas:put": "rule:service_admin", - "project_quotas:delete": "rule:service_admin", - "secret_meta:get": "rule:all_but_audit", - "secret_meta:post": "rule:admin_or_creator", - "secret_meta:put": "rule:admin_or_creator", - "secret_meta:delete": "rule:admin_or_creator", - "secretstores:get": "rule:admin", - "secretstores:get_global_default": "rule:admin", - "secretstores:get_preferred": "rule:admin", - "secretstore_preferred:post": "rule:admin", - "secretstore_preferred:delete": "rule:admin", - "secretstore:get": "rule:admin" -} diff --git a/setup.cfg b/setup.cfg index 05a4e6708..923489c3c 100644 --- a/setup.cfg +++ b/setup.cfg @@ -28,6 +28,9 @@ dogtag = dogtag-pki>=10.3.5.1 # LGPLv3+ [entry_points] +oslo.policy.enforcer = + barbican = barbican.common.policy:get_enforcer + oslo.policy.policies = barbican = barbican.common.policies:list_rules