Add default policy in code for the restore resource
Leverage oslo.policy to register default policies in the code. Administrators only need to update the specified policy in the config file. Change-Id: I8eb8db315766afba3e199809a7bc9041b52638cd Partial-Implements: blueprint policy-in-code
parent
3f3df9b761
commit
c31902b8d9
|
@ -1,9 +1,5 @@
|
|||
{
|
||||
"restore:create": "rule:admin_or_owner",
|
||||
"restore:update": "rule:admin_or_owner",
|
||||
"restore:get": "rule:admin_or_owner",
|
||||
"restore:get_all": "rule:admin_or_owner",
|
||||
|
||||
|
||||
"protectable:get": "rule:admin_or_owner",
|
||||
"protectable:get_all": "rule:admin_or_owner",
|
||||
|
||||
|
|
|
@ -18,7 +18,6 @@ from oslo_utils import uuidutils
|
|||
|
||||
from webob import exc
|
||||
|
||||
import karbor
|
||||
from karbor.api import common
|
||||
from karbor.api.openstack import wsgi
|
||||
from karbor.common import constants
|
||||
|
@ -27,7 +26,7 @@ from karbor.i18n import _
|
|||
|
||||
from karbor import objects
|
||||
from karbor.objects import base as objects_base
|
||||
import karbor.policy
|
||||
from karbor.policies import restores as restore_policy
|
||||
from karbor.services.protection import api as protection_api
|
||||
from karbor import utils
|
||||
|
||||
|
@ -46,23 +45,6 @@ CONF.register_opt(query_restore_filters_opt)
|
|||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def check_policy(context, action, target_obj=None):
|
||||
target = {
|
||||
'project_id': context.project_id,
|
||||
'user_id': context.user_id,
|
||||
}
|
||||
|
||||
if isinstance(target_obj, objects_base.KarborObject):
|
||||
# Turn object into dict so target.update can work
|
||||
target.update(
|
||||
target_obj.obj_to_primitive() or {})
|
||||
else:
|
||||
target.update(target_obj or {})
|
||||
|
||||
_action = 'restore:%s' % action
|
||||
karbor.policy.enforce(context, _action, target)
|
||||
|
||||
|
||||
class RestoreViewBuilder(common.ViewBuilder):
|
||||
"""Model a server API response as a python dictionary."""
|
||||
|
||||
|
@ -177,7 +159,7 @@ class RestoresController(wsgi.Controller):
|
|||
|
||||
def _get_all(self, context, marker=None, limit=None, sort_keys=None,
|
||||
sort_dirs=None, filters=None, offset=None):
|
||||
check_policy(context, 'get_all')
|
||||
context.can(restore_policy.GET_ALL_POLICY)
|
||||
|
||||
if filters is None:
|
||||
filters = {}
|
||||
|
@ -226,7 +208,7 @@ class RestoresController(wsgi.Controller):
|
|||
|
||||
LOG.debug('Create restore request body: %s', body)
|
||||
context = req.environ['karbor.context']
|
||||
check_policy(context, 'create')
|
||||
context.can(restore_policy.CREATE_POLICY)
|
||||
restore = body['restore']
|
||||
LOG.debug('Create restore request : %s', restore)
|
||||
|
||||
|
@ -276,7 +258,7 @@ class RestoresController(wsgi.Controller):
|
|||
update_dict = {
|
||||
"status": constants.RESTORE_STATUS_FAILURE
|
||||
}
|
||||
check_policy(context, 'update', restoreobj)
|
||||
context.can(restore_policy.UPDATE_POLICY, restoreobj)
|
||||
restoreobj = self._restore_update(context,
|
||||
restoreobj.get("id"),
|
||||
update_dict)
|
||||
|
@ -292,7 +274,7 @@ class RestoresController(wsgi.Controller):
|
|||
|
||||
restore = objects.Restore.get_by_id(context, restore_id)
|
||||
try:
|
||||
check_policy(context, 'get', restore)
|
||||
context.can(restore_policy.GET_POLICY, restore)
|
||||
except exception.PolicyNotAuthorized:
|
||||
# raise RestoreNotFound instead to make sure karbor behaves
|
||||
# as it used to
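Review bot: The `except exception.PolicyNotAuthorized` around `context.can(restore_policy.GET_POLICY, restore)` in the last hunk only keeps hiding other tenants' restores if `RequestContext.can` raises that same exception type. Its body is not part of this diff, so this should be confirmed; otherwise a denied lookup would surface as a different error than a missing restore and reveal that the id exists. The removed `check_policy` also seeded the target with the caller's `project_id` and `user_id` before merging the object. `can` has to do the equivalent for the `get_all` and `create` calls that pass no target, and the restore's own `project_id` has to reach the target in `get` and `update` for `admin_or_owner` to be a real ownership check. I would add a comment at the `get` call, e.g. `# context.can must raise PolicyNotAuthorized; it is mapped to RestoreNotFound so existence is not disclosed`. The enclosing controller methods start and end outside these hunks.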
|
||||
|
|
|
@ -16,10 +16,12 @@ import itertools
|
|||
|
||||
from karbor.policies import base
|
||||
from karbor.policies import plans
|
||||
from karbor.policies import restores
|
||||
|
||||
|
||||
def list_rules():
|
||||
return itertools.chain(
|
||||
base.list_rules(),
|
||||
plans.list_rules()
|
||||
plans.list_rules(),
|
||||
restores.list_rules(),
|
||||
)
|
||||
|
|
|
@ -0,0 +1,71 @@
|
|||
# Copyright (c) 2017 Huawei Technologies Co., Ltd.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from karbor.policies import base
|
||||
|
||||
|
||||
CREATE_POLICY = 'restore:create'
|
||||
UPDATE_POLICY = 'restore:update'
|
||||
GET_POLICY = 'restore:get'
|
||||
GET_ALL_POLICY = 'restore:get_all'
|
||||
|
||||
restores_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CREATE_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="""Create a restore.""",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/restores'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=UPDATE_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="""Update a restore.""",
|
||||
operations=[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/restores'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=GET_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="""Get a restore.""",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/restores/{restore_id}'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=GET_ALL_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="""Get restores.""",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/restores'
|
||||
}
|
||||
]),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return restores_policies
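Review bot: The documented operation for `UPDATE_POLICY` is `PUT /restores`, a collection path with no id, while `GET_POLICY` documents `/restores/{restore_id}`. Operators read these entries in the generated policy documentation when deciding what a rule grants, so the path should match the route where `restore:update` is actually enforced. If a per-restore update route exists, this is probably `'path': '/restores/{restore_id}'`. If the rule is only checked internally (the controller hunk on this page enforces it while marking a restore as failed), the description should say so instead. `list_rules()` would also benefit from a one-line docstring such as `"""Return the default policy rules for the restore resource."""`.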
|
|
@ -42,6 +42,8 @@ class RestoreApiTest(base.TestCase):
|
|||
super(RestoreApiTest, self).setUp()
|
||||
self.controller = restores.RestoresController()
|
||||
self.ctxt = context.RequestContext('demo', 'fakeproject', True)
|
||||
self.mock_policy_check = self.mock_object(
|
||||
context.RequestContext, 'can')
|
||||
|
||||
@mock.patch(
|
||||
'karbor.services.protection.api.API.restore')
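Review bot: Patching `context.RequestContext.can` in `setUp` makes every test in `RestoreApiTest` pass authorization unconditionally, so nothing in this class verifies that the controller asks for the right rule or handles a denial. The affected tests could assert the rule that was requested, e.g. `self.mock_policy_check.assert_any_call('restore:create')`. One test should set `self.mock_policy_check.side_effect` to a `PolicyNotAuthorized` instance and assert that the show path reports the restore as not found. The decorated test that follows this hunk is outside the visible lines, so existing coverage there could not be checked.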
|
||||
|
|