diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index b331a923..f9fa8013 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -121,7 +121,11 @@ function configure_karbor {
 cp $KARBOR_DIR/etc/karbor.conf $KARBOR_CONF
 cp $KARBOR_DIR/etc/api-paste.ini $KARBOR_CONF_DIR
- cp $KARBOR_DIR/etc/policy.json $KARBOR_CONF_DIR
+
+ if [[ -f $KARBOR_DIR/etc/policy.json ]]; then
+ cp $KARBOR_DIR/etc/policy.json $KARBOR_CONF_DIR
+ fi
+
 cp -R $KARBOR_DIR/etc/providers.d $KARBOR_CONF_DIR
 cp $KARBOR_DIR/devstack/providers.d/* $KARBOR_CONF_DIR/providers.d
diff --git a/etc/policy.json b/etc/policy.json
deleted file mode 100644
index 5efa7a47..00000000
--- a/etc/policy.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "operation_log:get": "rule:admin_or_owner",
- "operation_log:get_all": "rule:admin_or_owner"
-}
diff --git a/karbor/api/v1/operation_logs.py b/karbor/api/v1/operation_logs.py
index 8e15dfb9..adf5e7c1 100644
--- a/karbor/api/v1/operation_logs.py
+++ b/karbor/api/v1/operation_logs.py
@@ -18,15 +18,13 @@ from oslo_utils import uuidutils
 from webob import exc
-import karbor
 from karbor.api import common
 from karbor.api.openstack import wsgi
 from karbor import exception
 from karbor.i18n import _
 from karbor import objects
-from karbor.objects import base as objects_base
-import karbor.policy
+from karbor.policies import operation_logs as operation_log_policy
 from karbor.services.operationengine import api as operationengine_api
 from karbor.services.protection import api as protection_api
 from karbor import utils
@@ -47,23 +45,6 @@ CONF.register_opt(query_operation_log_filters_opt)
 LOG = logging.getLogger(__name__)
-def check_policy(context, action, target_obj=None):
- target = {
- 'project_id': context.project_id,
- 'user_id': context.user_id,
- }
-
- if isinstance(target_obj, objects_base.KarborObject):
- # Turn object into dict so target.update can work
- target.update(
- target_obj.obj_to_primitive() or {})
- else:
- target.update(target_obj or {})
-
- _action = 'operation_log:%s' % action
- karbor.policy.enforce(context, _action, target)
-
-
 class OperationLogViewBuilder(common.ViewBuilder):
 """Model a server API response as a python dictionary."""
@@ -181,7 +162,7 @@ class OperationLogsController(wsgi.Controller):
 def _get_all(self, context, marker=None, limit=None, sort_keys=None,
 sort_dirs=None, filters=None, offset=None):
- check_policy(context, 'get_all')
+ context.can(operation_log_policy.GET_ALL_POLICY)
 if filters is None:
 filters = {}
@@ -231,7 +212,7 @@ class OperationLogsController(wsgi.Controller):
 operation_log = objects.OperationLog.get_by_id(
 context, operation_log_id)
 try:
- check_policy(context, 'get', operation_log)
+ context.can(operation_log_policy.GET_POLICY, operation_log)
 except exception.PolicyNotAuthorized:
 raise exception.OperationLogFound(
 operation_log_id=operation_log_id)
diff --git a/karbor/policies/__init__.py b/karbor/policies/__init__.py
index 7674782a..65bb16af 100644
--- a/karbor/policies/__init__.py
+++ b/karbor/policies/__init__.py
@@ -15,6 +15,7 @@ import itertools
 from karbor.policies import base
+from karbor.policies import operation_logs
 from karbor.policies import plans
 from karbor.policies import protectables
 from karbor.policies import providers
@@ -32,4 +33,5 @@ def list_rules():
 providers.list_rules(),
 triggers.list_rules(),
 scheduled_operations.list_rules(),
+ operation_logs.list_rules(),
 )
diff --git a/karbor/policies/operation_logs.py b/karbor/policies/operation_logs.py
new file mode 100644
index 00000000..4935b46d
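Review bot: The new `context.can(operation_log_policy.GET_POLICY, operation_log)` hands the raw object to the enforcer, whereas the removed `check_policy` first built a target of `project_id`/`user_id` from the context and merged in `target_obj.obj_to_primitive()` for a KarborObject; `RequestContext.can` is not part of this diff, so please confirm it performs the same target construction, otherwise `rule:admin_or_owner` may be evaluated against a target that lacks the owner fields and silently widen or narrow access. The same applies to the `_get_all` hunk, where no target is passed at all and the check presumably falls back to the caller's own project — worth verifying rather than assuming. Note that the accompanying test change mocks `RequestContext.can` wholesale, so the unit tests will not detect a mismatch here; a test that exercises `can` with a real `OperationLog` target and a non-owner context would close that gap. Both edited methods begin and end outside their hunks.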
--- /dev/null
+++ b/karbor/policies/operation_logs.py
@@ -0,0 +1,49 @@
+# Copyright (c) 2017 Huawei Technologies Co., Ltd.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from karbor.policies import base
+
+
+GET_POLICY = 'operation_log:get'
+GET_ALL_POLICY = 'operation_log:list'
+
+operation_logs_policies = [
+ policy.DocumentedRuleDefault(
+ name=GET_POLICY,
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Get an operation_log.',
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/operation_logs/{operation_log_id}'
+ }
+ ]),
+ policy.DocumentedRuleDefault(
+ name=GET_ALL_POLICY,
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Get operation_logs.',
+ operations=[
+ {
+ 'method': 'GET',
+ 'path': '/operation_logs'
+ }
+ ]),
+]
+
+
+def list_rules():
+ return operation_logs_policies
diff --git a/karbor/tests/unit/api/v1/test_operation_logs.py b/karbor/tests/unit/api/v1/test_operation_logs.py
index 69bace82..611ed770 100644
--- a/karbor/tests/unit/api/v1/test_operation_logs.py
+++ b/karbor/tests/unit/api/v1/test_operation_logs.py
@@ -28,6 +28,8 @@ class OperationLogTest(base.TestCase):
 super(OperationLogTest, self).setUp()
 self.controller = operation_logs.OperationLogsController()
 self.ctxt = context.RequestContext('demo', 'fakeproject', True)
+ self.mock_policy_check = self.mock_object(
+ context.RequestContext, 'can')
 @mock.patch(
 'karbor.api.v1.operation_logs.'
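Review bot: `GET_ALL_POLICY = 'operation_log:list'` renames the rule that the deleted etc/policy.json registered as `operation_log:get_all`, so any operator override keyed on the old name silently stops applying and the list endpoint falls back to the in-code `admin_or_owner` default. At minimum this rename needs a release note; if the pinned oslo.policy provides `policy.DeprecatedRule`, registering the old name as a deprecated alias on the `DocumentedRuleDefault` would keep existing overrides effective through the transition. The `description` for the list rule reads `'Get operation_logs.'`, which is indistinguishable from the single-object rule in generated policy docs; `'List operation_logs.'` would match the `/operation_logs` path it governs. `list_rules` could also carry a one-line docstring, e.g. `"""Return the operation_log policy defaults defined in this module."""`.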