Generate policy sample file automatically.
A new entrypoint in setup.cfg and a config file are added so that the oslo.policy helper script can generate the sample file. A new tox target is also added to simplify setting up the environment. Now the policy sample file can be generated automatically, so the in-repo sample file is no longer needed. Co-Authored-By: Andrew Laski <andrew@lascii.com> Partial-Implements: blueprint policy-in-code Change-Id: Ic336fa154ccc05b5e9db3a8e751a484b1cc5aa9c Signed-off-by: Zhao Chao <zhaochao1984@gmail.com>
This commit is contained in:
parent
f0c03c114e
commit
71ebd353ca
3
.gitignore
vendored
3
.gitignore
vendored
@ -45,3 +45,6 @@ publish-docs/
|
|||||||
*~
|
*~
|
||||||
.*.swp
|
.*.swp
|
||||||
.bak
|
.bak
|
||||||
|
|
||||||
|
# Policy sample
|
||||||
|
etc/trove/policy.yaml.sample
|
||||||
|
19
etc/trove/README-policy.generated.md
Normal file
19
etc/trove/README-policy.generated.md
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
Generate Trove policies sample
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Trove policies sample are no longer provided, instead it could be generated
|
||||||
|
by running the following command from the top of the trove directory:
|
||||||
|
|
||||||
|
tox -egenpolicy
|
||||||
|
|
||||||
|
|
||||||
|
Use customized policy file
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
As Trove uses policy in code now, it's not necessary to add a policy file for
|
||||||
|
Trove components to run. But when a customized policy is needed, Trove will
|
||||||
|
take ``/etc/trove/policy.json`` by default. The location of the policy file
|
||||||
|
can also be overriden by adding following lines in Trove config file:
|
||||||
|
|
||||||
|
[oslo_policy]
|
||||||
|
policy_file = /path/to/policy/file
|
@ -1,243 +0,0 @@
|
|||||||
# Must be an administrator.
|
|
||||||
#"admin": "role:admin or is_admin:True"
|
|
||||||
|
|
||||||
# Must be an administrator or owner of the object.
|
|
||||||
#"admin_or_owner": "rule:admin or tenant:%(tenant)s"
|
|
||||||
|
|
||||||
# Must be an administrator or owner of the object.
|
|
||||||
#"default": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:create": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:delete": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:force_delete": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:index": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:show": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:update": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:edit": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:restart": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:resize_volume": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:resize_flavor": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:reset_status": "rule:admin"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:promote_to_replica_source": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:eject_replica_source": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:configuration": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:guest_log_list": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:backups": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:module_list": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:module_apply": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:module_remove": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:root:create": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:root:delete": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:root:index": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:user:create": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:user:delete": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:user:index": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:user:show": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:user:update": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:user:update_all": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:user_access:update": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:user_access:delete": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:user_access:index": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:database:create": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:database:delete": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:database:index": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"instance:extension:database:show": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"cluster:create": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"cluster:delete": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"cluster:force_delete": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"cluster:index": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"cluster:show": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"cluster:show_instance": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"cluster:action": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"cluster:reset-status": "rule:admin"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"cluster:extension:root:create": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"cluster:extension:root:delete": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"cluster:extension:root:index": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"backup:create": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"backup:delete": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"backup:index": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"backup:show": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"configuration:create": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"configuration:delete": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"configuration:index": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"configuration:show": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"configuration:instances": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"configuration:update": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"configuration:edit": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"configuration-parameter:index": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"configuration-parameter:show": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"configuration-parameter:index_by_version": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"configuration-parameter:show_by_version": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"datastore:index": ""
|
|
||||||
|
|
||||||
#
|
|
||||||
#"datastore:show": ""
|
|
||||||
|
|
||||||
#
|
|
||||||
#"datastore:version_show": ""
|
|
||||||
|
|
||||||
#
|
|
||||||
#"datastore:version_show_by_uuid": ""
|
|
||||||
|
|
||||||
#
|
|
||||||
#"datastore:version_index": ""
|
|
||||||
|
|
||||||
#
|
|
||||||
#"datastore:list_associated_flavors": ""
|
|
||||||
|
|
||||||
#
|
|
||||||
#"datastore:list_associated_volume_types": ""
|
|
||||||
|
|
||||||
#
|
|
||||||
#"flavor:index": ""
|
|
||||||
|
|
||||||
#
|
|
||||||
#"flavor:show": ""
|
|
||||||
|
|
||||||
#
|
|
||||||
#"limits:index": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"module:create": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"module:delete": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"module:index": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"module:show": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"module:instances": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"module:update": "rule:admin_or_owner"
|
|
||||||
|
|
||||||
#
|
|
||||||
#"module:reapply": "rule:admin_or_owner"
|
|
||||||
|
|
@ -50,6 +50,13 @@ oslo.messaging.notify.drivers =
|
|||||||
trove.openstack.common.notifier.rpc_notifier = oslo_messaging.notify.messaging:MessagingDriver
|
trove.openstack.common.notifier.rpc_notifier = oslo_messaging.notify.messaging:MessagingDriver
|
||||||
trove.openstack.common.notifier.test_notifier = oslo_messaging.notify._impl_test:TestDriver
|
trove.openstack.common.notifier.test_notifier = oslo_messaging.notify._impl_test:TestDriver
|
||||||
|
|
||||||
|
oslo.policy.policies =
|
||||||
|
# The sample policies will be ordered by entry point and then by list
|
||||||
|
# returned from that entry point. If more control is desired split out each
|
||||||
|
# list_rules method into a separate entry point rather than using the
|
||||||
|
# aggregate method.
|
||||||
|
trove = trove.common.policies:list_rules
|
||||||
|
|
||||||
[global]
|
[global]
|
||||||
setup-hooks =
|
setup-hooks =
|
||||||
pbr.hooks.setup_hook
|
pbr.hooks.setup_hook
|
||||||
|
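Review bot: Registering `trove = trove.common.policies:list_rules` under `oslo.policy.policies` makes the in-code rule list the authoritative statement of Trove's default access controls, and because `etc/trove/policy.yaml.sample` is ignored in the same commit (the .gitignore hunk), a change to those defaults will no longer surface as a sample-file diff during review. Consider a test or check target that regenerates the sample and compares it with what `list_rules` returns, or at least extend the comment above the entry point with `# The generated sample is the operator-facing view of these defaults; regenerate it (tox -egenpolicy) after editing trove/common/policies.` The `[global]` lines below are context only, and `trove.common.policies` is not part of this change, so whether `list_rules` aggregates every policy module cannot be confirmed from this hunk.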
3
tools/trove-policy-generator.conf
Normal file
3
tools/trove-policy-generator.conf
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
[DEFAULT]
|
||||||
|
output_file = etc/trove/policy.yaml.sample
|
||||||
|
namespace = trove
|
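Review bot: `output_file = etc/trove/policy.yaml.sample` is a path relative to the current working directory, so the generator only writes the sample where the .gitignore entry expects it when it is invoked from the repository root, and nothing in this file says so; the README added in this commit states it, but the conf is what a reader of `tools/` sees first. Add a header comment such as `# Read by oslopolicy-sample-generator via "tox -egenpolicy"; output_file is relative to the repository root.` The `[DEFAULT]` section name and the `output_file`/`namespace` keys are the ones the generator expects, so the content itself looks correct.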
3
tox.ini
3
tox.ini
@ -104,6 +104,9 @@ commands = bandit -r trove -n5 -x tests
|
|||||||
envdir = {toxworkdir}/bandit
|
envdir = {toxworkdir}/bandit
|
||||||
commands = bandit-baseline -r trove -n5 -x tests -ii -ll
|
commands = bandit-baseline -r trove -n5 -x tests -ii -ll
|
||||||
|
|
||||||
|
[testenv:genpolicy]
|
||||||
|
commands = oslopolicy-sample-generator --config-file=tools/trove-policy-generator.conf
|
||||||
|
|
||||||
[testenv:install-guide]
|
[testenv:install-guide]
|
||||||
commands = sphinx-build -a -E -W -d install-guide/build/doctrees -b html install-guide/source install-guide/build/html
|
commands = sphinx-build -a -E -W -d install-guide/build/doctrees -b html install-guide/source install-guide/build/html
|
||||||
|
|
||||||
|