openstack
/
designate
Code Issues Proposed changes

Merge "Implement policy in code (3)"

This commit is contained in:
Zuul 2017-10-25 16:43:23 +00:00 committed by Gerrit Code Review
parent 4f67abe6b2 2fa4f50e89
commit d0d12b605e
10 changed files with 594 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
designate/common/policies/__init__.py
View File

@ -22,6 +22,13 @@ from designate.common.policies import blacklist
from designate.common.policies import context
from designate.common.policies import diagnostics
from designate.common.policies import pool
from designate.common.policies import quota
from designate.common.policies import record
from designate.common.policies import recordset
from designate.common.policies import service_status
from designate.common.policies import tenant
from designate.common.policies import tld
from designate.common.policies import tsigkey
def list_rules():
@ -30,5 +37,12 @@ def list_rules():
blacklist.list_rules(),
context.list_rules(),
diagnostics.list_rules(),
pool.list_rules()
pool.list_rules(),
quota.list_rules(),
record.list_rules(),
recordset.list_rules(),
service_status.list_rules(),
tenant.list_rules(),
tld.list_rules(),
tsigkey.list_rules(),
)

6
designate/common/policies/pool.py
View File

@ -22,7 +22,8 @@ rules = [
policy.RuleDefault(
name="create_pool",
check_str=base.RULE_ADMIN,
description='Create pool.'),
description='Create pool.'
),
policy.DocumentedRuleDefault(
name="find_pools",
check_str=base.RULE_ADMIN,
@ -59,7 +60,8 @@ rules = [
policy.RuleDefault(
name="update_pool",
check_str=base.RULE_ADMIN,
description='Update pool.'),
description='Update pool.'
),
policy.RuleDefault(
name="delete_pool",
check_str=base.RULE_ADMIN,

62
designate/common/policies/quota.py Normal file
View File

@ -0,0 +1,62 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="get_quotas",
check_str=base.RULE_ADMIN_OR_OWNER,
description="View Current Project's Quotas.",
operations=[
{
'path': '/v2/quotas',
'method': 'GET'
}
]
),
policy.RuleDefault(
name="get_quota",
check_str=base.RULE_ADMIN_OR_OWNER
),
policy.DocumentedRuleDefault(
name="set_quota",
check_str=base.RULE_ADMIN,
description='Set Quotas.',
operations=[
{
'path': '/v2/quotas/{project_id}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name="reset_quotas",
check_str=base.RULE_ADMIN,
description='Reset Quotas.',
operations=[
{
'path': '/v2/quotas/{project_id}',
'method': 'DELETE'
}
]
),
]
def list_rules():
return rules

114
designate/common/policies/record.py Normal file
View File

@ -0,0 +1,114 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_record",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Create record.',
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="get_records",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Get records.',
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="get_record",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Get record.',
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="find_records",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Find records.',
operations=[
{
'path': '/v2/reverse/floatingips/{region}:{floatingip_id}',
'method': 'GET'
}, {
'path': '/v2/reverse/floatingips',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="find_record",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Find record.',
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'GET'
}, {
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'DELETE'
}, {
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'PUT'
}
]
),
policy.DocumentedRuleDefault(
name="update_record",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Update record.',
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'PUT'
}
]
),
policy.DocumentedRuleDefault(
name="delete_record",
check_str=base.RULE_ADMIN_OR_OWNER,
description='Delete record.',
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'DELETE'
}
]
),
policy.RuleDefault(
name="count_records",
check_str=base.RULE_ADMIN_OR_OWNER)
]
def list_rules():
return rules

127
designate/common/policies/recordset.py Normal file
View File

@ -0,0 +1,127 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_recordset",
check_str=base.RULE_ZONE_PRIMARY_OR_ADMIN,
description="Create Recordset",
operations=[
{
'path': '/v2/zones/{zone_id}/recordsets',
'method': 'POST'
}, {
'path': '/v2/reverse/floatingips/{region}:{floatingip_id}',
'method': 'PATCH'
}
]
),
policy.RuleDefault(
name="get_recordsets",
check_str=base.RULE_ADMIN_OR_OWNER
),
policy.DocumentedRuleDefault(
name="get_recordset",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Get recordset",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'GET'
}, {
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'PUT'
}, {
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
'method': 'GET'
}, {
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
'method': 'DELETE'
}, {
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
'method': 'PUT'
}
]
),
policy.DocumentedRuleDefault(
name="find_recordsets",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Find recordsets",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="find_recordset",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Find recordset",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records',
'method': 'POST'
}, {
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name="update_recordset",
check_str=base.RULE_ZONE_PRIMARY_OR_ADMIN,
description="Update recordset",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'PUT'
}, {
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
'method': 'PUT'
}, {
'path': '/v2/reverse/floatingips/{region}:{floatingip_id}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name="delete_recordset",
check_str=base.RULE_ZONE_PRIMARY_OR_ADMIN,
description="Delete RecordSet",
operations=[
{
'path': '/v1/domains/<uuid:domain_id>/records/<uuid:record_id>', # noqa
'method': 'DELETE'
}, {
'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}',
'method': 'DELETE'
}
]
),
policy.RuleDefault(
name="count_recordset",
check_str=base.RULE_ADMIN_OR_OWNER,
description="Count recordsets"
)
]
def list_rules():
return rules

50
designate/common/policies/service_status.py Normal file
View File

@ -0,0 +1,50 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="find_service_status",
check_str=base.RULE_ADMIN,
description="Find a single Service Status",
operations=[
{
'path': '/v2/service_status/{service_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="find_service_statuses",
check_str=base.RULE_ADMIN,
description="List service statuses.",
operations=[
{
'path': '/v2/service_status',
'method': 'GET'
}
]
),
policy.RuleDefault(
"update_service_service_status",
base.RULE_ADMIN)
]
def list_rules():
return rules

41
designate/common/policies/tenant.py Normal file
View File

@ -0,0 +1,41 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.RuleDefault(
name="find_tenants",
check_str=base.RULE_ADMIN,
description="Find all Tenants."
),
policy.RuleDefault(
name="get_tenant",
check_str=base.RULE_ADMIN,
description="Get all Tenants."
),
policy.RuleDefault(
name="count_tenants",
check_str=base.RULE_ADMIN,
description="Count tenants"
)
]
def list_rules():
return rules

80
designate/common/policies/tld.py Normal file
View File

@ -0,0 +1,80 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_tld",
check_str=base.RULE_ADMIN,
description="Create Tld",
operations=[
{
'path': '/v2/tlds',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="find_tlds",
check_str=base.RULE_ADMIN,
description="List Tlds",
operations=[
{
'path': '/v2/tlds',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="get_tld",
check_str=base.RULE_ADMIN,
description="Show Tld",
operations=[
{
'path': '/v2/tlds/{tld_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="update_tld",
check_str=base.RULE_ADMIN,
description="Update Tld",
operations=[
{
'path': '/v2/tlds/{tld_id}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name="delete_tld",
check_str=base.RULE_ADMIN,
description="Delete Tld",
operations=[
{
'path': '/v2/tlds/{tld_id}',
'method': 'DELETE'
}
]
)
]
def list_rules():
return rules

101
designate/common/policies/tsigkey.py Normal file
View File

@ -0,0 +1,101 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from designate.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name="create_tsigkey",
check_str=base.RULE_ADMIN,
description="Create Tsigkey",
operations=[
{
'path': '/v1/tsigkeys',
'method': 'POST'
}, {
'path': '/v2/tsigkeys',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name="find_tsigkeys",
check_str=base.RULE_ADMIN,
description="List Tsigkeys",
operations=[
{
'path': '/v1/tsigkeys',
'method': 'GET'
}, {
'path': '/v1/tsigkeys/<uuid:tsigkey_id>',
'method': 'GET'
}, {
'path': '/v1/tsigkeys/<uuid:tsigkey_id>',
'method': 'DELETE'
}, {
'path': '/v2/tsigkeys',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="get_tsigkey",
check_str=base.RULE_ADMIN,
description="Show a Tsigkey",
operations=[
{
'path': '/v2/tsigkeys/{tsigkey_id}',
'method': 'PATCH'
}, {
'path': '/v2/tsigkeys/{tsigkey_id}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name="update_tsigkey",
check_str=base.RULE_ADMIN,
description="Update Tsigkey",
operations=[
{
'path': '/v1/tsigkeys/{tsigkey_id}',
'method': 'PATCH'
}, {
'path': '/v2/tsigkeys/{tsigkey_id}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name="delete_tsigkey",
check_str=base.RULE_ADMIN,
description="Delete a Tsigkey",
operations=[
{
'path': '/v1/tsigkeys/{tsigkey_id}',
'method': 'DELETE'
}, {
'path': '/v2/tsigkeys/{tsigkey_id}',
'method': 'DELETE'
}
]
)
]
def list_rules():
return rules

43
etc/designate/policy.json
View File

@ -1,25 +1,4 @@
{
"get_quotas": "rule:admin_or_owner",
"get_quota": "rule:admin_or_owner",
"set_quota": "rule:admin",
"reset_quotas": "rule:admin",
"create_tld": "rule:admin",
"find_tlds": "rule:admin",
"get_tld": "rule:admin",
"update_tld": "rule:admin",
"delete_tld": "rule:admin",
"create_tsigkey": "rule:admin",
"find_tsigkeys": "rule:admin",
"get_tsigkey": "rule:admin",
"update_tsigkey": "rule:admin",
"delete_tsigkey": "rule:admin",
"find_tenants": "rule:admin",
"get_tenant": "rule:admin",
"count_tenants": "rule:admin",
"create_zone": "rule:admin_or_owner",
"get_zones": "rule:admin_or_owner",
"get_zone": "rule:admin_or_owner",
@ -35,24 +14,6 @@
"purge_zones": "rule:admin",
"touch_zone": "rule:admin_or_owner",
"create_recordset": "rule:zone_primary_or_admin",
"get_recordsets": "rule:admin_or_owner",
"get_recordset": "rule:admin_or_owner",
"find_recordsets": "rule:admin_or_owner",
"find_recordset": "rule:admin_or_owner",
"update_recordset": "rule:zone_primary_or_admin",
"delete_recordset": "rule:zone_primary_or_admin",
"count_recordset": "rule:admin_or_owner",
"create_record": "rule:admin_or_owner",
"get_records": "rule:admin_or_owner",
"get_record": "rule:admin_or_owner",
"find_records": "rule:admin_or_owner",
"find_record": "rule:admin_or_owner",
"update_record": "rule:admin_or_owner",
"delete_record": "rule:admin_or_owner",
"count_records": "rule:admin_or_owner",
"create_zone_transfer_request": "rule:admin_or_owner",
"get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s",
"get_zone_transfer_request_detailed": "rule:admin_or_owner",
@ -79,8 +40,4 @@
"find_zone_exports": "rule:admin_or_owner",
"get_zone_export": "rule:admin_or_owner",
"update_zone_export": "rule:admin_or_owner",
"find_service_status": "rule:admin",
"find_service_statuses": "rule:admin",
"update_service_service_status": "rule:admin"
}