Add default policy in code for the restore resource

Leverage oslo.policy to register the default policies in
code. Administrators only need to update the specific
policies they want to change in the config file.

Change-Id: I8eb8db315766afba3e199809a7bc9041b52638cd
Partial-Implements: blueprint policy-in-code
chenying 2017-09-26 19:55:54 +08:00
parent 3f3df9b761
commit c31902b8d9
5 changed files with 82 additions and 29 deletions


@ -1,9 +1,5 @@
{
"restore:create": "rule:admin_or_owner",
"restore:update": "rule:admin_or_owner",
"restore:get": "rule:admin_or_owner",
"restore:get_all": "rule:admin_or_owner",
"protectable:get": "rule:admin_or_owner",
"protectable:get_all": "rule:admin_or_owner",


@ -18,7 +18,6 @@ from oslo_utils import uuidutils
from webob import exc
import karbor
from karbor.api import common
from karbor.api.openstack import wsgi
from karbor.common import constants
@ -27,7 +26,7 @@ from karbor.i18n import _
from karbor import objects
from karbor.objects import base as objects_base
import karbor.policy
from karbor.policies import restores as restore_policy
from karbor.services.protection import api as protection_api
from karbor import utils
@ -46,23 +45,6 @@ CONF.register_opt(query_restore_filters_opt)
LOG = logging.getLogger(__name__)
def check_policy(context, action, target_obj=None):
target = {
'project_id': context.project_id,
'user_id': context.user_id,
}
if isinstance(target_obj, objects_base.KarborObject):
# Turn object into dict so target.update can work
target.update(
target_obj.obj_to_primitive() or {})
else:
target.update(target_obj or {})
_action = 'restore:%s' % action
karbor.policy.enforce(context, _action, target)
class RestoreViewBuilder(common.ViewBuilder):
"""Model a server API response as a python dictionary."""
@ -177,7 +159,7 @@ class RestoresController(wsgi.Controller):
def _get_all(self, context, marker=None, limit=None, sort_keys=None,
sort_dirs=None, filters=None, offset=None):
check_policy(context, 'get_all')
context.can(restore_policy.GET_ALL_POLICY)
if filters is None:
filters = {}
@ -226,7 +208,7 @@ class RestoresController(wsgi.Controller):
LOG.debug('Create restore request body: %s', body)
context = req.environ['karbor.context']
check_policy(context, 'create')
context.can(restore_policy.CREATE_POLICY)
restore = body['restore']
LOG.debug('Create restore request : %s', restore)
@ -276,7 +258,7 @@ class RestoresController(wsgi.Controller):
update_dict = {
"status": constants.RESTORE_STATUS_FAILURE
}
check_policy(context, 'update', restoreobj)
context.can(restore_policy.UPDATE_POLICY, restoreobj)
restoreobj = self._restore_update(context,
restoreobj.get("id"),
update_dict)
@ -292,7 +274,7 @@ class RestoresController(wsgi.Controller):
restore = objects.Restore.get_by_id(context, restore_id)
try:
check_policy(context, 'get', restore)
context.can(restore_policy.GET_POLICY, restore)
except exception.PolicyNotAuthorized:
# raise RestoreNotFound instead to make sure karbor behaves
# as it used to
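Review bot: The `except exception.PolicyNotAuthorized` handler after `context.can(restore_policy.GET_POLICY, restore)` only keeps masking denied lookups as RestoreNotFound if `context.can` raises exactly that exception type, and its implementation is not shown on this page. All four new call sites also ignore the return value, so they depend on `can` raising rather than returning False. The removed `check_policy` seeded the target with the caller's `project_id` and `user_id` before merging the object, so it is worth confirming that `can` builds the same target, in particular for the target-less `GET_ALL_POLICY` and `CREATE_POLICY` calls. A comment at the `get` call such as `# context.can must raise PolicyNotAuthorized so other projects' restores look the same as missing ones` would record the dependency. The try block continues outside the hunk.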


@ -16,10 +16,12 @@ import itertools
from karbor.policies import base
from karbor.policies import plans
from karbor.policies import restores
def list_rules():
return itertools.chain(
base.list_rules(),
plans.list_rules()
plans.list_rules(),
restores.list_rules(),
)


@ -0,0 +1,71 @@
# Copyright (c) 2017 Huawei Technologies Co., Ltd.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from karbor.policies import base
CREATE_POLICY = 'restore:create'
UPDATE_POLICY = 'restore:update'
GET_POLICY = 'restore:get'
GET_ALL_POLICY = 'restore:get_all'
restores_policies = [
policy.DocumentedRuleDefault(
name=CREATE_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""Create a restore.""",
operations=[
{
'method': 'POST',
'path': '/restores'
}
]),
policy.DocumentedRuleDefault(
name=UPDATE_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""Update a restore.""",
operations=[
{
'method': 'PUT',
'path': '/restores'
}
]),
policy.DocumentedRuleDefault(
name=GET_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""Get a restore.""",
operations=[
{
'method': 'GET',
'path': '/restores/{restore_id}'
}
]),
policy.DocumentedRuleDefault(
name=GET_ALL_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""Get restores.""",
operations=[
{
'method': 'GET',
'path': '/restores'
}
]),
]
def list_rules():
return restores_policies
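Review bot: The `restore:update` entry documents its operation as `PUT /restores` with no restore id, while the controller hunk on this page checks `UPDATE_POLICY` against a specific `restoreobj` next to the `RESTORE_STATUS_FAILURE` handling. Operators rely on the `operations` entries in the generated policy documentation when deciding who is granted a rule, so the entry should name the request that actually triggers the check. If a per-restore update route exists, `'path': '/restores/{restore_id}'` would match the `restore:get` entry. `list_rules()` and the module also lack docstrings; `"""Return the default policy rules for the restore resource."""` would do for the function.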


@ -42,6 +42,8 @@ class RestoreApiTest(base.TestCase):
super(RestoreApiTest, self).setUp()
self.controller = restores.RestoresController()
self.ctxt = context.RequestContext('demo', 'fakeproject', True)
self.mock_policy_check = self.mock_object(
context.RequestContext, 'can')
@mock.patch(
'karbor.services.protection.api.API.restore')
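Review bot: Patching `context.RequestContext.can` in `setUp` replaces the policy check for every test in `RestoreApiTest`, and nothing in this hunk asserts on `self.mock_policy_check`. As written, a controller method that lost its `context.can(...)` call would still pass these tests. Each API test should assert the rule it expects, for example `self.mock_policy_check.assert_any_call(restore_policy.CREATE_POLICY)` in the create test, with `restore_policy` imported from `karbor.policies`. The rest of `setUp` and the decorated test lie outside the hunk.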