diff --git a/etc/policy.json b/etc/policy.json
index 12c71b0fe..bc6d8020e 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -1,13 +1,6 @@
 {
 "default": "rule:admin_or_owner",
 
- "workflows:create": "rule:admin_or_owner",
- "workflows:delete": "rule:admin_or_owner",
- "workflows:get": "rule:admin_or_owner",
- "workflows:list": "rule:admin_or_owner",
- "workflows:list:all_projects": "rule:admin_only",
- "workflows:update": "rule:admin_or_owner",
-
 "event_triggers:create": "rule:admin_or_owner",
 "event_triggers:create:public": "rule:admin_only",
 "event_triggers:delete": "rule:admin_or_owner",
diff --git a/mistral/policies/__init__.py b/mistral/policies/__init__.py
index 4bb16931c..b8f5b2256 100644
--- a/mistral/policies/__init__.py
+++ b/mistral/policies/__init__.py
@@ -24,6 +24,7 @@ from mistral.policies import member
 from mistral.policies import service
 from mistral.policies import task
 from mistral.policies import workbook
+from mistral.policies import workflow
 
 
 def list_rules():
@@ -37,5 +38,6 @@ def list_rules():
 member.list_rules(),
 service.list_rules(),
 task.list_rules(),
- workbook.list_rules()
+ workbook.list_rules(),
+ workflow.list_rules()
 )
diff --git a/mistral/policies/workflow.py b/mistral/policies/workflow.py
new file mode 100644
index 000000000..161e585c2
--- /dev/null
+++ b/mistral/policies/workflow.py
@@ -0,0 +1,91 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+
+from mistral.policies import base
+
+WORKFLOWS = 'workflows:%s'
+
+rules = [
+ policy.DocumentedRuleDefault(
+ name=WORKFLOWS % 'create',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Create a new workflow.',
+ operations=[
+ {
+ 'path': '/v2/workflows',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=WORKFLOWS % 'delete',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Delete a workflow.',
+ operations=[
+ {
+ 'path': '/v2/workflows',
+ 'method': 'DELETE'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=WORKFLOWS % 'get',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Return the named workflow.',
+ operations=[
+ {
+ 'path': '/v2/workflows/{workflow_id}',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=WORKFLOWS % 'list',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Return a list of workflows.',
+ operations=[
+ {
+ 'path': '/v2/workflows',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=WORKFLOWS % 'list:all_projects',
+ check_str=base.RULE_ADMIN_ONLY,
+ description='Return a list of workflows from all projects.',
+ operations=[
+ {
+ 'path': '/v2/workflows',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=WORKFLOWS % 'update',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Update one or more workflows.',
+ operations=[
+ {
+ 'path': '/v2/workflows',
+ 'method': 'PUT'
+ }
+ ]
+ )
+]
+
+
+def list_rules():
+ return rules
diff --git a/mistral/tests/unit/fake_policy.py b/mistral/tests/unit/fake_policy.py
index 2f931f315..cd47453af 100644
--- a/mistral/tests/unit/fake_policy.py
+++ b/mistral/tests/unit/fake_policy.py
@@ -14,11 +14,4 @@
 
 policy_data = """{
 "default": "rule:admin_or_owner",
-
- "workflows:create": "rule:admin_or_owner",
- "workflows:delete": "rule:admin_or_owner",
- "workflows:get": "rule:admin_or_owner",
- "workflows:list": "rule:admin_or_owner",
- "workflows:list:all_projects": "rule:admin_only",
- "workflows:update": "rule:admin_or_owner",
 }"""
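Review bot: In mistral/policies/workflow.py the `workflows:delete` rule documents its operation as `DELETE /v2/workflows`, while `workflows:get` uses `/v2/workflows/{workflow_id}`; if deletion targets a single workflow, as the description 'Delete a workflow.' suggests, the entry should read `'path': '/v2/workflows/{workflow_id}',` so the generated policy documentation matches what operators audit. Because these defaults now live in code and `etc/policy.json` no longer lists them, a short module docstring would help, stating that an entry for a `workflows:*` name in an operator's policy file still overrides the in-code default, which is how oslo.policy treats registered defaults. Whether `admin_or_owner` really confines `get`, `delete` and `update` to the owning project depends on the target passed at enforcement time, which is outside this diff; it is worth confirming that the API controllers pass the workflow's project and not only the caller's credentials.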