diff --git a/ceilometer/api/rbac.py b/ceilometer/api/rbac.py index 50e77376..d4443e43 100644 --- a/ceilometer/api/rbac.py +++ b/ceilometer/api/rbac.py @@ -54,8 +54,8 @@ def enforce(policy_name, request): policy_dict = dict() policy_dict['roles'] = headers.get('X-Roles', "").split(",") - policy_dict['target.user_id'] = (headers.get('X-User-Id')) - policy_dict['target.project_id'] = (headers.get('X-Project-Id')) + policy_dict['user_id'] = (headers.get('X-User-Id')) + policy_dict['project_id'] = (headers.get('X-Project-Id')) # maintain backward compat with Juno and previous by allowing the action if # there is no rule defined for it @@ -82,8 +82,8 @@ def get_limited_to(headers): policy_dict = dict() policy_dict['roles'] = headers.get('X-Roles', "").split(",") - policy_dict['target.user_id'] = (headers.get('X-User-Id')) - policy_dict['target.project_id'] = (headers.get('X-Project-Id')) + policy_dict['user_id'] = (headers.get('X-User-Id')) + policy_dict['project_id'] = (headers.get('X-Project-Id')) # maintain backward compat with Juno and previous by using context_is_admin # rule if the segregation rule (added in Kilo) is not defined diff --git a/ceilometer/tests/functional/api/v2/test_acl_scenarios.py b/ceilometer/tests/functional/api/v2/test_acl_scenarios.py index b86356e9..f30e090d 100644 --- a/ceilometer/tests/functional/api/v2/test_acl_scenarios.py +++ b/ceilometer/tests/functional/api/v2/test_acl_scenarios.py @@ -24,6 +24,7 @@ import six import webtest from ceilometer.api import app +from ceilometer.event.storage import models as ev_model from ceilometer.publisher import utils from ceilometer import sample from ceilometer.tests.functional.api import v2 @@ -195,51 +196,18 @@ class TestAPIEventACL(TestAPIACL): self.assertEqual(401, data.status_int) -class TestApiEventRBAC(v2.FunctionalTest): +class TestBaseApiEventRBAC(v2.FunctionalTest): PATH = '/events' def setUp(self): - super(TestApiEventRBAC, self).setUp() - content = ('{"context_is_admin": "role:admin",' - '"segregation": "rule:context_is_admin",' - '"default" : "!",' - '"telemetry:events:index": "rule:context_is_admin",' - '"telemetry:events:show": "rule:context_is_admin"}') - if six.PY3: - content = content.encode('utf-8') - self.tempfile = fileutils.write_to_tempfile(content=content, - prefix='policy', - suffix='.json') - - self.CONF.set_override("policy_file", - self.path_get(self.tempfile), - group='oslo_policy') - self.app = self._make_app() - - def tearDown(self): - os.remove(self.tempfile) - super(TestApiEventRBAC, self).tearDown() - - def test_get_event_by_message_rbac(self): - headers_rbac = {"X-Roles": "non-admin"} - data = self.get_json(self.PATH + "/100", - expect_errors=True, - headers=headers_rbac, - status=403) - self.assertEqual(u'403 Forbidden\n\nAccess was denied to this ' - 'resource.\n\n RBAC Authorization Failed ', - data.json['error_message']) - - def test_get_events_rbac(self): - headers_rbac = {"X-Roles": "non-admin"} - data = self.get_json(self.PATH, - expect_errors=True, - headers=headers_rbac, - status=403) - self.assertEqual(u'403 Forbidden\n\nAccess was denied to this ' - 'resource.\n\n RBAC Authorization Failed ', - data.json['error_message']) + super(TestBaseApiEventRBAC, self).setUp() + traits = [ev_model.Trait('project_id', 1, 'project-good'), + ev_model.Trait('user_id', 1, 'user-good')] + self.message_id = str(uuid.uuid4()) + ev = ev_model.Event(self.message_id, 'event_type', + datetime.datetime.now(), traits, {}) + self.event_conn.record_events([ev]) def test_get_events_without_project(self): headers_no_proj = {"X-Roles": "admin", "X-User-Id": "user-good"} @@ -260,3 +228,57 @@ class TestApiEventRBAC(v2.FunctionalTest): headers=headers_no_user_proj, status=403) self.assertEqual(403, resp.status_int) + + def test_get_events(self): + headers = {"X-Roles": "Member", "X-User-Id": "user-good", + "X-Project-Id": "project-good"} + self.get_json(self.PATH, headers=headers, status=200) + + def test_get_event(self): + headers = {"X-Roles": "Member", "X-User-Id": "user-good", + "X-Project-Id": "project-good"} + self.get_json(self.PATH + "/" + self.message_id, headers=headers, + status=200) + + +class TestApiEventAdminRBAC(TestBaseApiEventRBAC): + + def _make_app(self, enable_acl=False): + content = ('{"context_is_admin": "role:admin",' + '"telemetry:events:index": "rule:context_is_admin",' + '"telemetry:events:show": "rule:context_is_admin"}') + if six.PY3: + content = content.encode('utf-8') + self.tempfile = fileutils.write_to_tempfile(content=content, + prefix='policy', + suffix='.json') + + self.CONF.set_override("policy_file", self.tempfile, + group='oslo_policy') + return super(TestApiEventAdminRBAC, self)._make_app() + + def tearDown(self): + os.remove(self.tempfile) + super(TestApiEventAdminRBAC, self).tearDown() + + def test_get_events(self): + headers_rbac = {"X-Roles": "admin", "X-User-Id": "user-good", + "X-Project-Id": "project-good"} + self.get_json(self.PATH, headers=headers_rbac, status=200) + + def test_get_events_bad(self): + headers_rbac = {"X-Roles": "Member", "X-User-Id": "user-good", + "X-Project-Id": "project-good"} + self.get_json(self.PATH, headers=headers_rbac, status=403) + + def test_get_event(self): + headers = {"X-Roles": "admin", "X-User-Id": "user-good", + "X-Project-Id": "project-good"} + self.get_json(self.PATH + "/" + self.message_id, headers=headers, + status=200) + + def test_get_event_bad(self): + headers = {"X-Roles": "Member", "X-User-Id": "user-good", + "X-Project-Id": "project-good"} + self.get_json(self.PATH + "/" + self.message_id, headers=headers, + status=403) diff --git a/ceilometer/tests/functional/api/v2/test_api_upgrade.py b/ceilometer/tests/functional/api/v2/test_api_upgrade.py index e9d6803b..7e4b427f 100644 --- a/ceilometer/tests/functional/api/v2/test_api_upgrade.py +++ b/ceilometer/tests/functional/api/v2/test_api_upgrade.py @@ -12,12 +12,25 @@ # under the License. import mock +from oslo_utils import fileutils from oslotest import mockpatch +import six from ceilometer.tests.functional.api import v2 class TestAPIUpgradePath(v2.FunctionalTest): + def _make_app(self): + content = ('{"default": ""}') + if six.PY3: + content = content.encode('utf-8') + self.tempfile = fileutils.write_to_tempfile(content=content, + prefix='policy', + suffix='.json') + self.CONF.set_override("policy_file", self.tempfile, + group='oslo_policy') + return super(TestAPIUpgradePath, self)._make_app() + def _setup_osloconfig_options(self): self.CONF.set_override('gnocchi_is_enabled', True, group='api') self.CONF.set_override('aodh_is_enabled', True, group='api') diff --git a/ceilometer/tests/functional/api/v2/test_post_samples_scenarios.py b/ceilometer/tests/functional/api/v2/test_post_samples_scenarios.py index 38740bd3..033f2925 100644 --- a/ceilometer/tests/functional/api/v2/test_post_samples_scenarios.py +++ b/ceilometer/tests/functional/api/v2/test_post_samples_scenarios.py @@ -17,10 +17,13 @@ import copy import datetime +import os import mock +from oslo_utils import fileutils from oslo_utils import timeutils from oslotest import mockpatch +import six from ceilometer.tests.functional.api import v2 @@ -32,6 +35,23 @@ class TestPostSamples(v2.FunctionalTest): del m['message_signature'] self.published.append(samples) + def _make_app(self, enable_acl=False): + content = ('{"context_is_project": "project_id:%(project_id)s",' + '"default" : "!",' + '"telemetry:create_samples": ""}') + if six.PY3: + content = content.encode('utf-8') + self.tempfile = fileutils.write_to_tempfile(content=content, + prefix='policy', + suffix='.json') + self.CONF.set_override("policy_file", self.tempfile, + group='oslo_policy') + return super(TestPostSamples, self)._make_app() + + def tearDown(self): + os.remove(self.tempfile) + super(TestPostSamples, self).tearDown() + def setUp(self): self.published = [] notifier = mock.Mock() diff --git a/ceilometer/tests/functional/gabbi/fixtures.py b/ceilometer/tests/functional/gabbi/fixtures.py index 3af34673..dc7dfb4d 100644 --- a/ceilometer/tests/functional/gabbi/fixtures.py +++ b/ceilometer/tests/functional/gabbi/fixtures.py @@ -25,6 +25,8 @@ from gabbi import fixture from oslo_config import cfg from oslo_config import fixture as fixture_config from oslo_policy import opts +from oslo_utils import fileutils +import six from six.moves.urllib import parse as urlparse from ceilometer.event.storage import models @@ -62,8 +64,15 @@ class ConfigFixture(fixture.GabbiFixture): conf.import_group('api', 'ceilometer.api.controllers.v2.root') conf.import_opt('store_events', 'ceilometer.notification', group='notification') - conf.set_override('policy_file', - os.path.abspath('etc/ceilometer/policy.json'), + + content = ('{"default": ""}') + if six.PY3: + content = content.encode('utf-8') + self.tempfile = fileutils.write_to_tempfile(content=content, + prefix='policy', + suffix='.json') + + conf.set_override("policy_file", self.tempfile, group='oslo_policy') conf.set_override( 'api_paste_config', diff --git a/etc/ceilometer/policy.json b/etc/ceilometer/policy.json index 2bcd0342..21760cdc 100644 --- a/etc/ceilometer/policy.json +++ b/etc/ceilometer/policy.json @@ -1,7 +1,18 @@ { "context_is_admin": "role:admin", - "context_is_project": "project_id:%(target.project_id)s", - "context_is_owner": "user_id:%(target.user_id)s", "segregation": "rule:context_is_admin", - "default": "" + + "telemetry:get_samples": "", + "telemetry:get_sample": "", + "telemetry:query_sample": "", + "telemetry:create_samples": "rule:context_is_admin", + + "telemetry:compute_statistics": "", + "telemetry:get_meters": "", + + "telemetry:get_resource": "", + "telemetry:get_resources": "", + + "telemetry:events:index": "", + "telemetry:events:show": "" } diff --git a/etc/ceilometer/policy.json.sample b/etc/ceilometer/policy.json.sample deleted file mode 100644 index 685f80f4..00000000 --- a/etc/ceilometer/policy.json.sample +++ /dev/null @@ -1,18 +0,0 @@ -{ - "context_is_admin": "role:admin", - "context_is_project": "project_id:%(target.project_id)s", - "context_is_owner": "user_id:%(target.user_id)s", - "segregation": "rule:context_is_admin", - "service_role": "role:service", - "iaas_role": "role:iaas", - - "telemetry:get_samples": "rule:service_role or rule:iaas_role", - "telemetry:get_sample": "rule:context_is_project", - "telemetry:query_sample": "rule:context_is_admin", - "telemetry:create_samples": "rule:context_is_admin", - - "telemetry:compute_statistics": "rule:context_is_admin", - "telemetry:get_meters": "rule:context_is_admin", - - "telemetry:get_resource": "rule:context_is_admin", - "telemetry:get_resources": "rule:context_is_admin",