Add default policy in code for the protectable resource
Leverage oslo.policy to register default policies in the code. An administrator only needs to update the specific policy in the config file. Change-Id: I330cdede9ea5e359a262510e054c79b068500c02 Partial-Implements: blueprint policy-in-code
parent
c31902b8d9
commit
0c5ef4aacd
|
@ -1,8 +1,4 @@
|
|||
{
|
||||
|
||||
"protectable:get": "rule:admin_or_owner",
|
||||
"protectable:get_all": "rule:admin_or_owner",
|
||||
|
||||
"provider:get": "rule:admin_or_owner",
|
||||
"provider:get_all": "rule:admin_or_owner",
|
||||
"provider:checkpoint_get": "rule:admin_or_owner",
|
||||
|
|
|
@ -21,7 +21,7 @@ from karbor.api.openstack import wsgi
|
|||
from karbor import exception
|
||||
from karbor.i18n import _
|
||||
|
||||
import karbor.policy
|
||||
from karbor.policies import protectables as protectable_policy
|
||||
from karbor.services.protection import api as protection_api
|
||||
from karbor import utils
|
||||
|
||||
|
@ -42,15 +42,6 @@ CONF.register_opts(query_instance_filters_opts)
|
|||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def check_policy(context, action):
|
||||
target = {
|
||||
'project_id': context.project_id,
|
||||
'user_id': context.user_id,
|
||||
}
|
||||
_action = 'protectable:%s' % action
|
||||
karbor.policy.enforce(context, _action, target)
|
||||
|
||||
|
||||
class ProtectableViewBuilder(common.ViewBuilder):
|
||||
"""Model a server API response as a python dictionary."""
|
||||
|
||||
|
@ -135,7 +126,7 @@ class ProtectablesController(wsgi.Controller):
|
|||
msg = _("Invalid protectable type provided.")
|
||||
raise exception.InvalidInput(reason=msg)
|
||||
|
||||
check_policy(context, 'get')
|
||||
context.can(protectable_policy.GET_POLICY)
|
||||
try:
|
||||
retval_protectable_type = self.protection_api.\
|
||||
show_protectable_type(context, protectable_type)
|
||||
|
@ -162,7 +153,7 @@ class ProtectablesController(wsgi.Controller):
|
|||
return retval_protectable_types
|
||||
|
||||
def _get_all(self, context):
|
||||
check_policy(context, 'get_all')
|
||||
context.can(protectable_policy.GET_ALL_POLICY)
|
||||
|
||||
protectable_types = self.protection_api.list_protectable_types(context)
|
||||
|
||||
|
@ -220,7 +211,7 @@ class ProtectablesController(wsgi.Controller):
|
|||
def _instances_get_all(self, context, protectable_type, marker=None,
|
||||
limit=None, sort_keys=None, sort_dirs=None,
|
||||
filters=None, offset=None, parameters=None):
|
||||
check_policy(context, 'get_all')
|
||||
context.can(protectable_policy.INSTANCES_GET_ALL_POLICY)
|
||||
|
||||
if filters is None:
|
||||
filters = {}
|
||||
|
@ -275,6 +266,7 @@ class ProtectablesController(wsgi.Controller):
|
|||
msg = _("Invalid protectable type provided.")
|
||||
raise exception.InvalidInput(reason=msg)
|
||||
|
||||
context.can(protectable_policy.INSTANCES_GET_POLICY)
|
||||
try:
|
||||
instance = self.protection_api.show_protectable_instance(
|
||||
context, protectable_type, protectable_id,
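Review bot: `_instances_get_all` used to enforce `protectable:get_all` through `check_policy(context, 'get_all')` and now enforces `protectable:instance_get_all`, so an operator override of `protectable:get_all` in the policy file stops governing instance listing after upgrade and the endpoint falls back to the in-code default. The last hunk of this file grows by one line, which appears to be `context.can(protectable_policy.INSTANCES_GET_POLICY)`, so instance show also comes under a rule name (`protectable:instance_get`) that no existing policy file can mention. Both changes deserve a release note telling operators to carry their overrides over to the new names. Separately, the removed helper passed an explicit target built from `context.project_id` and `context.user_id`, while `context.can(...)` is called with no target; `RequestContext.can` is not shown on this page, so confirm it builds the same default target. The enclosing controller methods start and end outside these hunks.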
|
||||
|
|
|
@ -16,6 +16,7 @@ import itertools
|
|||
|
||||
from karbor.policies import base
|
||||
from karbor.policies import plans
|
||||
from karbor.policies import protectables
|
||||
from karbor.policies import restores
|
||||
|
||||
|
||||
|
@ -24,4 +25,5 @@ def list_rules():
|
|||
base.list_rules(),
|
||||
plans.list_rules(),
|
||||
restores.list_rules(),
|
||||
protectables.list_rules(),
|
||||
)
|
||||
|
|
|
@ -0,0 +1,72 @@
|
|||
# Copyright (c) 2017 Huawei Technologies Co., Ltd.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from karbor.policies import base
|
||||
|
||||
|
||||
GET_POLICY = 'protectable:get'
|
||||
GET_ALL_POLICY = 'protectable:get_all'
|
||||
INSTANCES_GET_POLICY = 'protectable:instance_get'
|
||||
INSTANCES_GET_ALL_POLICY = 'protectable:instance_get_all'
|
||||
|
||||
protectables_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=GET_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="""Show a protectable type.""",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/protectables/{protectable_type}'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=GET_ALL_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="""List protectable types.""",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/protectables'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=INSTANCES_GET_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="""Show a protectable instance.""",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/protectables/{protectable_type}/'
|
||||
'instances/{resource_id}'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=INSTANCES_GET_ALL_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="""List protectable instances.""",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/protectables/{protectable_type}/instances'
|
||||
}
|
||||
]),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return protectables_policies
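Review bot: The documented path for `INSTANCES_GET_POLICY` uses the placeholder `{resource_id}`, while the controller in this commit names that argument `protectable_id`; these `operations` entries are what operators read when deciding which rule guards which endpoint, so `'instances/{protectable_id}'` would keep the two in step. `list_rules()` has no docstring and returns the module-level `protectables_policies` list itself; a one-line `"""Return the default policy rules for the protectable API."""` would do. The constants `INSTANCES_GET_POLICY` and `INSTANCES_GET_ALL_POLICY` are plural while the rule strings use `instance_`, and settling on one form would make it easier to grep from a rule name to its enforcement point.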
|
|
@ -28,6 +28,8 @@ class ProtectablesApiTest(base.TestCase):
|
|||
super(ProtectablesApiTest, self).setUp()
|
||||
self.controller = protectables.ProtectablesController()
|
||||
self.ctxt = context.RequestContext('demo', 'fakeproject', True)
|
||||
self.mock_policy_check = self.mock_object(
|
||||
context.RequestContext, 'can')
|
||||
|
||||
@mock.patch(
|
||||
'karbor.api.v1.protectables.ProtectablesController._get_all')
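Review bot: `setUp` replaces `RequestContext.can` with a mock for every test in the class, so none of these tests would fail if a controller method passed the wrong rule name or lost its policy check altogether. `self.mock_policy_check` is stored, but no assertion on it is visible in this hunk; the test bodies lie outside it. For tests that reach the real controller method, consider asserting the rule, e.g. `self.mock_policy_check.assert_called_once_with(protectable_policy.GET_POLICY)`, and adding one case where the mocked `can` raises to confirm the request is rejected before `protection_api` is called.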
|
||||
|
|