[policy in code] Add support for share resource [3/10]
This patch adds policy in code support for share resources. Change-Id: I9a79b5ececc583e80129cc980930e162e805b246 Partial-Implements: blueprint policy-in-code
This commit is contained in:
parent
d7161e38bb
commit
6184063a4c
@ -11,32 +11,6 @@
|
||||
"service:index": "rule:admin_api",
|
||||
"service:update": "rule:admin_api",
|
||||
|
||||
"share:create": "",
|
||||
"share:delete": "rule:default",
|
||||
"share:get": "rule:default",
|
||||
"share:get_all": "rule:default",
|
||||
"share:list_by_share_server_id": "rule:admin_api",
|
||||
"share:list_by_host": "rule:admin_api",
|
||||
"share:update": "rule:default",
|
||||
"share:access_get": "rule:default",
|
||||
"share:access_get_all": "rule:default",
|
||||
"share:allow_access": "rule:default",
|
||||
"share:deny_access": "rule:default",
|
||||
"share:extend": "rule:default",
|
||||
"share:shrink": "rule:default",
|
||||
"share:get_share_metadata": "rule:default",
|
||||
"share:delete_share_metadata": "rule:default",
|
||||
"share:update_share_metadata": "rule:default",
|
||||
"share:migration_start": "rule:admin_api",
|
||||
"share:migration_complete": "rule:admin_api",
|
||||
"share:migration_cancel": "rule:admin_api",
|
||||
"share:migration_get_progress": "rule:admin_api",
|
||||
"share:reset_task_state": "rule:admin_api",
|
||||
"share:manage": "rule:admin_api",
|
||||
"share:unmanage": "rule:admin_api",
|
||||
"share:force_delete": "rule:admin_api",
|
||||
"share:reset_status": "rule:admin_api",
|
||||
"share:revert_to_snapshot": "rule:default",
|
||||
"share_export_location:index": "rule:default",
|
||||
"share_export_location:show": "rule:default",
|
||||
|
||||
@ -45,9 +19,6 @@
|
||||
"share_instance:force_delete": "rule:admin_api",
|
||||
"share_instance:reset_status": "rule:admin_api",
|
||||
|
||||
"share:create_snapshot": "rule:default",
|
||||
"share:delete_snapshot": "rule:default",
|
||||
"share:snapshot_update": "rule:default",
|
||||
"share_snapshot:get_snapshot": "rule:default",
|
||||
"share_snapshot:get_all_snapshots": "rule:default",
|
||||
"share_snapshot:manage_snapshot": "rule:admin_api",
|
||||
|
@ -19,11 +19,13 @@ import itertools
|
||||
from manila.policies import base
|
||||
from manila.policies import share_instance_export_location
|
||||
from manila.policies import share_type
|
||||
from manila.policies import shares
|
||||
|
||||
|
||||
def list_rules():
|
||||
return itertools.chain(
|
||||
base.list_rules(),
|
||||
shares.list_rules(),
|
||||
share_instance_export_location.list_rules(),
|
||||
share_type.list_rules(),
|
||||
)
|
||||
|
329
manila/policies/shares.py
Normal file
329
manila/policies/shares.py
Normal file
@ -0,0 +1,329 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_policy import policy
|
||||
|
||||
from manila.policies import base
|
||||
|
||||
|
||||
BASE_POLICY_NAME = 'share:%s'
|
||||
|
||||
|
||||
shares_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'create',
|
||||
check_str="",
|
||||
description="Create share.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'get',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description="Get share.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/shares/{share_id}',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'get_all',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description="List shares.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/shares',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/shares/detail',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'update',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description="Update share.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/shares',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'delete',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description="Delete share.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/shares/{share_id}',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'force_delete',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="Force Delete a share.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/shares/{share_id}',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'manage',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="Manage share.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/manage',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'unmanage',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="Unmanage share.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/unmanage',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'create_snapshot',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description="Create share snapshot.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/snapshots',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'list_by_host',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="List share by host.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/shares',
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/shares/detail',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'list_by_share_server_id',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="List share by server id.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/shares'
|
||||
},
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/shares/detail',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'access_get',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description="Get share access rule, it under deny access operation.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'access_get_all',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description="List share access rules.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'extend',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description="Extend share.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'shrink',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description="Shrink share.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'migration_start',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="Migrate a share to the specified host.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'migration_complete',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="Invokes 2nd phase of share migration.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'migration_cancel',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description="Attempts to cancel share migration.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'migration_get_progress',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description=("Retrieve share migration progress for a given "
|
||||
"share."),
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'reset_task_state',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description=("Reset task state."),
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'reset_status',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description=("Reset status."),
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'revert_to_snapshot',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description=("Revert a share to a snapshot."),
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'allow_access',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description=("Add share access rule."),
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'deny_access',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description=("Remove share access rule."),
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/shares/{share_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'delete_snapshot',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description=("Delete share snapshot."),
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/snapshots/{snapshot_id}',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'snapshot_update',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description=("Update share snapshot."),
|
||||
operations=[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/snapshots/{snapshot_id}/action',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'update_share_metadata',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description=("Update share metadata."),
|
||||
operations=[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/shares/{share_id}/metadata',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'delete_share_metadata',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description=("Delete share metadata."),
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/shares/{share_id}/metadata/{key}',
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'get_share_metadata',
|
||||
check_str=base.RULE_DEFAULT,
|
||||
description=("Get share metadata."),
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/shares/{share_id}/metadata',
|
||||
}
|
||||
]),
|
||||
]
|
||||
|
||||
|
||||
def list_rules():
|
||||
return shares_policies
|
@ -208,7 +208,8 @@ def check_policy(context, resource, action, target_obj=None):
|
||||
_action = '%s:%s' % (resource, action)
|
||||
# The else branch will be deleted after all policy in code patches
|
||||
# be merged.
|
||||
if resource in ('share_instance_export_location', 'share_type', ):
|
||||
if resource in ('share_instance_export_location', 'share_type',
|
||||
'share', ):
|
||||
authorize(context, _action, target)
|
||||
else:
|
||||
enforce(context, _action, target)
|
||||
|
Loading…
Reference in New Issue
Block a user