diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_api.py index 76db168e..0ddaf59b 100644 --- a/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_api.py +++ b/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_api.py @@ -67,7 +67,7 @@ class ActionsResource(BaseResource): The actions resource represent the asyncrhonous invocations of shipyard """ - @policy.ApiEnforcer('workflow_orchestrator:list_actions') + @policy.ApiEnforcer(policy.LIST_ACTIONS) def on_get(self, req, resp, **kwargs): """ Return actions that have been invoked through shipyard. @@ -76,7 +76,7 @@ class ActionsResource(BaseResource): resp.body = self.to_json(self.get_all_actions()) resp.status = falcon.HTTP_200 - @policy.ApiEnforcer('workflow_orchestrator:create_action') + @policy.ApiEnforcer(policy.CREATE_ACTION) def on_post(self, req, resp, **kwargs): """ Accept an action into shipyard diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_control_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_control_api.py index 203c0fd6..308bdecf 100644 --- a/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_control_api.py +++ b/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_control_api.py @@ -34,7 +34,7 @@ class ActionsControlResource(BaseResource): 'stop': self.stop_dag } - @policy.ApiEnforcer('workflow_orchestrator:invoke_action_control') + @policy.ApiEnforcer(policy.INVOKE_ACTION_CONTROL) def on_post(self, req, resp, **kwargs): """ Returns that a control was recevied (202 response) diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_id_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_id_api.py index 96de421a..c71737cc 100644 --- a/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_id_api.py +++ b/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_id_api.py @@ -28,7 +28,7 @@ class ActionsIdResource(BaseResource): """ The actions resource represent the asyncrhonous invocations of shipyard """ - @policy.ApiEnforcer('workflow_orchestrator:get_action') + @policy.ApiEnforcer(policy.GET_ACTION) def on_get(self, req, resp, **kwargs): """ Return actions that have been invoked through shipyard. diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_steps_id_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_steps_id_api.py index a49d550a..94e8a0a1 100644 --- a/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_steps_id_api.py +++ b/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_steps_id_api.py @@ -24,7 +24,7 @@ class ActionsStepsResource(BaseResource): """ The actions steps resource is the steps of an action """ - @policy.ApiEnforcer('workflow_orchestrator:get_action_step') + @policy.ApiEnforcer(policy.GET_ACTION_STEP) def on_get(self, req, resp, **kwargs): """ Return step details for an action step diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_steps_id_logs_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_steps_id_logs_api.py index edb5ea90..640eb888 100644 --- a/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_steps_id_logs_api.py +++ b/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_steps_id_logs_api.py @@ -34,7 +34,7 @@ class ActionsStepsLogsResource(BaseResource): the names of the logs as 1.log, 2.log, 3.log, etc. """ - @policy.ApiEnforcer('workflow_orchestrator:get_action_step_logs') + @policy.ApiEnforcer(policy.GET_ACTION_STEP_LOGS) def on_get(self, req, resp, **kwargs): """ Returns the logs of an action step diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_validations_id_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_validations_id_api.py index 03798740..6e1f4da3 100644 --- a/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_validations_id_api.py +++ b/src/bin/shipyard_airflow/shipyard_airflow/control/action/actions_validations_id_api.py @@ -25,7 +25,7 @@ class ActionsValidationsResource(BaseResource): The actions validations resource is the validtions of an action """ - @policy.ApiEnforcer('workflow_orchestrator:get_action_validation') + @policy.ApiEnforcer(policy.GET_ACTION_VALIDATION) def on_get(self, req, resp, **kwargs): """ Return validation details for an action validation diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/af_monitoring/workflows_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/af_monitoring/workflows_api.py index 245482a0..6f69957c 100644 --- a/src/bin/shipyard_airflow/shipyard_airflow/control/af_monitoring/workflows_api.py +++ b/src/bin/shipyard_airflow/shipyard_airflow/control/af_monitoring/workflows_api.py @@ -30,7 +30,7 @@ class WorkflowResource(BaseResource): /api/v1.0/workflows """ - @policy.ApiEnforcer('workflow_orchestrator:list_workflows') + @policy.ApiEnforcer(policy.LIST_WORKFLOWS) def on_get(self, req, resp): """ Return actions that have been invoked through shipyard. @@ -60,7 +60,7 @@ class WorkflowIdResource(BaseResource): /api/v1/workflows/{workflow_id} """ - @policy.ApiEnforcer('workflow_orchestrator:get_workflow') + @policy.ApiEnforcer(policy.GET_WORKFLOW) def on_get(self, req, resp, workflow_id): """ Retrieve the step details of workflows invoked in Airflow. diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py index a671c50e..9e66ae52 100644 --- a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py +++ b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py @@ -38,7 +38,7 @@ class ConfigDocsStatusResource(BaseResource): statuses """ - @policy.ApiEnforcer('workflow_orchestrator:get_configdocs_status') + @policy.ApiEnforcer(policy.GET_CONFIGDOCS_STATUS) def on_get(self, req, resp): """Returns a list of the configdocs and their statuses""" versions = req.params.get('versions') or None @@ -53,7 +53,7 @@ class ConfigDocsResource(BaseResource): documents into Shipyard. """ - @policy.ApiEnforcer('workflow_orchestrator:create_configdocs') + @policy.ApiEnforcer(policy.CREATE_CONFIGDOCS) @api_lock(ApiLockType.CONFIGDOCS_UPDATE) def on_post(self, req, resp, collection_id): """ @@ -92,7 +92,7 @@ class ConfigDocsResource(BaseResource): resp.location = '/api/v1.0/configdocs/{}'.format(collection_id) resp.body = self.to_json(validations) - @policy.ApiEnforcer('workflow_orchestrator:get_configdocs') + @policy.ApiEnforcer(policy.GET_CONFIGDOCS) def on_get(self, req, resp, collection_id): """ Returns a collection of documents @@ -178,7 +178,7 @@ class CommitConfigDocsResource(BaseResource): unable_to_commmit = 'Unable to commit configuration documents' - @policy.ApiEnforcer('workflow_orchestrator:commit_configdocs') + @policy.ApiEnforcer(policy.COMMIT_CONFIGDOCS) @api_lock(ApiLockType.CONFIGDOCS_UPDATE) def on_post(self, req, resp): """ diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/rendered_configdocs_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/rendered_configdocs_api.py index 0e9f2cc2..0bb8d476 100644 --- a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/rendered_configdocs_api.py +++ b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/rendered_configdocs_api.py @@ -37,7 +37,7 @@ class RenderedConfigDocsResource(BaseResource): in a complete or rendered state. """ - @policy.ApiEnforcer('workflow_orchestrator:get_renderedconfigdocs') + @policy.ApiEnforcer(policy.GET_RENDEREDCONFIGDOCS) def on_get(self, req, resp): """ Returns the whole set of rendered documents diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/status/status_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/status/status_api.py index a7d0449f..31629fa5 100644 --- a/src/bin/shipyard_airflow/shipyard_airflow/control/status/status_api.py +++ b/src/bin/shipyard_airflow/shipyard_airflow/control/status/status_api.py @@ -30,7 +30,7 @@ class StatusResource(BaseResource): node status and power state """ - @policy.ApiEnforcer('workflow_orchestrator:get_site_statuses') + @policy.ApiEnforcer(policy.GET_SITE_STATUSES) def on_get(self, req, resp, **kwargs): """ Return site based statuses that has been invoked through shipyard. diff --git a/src/bin/shipyard_airflow/shipyard_airflow/policy.py b/src/bin/shipyard_airflow/shipyard_airflow/policy.py index e68ba1ca..67ecac63 100644 --- a/src/bin/shipyard_airflow/shipyard_airflow/policy.py +++ b/src/bin/shipyard_airflow/shipyard_airflow/policy.py @@ -25,6 +25,23 @@ CONF = cfg.CONF LOG = logging.getLogger(__name__) policy_engine = None +# Policy name constants +LIST_ACTIONS = 'workflow_orchestrator:list_actions' +CREATE_ACTION = 'workflow_orchestrator:create_action' +GET_ACTION = 'workflow_orchestrator:get_action' +GET_ACTION_STEP = 'workflow_orchestrator:get_action_step' +GET_ACTION_STEP_LOGS = 'workflow_orchestrator:get_action_step_logs' +GET_ACTION_VALIDATION = 'workflow_orchestrator:get_action_validation' +INVOKE_ACTION_CONTROL = 'workflow_orchestrator:invoke_action_control' +GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status' +CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs' +GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs' +COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs' +GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs' +LIST_WORKFLOWS = 'workflow_orchestrator:list_workflows' +GET_WORKFLOW = 'workflow_orchestrator:get_workflow' +GET_SITE_STATUSES = 'workflow_orchestrator:get_site_statuses' + class ShipyardPolicy(object): """ @@ -44,7 +61,7 @@ class ShipyardPolicy(object): # Orchestrator Policy task_rules = [ policy.DocumentedRuleDefault( - 'workflow_orchestrator:list_actions', + LIST_ACTIONS, RULE_ADMIN_REQUIRED, 'List workflow actions invoked by users', [{ @@ -53,7 +70,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:create_action', + CREATE_ACTION, RULE_ADMIN_REQUIRED, 'Create a workflow action', [{ @@ -62,7 +79,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:get_action', + GET_ACTION, RULE_ADMIN_REQUIRED, 'Retrieve an action by its id', [{ @@ -71,7 +88,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:get_action_step', + GET_ACTION_STEP, RULE_ADMIN_REQUIRED, 'Retrieve an action step by its id', [{ @@ -80,7 +97,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:get_action_step_logs', + GET_ACTION_STEP_LOGS, RULE_ADMIN_REQUIRED, 'Retrieve logs of an action step by its id', [{ @@ -89,7 +106,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:get_action_validation', + GET_ACTION_VALIDATION, RULE_ADMIN_REQUIRED, 'Retrieve an action validation by its id', [{ @@ -99,7 +116,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:invoke_action_control', + INVOKE_ACTION_CONTROL, RULE_ADMIN_REQUIRED, 'Send a control to an action', [{ @@ -108,7 +125,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:get_configdocs_status', + GET_CONFIGDOCS_STATUS, RULE_ADMIN_REQUIRED, 'Retrieve the status of the configdocs', [{ @@ -117,7 +134,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:create_configdocs', + CREATE_CONFIGDOCS, RULE_ADMIN_REQUIRED, 'Ingest configuration documents for the site design', [{ @@ -126,7 +143,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:get_configdocs', + GET_CONFIGDOCS, RULE_ADMIN_REQUIRED, 'Retrieve a collection of configuration documents', [{ @@ -135,7 +152,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:commit_configdocs', + COMMIT_CONFIGDOCS, RULE_ADMIN_REQUIRED, ('Move documents from the Shipyard buffer to the committed ' 'documents'), @@ -145,7 +162,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:get_renderedconfigdocs', + GET_RENDEREDCONFIGDOCS, RULE_ADMIN_REQUIRED, ('Retrieve the configuration documents rendered by Deckhand into ' 'a complete design'), @@ -155,7 +172,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:list_workflows', + LIST_WORKFLOWS, RULE_ADMIN_REQUIRED, ('Retrieve the list of workflows (DAGs) that have been invoked ' 'in Airflow, whether via Shipyard or scheduled'), @@ -165,7 +182,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:get_workflow', + GET_WORKFLOW, RULE_ADMIN_REQUIRED, ('Retrieve the detailed information for a workflow (DAG) from ' 'Airflow'), @@ -175,7 +192,7 @@ class ShipyardPolicy(object): }] ), policy.DocumentedRuleDefault( - 'workflow_orchestrator:get_site_statuses', + GET_SITE_STATUSES, RULE_ADMIN_REQUIRED, 'Retrieve the statuses for the site', [{