Merge "[policy in code] Add support for AZ, scheduler and message resource [9/10]"

This commit is contained in:
Zuul 2017-12-21 19:59:16 +00:00 committed by Gerrit Code Review
commit b7935e4e38
10 changed files with 166 additions and 38 deletions


@ -145,7 +145,9 @@ function configure_manila {
fi fi
sudo chown $STACK_USER $MANILA_CONF_DIR sudo chown $STACK_USER $MANILA_CONF_DIR
cp -p $MANILA_DIR/etc/manila/policy.json $MANILA_CONF_DIR if [[ -f $MANILA_DIR/etc/manila/policy.json ]]; then
cp -p $MANILA_DIR/etc/manila/policy.json $MANILA_CONF_DIR
fi
# Set the paths of certain binaries # Set the paths of certain binaries
MANILA_ROOTWRAP=$(get_rootwrap_location manila) MANILA_ROOTWRAP=$(get_rootwrap_location manila)
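Review bot: The new guard only skips the copy when the source tree has no policy.json; it does nothing about a policy.json left in $MANILA_CONF_DIR by an earlier stack run, and since this commit deletes the shipped file, a leftover copy would presumably keep overriding the in-code defaults the series introduces (oslo.policy applies the configured policy file on top of registered defaults) — worth confirming against the oslo.policy version in use. Clearing the stale file before the conditional copy, `rm -f $MANILA_CONF_DIR/policy.json` ahead of the `if [[ -f $MANILA_DIR/etc/manila/policy.json ]]; then` line, makes sure a fresh stack exercises the in-code rules. configure_manila starts before this hunk.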


@ -8,5 +8,4 @@ All the files in this section can be found in ``/etc/manila``.
manila.conf.rst manila.conf.rst
api-paste.ini.rst api-paste.ini.rst
policy.json.rst
rootwrap.conf.rst rootwrap.conf.rst


@ -1,9 +0,0 @@
===========
policy.json
===========
The ``policy.json`` file defines additional access controls that apply
to the Shared File Systems service.
.. literalinclude:: ../../../../../etc/manila/policy.json
:language: json


@ -1,10 +0,0 @@
{
"availability_zone:index": "rule:default",
"scheduler_stats:pools:index": "rule:admin_api",
"scheduler_stats:pools:detail": "rule:admin_api",
"message:delete": "rule:default",
"message:get": "rule:default",
"message:get_all": "rule:default"
}


@ -16,9 +16,12 @@
import itertools import itertools
from manila.policies import availability_zone
from manila.policies import base from manila.policies import base
from manila.policies import message
from manila.policies import quota_class_set from manila.policies import quota_class_set
from manila.policies import quota_set from manila.policies import quota_set
from manila.policies import scheduler_stats
from manila.policies import security_service from manila.policies import security_service
from manila.policies import service from manila.policies import service
from manila.policies import share_export_location from manila.policies import share_export_location
@ -43,6 +46,8 @@ from manila.policies import shares
def list_rules(): def list_rules():
return itertools.chain( return itertools.chain(
base.list_rules(), base.list_rules(),
availability_zone.list_rules(),
scheduler_stats.list_rules(),
shares.list_rules(), shares.list_rules(),
share_instance_export_location.list_rules(), share_instance_export_location.list_rules(),
share_type.list_rules(), share_type.list_rules(),
@ -64,4 +69,5 @@ def list_rules():
security_service.list_rules(), security_service.list_rules(),
share_export_location.list_rules(), share_export_location.list_rules(),
share_instance.list_rules(), share_instance.list_rules(),
message.list_rules(),
) )
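Review bot: The new entries in list_rules() are placed inconsistently — availability_zone and scheduler_stats go directly after base while message is appended at the very end — even though the matching imports above are kept alphabetical. Nothing visible suggests registration order matters to oslo.policy, so this is style only; grouping the three new calls together, or mirroring the import order, keeps the chain easy to diff as the remaining patches of the series land. list_rules() spans both hunks shown and its middle lies outside the hunks.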


@ -0,0 +1,40 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from manila.policies import base
BASE_POLICY_NAME = 'availability_zone:%s'
availability_zone_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'index',
check_str=base.RULE_DEFAULT,
description=("Get all storage availability zones."),
operations=[
{
'method': 'GET',
'path': '/os-availability-zone',
},
{
'method': 'GET',
'path': '/availability-zone',
},
]),
]
def list_rules():
return availability_zone_policies
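Review bot: list_rules() and the module carry no docstring, and the same is true of message.py and scheduler_stats.py in this change; a one-liner such as `"""Return the availability_zone policy defaults registered with oslo.policy."""` on each list_rules() would document the module's only entry point. The parentheses in `description=("Get all storage availability zones."),` are redundant around a single literal and differ from the bare literals the other two new modules use; `description="Get all storage availability zones.",` keeps the three uniform. The check string base.RULE_DEFAULT matches the `rule:default` entry this commit removes from etc/manila/policy.json, so the effective access level of availability_zone:index is preserved.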


@ -0,0 +1,60 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from manila.policies import base
BASE_POLICY_NAME = 'message:%s'
message_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'get',
check_str=base.RULE_DEFAULT,
description="Get details of a given message.",
operations=[
{
'method': 'GET',
'path': '/messages/{message_id}'
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'get_all',
check_str=base.RULE_DEFAULT,
description="Get all messages.",
operations=[
{
'method': 'GET',
'path': '/messages'
},
{
'method': 'GET',
'path': '/messages?{query}'
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'delete',
check_str=base.RULE_DEFAULT,
description="Delete a message.",
operations=[
{
'method': 'DELETE',
'path': '/messages/{message_id}'
}
]),
]
def list_rules():
return message_policies
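Review bot: The `message:delete` rule is registered with base.RULE_DEFAULT, the level the deleted policy.json also gave it, so there is no regression, but whether that rule actually limits deletion to the owning project depends on what RULE_DEFAULT resolves to (not visible here) and on the target passed to check_policy() — the policy.py hunk in this commit builds the target from `target_obj or {}`, so a caller that omits the message record is evaluated against the context alone. Worth confirming the messages API passes the message as target_obj for delete and get; a comment on the delete rule, `# owner-based checks rely on the API passing the message as target_obj`, would record that dependency for the next reader.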


@ -0,0 +1,56 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from manila.policies import base
BASE_POLICY_NAME = 'scheduler_stats:pools:%s'
scheduler_stats_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'index',
check_str=base.RULE_ADMIN_API,
description="Get information regarding backends "
"(and storage pools) known to the scheduler.",
operations=[
{
'method': 'GET',
'path': '/scheduler-stats/pools'
},
{
'method': 'GET',
'path': '/scheduler-stats/pools?{query}'
}
]),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'detail',
check_str=base.RULE_ADMIN_API,
description="Get detailed information regarding backends "
"(and storage pools) known to the scheduler.",
operations=[
{
'method': 'GET',
'path': '/scheduler-stats/pools/detail?{query}'
},
{
'method': 'GET',
'path': '/scheduler-stats/pools/detail'
}
]),
]
def list_rules():
return scheduler_stats_policies
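Review bot: The operations of the `detail` rule list `'/scheduler-stats/pools/detail?{query}'` before the plain `'/scheduler-stats/pools/detail'`, whereas the `index` rule above (and get_all in message.py) put the plain path first; swapping the two dicts keeps the generated policy documentation consistent across rules. Both rules keep base.RULE_ADMIN_API, matching the `rule:admin_api` entries removed from etc/manila/policy.json, so backend and pool statistics remain admin-only after the move to in-code defaults.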


@ -206,19 +206,4 @@ def check_policy(context, resource, action, target_obj=None):
} }
target.update(target_obj or {}) target.update(target_obj or {})
_action = '%s:%s' % (resource, action) _action = '%s:%s' % (resource, action)
# The else branch will be deleted after all policy in code patches authorize(context, _action, target)
# be merged.
if resource in ('share_instance_export_location', 'share_type',
'share', 'share_snapshot',
'share_snapshot_export_location',
'share_snapshot_instance',
'share_snapshot_instance_export_location',
'quota_set', 'quota_class_set', 'service',
'share_server', 'share_group', 'share_group_snapshot',
'share_group_type', 'share_group_types_spec',
'share_replica', 'share_network', 'security_service',
'share_types_extra_spec', 'share_instance',
'share_export_location', ):
authorize(context, _action, target)
else:
enforce(context, _action, target)
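Review bot: With the else branch removed, every check_policy() call now goes through authorize() regardless of resource, so an action that has no in-code rule can no longer fall back to the policy file's `default` rule the way the enforce() path allowed; if authorize() wraps oslo.policy's Enforcer.authorize(), such a call raises PolicyNotRegistered rather than returning a deny. That fail-closed behaviour is the intended end state of the series, but the explanatory comment that was deleted here should be replaced rather than dropped, e.g. `# authorize() rejects resource:action pairs not registered in manila.policies; every API check needs an in-code DocumentedRuleDefault.`, and the check_policy() docstring above this hunk should state the same contract. check_policy() starts before the hunk.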


@ -25,7 +25,6 @@ setup-hooks =
data_files = data_files =
etc/manila = etc/manila =
etc/manila/api-paste.ini etc/manila/api-paste.ini
etc/manila/policy.json
etc/manila/rootwrap.conf etc/manila/rootwrap.conf
etc/manila/rootwrap.d = etc/manila/rootwrap.d/* etc/manila/rootwrap.d = etc/manila/rootwrap.d/*
packages = packages =