policy: Add defaults in code (part 4)

Partially-Implements: bp policy-in-code

Change-Id: I8ae24035ec6aee8fa93f3f55cbafc843d0e9d5ae

etc/nova/policy.json

@@ -16,39 +16,6 @@
     "os_compute_api:servers:migrations:show": "rule:admin_api",
     "os_compute_api:os-remote-consoles": "rule:admin_or_owner",
     "os_compute_api:os-remote-consoles:discoverable": "@",
-    "os_compute_api:images:discoverable": "@",
-    "os_compute_api:image-size": "rule:admin_or_owner",
-    "os_compute_api:image-size:discoverable": "@",
-    "os_compute_api:os-instance-actions": "rule:admin_or_owner",
-    "os_compute_api:os-instance-actions:discoverable": "@",
-    "os_compute_api:os-instance-actions:events": "rule:admin_api",
-    "os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
-    "os_compute_api:os-instance-usage-audit-log:discoverable": "@",
-    "os_compute_api:ips:discoverable": "@",
-    "os_compute_api:ips:index": "rule:admin_or_owner",
-    "os_compute_api:ips:show": "rule:admin_or_owner",
-    "os_compute_api:os-keypairs:discoverable": "@",
-    "os_compute_api:os-keypairs": "rule:admin_or_owner",
-    "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
-    "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
-    "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s",
-    "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s",
-    "os_compute_api:limits:discoverable": "@",
-    "os_compute_api:limits": "rule:admin_or_owner",
-    "os_compute_api:os-lock-server:discoverable": "@",
-    "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
-    "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
-    "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
-    "os_compute_api:os-migrate-server:discoverable": "@",
-    "os_compute_api:os-migrate-server:migrate": "rule:admin_api",
-    "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
-    "os_compute_api:os-multinic": "rule:admin_or_owner",
-    "os_compute_api:os-multinic:discoverable": "@",
-    "os_compute_api:os-networks": "rule:admin_api",
-    "os_compute_api:os-networks:view": "rule:admin_or_owner",
-    "os_compute_api:os-networks:discoverable": "@",
-    "os_compute_api:os-networks-associate": "rule:admin_api",
-    "os_compute_api:os-networks-associate:discoverable": "@",
     "os_compute_api:os-pause-server:discoverable": "@",
     "os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
     "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
@@ -123,8 +90,6 @@
     "os_compute_api:os-volumes-attachments:discoverable": "@",
     "os_compute_api:os-used-limits": "rule:admin_api",
     "os_compute_api:os-used-limits:discoverable": "@",
-    "os_compute_api:os-migrations:index": "rule:admin_api",
-    "os_compute_api:os-migrations:discoverable": "@",
     "os_compute_api:os-server-external-events:create": "rule:admin_api",
     "os_compute_api:os-server-external-events:discoverable": "@"
 }

nova/policies/__init__.py

@@ -54,6 +54,19 @@ from nova.policies import fping
 from nova.policies import hide_server_addresses
 from nova.policies import hosts
 from nova.policies import hypervisors
+from nova.policies import image_size
+from nova.policies import images
+from nova.policies import instance_actions
+from nova.policies import instance_usage_audit_log
+from nova.policies import ips
+from nova.policies import keypairs
+from nova.policies import limits
+from nova.policies import lock_server
+from nova.policies import migrate_server
+from nova.policies import migrations
+from nova.policies import multinic
+from nova.policies import networks
+from nova.policies import networks_associate
 from nova.policies import servers
 
 
@@ -100,5 +113,18 @@ def list_rules():
         hide_server_addresses.list_rules(),
         hosts.list_rules(),
         hypervisors.list_rules(),
+        image_size.list_rules(),
+        images.list_rules(),
+        instance_actions.list_rules(),
+        instance_usage_audit_log.list_rules(),
+        ips.list_rules(),
+        keypairs.list_rules(),
+        limits.list_rules(),
+        lock_server.list_rules(),
+        migrate_server.list_rules(),
+        migrations.list_rules(),
+        multinic.list_rules(),
+        networks.list_rules(),
+        networks_associate.list_rules(),
         servers.list_rules()
     )

nova/policies/image_size.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:image-size'
+POLICY_ROOT = 'os_compute_api:image-size:%s'
+
+
+image_size_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return image_size_policies

nova/policies/images.py

@@ -0,0 +1,32 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:images:%s'
+
+
+images_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return images_policies

nova/policies/instance_actions.py

@@ -0,0 +1,39 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-instance-actions'
+POLICY_ROOT = 'os_compute_api:os-instance-actions:%s'
+
+
+instance_actions_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'events',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return instance_actions_policies

nova/policies/instance_usage_audit_log.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-instance-usage-audit-log'
+POLICY_ROOT = 'os_compute_api:os-instance-usage-audit-log:%s'
+
+
+instance_usage_audit_log_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return instance_usage_audit_log_policies

nova/policies/ips.py

@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:ips:%s'
+
+
+ips_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'index',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return ips_policies

nova/policies/keypairs.py

@@ -0,0 +1,48 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-keypairs'
+POLICY_ROOT = 'os_compute_api:os-keypairs:%s'
+
+
+keypairs_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'index',
+        check_str='rule:admin_api or user_id:%(user_id)s'),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'create',
+        check_str='rule:admin_api or user_id:%(user_id)s'),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'delete',
+        check_str='rule:admin_api or user_id:%(user_id)s'),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'show',
+        check_str='rule:admin_api or user_id:%(user_id)s'),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return keypairs_policies

nova/policies/limits.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:limits'
+POLICY_ROOT = 'os_compute_api:limits:%s'
+
+
+limits_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return limits_policies

nova/policies/lock_server.py

@@ -0,0 +1,41 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-lock-server:%s'
+
+
+lock_server_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'lock',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'unlock:unlock_override',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'unlock',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return lock_server_policies

nova/policies/migrate_server.py

@@ -0,0 +1,38 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-migrate-server:%s'
+
+
+migrate_server_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'migrate',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'migrate_live',
+        check_str=base.RULE_ADMIN_API),
+]
+
+
+def list_rules():
+    return migrate_server_policies

nova/policies/migrations.py

@@ -0,0 +1,35 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+POLICY_ROOT = 'os_compute_api:os-migrations:%s'
+
+
+migrations_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'index',
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return migrations_policies

nova/policies/multinic.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-multinic'
+POLICY_ROOT = 'os_compute_api:os-multinic:%s'
+
+
+multinic_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_OR_OWNER),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return multinic_policies

nova/policies/networks.py

@@ -0,0 +1,39 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-networks'
+POLICY_ROOT = 'os_compute_api:os-networks:%s'
+
+
+networks_policies = [
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'view',
+        check_str=base.RULE_ADMIN_OR_OWNER),
+]
+
+
+def list_rules():
+    return networks_policies

nova/policies/networks_associate.py

@@ -0,0 +1,36 @@
+# Copyright 2016 Cloudbase Solutions Srl
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from nova.policies import base
+
+
+BASE_POLICY_NAME = 'os_compute_api:os-networks-associate'
+POLICY_ROOT = 'os_compute_api:os-networks-associate:%s'
+
+
+networks_associate_policies = [
+    policy.RuleDefault(
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API),
+    policy.RuleDefault(
+        name=POLICY_ROOT % 'discoverable',
+        check_str=base.RULE_ANY),
+]
+
+
+def list_rules():
+    return networks_associate_policies