Move default policies into code
This is part of a community effort to provide better user experience for those having to maintain RBAC policy. More information on this effort can be found below: https://governance.openstack.org/tc/goals/queens/policy-in-code.html bp policy-and-docs-in-code Co-authored-By: Hieu LE <hieulq@vn.fujitsu.com> Change-Id: I9bad70abcf5543c3e5e5da25c56c408ee3ff0346
This commit is contained in:
parent
88c21d99c9
commit
52417d4ab8
|
@ -13,3 +13,4 @@ doc/build
|
|||
doc/source/api/
|
||||
etc/panko/panko.conf
|
||||
subunit.log
|
||||
etc/panko/policy.yaml.sample
|
||||
|
|
|
@ -187,15 +187,13 @@ function configure_panko {
|
|||
setup_colorized_logging $PANKO_CONF DEFAULT
|
||||
fi
|
||||
|
||||
# Install the policy file and declarative configuration files to
|
||||
# Install the declarative configuration files to
|
||||
# the conf dir.
|
||||
# NOTE(cdent): Do not make this a glob as it will conflict
|
||||
# with rootwrap installation done elsewhere and also clobber
|
||||
# panko.conf settings that have already been made.
|
||||
# Anyway, explicit is better than implicit.
|
||||
for conffile in policy.json api_paste.ini; do
|
||||
cp $PANKO_DIR/etc/panko/$conffile $PANKO_CONF_DIR
|
||||
done
|
||||
cp $PANKO_DIR/etc/panko/api_paste.ini $PANKO_CONF_DIR
|
||||
|
||||
configure_auth_token_middleware $PANKO_CONF panko $PANKO_AUTH_CACHE_DIR
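Review bot: Dropping policy.json from the copy loop stops installing the file, but a stale `$PANKO_CONF_DIR/policy.json` left by an earlier devstack run would still be picked up by oslo.policy (whose policy_file default at this time is, I believe, policy.json, which the removed functional-test override also assumed) and would silently take precedence over the new in-code defaults. Consider removing it explicitly next to the api_paste.ini copy: `rm -f $PANKO_CONF_DIR/policy.json`. The surviving NOTE(cdent) comment was written for the loop; it still holds for the single `cp`, but the "Anyway, explicit is better than implicit" sentence could be trimmed now that only one file is copied. configure_panko continues outside the hunk.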
|
||||
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
[DEFAULT]
|
||||
output_file = etc/panko/policy.yaml.sample
|
||||
namespace = panko
|
|
@ -1,7 +0,0 @@
|
|||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"segregation": "rule:context_is_admin",
|
||||
|
||||
"telemetry:events:index": "",
|
||||
"telemetry:events:show": ""
|
||||
}
|
|
@ -19,6 +19,8 @@
|
|||
from oslo_policy import policy
|
||||
import pecan
|
||||
|
||||
from panko import policies
|
||||
|
||||
_ENFORCER = None
|
||||
|
||||
|
||||
|
@ -27,6 +29,7 @@ def init():
|
|||
if not _ENFORCER:
|
||||
_ENFORCER = policy.Enforcer(pecan.request.cfg)
|
||||
_ENFORCER.load_rules()
|
||||
_ENFORCER.register_defaults(policies.list_policies())
|
||||
|
||||
|
||||
def reset():
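Review bot: `_ENFORCER.register_defaults(policies.list_policies())` runs after `_ENFORCER.load_rules()`, so this load does not merge the in-code defaults into the rule set; other OpenStack services register defaults first and then load, so that file overrides are layered on a complete default set and rule checking sees every registered name. I believe `enforce()` re-enters `load_rules()` and would pick the defaults up then, but relying on that is fragile and delays any problem with a default until first enforcement. Suggest swapping the two lines: `_ENFORCER.register_defaults(policies.list_policies())` followed by `_ENFORCER.load_rules()`. With policy.json removed from the tree and from the functional-test config, the deployment now depends on the enforcer tolerating an absent policy file, so a one-line comment on `init()` stating that `panko.policies` is authoritative when no file is present would help the next maintainer. `init()` begins outside the hunk.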
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import itertools
|
||||
|
||||
from panko.policies import base
|
||||
from panko.policies import segregation
|
||||
from panko.policies import telemetry
|
||||
|
||||
|
||||
def list_policies():
|
||||
return itertools.chain(
|
||||
base.list_rules(),
|
||||
segregation.list_rules(),
|
||||
telemetry.list_rules()
|
||||
)
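Review bot: `list_policies()` returns a one-shot `itertools.chain` iterator, so a caller that iterates it twice (for example inspecting the rules before registering them) gets nothing the second time; `Enforcer.register_defaults` consumes it once, which is why it works today. For a handful of rules a list is cheap and removes the trap: `return list(itertools.chain(base.list_rules(), segregation.list_rules(), telemetry.list_rules()))`. The function also needs a docstring, e.g. `"""Return every RuleDefault panko registers; consumed via the oslo.policy.policies entry point."""`.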
|
|
@ -0,0 +1,27 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
ROLE_ADMIN = 'role:admin'
|
||||
UNPROTECTED = ''
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
name='context_is_admin',
|
||||
check_str=ROLE_ADMIN
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
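Review bot: `UNPROTECTED = ''` deserves a comment where it is defined, because an empty check string is an always-passing rule in oslo.policy and it is the default for both event rules in the telemetry module (a later hunk in this commit); an operator reading the generated sample sees `""` with no hint that access to the event endpoints is then bounded only by whatever the `segregation` rule and the API layer apply. Suggest `UNPROTECTED = ''  # empty check string: the rule always passes; scope is limited only by the segregation rule`. The `context_is_admin` rule is a plain `RuleDefault` while the other modules use `DocumentedRuleDefault`; it has no operations of its own, but `RuleDefault` accepts `description=`, so adding `description='Rule granting administrative access; referenced by the segregation rule.'` lets the generated sample document it like the rest.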
|
|
@ -0,0 +1,36 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='segregation',
|
||||
check_str='rule:context_is_admin',
|
||||
description='Return the user and project the request'
|
||||
'should be limited to',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/events',
|
||||
'method': 'GET'
|
||||
},
|
||||
{
|
||||
'path': '/v2/events/{message_id}',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
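Review bot: The description is two adjacent string literals with no separating space, `'Return the user and project the request' 'should be limited to'`, so the generated sample and docs read "the requestshould be limited to". Fix with a trailing space on the first literal and a terminating period on the second: `description='Return the user and project the request '` / `'should be limited to.'`.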
|
|
@ -0,0 +1,45 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
from panko.policies import base
|
||||
|
||||
TELEMETRY_EVENTS = 'telemetry:events:%s'
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=TELEMETRY_EVENTS % 'index',
|
||||
check_str=base.UNPROTECTED,
|
||||
description='Return all events matching the query filters.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/events',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=TELEMETRY_EVENTS % 'show',
|
||||
check_str=base.UNPROTECTED,
|
||||
description='Return a single event with the given message id.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/events/{message_id}',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -38,9 +38,6 @@ class FunctionalTest(db_test_base.TestBase):
|
|||
self.CONF = service.prepare_service([], [])
|
||||
opts.set_defaults(self.CONF)
|
||||
|
||||
self.CONF.set_override("policy_file",
|
||||
self.path_get('etc/panko/policy.json'),
|
||||
group='oslo_policy')
|
||||
self.CONF.set_override('api_paste_config',
|
||||
self.path_get('etc/panko/api_paste.ini'))
|
||||
self.app = self._make_app(self.CONF)
|
||||
|
|
|
@ -53,6 +53,9 @@ ceilometer.event.publisher =
|
|||
oslo.config.opts =
|
||||
panko = panko.opts:list_opts
|
||||
|
||||
oslo.policy.policies =
|
||||
panko = panko.policies:list_policies
|
||||
|
||||
oslo.config.opts.defaults =
|
||||
panko = panko.conf.defaults:set_cors_middleware_defaults
|
||||
|
||||
|
|
3
tox.ini
3
tox.ini
|
@ -77,6 +77,9 @@ commands = sphinx-build -a -E -d releasenotes/build/doctrees -b html releasenote
|
|||
[testenv:genconfig]
|
||||
commands = oslo-config-generator --config-file=etc/panko/panko-config-generator.conf
|
||||
|
||||
[testenv:genpolicy]
|
||||
commands = oslopolicy-sample-generator --config-file=etc/panko/panko-policy-generator.conf
|
||||
|
||||
[testenv:docs]
|
||||
commands = python setup.py build_sphinx
|
||||
setenv = PYTHONHASHSEED=0
|
||||
|
|