Remove policy.json file

We already had default rule in code, so we should not
still define all of them again in policy file.
Besides, we should you yaml format for now instead json.

Another thing, we don't need to config policy file in
Devstack enviroment.

Change-Id: I783ba51695271d358764557899fe91e84620556d

devstack/plugin.sh

@@ -190,9 +190,6 @@ function configure_trove {
     # Copy api-paste file over to the trove conf dir
     cp $TROVE_LOCAL_API_PASTE_INI $TROVE_API_PASTE_INI
 
-    # Copy the default policy file over to the trove conf dir
-    cp $TROVE_LOCAL_POLICY_JSON $TROVE_POLICY_JSON
-
     # (Re)create trove conf files
     rm -f $TROVE_CONF
     rm -f $TROVE_TASKMANAGER_CONF

devstack/settings

@@ -21,7 +21,6 @@ TROVE_TASKMANAGER_CONF=${TROVE_TASKMANAGER_CONF:-${TROVE_CONF_DIR}/trove-taskman
 TROVE_CONDUCTOR_CONF=${TROVE_CONDUCTOR_CONF:-${TROVE_CONF_DIR}/trove-conductor.conf}
 TROVE_GUESTAGENT_CONF=${TROVE_GUESTAGENT_CONF:-${TROVE_CONF_DIR}/trove-guestagent.conf}
 TROVE_API_PASTE_INI=${TROVE_API_PASTE_INI:-${TROVE_CONF_DIR}/api-paste.ini}
-TROVE_POLICY_JSON=${TROVE_POLICY_JSON:-${TROVE_CONF_DIR}/policy.json}
 
 TROVE_LOCAL_CONF_DIR=${TROVE_LOCAL_CONF_DIR:-${TROVE_DIR}/etc/trove}
 TROVE_LOCAL_API_PASTE_INI=${TROVE_LOCAL_API_PASTE_INI:-${TROVE_LOCAL_CONF_DIR}/api-paste.ini}

etc/trove/policy.json

@@ -1,97 +0,0 @@
-{
-    "admin": "role:admin or is_admin:True",
-    "admin_or_owner": "rule:admin or tenant:%(tenant)s",
-    "default": "rule:admin_or_owner",
-
-    "instance:create": "rule:admin_or_owner",
-    "instance:delete": "rule:admin_or_owner",
-    "instance:force_delete": "rule:admin_or_owner",
-    "instance:index": "rule:admin_or_owner",
-    "instance:show": "rule:admin_or_owner",
-    "instance:update": "rule:admin_or_owner",
-    "instance:edit": "rule:admin_or_owner",
-    "instance:restart": "rule:admin_or_owner",
-    "instance:resize_volume": "rule:admin_or_owner",
-    "instance:resize_flavor": "rule:admin_or_owner",
-    "instance:reset_status": "rule:admin",
-    "instance:promote_to_replica_source": "rule:admin_or_owner",
-    "instance:eject_replica_source": "rule:admin_or_owner",
-    "instance:configuration": "rule:admin_or_owner",
-    "instance:guest_log_list": "rule:admin_or_owner",
-    "instance:backups": "rule:admin_or_owner",
-    "instance:module_list": "rule:admin_or_owner",
-    "instance:module_apply": "rule:admin_or_owner",
-    "instance:module_remove": "rule:admin_or_owner",
-
-    "instance:extension:root:create": "rule:admin_or_owner",
-    "instance:extension:root:delete": "rule:admin_or_owner",
-    "instance:extension:root:index": "rule:admin_or_owner",
-
-    "instance:extension:user:create": "rule:admin_or_owner",
-    "instance:extension:user:delete": "rule:admin_or_owner",
-    "instance:extension:user:index": "rule:admin_or_owner",
-    "instance:extension:user:show": "rule:admin_or_owner",
-    "instance:extension:user:update": "rule:admin_or_owner",
-    "instance:extension:user:update_all": "rule:admin_or_owner",
-
-    "instance:extension:user_access:update": "rule:admin_or_owner",
-    "instance:extension:user_access:delete": "rule:admin_or_owner",
-    "instance:extension:user_access:index": "rule:admin_or_owner",
-
-    "instance:extension:database:create": "rule:admin_or_owner",
-    "instance:extension:database:delete": "rule:admin_or_owner",
-    "instance:extension:database:index": "rule:admin_or_owner",
-    "instance:extension:database:show": "rule:admin_or_owner",
-
-    "cluster:create": "rule:admin_or_owner",
-    "cluster:delete": "rule:admin_or_owner",
-    "cluster:force_delete": "rule:admin_or_owner",
-    "cluster:index": "rule:admin_or_owner",
-    "cluster:show": "rule:admin_or_owner",
-    "cluster:show_instance": "rule:admin_or_owner",
-    "cluster:action": "rule:admin_or_owner",
-    "cluster:reset-status": "rule:admin",
-
-    "cluster:extension:root:create": "rule:admin_or_owner",
-    "cluster:extension:root:delete": "rule:admin_or_owner",
-    "cluster:extension:root:index": "rule:admin_or_owner",
-
-    "backup:create": "rule:admin_or_owner",
-    "backup:delete": "rule:admin_or_owner",
-    "backup:index": "rule:admin_or_owner",
-    "backup:show": "rule:admin_or_owner",
-
-    "configuration:create": "rule:admin_or_owner",
-    "configuration:delete": "rule:admin_or_owner",
-    "configuration:index": "rule:admin_or_owner",
-    "configuration:show": "rule:admin_or_owner",
-    "configuration:instances": "rule:admin_or_owner",
-    "configuration:update": "rule:admin_or_owner",
-    "configuration:edit": "rule:admin_or_owner",
-
-    "configuration-parameter:index": "rule:admin_or_owner",
-    "configuration-parameter:show": "rule:admin_or_owner",
-    "configuration-parameter:index_by_version": "rule:admin_or_owner",
-    "configuration-parameter:show_by_version": "rule:admin_or_owner",
-
-    "datastore:index": "",
-    "datastore:show": "",
-    "datastore:version_show": "",
-    "datastore:version_show_by_uuid": "",
-    "datastore:version_index": "",
-    "datastore:list_associated_flavors": "",
-    "datastore:list_associated_volume_types": "",
-
-    "flavor:index": "",
-    "flavor:show": "",
-
-    "limits:index": "rule:admin_or_owner",
-
-    "module:create": "rule:admin_or_owner",
-    "module:delete": "rule:admin_or_owner",
-    "module:index": "rule:admin_or_owner",
-    "module:show": "rule:admin_or_owner",
-    "module:instances": "rule:admin_or_owner",
-    "module:update": "rule:admin_or_owner",
-    "module:reapply": "rule:admin_or_owner"
-}

etc/trove/policy.yaml.sample

@@ -0,0 +1,243 @@
+# Must be an administrator.
+#"admin": "role:admin or is_admin:True"
+
+# Must be an administrator or owner of the object.
+#"admin_or_owner": "rule:admin or tenant:%(tenant)s"
+
+# Must be an administrator or owner of the object.
+#"default": "rule:admin_or_owner"
+
+#
+#"instance:create": "rule:admin_or_owner"
+
+#
+#"instance:delete": "rule:admin_or_owner"
+
+#
+#"instance:force_delete": "rule:admin_or_owner"
+
+#
+#"instance:index": "rule:admin_or_owner"
+
+#
+#"instance:show": "rule:admin_or_owner"
+
+#
+#"instance:update": "rule:admin_or_owner"
+
+#
+#"instance:edit": "rule:admin_or_owner"
+
+#
+#"instance:restart": "rule:admin_or_owner"
+
+#
+#"instance:resize_volume": "rule:admin_or_owner"
+
+#
+#"instance:resize_flavor": "rule:admin_or_owner"
+
+#
+#"instance:reset_status": "rule:admin"
+
+#
+#"instance:promote_to_replica_source": "rule:admin_or_owner"
+
+#
+#"instance:eject_replica_source": "rule:admin_or_owner"
+
+#
+#"instance:configuration": "rule:admin_or_owner"
+
+#
+#"instance:guest_log_list": "rule:admin_or_owner"
+
+#
+#"instance:backups": "rule:admin_or_owner"
+
+#
+#"instance:module_list": "rule:admin_or_owner"
+
+#
+#"instance:module_apply": "rule:admin_or_owner"
+
+#
+#"instance:module_remove": "rule:admin_or_owner"
+
+#
+#"instance:extension:root:create": "rule:admin_or_owner"
+
+#
+#"instance:extension:root:delete": "rule:admin_or_owner"
+
+#
+#"instance:extension:root:index": "rule:admin_or_owner"
+
+#
+#"instance:extension:user:create": "rule:admin_or_owner"
+
+#
+#"instance:extension:user:delete": "rule:admin_or_owner"
+
+#
+#"instance:extension:user:index": "rule:admin_or_owner"
+
+#
+#"instance:extension:user:show": "rule:admin_or_owner"
+
+#
+#"instance:extension:user:update": "rule:admin_or_owner"
+
+#
+#"instance:extension:user:update_all": "rule:admin_or_owner"
+
+#
+#"instance:extension:user_access:update": "rule:admin_or_owner"
+
+#
+#"instance:extension:user_access:delete": "rule:admin_or_owner"
+
+#
+#"instance:extension:user_access:index": "rule:admin_or_owner"
+
+#
+#"instance:extension:database:create": "rule:admin_or_owner"
+
+#
+#"instance:extension:database:delete": "rule:admin_or_owner"
+
+#
+#"instance:extension:database:index": "rule:admin_or_owner"
+
+#
+#"instance:extension:database:show": "rule:admin_or_owner"
+
+#
+#"cluster:create": "rule:admin_or_owner"
+
+#
+#"cluster:delete": "rule:admin_or_owner"
+
+#
+#"cluster:force_delete": "rule:admin_or_owner"
+
+#
+#"cluster:index": "rule:admin_or_owner"
+
+#
+#"cluster:show": "rule:admin_or_owner"
+
+#
+#"cluster:show_instance": "rule:admin_or_owner"
+
+#
+#"cluster:action": "rule:admin_or_owner"
+
+#
+#"cluster:reset-status": "rule:admin"
+
+#
+#"cluster:extension:root:create": "rule:admin_or_owner"
+
+#
+#"cluster:extension:root:delete": "rule:admin_or_owner"
+
+#
+#"cluster:extension:root:index": "rule:admin_or_owner"
+
+#
+#"backup:create": "rule:admin_or_owner"
+
+#
+#"backup:delete": "rule:admin_or_owner"
+
+#
+#"backup:index": "rule:admin_or_owner"
+
+#
+#"backup:show": "rule:admin_or_owner"
+
+#
+#"configuration:create": "rule:admin_or_owner"
+
+#
+#"configuration:delete": "rule:admin_or_owner"
+
+#
+#"configuration:index": "rule:admin_or_owner"
+
+#
+#"configuration:show": "rule:admin_or_owner"
+
+#
+#"configuration:instances": "rule:admin_or_owner"
+
+#
+#"configuration:update": "rule:admin_or_owner"
+
+#
+#"configuration:edit": "rule:admin_or_owner"
+
+#
+#"configuration-parameter:index": "rule:admin_or_owner"
+
+#
+#"configuration-parameter:show": "rule:admin_or_owner"
+
+#
+#"configuration-parameter:index_by_version": "rule:admin_or_owner"
+
+#
+#"configuration-parameter:show_by_version": "rule:admin_or_owner"
+
+#
+#"datastore:index": ""
+
+#
+#"datastore:show": ""
+
+#
+#"datastore:version_show": ""
+
+#
+#"datastore:version_show_by_uuid": ""
+
+#
+#"datastore:version_index": ""
+
+#
+#"datastore:list_associated_flavors": ""
+
+#
+#"datastore:list_associated_volume_types": ""
+
+#
+#"flavor:index": ""
+
+#
+#"flavor:show": ""
+
+#
+#"limits:index": "rule:admin_or_owner"
+
+#
+#"module:create": "rule:admin_or_owner"
+
+#
+#"module:delete": "rule:admin_or_owner"
+
+#
+#"module:index": "rule:admin_or_owner"
+
+#
+#"module:show": "rule:admin_or_owner"
+
+#
+#"module:instances": "rule:admin_or_owner"
+
+#
+#"module:update": "rule:admin_or_owner"
+
+#
+#"module:reapply": "rule:admin_or_owner"
+

trove/common/policy.py

@@ -217,6 +217,7 @@ def get_enforcer():
         _ENFORCER = policy.Enforcer(CONF)
         _ENFORCER.register_defaults(base_rules)
         _ENFORCER.register_defaults(instance_rules)
+        _ENFORCER.load_rules()
     return _ENFORCER