Implement policy in code - client (end)
This commit migrate all client policies into code [1] and also remove policy.json usage file completely. Like oslo.config, with oslo.policy, we can define all of default rules in code base and only change some rules via policy file. Another thing that we should use yaml format instead of json format. [1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com> Change-Id: I7c7fd83aa2516c053e38d7598cf79e63401f7519
This commit is contained in:
parent
b4ba0018d9
commit
ae388911e0
|
@ -99,7 +99,6 @@ function configure_freezer_api {
|
|||
|
||||
sudo cp $FREEZER_API_DIR/etc/freezer/freezer-api.conf.sample $FREEZER_API_CONF_DIR/freezer-api.conf
|
||||
sudo cp $FREEZER_API_DIR/etc/freezer/freezer-paste.ini $FREEZER_API_CONF_DIR/freezer-paste.ini
|
||||
sudo cp $FREEZER_API_DIR/etc/freezer/policy.json $FREEZER_API_CONF_DIR/policy.json
|
||||
|
||||
# enable debuging
|
||||
iniset $FREEZER_API_CONF 'DEFAULT' debug True
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
{
|
||||
"clients:get_all": "",
|
||||
"clients:create": "",
|
||||
"clients:get": "",
|
||||
"clients:delete": ""
|
||||
}
|
|
@ -20,6 +20,7 @@ import itertools
|
|||
from freezer_api.common.policies import action
|
||||
from freezer_api.common.policies import backup
|
||||
from freezer_api.common.policies import base
|
||||
from freezer_api.common.policies import client
|
||||
from freezer_api.common.policies import job
|
||||
from freezer_api.common.policies import session
|
||||
|
||||
|
@ -29,6 +30,7 @@ def list_rules():
|
|||
action.list_rules(),
|
||||
backup.list_rules(),
|
||||
base.list_rules(),
|
||||
client.list_rules(),
|
||||
job.list_rules(),
|
||||
session.list_rules()
|
||||
)
|
||||
|
|
|
@ -0,0 +1,69 @@
|
|||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
from oslo_policy import policy
|
||||
|
||||
from freezer_api.common.policies import base
|
||||
|
||||
CLIENTS = 'clients:%s'
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLIENTS % 'create',
|
||||
check_str=base.UNPROTECTED,
|
||||
description='Create client entry.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/clients',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLIENTS % 'delete',
|
||||
check_str=base.UNPROTECTED,
|
||||
description='Delete specified client.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/clients/{client_id}',
|
||||
'method': 'DELETE'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLIENTS % 'get',
|
||||
check_str=base.UNPROTECTED,
|
||||
description='Show clients.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/clients/{client_id}',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CLIENTS % 'get_all',
|
||||
check_str=base.UNPROTECTED,
|
||||
description='List clients.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/clients',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return rules
|
|
@ -19,7 +19,6 @@ limitations under the License.
|
|||
import copy
|
||||
import io
|
||||
import os
|
||||
import shutil
|
||||
|
||||
import fixtures
|
||||
from oslo_config import cfg
|
||||
|
@ -27,7 +26,6 @@ from oslo_config import fixture as cfg_fixture
|
|||
import testtools
|
||||
|
||||
from freezer_api.common import config
|
||||
from freezer_api.common import exceptions
|
||||
from freezer_api import policy
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
@ -435,26 +433,8 @@ class FreezerBaseTestCase(testtools.TestCase):
|
|||
self.test_dir = self.useFixture(fixtures.TempDir()).path
|
||||
self.conf_dir = os.path.join(self.test_dir, 'etc')
|
||||
os.makedirs(self.conf_dir)
|
||||
self.configure_policy()
|
||||
policy.ENFORCER = FakePolicyEnforcer()
|
||||
|
||||
def configure_policy(self):
|
||||
src_policy_file = 'etc/freezer/policy.json'
|
||||
# copy policy file to test config dir
|
||||
shutil.copy(src_policy_file, self.conf_dir)
|
||||
policy_file = os.path.join(self.conf_dir, 'policy.json')
|
||||
self._config_fixture.config(policy_file=policy_file,
|
||||
group='oslo_policy')
|
||||
|
||||
|
||||
class FakePolicyEnforcer(object):
|
||||
def __init__(self, *args, **kwargs):
|
||||
self.rules = {}
|
||||
|
||||
def enforce(self, rule, action, ctxt, do_raise=True,
|
||||
exc=exceptions.AccessForbidden):
|
||||
if self.rules.get(rule) is False:
|
||||
raise exceptions.AccessForbidden()
|
||||
policy.ENFORCER = None
|
||||
policy.setup_policy(CONF)
|
||||
|
||||
|
||||
class FakeContext(object):
|
||||
|
@ -468,6 +448,3 @@ class FakeContext(object):
|
|||
def get_req_items(name):
|
||||
req_info = {'freezer.context': FakeContext()}
|
||||
return req_info[name]
|
||||
|
||||
|
||||
policy.ENFORCER = FakePolicyEnforcer()
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
Freezer now support policy in code, which means if users didn't modify
|
||||
any of policy rules, they can remove or comment out all of rules in
|
||||
policy file or even not deploy it at all. Because from now, Freezer
|
||||
keeps all default policies under `freezer-api/common/policies` module.
|
||||
Users can still modify/generate `policy.yaml` file which will override
|
||||
policy rules in code if those rules show in `policy.yaml` file.
|
||||
other:
|
||||
- |
|
||||
Default `policy.json` file is now removed as Freezer now generate the
|
||||
default policies in code. Please be aware that when using that file in your
|
||||
environment.
|
Loading…
Reference in New Issue