Remove policy.json file

We already have default rules in code, so we should not
define all of them again in the policy file.
Besides, we should use yaml format for now instead of json.

Another thing, we don't need to configure the policy file in
the Devstack environment.

Change-Id: I783ba51695271d358764557899fe91e84620556d
Dai Dang Van 2017-10-04 10:05:31 +07:00
parent ccb6752f69
commit dd6b22d47a
5 changed files with 244 additions and 101 deletions


@ -190,9 +190,6 @@ function configure_trove {
# Copy api-paste file over to the trove conf dir # Copy api-paste file over to the trove conf dir
cp $TROVE_LOCAL_API_PASTE_INI $TROVE_API_PASTE_INI cp $TROVE_LOCAL_API_PASTE_INI $TROVE_API_PASTE_INI
# Copy the default policy file over to the trove conf dir
cp $TROVE_LOCAL_POLICY_JSON $TROVE_POLICY_JSON
# (Re)create trove conf files # (Re)create trove conf files
rm -f $TROVE_CONF rm -f $TROVE_CONF
rm -f $TROVE_TASKMANAGER_CONF rm -f $TROVE_TASKMANAGER_CONF


@ -21,7 +21,6 @@ TROVE_TASKMANAGER_CONF=${TROVE_TASKMANAGER_CONF:-${TROVE_CONF_DIR}/trove-taskman
TROVE_CONDUCTOR_CONF=${TROVE_CONDUCTOR_CONF:-${TROVE_CONF_DIR}/trove-conductor.conf} TROVE_CONDUCTOR_CONF=${TROVE_CONDUCTOR_CONF:-${TROVE_CONF_DIR}/trove-conductor.conf}
TROVE_GUESTAGENT_CONF=${TROVE_GUESTAGENT_CONF:-${TROVE_CONF_DIR}/trove-guestagent.conf} TROVE_GUESTAGENT_CONF=${TROVE_GUESTAGENT_CONF:-${TROVE_CONF_DIR}/trove-guestagent.conf}
TROVE_API_PASTE_INI=${TROVE_API_PASTE_INI:-${TROVE_CONF_DIR}/api-paste.ini} TROVE_API_PASTE_INI=${TROVE_API_PASTE_INI:-${TROVE_CONF_DIR}/api-paste.ini}
TROVE_POLICY_JSON=${TROVE_POLICY_JSON:-${TROVE_CONF_DIR}/policy.json}
TROVE_LOCAL_CONF_DIR=${TROVE_LOCAL_CONF_DIR:-${TROVE_DIR}/etc/trove} TROVE_LOCAL_CONF_DIR=${TROVE_LOCAL_CONF_DIR:-${TROVE_DIR}/etc/trove}
TROVE_LOCAL_API_PASTE_INI=${TROVE_LOCAL_API_PASTE_INI:-${TROVE_LOCAL_CONF_DIR}/api-paste.ini} TROVE_LOCAL_API_PASTE_INI=${TROVE_LOCAL_API_PASTE_INI:-${TROVE_LOCAL_CONF_DIR}/api-paste.ini}


@ -1,97 +0,0 @@
{
"admin": "role:admin or is_admin:True",
"admin_or_owner": "rule:admin or tenant:%(tenant)s",
"default": "rule:admin_or_owner",
"instance:create": "rule:admin_or_owner",
"instance:delete": "rule:admin_or_owner",
"instance:force_delete": "rule:admin_or_owner",
"instance:index": "rule:admin_or_owner",
"instance:show": "rule:admin_or_owner",
"instance:update": "rule:admin_or_owner",
"instance:edit": "rule:admin_or_owner",
"instance:restart": "rule:admin_or_owner",
"instance:resize_volume": "rule:admin_or_owner",
"instance:resize_flavor": "rule:admin_or_owner",
"instance:reset_status": "rule:admin",
"instance:promote_to_replica_source": "rule:admin_or_owner",
"instance:eject_replica_source": "rule:admin_or_owner",
"instance:configuration": "rule:admin_or_owner",
"instance:guest_log_list": "rule:admin_or_owner",
"instance:backups": "rule:admin_or_owner",
"instance:module_list": "rule:admin_or_owner",
"instance:module_apply": "rule:admin_or_owner",
"instance:module_remove": "rule:admin_or_owner",
"instance:extension:root:create": "rule:admin_or_owner",
"instance:extension:root:delete": "rule:admin_or_owner",
"instance:extension:root:index": "rule:admin_or_owner",
"instance:extension:user:create": "rule:admin_or_owner",
"instance:extension:user:delete": "rule:admin_or_owner",
"instance:extension:user:index": "rule:admin_or_owner",
"instance:extension:user:show": "rule:admin_or_owner",
"instance:extension:user:update": "rule:admin_or_owner",
"instance:extension:user:update_all": "rule:admin_or_owner",
"instance:extension:user_access:update": "rule:admin_or_owner",
"instance:extension:user_access:delete": "rule:admin_or_owner",
"instance:extension:user_access:index": "rule:admin_or_owner",
"instance:extension:database:create": "rule:admin_or_owner",
"instance:extension:database:delete": "rule:admin_or_owner",
"instance:extension:database:index": "rule:admin_or_owner",
"instance:extension:database:show": "rule:admin_or_owner",
"cluster:create": "rule:admin_or_owner",
"cluster:delete": "rule:admin_or_owner",
"cluster:force_delete": "rule:admin_or_owner",
"cluster:index": "rule:admin_or_owner",
"cluster:show": "rule:admin_or_owner",
"cluster:show_instance": "rule:admin_or_owner",
"cluster:action": "rule:admin_or_owner",
"cluster:reset-status": "rule:admin",
"cluster:extension:root:create": "rule:admin_or_owner",
"cluster:extension:root:delete": "rule:admin_or_owner",
"cluster:extension:root:index": "rule:admin_or_owner",
"backup:create": "rule:admin_or_owner",
"backup:delete": "rule:admin_or_owner",
"backup:index": "rule:admin_or_owner",
"backup:show": "rule:admin_or_owner",
"configuration:create": "rule:admin_or_owner",
"configuration:delete": "rule:admin_or_owner",
"configuration:index": "rule:admin_or_owner",
"configuration:show": "rule:admin_or_owner",
"configuration:instances": "rule:admin_or_owner",
"configuration:update": "rule:admin_or_owner",
"configuration:edit": "rule:admin_or_owner",
"configuration-parameter:index": "rule:admin_or_owner",
"configuration-parameter:show": "rule:admin_or_owner",
"configuration-parameter:index_by_version": "rule:admin_or_owner",
"configuration-parameter:show_by_version": "rule:admin_or_owner",
"datastore:index": "",
"datastore:show": "",
"datastore:version_show": "",
"datastore:version_show_by_uuid": "",
"datastore:version_index": "",
"datastore:list_associated_flavors": "",
"datastore:list_associated_volume_types": "",
"flavor:index": "",
"flavor:show": "",
"limits:index": "rule:admin_or_owner",
"module:create": "rule:admin_or_owner",
"module:delete": "rule:admin_or_owner",
"module:index": "rule:admin_or_owner",
"module:show": "rule:admin_or_owner",
"module:instances": "rule:admin_or_owner",
"module:update": "rule:admin_or_owner",
"module:reapply": "rule:admin_or_owner"
}


@ -0,0 +1,243 @@
# Must be an administrator.
#"admin": "role:admin or is_admin:True"
# Must be an administrator or owner of the object.
#"admin_or_owner": "rule:admin or tenant:%(tenant)s"
# Must be an administrator or owner of the object.
#"default": "rule:admin_or_owner"
#
#"instance:create": "rule:admin_or_owner"
#
#"instance:delete": "rule:admin_or_owner"
#
#"instance:force_delete": "rule:admin_or_owner"
#
#"instance:index": "rule:admin_or_owner"
#
#"instance:show": "rule:admin_or_owner"
#
#"instance:update": "rule:admin_or_owner"
#
#"instance:edit": "rule:admin_or_owner"
#
#"instance:restart": "rule:admin_or_owner"
#
#"instance:resize_volume": "rule:admin_or_owner"
#
#"instance:resize_flavor": "rule:admin_or_owner"
#
#"instance:reset_status": "rule:admin"
#
#"instance:promote_to_replica_source": "rule:admin_or_owner"
#
#"instance:eject_replica_source": "rule:admin_or_owner"
#
#"instance:configuration": "rule:admin_or_owner"
#
#"instance:guest_log_list": "rule:admin_or_owner"
#
#"instance:backups": "rule:admin_or_owner"
#
#"instance:module_list": "rule:admin_or_owner"
#
#"instance:module_apply": "rule:admin_or_owner"
#
#"instance:module_remove": "rule:admin_or_owner"
#
#"instance:extension:root:create": "rule:admin_or_owner"
#
#"instance:extension:root:delete": "rule:admin_or_owner"
#
#"instance:extension:root:index": "rule:admin_or_owner"
#
#"instance:extension:user:create": "rule:admin_or_owner"
#
#"instance:extension:user:delete": "rule:admin_or_owner"
#
#"instance:extension:user:index": "rule:admin_or_owner"
#
#"instance:extension:user:show": "rule:admin_or_owner"
#
#"instance:extension:user:update": "rule:admin_or_owner"
#
#"instance:extension:user:update_all": "rule:admin_or_owner"
#
#"instance:extension:user_access:update": "rule:admin_or_owner"
#
#"instance:extension:user_access:delete": "rule:admin_or_owner"
#
#"instance:extension:user_access:index": "rule:admin_or_owner"
#
#"instance:extension:database:create": "rule:admin_or_owner"
#
#"instance:extension:database:delete": "rule:admin_or_owner"
#
#"instance:extension:database:index": "rule:admin_or_owner"
#
#"instance:extension:database:show": "rule:admin_or_owner"
#
#"cluster:create": "rule:admin_or_owner"
#
#"cluster:delete": "rule:admin_or_owner"
#
#"cluster:force_delete": "rule:admin_or_owner"
#
#"cluster:index": "rule:admin_or_owner"
#
#"cluster:show": "rule:admin_or_owner"
#
#"cluster:show_instance": "rule:admin_or_owner"
#
#"cluster:action": "rule:admin_or_owner"
#
#"cluster:reset-status": "rule:admin"
#
#"cluster:extension:root:create": "rule:admin_or_owner"
#
#"cluster:extension:root:delete": "rule:admin_or_owner"
#
#"cluster:extension:root:index": "rule:admin_or_owner"
#
#"backup:create": "rule:admin_or_owner"
#
#"backup:delete": "rule:admin_or_owner"
#
#"backup:index": "rule:admin_or_owner"
#
#"backup:show": "rule:admin_or_owner"
#
#"configuration:create": "rule:admin_or_owner"
#
#"configuration:delete": "rule:admin_or_owner"
#
#"configuration:index": "rule:admin_or_owner"
#
#"configuration:show": "rule:admin_or_owner"
#
#"configuration:instances": "rule:admin_or_owner"
#
#"configuration:update": "rule:admin_or_owner"
#
#"configuration:edit": "rule:admin_or_owner"
#
#"configuration-parameter:index": "rule:admin_or_owner"
#
#"configuration-parameter:show": "rule:admin_or_owner"
#
#"configuration-parameter:index_by_version": "rule:admin_or_owner"
#
#"configuration-parameter:show_by_version": "rule:admin_or_owner"
#
#"datastore:index": ""
#
#"datastore:show": ""
#
#"datastore:version_show": ""
#
#"datastore:version_show_by_uuid": ""
#
#"datastore:version_index": ""
#
#"datastore:list_associated_flavors": ""
#
#"datastore:list_associated_volume_types": ""
#
#"flavor:index": ""
#
#"flavor:show": ""
#
#"limits:index": "rule:admin_or_owner"
#
#"module:create": "rule:admin_or_owner"
#
#"module:delete": "rule:admin_or_owner"
#
#"module:index": "rule:admin_or_owner"
#
#"module:show": "rule:admin_or_owner"
#
#"module:instances": "rule:admin_or_owner"
#
#"module:update": "rule:admin_or_owner"
#
#"module:reapply": "rule:admin_or_owner"
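Review bot: The `datastore:*` and `flavor:*` entries carry an empty check string and only a bare `#` as their description, so the sample does not tell an operator that these rules always pass. Nearly every other rule in the file has the same empty description line. A short description per rule would fix this, for example `# List datastores. An empty check string always passes.` above `#"datastore:index": ""`. If this file is produced by a sample generator, the text belongs in the rule definitions in code rather than in this file.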


@ -217,6 +217,7 @@ def get_enforcer():
_ENFORCER = policy.Enforcer(CONF) _ENFORCER = policy.Enforcer(CONF)
_ENFORCER.register_defaults(base_rules) _ENFORCER.register_defaults(base_rules)
_ENFORCER.register_defaults(instance_rules) _ENFORCER.register_defaults(instance_rules)
_ENFORCER.load_rules()
return _ENFORCER return _ENFORCER
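Review bot: With the JSON file deleted, the defaults registered here become the only built-in source of authorization rules, yet the visible lines register just `base_rules` and `instance_rules`, while the sample policy file in this commit also lists `cluster:`, `backup:`, `configuration:`, `datastore:`, `flavor:`, `limits:` and `module:` rules. Please confirm that those rules are contained in one of the two lists, whose definitions are outside the hunk; a rule without a registered default would no longer be evaluated against the check string the old file gave it. The added call would also benefit from a comment such as `# Load the operator's policy file, if any, on top of the registered defaults.` The body of get_enforcer() starts outside the hunk.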