Switch to new style policy language

New style policy language is much more human readable and the prefered way to describe policies. Change-Id: Ib741e2222ad36fa481ca8003387ecc1d9e8231e6 Implements: blueprint switch-to-new-style-policy-lang
2015-04-14 07:27:07 +02:00 · 2015-04-14 07:27:07 +02:00 · f4efdb7721
commit f4efdb7721
parent 5208abfddb
2 changed files with 63 additions and 63 deletions
--- a/etc/manila/policy.json
+++ b/etc/manila/policy.json
@ -1,74 +1,74 @@
 {
-    "context_is_admin": [["role:admin"]],
-    "admin_or_owner":  [["is_admin:True"], ["project_id:%(project_id)s"]],
-    "default": [["rule:admin_or_owner"]],
+    "context_is_admin": "role:admin",
+    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
+    "default": "rule:admin_or_owner",

-    "admin_api": [["is_admin:True"]],
+    "admin_api": "is_admin:True",

-    "share:create": [],
-    "share:delete": [["rule:default"]],
-    "share:get": [["rule:default"]],
-    "share:get_all": [["rule:default"]],
-    "share:list_by_share_server_id": [["rule:admin_api"]],
-    "share:update": [["rule:default"]],
-    "share:snapshot_update": [["rule:default"]],
-    "share:create_snapshot": [["rule:default"]],
-    "share:delete_snapshot": [["rule:default"]],
-    "share:get_snapshot": [["rule:default"]],
-    "share:get_all_snapshots": [["rule:default"]],
-    "share:access_get": [["rule:default"]],
-    "share:access_get_all": [["rule:default"]],
-    "share:allow_access": [["rule:default"]],
-    "share:deny_access": [["rule:default"]],
-    "share:get_share_metadata": [["rule:default"]],
-    "share:delete_share_metadata": [["rule:default"]],
-    "share:update_share_metadata": [["rule:default"]],
+    "share:create": "",
+    "share:delete": "rule:default",
+    "share:get": "rule:default",
+    "share:get_all": "rule:default",
+    "share:list_by_share_server_id": "rule:admin_api",
+    "share:update": "rule:default",
+    "share:snapshot_update": "rule:default",
+    "share:create_snapshot": "rule:default",
+    "share:delete_snapshot": "rule:default",
+    "share:get_snapshot": "rule:default",
+    "share:get_all_snapshots": "rule:default",
+    "share:access_get": "rule:default",
+    "share:access_get_all": "rule:default",
+    "share:allow_access": "rule:default",
+    "share:deny_access": "rule:default",
+    "share:get_share_metadata": "rule:default",
+    "share:delete_share_metadata": "rule:default",
+    "share:update_share_metadata": "rule:default",

-    "share_extension:quotas:show": [],
-    "share_extension:quotas:update": [["rule:admin_api"]],
-    "share_extension:quotas:delete": [["rule:admin_api"]],
-    "share_extension:quota_classes": [],
+    "share_extension:quotas:show": "",
+    "share_extension:quotas:update": "rule:admin_api",
+    "share_extension:quotas:delete": "rule:admin_api",
+    "share_extension:quota_classes": "",

-    "share_extension:share_admin_actions:force_delete": [["rule:admin_api"]],
-    "share_extension:share_admin_actions:reset_status": [["rule:admin_api"]],
-    "share_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]],
-    "share_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
+    "share_extension:share_admin_actions:force_delete": "rule:admin_api",
+    "share_extension:share_admin_actions:reset_status": "rule:admin_api",
+    "share_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
+    "share_extension:snapshot_admin_actions:reset_status": "rule:admin_api",

-    "share_extension:services": [["rule:admin_api"]],
+    "share_extension:services": "rule:admin_api",

-    "share_extension:types_manage": [["rule:admin_api"]],
-    "share_extension:types_extra_specs": [["rule:admin_api"]],
+    "share_extension:types_manage": "rule:admin_api",
+    "share_extension:types_extra_specs": "rule:admin_api",

-    "share_extension:share_type_access": [],
-    "share_extension:share_type_access:addProjectAccess": [["rule:admin_api"]],
-    "share_extension:share_type_access:removeProjectAccess": [["rule:admin_api"]],
+    "share_extension:share_type_access": "",
+    "share_extension:share_type_access:addProjectAccess": "rule:admin_api",
+    "share_extension:share_type_access:removeProjectAccess": "rule:admin_api",

-    "share_extension:manage": [["rule:admin_api"]],
-    "share_extension:unmanage": [["rule:admin_api"]],
+    "share_extension:manage": "rule:admin_api",
+    "share_extension:unmanage": "rule:admin_api",

-    "security_service:create": [["rule:default"]],
-    "security_service:delete": [["rule:default"]],
-    "security_service:update": [["rule:default"]],
-    "security_service:show": [["rule:default"]],
-    "security_service:index": [["rule:default"]],
-    "security_service:detail": [["rule:default"]],
-    "security_service:get_all_security_services": [["rule:admin_api"]],
+    "security_service:create": "rule:default",
+    "security_service:delete": "rule:default",
+    "security_service:update": "rule:default",
+    "security_service:show": "rule:default",
+    "security_service:index": "rule:default",
+    "security_service:detail": "rule:default",
+    "security_service:get_all_security_services": "rule:admin_api",

-    "share_server:index": [["rule:admin_api"]],
-    "share_server:show": [["rule:admin_api"]],
-    "share_server:details": [["rule:admin_api"]],
-    "share_server:delete": [["rule:admin_api"]],
+    "share_server:index": "rule:admin_api",
+    "share_server:show": "rule:admin_api",
+    "share_server:details": "rule:admin_api",
+    "share_server:delete": "rule:admin_api",

-    "share_network:create": [["rule:default"]],
-    "share_network:delete": [["rule:default"]],
-    "share_network:update": [["rule:default"]],
-    "share_network:index": [["rule:default"]],
-    "share_network:detail": [["rule:default"]],
-    "share_network:show": [["rule:default"]],
-    "share_network:add_security_service": [["rule:default"]],
-    "share_network:remove_security_service": [["rule:default"]],
-    "share_network:get_all_share_networks": [["rule:admin_api"]],
+    "share_network:create": "rule:default",
+    "share_network:delete": "rule:default",
+    "share_network:update": "rule:default",
+    "share_network:index": "rule:default",
+    "share_network:detail": "rule:default",
+    "share_network:show": "rule:default",
+    "share_network:add_security_service": "rule:default",
+    "share_network:remove_security_service": "rule:default",
+    "share_network:get_all_share_networks": "rule:admin_api",

-    "scheduler_stats:pools:index": [["rule:admin_api"]],
-    "scheduler_stats:pools:detail": [["rule:admin_api"]]
+    "scheduler_stats:pools:index": "rule:admin_api",
+    "scheduler_stats:pools:detail": "rule:admin_api"
 }
--- a/manila/tests/test_policy.py
+++ b/manila/tests/test_policy.py
@ -169,7 +169,7 @@ class DefaultPolicyTestCase(test.TestCase):

        self.rules = {
            "default": [],
-            "example:exist": [["false:false"]]
+            "example:exist": "false:false"
        }
        self._set_rules('default')
        self.context = context.RequestContext('fake', 'fake')
@ -238,8 +238,8 @@ class ContextIsAdminPolicyTestCase(test.TestCase):

    def test_context_is_admin_undefined(self):
        rules = {
-            "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
-            "default": [["rule:admin_or_owner"]],
+            "admin_or_owner": "role:admin or project_id:%(project_id)s",
+            "default": "rule:admin_or_owner",
        }
        self._set_rules(rules, CONF.policy_default_rule)
        ctx = context.RequestContext('fake', 'fake')