From dd6b22d47ab8529afb7126bfde491b625058f319 Mon Sep 17 00:00:00 2001
From: Dai Dang Van
Date: Wed, 4 Oct 2017 10:05:31 +0700
Subject: [PATCH] Remove policy.json file

We already had default rule in code, so we should not still define all of them again in policy file. Besides, we should you yaml format for now instead json. Another thing, we don't need to config policy file in Devstack enviroment.

Change-Id: I783ba51695271d358764557899fe91e84620556d
---
 devstack/plugin.sh | 3 -
 devstack/settings | 1 -
 etc/trove/policy.json | 97 --------------
 etc/trove/policy.yaml.sample | 243 +++++++++++++++++++++++++++++++++++
 trove/common/policy.py | 1 +
 5 files changed, 244 insertions(+), 101 deletions(-)
 delete mode 100644 etc/trove/policy.json
 create mode 100644 etc/trove/policy.yaml.sample

diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 2ff506e3d5..6746bc1fcc 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -190,9 +190,6 @@ function configure_trove {
 # Copy api-paste file over to the trove conf dir
 cp $TROVE_LOCAL_API_PASTE_INI $TROVE_API_PASTE_INI
- # Copy the default policy file over to the trove conf dir
- cp $TROVE_LOCAL_POLICY_JSON $TROVE_POLICY_JSON
-
 # (Re)create trove conf files
 rm -f $TROVE_CONF
 rm -f $TROVE_TASKMANAGER_CONF
diff --git a/devstack/settings b/devstack/settings
index 45cd862c30..1bd065be64 100644
--- a/devstack/settings
+++ b/devstack/settings
@@ -21,7 +21,6 @@ TROVE_TASKMANAGER_CONF=${TROVE_TASKMANAGER_CONF:-${TROVE_CONF_DIR}/trove-taskman
 TROVE_CONDUCTOR_CONF=${TROVE_CONDUCTOR_CONF:-${TROVE_CONF_DIR}/trove-conductor.conf}
 TROVE_GUESTAGENT_CONF=${TROVE_GUESTAGENT_CONF:-${TROVE_CONF_DIR}/trove-guestagent.conf}
 TROVE_API_PASTE_INI=${TROVE_API_PASTE_INI:-${TROVE_CONF_DIR}/api-paste.ini}
-TROVE_POLICY_JSON=${TROVE_POLICY_JSON:-${TROVE_CONF_DIR}/policy.json}
 TROVE_LOCAL_CONF_DIR=${TROVE_LOCAL_CONF_DIR:-${TROVE_DIR}/etc/trove}
 TROVE_LOCAL_API_PASTE_INI=${TROVE_LOCAL_API_PASTE_INI:-${TROVE_LOCAL_CONF_DIR}/api-paste.ini}
diff --git a/etc/trove/policy.json b/etc/trove/policy.json
deleted file mode 100644
index 902f4303e7..0000000000
--- a/etc/trove/policy.json
+++ /dev/null
@@ -1,97 +0,0 @@
-{
- "admin": "role:admin or is_admin:True",
- "admin_or_owner": "rule:admin or tenant:%(tenant)s",
- "default": "rule:admin_or_owner",
-
- "instance:create": "rule:admin_or_owner",
- "instance:delete": "rule:admin_or_owner",
- "instance:force_delete": "rule:admin_or_owner",
- "instance:index": "rule:admin_or_owner",
- "instance:show": "rule:admin_or_owner",
- "instance:update": "rule:admin_or_owner",
- "instance:edit": "rule:admin_or_owner",
- "instance:restart": "rule:admin_or_owner",
- "instance:resize_volume": "rule:admin_or_owner",
- "instance:resize_flavor": "rule:admin_or_owner",
- "instance:reset_status": "rule:admin",
- "instance:promote_to_replica_source": "rule:admin_or_owner",
- "instance:eject_replica_source": "rule:admin_or_owner",
- "instance:configuration": "rule:admin_or_owner",
- "instance:guest_log_list": "rule:admin_or_owner",
- "instance:backups": "rule:admin_or_owner",
- "instance:module_list": "rule:admin_or_owner",
- "instance:module_apply": "rule:admin_or_owner",
- "instance:module_remove": "rule:admin_or_owner",
-
- "instance:extension:root:create": "rule:admin_or_owner",
- "instance:extension:root:delete": "rule:admin_or_owner",
- "instance:extension:root:index": "rule:admin_or_owner",
-
- "instance:extension:user:create": "rule:admin_or_owner",
- "instance:extension:user:delete": "rule:admin_or_owner",
- "instance:extension:user:index": "rule:admin_or_owner",
- "instance:extension:user:show": "rule:admin_or_owner",
- "instance:extension:user:update": "rule:admin_or_owner",
- "instance:extension:user:update_all": "rule:admin_or_owner",
-
- "instance:extension:user_access:update": "rule:admin_or_owner",
- "instance:extension:user_access:delete": "rule:admin_or_owner",
- "instance:extension:user_access:index": "rule:admin_or_owner",
-
- "instance:extension:database:create": "rule:admin_or_owner",
- "instance:extension:database:delete": "rule:admin_or_owner",
- "instance:extension:database:index": "rule:admin_or_owner",
- "instance:extension:database:show": "rule:admin_or_owner",
-
- "cluster:create": "rule:admin_or_owner",
- "cluster:delete": "rule:admin_or_owner",
- "cluster:force_delete": "rule:admin_or_owner",
- "cluster:index": "rule:admin_or_owner",
- "cluster:show": "rule:admin_or_owner",
- "cluster:show_instance": "rule:admin_or_owner",
- "cluster:action": "rule:admin_or_owner",
- "cluster:reset-status": "rule:admin",
-
- "cluster:extension:root:create": "rule:admin_or_owner",
- "cluster:extension:root:delete": "rule:admin_or_owner",
- "cluster:extension:root:index": "rule:admin_or_owner",
-
- "backup:create": "rule:admin_or_owner",
- "backup:delete": "rule:admin_or_owner",
- "backup:index": "rule:admin_or_owner",
- "backup:show": "rule:admin_or_owner",
-
- "configuration:create": "rule:admin_or_owner",
- "configuration:delete": "rule:admin_or_owner",
- "configuration:index": "rule:admin_or_owner",
- "configuration:show": "rule:admin_or_owner",
- "configuration:instances": "rule:admin_or_owner",
- "configuration:update": "rule:admin_or_owner",
- "configuration:edit": "rule:admin_or_owner",
-
- "configuration-parameter:index": "rule:admin_or_owner",
- "configuration-parameter:show": "rule:admin_or_owner",
- "configuration-parameter:index_by_version": "rule:admin_or_owner",
- "configuration-parameter:show_by_version": "rule:admin_or_owner",
-
- "datastore:index": "",
- "datastore:show": "",
- "datastore:version_show": "",
- "datastore:version_show_by_uuid": "",
- "datastore:version_index": "",
- "datastore:list_associated_flavors": "",
- "datastore:list_associated_volume_types": "",
-
- "flavor:index": "",
- "flavor:show": "",
-
- "limits:index": "rule:admin_or_owner",
-
- "module:create": "rule:admin_or_owner",
- "module:delete": "rule:admin_or_owner",
- "module:index": "rule:admin_or_owner",
- "module:show": "rule:admin_or_owner",
- "module:instances": "rule:admin_or_owner",
- "module:update": "rule:admin_or_owner",
- "module:reapply": "rule:admin_or_owner"
-}
diff --git a/etc/trove/policy.yaml.sample b/etc/trove/policy.yaml.sample
new file mode 100644
index 0000000000..823144dcb0
--- /dev/null
+++ b/etc/trove/policy.yaml.sample
@@ -0,0 +1,243 @@
+# Must be an administrator. +#"admin": "role:admin or is_admin:True" + +# Must be an administrator or owner of the object. +#"admin_or_owner": "rule:admin or tenant:%(tenant)s" + +# Must be an administrator or owner of the object. +#"default": "rule:admin_or_owner" + +# +#"instance:create": "rule:admin_or_owner" + +# +#"instance:delete": "rule:admin_or_owner" + +# +#"instance:force_delete": "rule:admin_or_owner" + +# +#"instance:index": "rule:admin_or_owner" + +# +#"instance:show": "rule:admin_or_owner" + +# +#"instance:update": "rule:admin_or_owner" + +# +#"instance:edit": "rule:admin_or_owner" + +# +#"instance:restart": "rule:admin_or_owner" + +# +#"instance:resize_volume": "rule:admin_or_owner" + +# +#"instance:resize_flavor": "rule:admin_or_owner" + +# +#"instance:reset_status": "rule:admin" + +# +#"instance:promote_to_replica_source": "rule:admin_or_owner" + +# +#"instance:eject_replica_source": "rule:admin_or_owner" + +# +#"instance:configuration": "rule:admin_or_owner" + +# +#"instance:guest_log_list": "rule:admin_or_owner" + +# +#"instance:backups": "rule:admin_or_owner" + +# +#"instance:module_list": "rule:admin_or_owner" + +# +#"instance:module_apply": "rule:admin_or_owner" + +# +#"instance:module_remove": "rule:admin_or_owner" + +# +#"instance:extension:root:create": "rule:admin_or_owner" + +# +#"instance:extension:root:delete": "rule:admin_or_owner" + +# +#"instance:extension:root:index": "rule:admin_or_owner" + +# +#"instance:extension:user:create": "rule:admin_or_owner" + +# +#"instance:extension:user:delete": "rule:admin_or_owner" + +# +#"instance:extension:user:index": "rule:admin_or_owner" + +# +#"instance:extension:user:show": "rule:admin_or_owner" + +# +#"instance:extension:user:update": "rule:admin_or_owner" + +# +#"instance:extension:user:update_all": "rule:admin_or_owner" + +# +#"instance:extension:user_access:update": "rule:admin_or_owner" + +# +#"instance:extension:user_access:delete": "rule:admin_or_owner" + +# 
+#"instance:extension:user_access:index": "rule:admin_or_owner" + +# +#"instance:extension:database:create": "rule:admin_or_owner" + +# +#"instance:extension:database:delete": "rule:admin_or_owner" + +# +#"instance:extension:database:index": "rule:admin_or_owner" + +# +#"instance:extension:database:show": "rule:admin_or_owner" + +# +#"cluster:create": "rule:admin_or_owner" + +# +#"cluster:delete": "rule:admin_or_owner" + +# +#"cluster:force_delete": "rule:admin_or_owner" + +# +#"cluster:index": "rule:admin_or_owner" + +# +#"cluster:show": "rule:admin_or_owner" + +# +#"cluster:show_instance": "rule:admin_or_owner" + +# +#"cluster:action": "rule:admin_or_owner" + +# +#"cluster:reset-status": "rule:admin" + +# +#"cluster:extension:root:create": "rule:admin_or_owner" + +# +#"cluster:extension:root:delete": "rule:admin_or_owner" + +# +#"cluster:extension:root:index": "rule:admin_or_owner" + +# +#"backup:create": "rule:admin_or_owner" + +# +#"backup:delete": "rule:admin_or_owner" + +# +#"backup:index": "rule:admin_or_owner" + +# +#"backup:show": "rule:admin_or_owner" + +# +#"configuration:create": "rule:admin_or_owner" + +# +#"configuration:delete": "rule:admin_or_owner" + +# +#"configuration:index": "rule:admin_or_owner" + +# +#"configuration:show": "rule:admin_or_owner" + +# +#"configuration:instances": "rule:admin_or_owner" + +# +#"configuration:update": "rule:admin_or_owner" + +# +#"configuration:edit": "rule:admin_or_owner" + +# +#"configuration-parameter:index": "rule:admin_or_owner" + +# +#"configuration-parameter:show": "rule:admin_or_owner" + +# +#"configuration-parameter:index_by_version": "rule:admin_or_owner" + +# +#"configuration-parameter:show_by_version": "rule:admin_or_owner" + +# +#"datastore:index": "" + +# +#"datastore:show": "" + +# +#"datastore:version_show": "" + +# +#"datastore:version_show_by_uuid": "" + +# +#"datastore:version_index": "" + +# +#"datastore:list_associated_flavors": "" + +# +#"datastore:list_associated_volume_types": "" + +# 
+#"flavor:index": "" + +# +#"flavor:show": "" + +# +#"limits:index": "rule:admin_or_owner" + +# +#"module:create": "rule:admin_or_owner" + +# +#"module:delete": "rule:admin_or_owner" + +# +#"module:index": "rule:admin_or_owner" + +# +#"module:show": "rule:admin_or_owner" + +# +#"module:instances": "rule:admin_or_owner" + +# +#"module:update": "rule:admin_or_owner" + +# +#"module:reapply": "rule:admin_or_owner" +
diff --git a/trove/common/policy.py b/trove/common/policy.py
index b34f5df413..3137ef8a0a 100644
--- a/trove/common/policy.py
+++ b/trove/common/policy.py
@@ -217,6 +217,7 @@ def get_enforcer():
 _ENFORCER = policy.Enforcer(CONF)
 _ENFORCER.register_defaults(base_rules)
 _ENFORCER.register_defaults(instance_rules)
+ _ENFORCER.load_rules()
 return _ENFORCER
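Review bot: The new `_ENFORCER.load_rules()` call carries no comment saying why the rules are loaded eagerly right after `register_defaults`, given that `enforce()` already loads the policy file lazily on its own; a one-line comment such as `# Populate _ENFORCER.rules from the policy file (if any) before the first enforce(); the in-code defaults remain the fallback.` would record the intent. With devstack no longer shipping `policy.json` and the sample renamed to `policy.yaml.sample`, it is worth confirming that the policy file name the enforcer is configured with (the oslo_policy `policy_file` option, not visible in this hunk) matches the new YAML name, otherwise an operator-provided `policy.yaml` would be silently ignored and only the in-code defaults would apply. It is also worth confirming, against the oslo.policy version the project pins, that `load_rules()` tolerates an absent policy file rather than raising at enforcer construction, since this call now runs on first use of the enforcer. The enclosing `get_enforcer` function starts outside the hunk.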