Move default policies into code

This is part of a community effort to provide better user experience
for those having to maintain RBAC policy. More information on this
effort can be found below:

  https://governance.openstack.org/tc/goals/queens/policy-in-code.html

bp policy-and-docs-in-code
Co-authored-By: Hieu LE <hieulq@vn.fujitsu.com>
Change-Id: I9bad70abcf5543c3e5e5da25c56c408ee3ff0346
This commit is contained in:
Lance Bragstad 2017-10-03 02:12:02 +00:00 committed by Dai Dang Van
parent 88c21d99c9
commit 52417d4ab8
12 changed files with 148 additions and 14 deletions

1
.gitignore vendored

@ -13,3 +13,4 @@ doc/build
doc/source/api/
etc/panko/panko.conf
subunit.log
etc/panko/policy.yaml.sample


@ -187,15 +187,13 @@ function configure_panko {
setup_colorized_logging $PANKO_CONF DEFAULT
fi
# Install the policy file and declarative configuration files to
# Install the declarative configuration files to
# the conf dir.
# NOTE(cdent): Do not make this a glob as it will conflict
# with rootwrap installation done elsewhere and also clobber
# panko.conf settings that have already been made.
# Anyway, explicit is better than implicit.
for conffile in policy.json api_paste.ini; do
cp $PANKO_DIR/etc/panko/$conffile $PANKO_CONF_DIR
done
cp $PANKO_DIR/etc/panko/api_paste.ini $PANKO_CONF_DIR
configure_auth_token_middleware $PANKO_CONF panko $PANKO_AUTH_CACHE_DIR


@ -0,0 +1,3 @@
[DEFAULT]
output_file = etc/panko/policy.yaml.sample
namespace = panko


@ -1,7 +0,0 @@
{
"context_is_admin": "role:admin",
"segregation": "rule:context_is_admin",
"telemetry:events:index": "",
"telemetry:events:show": ""
}


@ -19,6 +19,8 @@
from oslo_policy import policy
import pecan
from panko import policies
_ENFORCER = None
@ -27,6 +29,7 @@ def init():
if not _ENFORCER:
_ENFORCER = policy.Enforcer(pecan.request.cfg)
_ENFORCER.load_rules()
_ENFORCER.register_defaults(policies.list_policies())
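Review bot: register_defaults() is called after load_rules(), so the first load runs before any in-code default has been registered; the usual order is to register first and load second, i.e. swap the two lines to `_ENFORCER.register_defaults(policies.list_policies())` followed by `_ENFORCER.load_rules()`. This matters more now that etc/panko/policy.json is deleted in the same commit: on a deployment with no policy file the first load_rules() call has neither a file nor registered defaults to fall back on, and whether oslo.policy tolerates that depends on its version, so a test with no policy_file present would be worth adding. Because enforce() reloads rules on each call the defaults are probably merged before the first check anyway, but init() should not rely on that. The body of init() begins and ends outside this hunk.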
def reset():


@ -0,0 +1,25 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import itertools
from panko.policies import base
from panko.policies import segregation
from panko.policies import telemetry
def list_policies():
return itertools.chain(
base.list_rules(),
segregation.list_rules(),
telemetry.list_rules()
)
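Review bot: list_policies() returns an itertools.chain, a single-pass iterator, so a caller that iterates the result twice (for example logging the defaults and then registering them) silently gets an empty sequence the second time; `return list(itertools.chain(...))` is cheap and avoids the surprise for both register_defaults() and the oslo.policy.policies entry point. If the iterator is deliberate, the function should at least carry a docstring saying so, e.g. `"""Return the default policy rules for all panko resources (single-pass iterator)."""`.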

27
panko/policies/base.py Normal file

@ -0,0 +1,27 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
ROLE_ADMIN = 'role:admin'
UNPROTECTED = ''
rules = [
policy.RuleDefault(
name='context_is_admin',
check_str=ROLE_ADMIN
)
]
def list_rules():
return rules
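Review bot: UNPROTECTED = '' carries no comment saying that an empty check string passes for every caller, and telemetry.py uses it as the default for both telemetry:events rules, so anyone reading base.py cannot tell that these defaults are intentionally open; add `# An empty check string matches every caller; use only for intentionally unrestricted operations.` above the constant, and have the two descriptions in telemetry.py mention the open default so operators reading the generated sample know which values they may want to override. This preserves the '' values from the deleted policy.json, so it is not a behaviour change, only missing documentation of a security-relevant default. Separately, list_rules() returns the module-level `rules` list by reference, so a caller can mutate the shared defaults; `return list(rules)` would prevent that.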


@ -0,0 +1,36 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
rules = [
policy.DocumentedRuleDefault(
name='segregation',
check_str='rule:context_is_admin',
description='Return the user and project the request'
'should be limited to',
operations=[
{
'path': '/v2/events',
'method': 'GET'
},
{
'path': '/v2/events/{message_id}',
'method': 'GET'
}
]
)
]
def list_rules():
return rules
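Review bot: The two adjacent literals in the segregation description concatenate to "Return the user and project the requestshould be limited to" because the first literal has no trailing space; change it to `description='Return the user and project the request '` so the generated policy.yaml.sample and the rendered docs read correctly. The operations list is fine as written.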


@ -0,0 +1,45 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from panko.policies import base
TELEMETRY_EVENTS = 'telemetry:events:%s'
rules = [
policy.DocumentedRuleDefault(
name=TELEMETRY_EVENTS % 'index',
check_str=base.UNPROTECTED,
description='Return all events matching the query filters.',
operations=[
{
'path': '/v2/events',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=TELEMETRY_EVENTS % 'show',
check_str=base.UNPROTECTED,
description='Return a single event with the given message id.',
operations=[
{
'path': '/v2/events/{message_id}',
'method': 'GET'
}
]
)
]
def list_rules():
return rules


@ -38,9 +38,6 @@ class FunctionalTest(db_test_base.TestBase):
self.CONF = service.prepare_service([], [])
opts.set_defaults(self.CONF)
self.CONF.set_override("policy_file",
self.path_get('etc/panko/policy.json'),
group='oslo_policy')
self.CONF.set_override('api_paste_config',
self.path_get('etc/panko/api_paste.ini'))
self.app = self._make_app(self.CONF)


@ -53,6 +53,9 @@ ceilometer.event.publisher =
oslo.config.opts =
panko = panko.opts:list_opts
oslo.policy.policies =
panko = panko.policies:list_policies
oslo.config.opts.defaults =
panko = panko.conf.defaults:set_cors_middleware_defaults


@ -77,6 +77,9 @@ commands = sphinx-build -a -E -d releasenotes/build/doctrees -b html releasenote
[testenv:genconfig]
commands = oslo-config-generator --config-file=etc/panko/panko-config-generator.conf
[testenv:genpolicy]
commands = oslopolicy-sample-generator --config-file=etc/panko/panko-policy-generator.conf
[testenv:docs]
commands = python setup.py build_sphinx
setenv = PYTHONHASHSEED=0