Merge "Move policy into code"
commit
4043745bd4
|
@ -23,7 +23,6 @@ from oslo_config import cfg
|
|||
from oslo_db import options as db_options
|
||||
from oslo_log import log as logging
|
||||
from oslo_middleware import cors
|
||||
from oslo_policy import opts as policy_opts
|
||||
|
||||
from congress import version
|
||||
|
||||
|
@ -112,7 +111,6 @@ dse_opts = [
|
|||
# Register dse opts
|
||||
cfg.CONF.register_opts(dse_opts, group='dse')
|
||||
|
||||
policy_opts.set_defaults(cfg.CONF, 'policy.json')
|
||||
logging.register_options(cfg.CONF)
|
||||
|
||||
_SQL_CONNECTION_DEFAULT = 'sqlite://'
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from congress.common.policies import base
|
||||
|
||||
|
||||
def list_rules():
|
||||
return base.list_rules()
|
|
@ -0,0 +1,43 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
name='context_is_admin',
|
||||
check_str='role:admin'
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name='admin_only',
|
||||
check_str='rule:context_is_admin'
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name='regular_user',
|
||||
check_str='',
|
||||
description='The policy rule defining who is a regular user. This '
|
||||
'rule can be overridden by, for example, a role check.'
|
||||
),
|
||||
policy.RuleDefault(
|
||||
name='default',
|
||||
check_str='rule:admin_only',
|
||||
description='The default policy rule to apply when enforcing API '
|
||||
'permissions. By default, all APIs are admin only. '
|
||||
'This rule can be overridden (say by rule:regular_user) '
|
||||
'to allow non-admins to access Congress APIs.'
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
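Review bot: `regular_user` is defined with `check_str=''`, and in oslo.policy an empty check string matches every request, which its description does not say. An operator who follows the hint in the `default` rule's description and overrides it with `rule:regular_user` would open every Congress API to any caller the auth layer lets through. The description should state this, for example `'An empty check matches every request; replace it with a role check before pointing other rules at it.'`. `context_is_admin` and `admin_only` also carry no `description`, so the generated sample file will list them without explanation; a line such as `description='Who counts as an administrator.'` on each would fix that.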
@ -21,6 +21,7 @@ from __future__ import absolute_import
|
|||
from oslo_config import cfg
|
||||
from oslo_policy import policy
|
||||
|
||||
from congress.common import policies
|
||||
from congress import exception
|
||||
|
||||
|
||||
|
@ -51,6 +52,11 @@ def init(policy_file=None, rules=None, default_rule=None, use_conf=True):
|
|||
rules=rules,
|
||||
default_rule=default_rule,
|
||||
use_conf=use_conf)
|
||||
register_rules(_ENFORCER)
|
||||
|
||||
|
||||
def register_rules(enforcer):
|
||||
enforcer.register_defaults(policies.list_rules())
|
||||
|
||||
|
||||
def set_rules(rules, overwrite=True, use_conf=False):
|
||||
|
|
|
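Review bot: Nothing visible in this hunk prevents `register_rules` from running twice against the same enforcer, and oslo.policy's `register_default` raises `DuplicatePolicyError` when a rule name is registered again. The rendered page has lost indentation and init() starts outside the hunk, so I cannot tell whether the new `register_rules(_ENFORCER)` call sits inside the branch that creates the enforcer. It should, so that a second init() without reset() stays harmless. `register_rules` would also benefit from a docstring such as `"""Register the in-code default rules on the given enforcer."""`.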
@ -21,6 +21,7 @@ import os
|
|||
|
||||
import fixtures
|
||||
from oslo_config import cfg
|
||||
from oslo_policy import opts as policy_opts
|
||||
|
||||
import congress.common.policy
|
||||
from congress.tests import fake_policy
|
||||
|
@ -37,6 +38,10 @@ class PolicyFixture(fixtures.Fixture):
|
|||
'policy.json')
|
||||
with open(self.policy_file_name, 'w') as policy_file:
|
||||
policy_file.write(fake_policy.policy_data)
|
||||
# Note: without the 1st line below (set_defaults), the 2nd line below
|
||||
# (set_override) fails, seemingly because the oslo_policy opt group is
|
||||
# not "initialized" or "recognized"
|
||||
policy_opts.set_defaults(CONF)
|
||||
CONF.set_override('policy_file', self.policy_file_name, 'oslo_policy')
|
||||
congress.common.policy.reset()
|
||||
congress.common.policy.init()
|
||||
|
|
|
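Review bot: The comment added in PolicyFixture records a guess ("seemingly") rather than the cause. The oslo_policy option group is most likely registered only when an Enforcer is built or `set_defaults` is called, and this commit drops the import-time `policy_opts.set_defaults(cfg.CONF, 'policy.json')` call from the config module, so `set_override` would otherwise run before the group exists. I would state that directly, e.g. `# oslo_policy opts are registered lazily; register them before set_override.` The method continues outside the hunk, so I cannot see whether the override is cleared on cleanup.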
@ -47,10 +47,8 @@ function configure_congress {
|
|||
setup_colorized_logging $CONGRESS_CONF DEFAULT project_id
|
||||
fi
|
||||
CONGRESS_API_PASTE_FILE=$CONGRESS_CONF_DIR/api-paste.ini
|
||||
CONGRESS_POLICY_FILE=$CONGRESS_CONF_DIR/policy.json
|
||||
|
||||
cp $CONGRESS_DIR/etc/api-paste.ini $CONGRESS_API_PASTE_FILE
|
||||
cp $CONGRESS_DIR/etc/policy.json $CONGRESS_POLICY_FILE
|
||||
if [[ ! -d $CONGRESS_LIBRARY_DIR ]]; then
|
||||
mkdir $CONGRESS_LIBRARY_DIR
|
||||
fi
|
||||
|
@ -58,7 +56,6 @@ function configure_congress {
|
|||
|
||||
# Update either configuration file
|
||||
iniset $CONGRESS_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
|
||||
iniset $CONGRESS_CONF oslo_policy policy_file $CONGRESS_POLICY_FILE
|
||||
iniset $CONGRESS_CONF DEFAULT auth_strategy $CONGRESS_AUTH_STRATEGY
|
||||
iniset $CONGRESS_CONF DEFAULT datasource_sync_period 30
|
||||
iniset $CONGRESS_CONF DEFAULT replicated_policy_engine "$CONGRESS_REPLICATED"
|
||||
|
|
|
@ -90,9 +90,18 @@ Configure Congress (Assume you put config files in /etc/congress)
|
|||
$ sudo mkdir -p /etc/congress
|
||||
$ sudo mkdir -p /etc/congress/snapshot
|
||||
$ sudo cp etc/api-paste.ini /etc/congress
|
||||
$ sudo cp etc/policy.json /etc/congress
|
||||
|
||||
Set-up Policy Library [optional]
|
||||
(optional) Customize API access policy
|
||||
Typically, the default access policy of Congress API is appropriate.
|
||||
If desired, you can override the default access policy as follows:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ tox -e genpolicy
|
||||
(edit the generated sample file etc/policy.yaml.sample then copy to conf dir)
|
||||
$ sudo cp etc/policy.yaml.sample /etc/congress/policy.yaml
|
||||
|
||||
(optional) Set-up policy library
|
||||
This step copies the bundled collection Congress policies into the Congress
|
||||
policy library for easy activation by an administrator. The policies in the
|
||||
library do not become active until explicitly activated by an administrator.
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
[DEFAULT]
|
||||
output_file = etc/congress.policy.yaml.sample
|
||||
namespace = congress
|
|
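Review bot: `output_file = etc/congress.policy.yaml.sample` does not match the install instructions changed in the same commit, which tell the operator to edit and copy `etc/policy.yaml.sample`. One of the two names should change, e.g. `output_file = etc/policy.yaml.sample`. The instructions also copy the result to `/etc/congress/policy.yaml`, while this commit removes both the explicit `policy.json` default and the devstack `policy_file` setting, so whether that file is read depends on oslo.policy's own `policy_file` default, which is not visible here. If that default is still `policy.json`, the operator's override would be ignored without any error, so the install steps should also say to set `policy_file` under `[oslo_policy]`.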
@ -1,6 +0,0 @@
|
|||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"admin_only": "rule:context_is_admin",
|
||||
"regular_user": "",
|
||||
"default": "rule:admin_only"
|
||||
}
|
|
@ -51,6 +51,11 @@ oslo.config.opts =
|
|||
oslo.config.opts.defaults =
|
||||
congress = congress.common.config:set_config_defaults
|
||||
|
||||
oslo.policy.policies =
|
||||
# With the move of default policy in code list_rules returns a list of
|
||||
# the default defined polices.
|
||||
congress = congress.common.policies:list_rules
|
||||
|
||||
console_scripts =
|
||||
congress-server = congress.server.congress_server:main
|
||||
congress-db-manage = congress.db.migration.cli:main
|
||||
|
|
5
tox.ini
5
tox.ini
|
@ -1,7 +1,7 @@
|
|||
[tox]
|
||||
minversion = 1.6
|
||||
skipsdist = True
|
||||
envlist = py35,py27,pep8
|
||||
envlist = py35,py27,pep8,genpolicy
|
||||
|
||||
[testenv]
|
||||
usedevelop = True
|
||||
|
@ -59,6 +59,9 @@ deps =
|
|||
commands = {toxinidir}/tools/pip-install-single-req.sh requirements.txt oslo.config
|
||||
oslo-config-generator --config-file=etc/congress-config-generator.conf
|
||||
|
||||
[testenv:genpolicy]
|
||||
commands = oslopolicy-sample-generator --config-file etc/congress-policy-generator.conf
|
||||
|
||||
[testenv:docs]
|
||||
setenv = PYTHONHASHSEED=0
|
||||
commands = rm -rf doc/build doc/source/api
|
||||
|
|
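Review bot: Adding `genpolicy` to `envlist` (assuming the line that contains it is the new side) means a plain `tox` run now also writes the policy sample into `etc/`, alongside the unit-test and pep8 environments. Generator environments are normally run on demand, as the install instructions in this commit do with `tox -e genpolicy`. I would keep `envlist = py35,py27,pep8` and make sure the generated sample file is ignored by version control.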