Merge "Add policy module to neutron-lib"

This commit is contained in:
Zuul 2019-02-20 16:03:57 +00:00 committed by Gerrit Code Review
commit 1d18cebe76
6 changed files with 62 additions and 22 deletions

View File

@ -20,8 +20,8 @@ import warnings
from oslo_context import context as oslo_context
from oslo_db.sqlalchemy import enginefacade
from neutron_lib import _policy as policy
from neutron_lib.db import api as db_api
from neutron_lib.policy import _engine as policy_engine
class ContextBase(oslo_context.RequestContext):
@ -50,9 +50,10 @@ class ContextBase(oslo_context.RequestContext):
self.timestamp = timestamp
self.is_advsvc = is_advsvc
if self.is_advsvc is None:
self.is_advsvc = self.is_admin or policy.check_is_advsvc(self)
self.is_advsvc = (self.is_admin or
policy_engine.check_is_advsvc(self))
if self.is_admin is None:
self.is_admin = policy.check_is_admin(self)
self.is_admin = policy_engine.check_is_admin(self)
@property
def tenant_id(self):

View File

@ -0,0 +1,29 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
def policy_and(*args):
return ' and '.join(args)
def policy_or(*args):
return ' or '.join(args)
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_ONLY = 'rule:admin_only'
RULE_ANY = 'rule:regular_user'
RULE_ADVSVC = 'rule:context_is_advsvc'
RULE_ADMIN_OR_NET_OWNER = 'rule:admin_or_network_owner'
RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC = policy_or(RULE_ADMIN_OR_NET_OWNER,
RULE_ADVSVC)
RULE_ADMIN_OR_PARENT_OWNER = 'rule:admin_or_ext_parent_owner'

View File

@ -13,8 +13,8 @@
import mock
from neutron_lib import _policy as policy
from neutron_lib import context
from neutron_lib.policy import _engine as policy_engine
from neutron_lib.tests import _base as base
@ -23,52 +23,52 @@ class TestPolicyEnforcer(base.BaseTestCase):
def setUp(self):
super(TestPolicyEnforcer, self).setUp()
# Isolate one _ROLE_ENFORCER per test case
mock.patch.object(policy, '_ROLE_ENFORCER', None).start()
mock.patch.object(policy_engine, '_ROLE_ENFORCER', None).start()
def test_init_reset(self):
self.assertIsNone(policy._ROLE_ENFORCER)
policy.init()
self.assertIsNotNone(policy._ROLE_ENFORCER)
self.assertIsNone(policy_engine._ROLE_ENFORCER)
policy_engine.init()
self.assertIsNotNone(policy_engine._ROLE_ENFORCER)
def test_check_user_is_not_admin(self):
ctx = context.Context('me', 'my_project')
self.assertFalse(policy.check_is_admin(ctx))
self.assertFalse(policy_engine.check_is_admin(ctx))
def test_check_user_elevated_is_admin(self):
ctx = context.Context('me', 'my_project', roles=['user']).elevated()
self.assertTrue(policy.check_is_admin(ctx))
self.assertTrue(policy_engine.check_is_admin(ctx))
def test_check_is_admin_no_roles_no_admin(self):
policy.init(policy_file='dummy_policy.json')
policy_engine.init(policy_file='dummy_policy.json')
ctx = context.Context('me', 'my_project', roles=['user']).elevated()
# With no admin role, elevated() should not work.
self.assertFalse(policy.check_is_admin(ctx))
self.assertFalse(policy_engine.check_is_admin(ctx))
def test_check_user_elevated_is_admin_with_default_policy(self):
policy.init(policy_file='no_policy.json')
policy_engine.init(policy_file='no_policy.json')
ctx = context.Context('me', 'my_project', roles=['user']).elevated()
self.assertTrue(policy.check_is_admin(ctx))
self.assertTrue(policy_engine.check_is_admin(ctx))
def test_check_is_advsvc_role(self):
ctx = context.Context('me', 'my_project', roles=['advsvc'])
self.assertTrue(policy.check_is_advsvc(ctx))
self.assertTrue(policy_engine.check_is_advsvc(ctx))
def test_check_is_not_advsvc_user(self):
ctx = context.Context('me', 'my_project', roles=['user'])
self.assertFalse(policy.check_is_advsvc(ctx))
self.assertFalse(policy_engine.check_is_advsvc(ctx))
def test_check_is_not_advsvc_admin(self):
ctx = context.Context('me', 'my_project').elevated()
self.assertTrue(policy.check_is_admin(ctx))
self.assertFalse(policy.check_is_advsvc(ctx))
self.assertTrue(policy_engine.check_is_admin(ctx))
self.assertFalse(policy_engine.check_is_advsvc(ctx))
def test_check_is_advsvc_no_roles_no_advsvc(self):
policy.init(policy_file='dummy_policy.json')
policy_engine.init(policy_file='dummy_policy.json')
ctx = context.Context('me', 'my_project', roles=['advsvc'])
# No advsvc role in the policy file, so cannot assume the role.
self.assertFalse(policy.check_is_advsvc(ctx))
self.assertFalse(policy_engine.check_is_advsvc(ctx))
def test_check_is_advsvc_role_with_default_policy(self):
policy.init(policy_file='no_policy.json')
policy_engine.init(policy_file='no_policy.json')
ctx = context.Context('me', 'my_project', roles=['advsvc'])
self.assertTrue(policy.check_is_advsvc(ctx))
self.assertTrue(policy_engine.check_is_advsvc(ctx))

View File

@ -0,0 +1,10 @@
---
other:
- |
New module ``neutron_lib.policy`` was added.
It contains constants: ``RULE_ADMIN_OR_OWNER``, ``RULE_ADMIN_ONLY``,
``RULE_ANY``, ``RULE_ADVSVC``, ``RULE_ADMIN_OR_NET_OWNER``,
``RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC`` and ``RULE_ADMIN_OR_PARENT_OWNER``.
It contains also helper functions ``policy_and`` and ``policy_or``.
Those constants and functions can be used in policy modules in Neutron
related projects.