From 9a201768aeb51c13235cbc8dc255e6e7684d2c35 Mon Sep 17 00:00:00 2001 From: zhongjun Date: Fri, 24 Nov 2017 18:08:29 +0800 Subject: [PATCH] [policy in code] Add support for service and quota resource [5/10] This patch adds policy in code support for service and quota resources. Change-Id: I9a79b5ececc583e80149cc980930e162e805b143 Partial-Implements: blueprint policy-in-code --- etc/manila/policy.json | 15 ----- manila/policies/__init__.py | 8 +++ manila/policies/quota_class_set.py | 54 +++++++++++++++++ manila/policies/quota_set.py | 95 ++++++++++++++++++++++++++++++ manila/policies/service.py | 70 ++++++++++++++++++++++ manila/policies/share_server.py | 70 ++++++++++++++++++++++ manila/policy.py | 4 +- 7 files changed, 300 insertions(+), 16 deletions(-) create mode 100644 manila/policies/quota_class_set.py create mode 100644 manila/policies/quota_set.py create mode 100644 manila/policies/service.py create mode 100644 manila/policies/share_server.py diff --git a/etc/manila/policy.json b/etc/manila/policy.json index ba43c008f3..0c60eb3dfa 100644 --- a/etc/manila/policy.json +++ b/etc/manila/policy.json @@ -1,16 +1,6 @@ { "availability_zone:index": "rule:default", - "quota_set:update": "rule:admin_api", - "quota_set:show": "rule:default", - "quota_set:delete": "rule:admin_api", - - "quota_class_set:show": "rule:default", - "quota_class_set:update": "rule:admin_api", - - "service:index": "rule:admin_api", - "service:update": "rule:admin_api", - "share_export_location:index": "rule:default", "share_export_location:show": "rule:default", @@ -33,11 +23,6 @@ "security_service:detail": "rule:default", "security_service:get_all_security_services": "rule:admin_api", - "share_server:index": "rule:admin_api", - "share_server:show": "rule:admin_api", - "share_server:details": "rule:admin_api", - "share_server:delete": "rule:admin_api", - "share_network:create": "rule:default", "share_network:delete": "rule:default", "share_network:update": "rule:default", 
diff --git a/manila/policies/__init__.py b/manila/policies/__init__.py index 937b343480..b820aba0e6 100644 --- a/manila/policies/__init__.py +++ b/manila/policies/__init__.py @@ -17,7 +17,11 @@ import itertools from manila.policies import base +from manila.policies import quota_class_set +from manila.policies import quota_set +from manila.policies import service from manila.policies import share_instance_export_location +from manila.policies import share_server from manila.policies import share_snapshot from manila.policies import share_snapshot_export_location from manila.policies import share_snapshot_instance @@ -36,4 +40,8 @@ def list_rules(): share_snapshot_export_location.list_rules(), share_snapshot_instance.list_rules(), share_snapshot_instance_export_location.list_rules(), + share_server.list_rules(), + service.list_rules(), + quota_set.list_rules(), + quota_class_set.list_rules(), ) diff --git a/manila/policies/quota_class_set.py b/manila/policies/quota_class_set.py new file mode 100644 index 0000000000..0fb7849662 --- /dev/null +++ b/manila/policies/quota_class_set.py 
@@ -0,0 +1,54 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from manila.policies import base
+
+
+BASE_POLICY_NAME = 'quota_class_set:%s'
+
+
+quota_class_set_policies = [
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'update',
+ check_str=base.RULE_ADMIN_API,
+ description="Update quota class.",
+ operations=[
+ {
+ 'method': 'PUT',
+ 'path': '/quota-class-sets/{class_name}'
+ },
+ {
+ 'method': 'PUT',
+ 'path': '/os-quota-class-sets/{class_name}'
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'show',
+ check_str=base.RULE_DEFAULT,
+ description="Get quota class.",
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/quota-class-sets/{class_name}'
+ },
+ {
+ 'method': 'GET',
+ 'path': '/os-quota-class-sets/{class_name}'
+ }
+ ]),
+]
+
+
+def list_rules():
+ return quota_class_set_policies
diff --git a/manila/policies/quota_set.py b/manila/policies/quota_set.py
new file mode 100644
index 0000000000..76a6820aee
--- /dev/null
+++ b/manila/policies/quota_set.py
@@ -0,0 +1,95 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from manila.policies import base
+
+
+BASE_POLICY_NAME = 'quota_set:%s'
+
+
+quota_set_policies = [
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'update',
+ check_str=base.RULE_ADMIN_API,
+ description=("Update the quotas for a project/user and/or share "
+ "type."),
+ operations=[
+ {
+ 'method': 'PUT',
+ 'path': '/quota-sets/{tenant_id}'
+ },
+ {
+ 'method': 'PUT',
+ 'path': '/quota-sets/{tenant_id}?user_id={user_id}'
+ },
+ {
+ 'method': 'PUT',
+ 'path': '/quota-sets/{tenant_id}?share_type={share_type_id}'
+ },
+ {
+ 'method': 'PUT',
+ 'path': '/os-quota-sets/{tenant_id}'
+ },
+ {
+ 'method': 'PUT',
+ 'path': '/os-quota-sets/{tenant_id}?user_id={user_id}'
+ },
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'show',
+ check_str=base.RULE_DEFAULT,
+ description="List the quotas for a tenant/user.",
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/quota-sets/{tenant_id}/defaults'
+ },
+ {
+ 'method': 'GET',
+ 'path': '/os-quota-sets/{tenant_id}/defaults'
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'delete',
+ check_str=base.RULE_ADMIN_API,
+ description=("Delete quota for a tenant/user or "
+ "tenant/share-type. The quota will revert back to "
+ "default (Admin only)."),
+ operations=[
+ {
+ 'method': 'DELETE',
+ 'path': '/quota-sets/{tenant_id}'
+ },
+ {
+ 'method': 'DELETE',
+ 'path': '/quota-sets/{tenant_id}?user_id={user_id}'
+ },
+ {
+ 'method': 'DELETE',
+ 'path': '/quota-sets/{tenant_id}?share_type={share_type_id}'
+ },
+ {
+ 'method': 'DELETE',
+ 'path': '/os-quota-sets/{tenant_id}'
+ },
+ {
+ 'method': 'DELETE',
+ 'path': '/os-quota-sets/{tenant_id}?user_id={user_id}'
+ },
+ ]),
+]
+
+
+def list_rules():
+ return quota_set_policies
diff --git a/manila/policies/service.py b/manila/policies/service.py
new file mode 100644
index 0000000000..b536c7ef19
--- /dev/null
+++ b/manila/policies/service.py
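Review bot: In `manila/policies/quota_set.py` the `quota_set:show` entry lists only the two `/defaults` paths, while its description reads "List the quotas for a tenant/user."; if the same rule also gates the plain show call (presumably it does, but the controller is not part of this patch), add `{'method': 'GET', 'path': '/quota-sets/{tenant_id}'}` together with its `?user_id={user_id}` and `os-quota-sets` forms. This rule defaults to `base.RULE_DEFAULT`, and the generated policy reference is what an operator reads when deciding whether to tighten it, so an incomplete operations list understates what the rule exposes. The descriptions also mix "project/user" with "tenant/user", and only `delete` carries "(Admin only)" although `update` uses the same `base.RULE_ADMIN_API`; one wording across the three entries would avoid implying a difference.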
@@ -0,0 +1,70 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from manila.policies import base
+
+
+BASE_POLICY_NAME = 'service:%s'
+
+
+service_policies = [
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'index',
+ check_str=base.RULE_ADMIN_API,
+ description="Return a list of all running services.",
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/os-services',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/os-services?{query}',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/services',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/services?{query}',
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'update',
+ check_str=base.RULE_ADMIN_API,
+ description="Enable/Disable scheduling for a service.",
+ operations=[
+ {
+ 'method': 'PUT',
+ 'path': '/os-services/disable',
+ },
+ {
+ 'method': 'PUT',
+ 'path': '/os-services/enable',
+ },
+ {
+ 'method': 'PUT',
+ 'path': '/services/disable',
+ },
+ {
+ 'method': 'PUT',
+ 'path': '/services/enable',
+ },
+ ]),
+]
+
+
+def list_rules():
+ return service_policies
diff --git a/manila/policies/share_server.py b/manila/policies/share_server.py
new file mode 100644
index 0000000000..0b0248cd9d
--- /dev/null
+++ b/manila/policies/share_server.py
@@ -0,0 +1,70 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from manila.policies import base
+
+
+BASE_POLICY_NAME = 'share_server:%s'
+
+
+share_server_policies = [
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'index',
+ check_str=base.RULE_ADMIN_API,
+ description="Get share servers.",
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/share-servers',
+ },
+ {
+ 'method': 'GET',
+ 'path': '/share-servers?{query}',
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'show',
+ check_str=base.RULE_ADMIN_API,
+ description="Show share server.",
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/share-servers/{server_id}',
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'details',
+ check_str=base.RULE_ADMIN_API,
+ description="Get share server details.",
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/share-servers/{server_id}/details',
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=BASE_POLICY_NAME % 'delete',
+ check_str=base.RULE_ADMIN_API,
+ description="Delete share server.",
+ operations=[
+ {
+ 'method': 'DELETE',
+ 'path': '/share-servers/{server_id}',
+ }
+ ]),
+]
+
+
+def list_rules():
+ return share_server_policies
diff --git a/manila/policy.py b/manila/policy.py
index 458d8805c2..a95ecc469d 100644
--- a/manila/policy.py
+++ b/manila/policy.py
@@ -212,7 +212,9 @@ def check_policy(context, resource, action, target_obj=None): 'share', 'share_snapshot', 'share_snapshot_export_location', 'share_snapshot_instance', - 'share_snapshot_instance_export_location'): + 'share_snapshot_instance_export_location', + 'quota_set', 'quota_class_set', 'service', + 'share_server', ): authorize(context, _action, target) else: enforce(context, _action, target)
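Review bot: The tuple in `check_policy` that routes a resource to `authorize` instead of `enforce` has to be extended by hand for every resource moved into code, and nothing visible in this hunk ties it to what `manila/policies/__init__.py` registers. A resource registered there but missing from the tuple would still take the `enforce` branch after its entries were removed from policy.json. A comment above the tuple such as `# Resources whose defaults are registered in manila/policies; keep in sync with list_rules()` would make that coupling explicit. The new closing line `'share_server', ):` also leaves whitespace before the parenthesis; `'share_server'):` matches the style of the line it replaces. The body of `check_policy` starts and ends outside the hunk, so how `enforce` treats an unlisted rule cannot be confirmed from here.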