Add default policy in code for the protectable resource

Leverage oslo.policy to register default policies in the
code. Administrators only need to update the specified
policy in the config file.

Change-Id: I330cdede9ea5e359a262510e054c79b068500c02
Partial-Implements: blueprint policy-in-code
chenying 2017-09-27 16:33:02 +08:00
parent c31902b8d9
commit 0c5ef4aacd
5 changed files with 81 additions and 17 deletions


@ -1,8 +1,4 @@
{
"protectable:get": "rule:admin_or_owner",
"protectable:get_all": "rule:admin_or_owner",
"provider:get": "rule:admin_or_owner",
"provider:get_all": "rule:admin_or_owner",
"provider:checkpoint_get": "rule:admin_or_owner",


@ -21,7 +21,7 @@ from karbor.api.openstack import wsgi
from karbor import exception
from karbor.i18n import _
import karbor.policy
from karbor.policies import protectables as protectable_policy
from karbor.services.protection import api as protection_api
from karbor import utils
@ -42,15 +42,6 @@ CONF.register_opts(query_instance_filters_opts)
LOG = logging.getLogger(__name__)
def check_policy(context, action):
target = {
'project_id': context.project_id,
'user_id': context.user_id,
}
_action = 'protectable:%s' % action
karbor.policy.enforce(context, _action, target)
class ProtectableViewBuilder(common.ViewBuilder):
"""Model a server API response as a python dictionary."""
@ -135,7 +126,7 @@ class ProtectablesController(wsgi.Controller):
msg = _("Invalid protectable type provided.")
raise exception.InvalidInput(reason=msg)
check_policy(context, 'get')
context.can(protectable_policy.GET_POLICY)
try:
retval_protectable_type = self.protection_api.\
show_protectable_type(context, protectable_type)
@ -162,7 +153,7 @@ class ProtectablesController(wsgi.Controller):
return retval_protectable_types
def _get_all(self, context):
check_policy(context, 'get_all')
context.can(protectable_policy.GET_ALL_POLICY)
protectable_types = self.protection_api.list_protectable_types(context)
@ -220,7 +211,7 @@ class ProtectablesController(wsgi.Controller):
def _instances_get_all(self, context, protectable_type, marker=None,
limit=None, sort_keys=None, sort_dirs=None,
filters=None, offset=None, parameters=None):
check_policy(context, 'get_all')
context.can(protectable_policy.INSTANCES_GET_ALL_POLICY)
if filters is None:
filters = {}
@ -275,6 +266,7 @@ class ProtectablesController(wsgi.Controller):
msg = _("Invalid protectable type provided.")
raise exception.InvalidInput(reason=msg)
context.can(protectable_policy.INSTANCES_GET_POLICY)
try:
instance = self.protection_api.show_protectable_instance(
context, protectable_type, protectable_id,
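Review bot: The `_instances_get_all` hunk changes which policy governs instance listing, not just how it is enforced: `check_policy(context, 'get_all')` evaluated `protectable:get_all`, whereas `context.can(protectable_policy.INSTANCES_GET_ALL_POLICY)` evaluates the new key `protectable:instance_get_all`, so an operator who tightened `protectable:get_all` in policy.json silently falls back to the in-code default for this endpoint. The change should at least be called out in a release note, and if the oslo.policy in use supports deprecated rule names the old key should be honoured for a cycle. The `check_policy` removal also leaves `import karbor.policy` in place as context; if nothing else in the file still uses it the import is now dead and should go too. `_instances_get_all` and the handler that gains the `INSTANCES_GET_POLICY` check both continue outside their hunks.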


@ -16,6 +16,7 @@ import itertools
from karbor.policies import base
from karbor.policies import plans
from karbor.policies import protectables
from karbor.policies import restores
@ -24,4 +25,5 @@ def list_rules():
base.list_rules(),
plans.list_rules(),
restores.list_rules(),
protectables.list_rules(),
)


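--- /dev/null
+++ b/karbor/policies/protectables.py
@@ -0,0 +1,72 @@
+# Copyright (c) 2017 Huawei Technologies Co., Ltd.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+from karbor.policies import base
+GET_POLICY = 'protectable:get'
+GET_ALL_POLICY = 'protectable:get_all'
+INSTANCES_GET_POLICY = 'protectable:instance_get'
+INSTANCES_GET_ALL_POLICY = 'protectable:instance_get_all'
+protectables_policies = [
+policy.DocumentedRuleDefault(
+name=GET_POLICY,
+check_str=base.RULE_ADMIN_OR_OWNER,
+description="""Show a protectable type.""",
+operations=[
+{
+'method': 'GET',
+'path': '/protectables/{protectable_type}'
+}
+]),
+policy.DocumentedRuleDefault(
+name=GET_ALL_POLICY,
+check_str=base.RULE_ADMIN_OR_OWNER,
+description="""List protectable types.""",
+operations=[
+{
+'method': 'GET',
+'path': '/protectables'
+}
+]),
+policy.DocumentedRuleDefault(
+name=INSTANCES_GET_POLICY,
+check_str=base.RULE_ADMIN_OR_OWNER,
+description="""Show a protectable instance.""",
+operations=[
+{
+'method': 'GET',
+'path': '/protectables/{protectable_type}/'
+'instances/{resource_id}'
+}
+]),
+policy.DocumentedRuleDefault(
+name=INSTANCES_GET_ALL_POLICY,
+check_str=base.RULE_ADMIN_OR_OWNER,
+description="""List protectable instances.""",
+operations=[
+{
+'method': 'GET',
+'path': '/protectables/{protectable_type}/instances'
+}
+]),
+]
+def list_rules():
+return protectables_policies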
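Review bot: `list_rules` at the end of the new module has no docstring and neither does the module; add `"""Return the default policy rules for the protectable resource."""` to `list_rules` so the generated policy documentation and readers know this is the registration entry point. The operations path for `INSTANCES_GET_POLICY` names the identifier `{resource_id}`, while the controller changed in this same commit calls that argument `protectable_id`; pick one name so the published policy docs match the API. `list_rules` also hands back the module-level list itself, so any caller that mutates the result alters the registered defaults; returning `tuple(protectables_policies)` would rule that out at no cost, since the only visible caller chains it with `itertools.chain`.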


@ -28,6 +28,8 @@ class ProtectablesApiTest(base.TestCase):
super(ProtectablesApiTest, self).setUp()
self.controller = protectables.ProtectablesController()
self.ctxt = context.RequestContext('demo', 'fakeproject', True)
self.mock_policy_check = self.mock_object(
context.RequestContext, 'can')
@mock.patch(
'karbor.api.v1.protectables.ProtectablesController._get_all')
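Review bot: Patching `RequestContext.can` for the whole class in `setUp` replaces the authorization check with a mock whose return value is always truthy, so every test in this class now passes whichever policy name the controller asks for, and the policy-key change for instance listing made in this same commit is not exercised. Each handler test should assert on the mock with the constant the controller is expected to use, e.g. `self.mock_policy_check.assert_called_once_with(protectable_policy.INSTANCES_GET_ALL_POLICY)` after importing the policy module, and at least one test should set `self.mock_policy_check.side_effect` to the exception `can` raises on denial and check that the handler propagates it. The `setUp` body continues outside the hunk.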