Merge "Register default policies in code"
This commit is contained in:
commit
aa2b213a45
@ -42,7 +42,7 @@ WATCHER_AUTH_CACHE_DIR=${WATCHER_AUTH_CACHE_DIR:-/var/cache/watcher}
|
|||||||
|
|
||||||
WATCHER_CONF_DIR=/etc/watcher
|
WATCHER_CONF_DIR=/etc/watcher
|
||||||
WATCHER_CONF=$WATCHER_CONF_DIR/watcher.conf
|
WATCHER_CONF=$WATCHER_CONF_DIR/watcher.conf
|
||||||
WATCHER_POLICY_JSON=$WATCHER_CONF_DIR/policy.json
|
WATCHER_POLICY_YAML=$WATCHER_CONF_DIR/policy.yaml.sample
|
||||||
|
|
||||||
WATCHER_DEVSTACK_DIR=$WATCHER_DIR/devstack
|
WATCHER_DEVSTACK_DIR=$WATCHER_DIR/devstack
|
||||||
WATCHER_DEVSTACK_FILES_DIR=$WATCHER_DEVSTACK_DIR/files
|
WATCHER_DEVSTACK_FILES_DIR=$WATCHER_DEVSTACK_DIR/files
|
||||||
@ -106,7 +106,25 @@ function configure_watcher {
|
|||||||
# Put config files in ``/etc/watcher`` for everyone to find
|
# Put config files in ``/etc/watcher`` for everyone to find
|
||||||
sudo install -d -o $STACK_USER $WATCHER_CONF_DIR
|
sudo install -d -o $STACK_USER $WATCHER_CONF_DIR
|
||||||
|
|
||||||
install_default_policy watcher
|
local project=watcher
|
||||||
|
local project_uc
|
||||||
|
project_uc=$(echo watcher|tr a-z A-Z)
|
||||||
|
local conf_dir="${project_uc}_CONF_DIR"
|
||||||
|
# eval conf dir to get the variable
|
||||||
|
conf_dir="${!conf_dir}"
|
||||||
|
local project_dir="${project_uc}_DIR"
|
||||||
|
# eval project dir to get the variable
|
||||||
|
project_dir="${!project_dir}"
|
||||||
|
local sample_conf_dir="${project_dir}/etc/${project}"
|
||||||
|
local sample_policy_dir="${project_dir}/etc/${project}/policy.d"
|
||||||
|
local sample_policy_generator="${project_dir}/etc/${project}/oslo-policy-generator/watcher-policy-generator.conf"
|
||||||
|
|
||||||
|
# first generate policy.yaml
|
||||||
|
oslopolicy-sample-generator --config-file $sample_policy_generator
|
||||||
|
# then optionally copy over policy.d
|
||||||
|
if [[ -d $sample_policy_dir ]]; then
|
||||||
|
cp -r $sample_policy_dir $conf_dir/policy.d
|
||||||
|
fi
|
||||||
|
|
||||||
# Rebuild the config file from scratch
|
# Rebuild the config file from scratch
|
||||||
create_watcher_conf
|
create_watcher_conf
|
||||||
@ -163,7 +181,7 @@ function create_watcher_conf {
|
|||||||
iniset $WATCHER_CONF api host "$WATCHER_SERVICE_HOST"
|
iniset $WATCHER_CONF api host "$WATCHER_SERVICE_HOST"
|
||||||
iniset $WATCHER_CONF api port "$WATCHER_SERVICE_PORT"
|
iniset $WATCHER_CONF api port "$WATCHER_SERVICE_PORT"
|
||||||
|
|
||||||
iniset $WATCHER_CONF oslo_policy policy_file $WATCHER_POLICY_JSON
|
iniset $WATCHER_CONF oslo_policy policy_file $WATCHER_POLICY_YAML
|
||||||
|
|
||||||
iniset $WATCHER_CONF oslo_messaging_rabbit rabbit_userid $RABBIT_USERID
|
iniset $WATCHER_CONF oslo_messaging_rabbit rabbit_userid $RABBIT_USERID
|
||||||
iniset $WATCHER_CONF oslo_messaging_rabbit rabbit_password $RABBIT_PASSWORD
|
iniset $WATCHER_CONF oslo_messaging_rabbit rabbit_password $RABBIT_PASSWORD
|
||||||
|
@ -0,0 +1,3 @@
|
|||||||
|
[DEFAULT]
|
||||||
|
output_file = /etc/watcher/policy.yaml.sample
|
||||||
|
namespace = watcher
|
@ -1,45 +0,0 @@
|
|||||||
{
|
|
||||||
"admin_api": "role:admin or role:administrator",
|
|
||||||
"show_password": "!",
|
|
||||||
"default": "rule:admin_api",
|
|
||||||
|
|
||||||
"action:detail": "rule:default",
|
|
||||||
"action:get": "rule:default",
|
|
||||||
"action:get_all": "rule:default",
|
|
||||||
|
|
||||||
"action_plan:delete": "rule:default",
|
|
||||||
"action_plan:detail": "rule:default",
|
|
||||||
"action_plan:get": "rule:default",
|
|
||||||
"action_plan:get_all": "rule:default",
|
|
||||||
"action_plan:update": "rule:default",
|
|
||||||
|
|
||||||
"audit:create": "rule:default",
|
|
||||||
"audit:delete": "rule:default",
|
|
||||||
"audit:detail": "rule:default",
|
|
||||||
"audit:get": "rule:default",
|
|
||||||
"audit:get_all": "rule:default",
|
|
||||||
"audit:update": "rule:default",
|
|
||||||
|
|
||||||
"audit_template:create": "rule:default",
|
|
||||||
"audit_template:delete": "rule:default",
|
|
||||||
"audit_template:detail": "rule:default",
|
|
||||||
"audit_template:get": "rule:default",
|
|
||||||
"audit_template:get_all": "rule:default",
|
|
||||||
"audit_template:update": "rule:default",
|
|
||||||
|
|
||||||
"goal:detail": "rule:default",
|
|
||||||
"goal:get": "rule:default",
|
|
||||||
"goal:get_all": "rule:default",
|
|
||||||
|
|
||||||
"scoring_engine:detail": "rule:default",
|
|
||||||
"scoring_engine:get": "rule:default",
|
|
||||||
"scoring_engine:get_all": "rule:default",
|
|
||||||
|
|
||||||
"strategy:detail": "rule:default",
|
|
||||||
"strategy:get": "rule:default",
|
|
||||||
"strategy:get_all": "rule:default",
|
|
||||||
|
|
||||||
"service:detail": "rule:default",
|
|
||||||
"service:get": "rule:default",
|
|
||||||
"service:get_all": "rule:default"
|
|
||||||
}
|
|
@ -32,6 +32,12 @@ setup-hooks =
|
|||||||
oslo.config.opts =
|
oslo.config.opts =
|
||||||
watcher = watcher.conf.opts:list_opts
|
watcher = watcher.conf.opts:list_opts
|
||||||
|
|
||||||
|
oslo.policy.policies =
|
||||||
|
watcher = watcher.common.policies:list_rules
|
||||||
|
|
||||||
|
oslo.policy.enforcer =
|
||||||
|
watcher = watcher.common.policy:get_enforcer
|
||||||
|
|
||||||
console_scripts =
|
console_scripts =
|
||||||
watcher-api = watcher.cmd.api:main
|
watcher-api = watcher.cmd.api:main
|
||||||
watcher-db-manage = watcher.cmd.dbmanage:main
|
watcher-db-manage = watcher.cmd.dbmanage:main
|
||||||
|
4
tox.ini
4
tox.ini
@ -46,6 +46,10 @@ sitepackages = False
|
|||||||
commands =
|
commands =
|
||||||
oslo-config-generator --config-file etc/watcher/oslo-config-generator/watcher.conf
|
oslo-config-generator --config-file etc/watcher/oslo-config-generator/watcher.conf
|
||||||
|
|
||||||
|
[testenv:genpolicy]
|
||||||
|
commands =
|
||||||
|
oslopolicy-sample-generator --config-file etc/watcher/oslo-policy-generator/watcher-policy-generator.conf
|
||||||
|
|
||||||
[flake8]
|
[flake8]
|
||||||
filename = *.py,app.wsgi
|
filename = *.py,app.wsgi
|
||||||
show-source=True
|
show-source=True
|
||||||
|
37
watcher/common/policies/__init__.py
Normal file
37
watcher/common/policies/__init__.py
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
import itertools
|
||||||
|
|
||||||
|
from watcher.common.policies import action
|
||||||
|
from watcher.common.policies import action_plan
|
||||||
|
from watcher.common.policies import audit
|
||||||
|
from watcher.common.policies import audit_template
|
||||||
|
from watcher.common.policies import base
|
||||||
|
from watcher.common.policies import goal
|
||||||
|
from watcher.common.policies import scoring_engine
|
||||||
|
from watcher.common.policies import service
|
||||||
|
from watcher.common.policies import strategy
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return itertools.chain(
|
||||||
|
base.list_rules(),
|
||||||
|
action.list_rules(),
|
||||||
|
action_plan.list_rules(),
|
||||||
|
audit.list_rules(),
|
||||||
|
audit_template.list_rules(),
|
||||||
|
goal.list_rules(),
|
||||||
|
scoring_engine.list_rules(),
|
||||||
|
service.list_rules(),
|
||||||
|
strategy.list_rules(),
|
||||||
|
)
|
57
watcher/common/policies/action.py
Normal file
57
watcher/common/policies/action.py
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from watcher.common.policies import base
|
||||||
|
|
||||||
|
ACTION = 'action:%s'
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=ACTION % 'detail',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Retrieve a list of actions with detail.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/actions/detail',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=ACTION % 'get',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Retrieve information about a given action.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/actions/{action_id}',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=ACTION % 'get_all',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Retrieve a list of all actions.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/actions',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return rules
|
79
watcher/common/policies/action_plan.py
Normal file
79
watcher/common/policies/action_plan.py
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from watcher.common.policies import base
|
||||||
|
|
||||||
|
ACTION_PLAN = 'action_plan:%s'
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=ACTION_PLAN % 'delete',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Delete an action plan.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/action_plans/{action_plan_uuid}',
|
||||||
|
'method': 'DELETE'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=ACTION_PLAN % 'detail',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Retrieve a list of action plans with detail.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/action_plans/detail',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=ACTION_PLAN % 'get',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Get an action plan.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/action_plans/{action_plan_id}',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=ACTION_PLAN % 'get_all',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Get all action plans.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/action_plans',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=ACTION_PLAN % 'update',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Update an action plans.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/action_plans/{action_plan_uuid}',
|
||||||
|
'method': 'PATCH'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return rules
|
90
watcher/common/policies/audit.py
Normal file
90
watcher/common/policies/audit.py
Normal file
@ -0,0 +1,90 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from watcher.common.policies import base
|
||||||
|
|
||||||
|
AUDIT = 'audit:%s'
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=AUDIT % 'create',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Create a new audit.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/audits',
|
||||||
|
'method': 'POST'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=AUDIT % 'delete',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Delete an audit.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/audits/{audit_uuid}',
|
||||||
|
'method': 'DELETE'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=AUDIT % 'detail',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Retrieve audit list with details.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/audits/detail',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=AUDIT % 'get',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Get an audit.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/audits/{audit_uuid}',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=AUDIT % 'get_all',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Get all audits.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/audits',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=AUDIT % 'update',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Update an audit.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/audits/{audit_uuid}',
|
||||||
|
'method': 'PATCH'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return rules
|
90
watcher/common/policies/audit_template.py
Normal file
90
watcher/common/policies/audit_template.py
Normal file
@ -0,0 +1,90 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from watcher.common.policies import base
|
||||||
|
|
||||||
|
AUDIT_TEMPLATE = 'audit_template:%s'
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=AUDIT_TEMPLATE % 'create',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Create an audit template.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/audit_templates',
|
||||||
|
'method': 'POST'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=AUDIT_TEMPLATE % 'delete',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Delete an audit template.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/audit_templates/{audit_template_uuid}',
|
||||||
|
'method': 'DELETE'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=AUDIT_TEMPLATE % 'detail',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Retrieve a list of audit templates with details.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/audit_templates/detail',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=AUDIT_TEMPLATE % 'get',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Get an audit template.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/audit_templates/{audit_template_uuid}',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=AUDIT_TEMPLATE % 'get_all',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Get a list of all audit templates.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/audit_templates',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=AUDIT_TEMPLATE % 'update',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Update an audit template.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/audit_templates/{audit_template_uuid}',
|
||||||
|
'method': 'PATCH'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return rules
|
32
watcher/common/policies/base.py
Normal file
32
watcher/common/policies/base.py
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
RULE_ADMIN_API = 'rule:admin_api'
|
||||||
|
ROLE_ADMIN_OR_ADMINISTRATOR = 'role:admin or role:administrator'
|
||||||
|
ALWAYS_DENY = '!'
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
policy.RuleDefault(
|
||||||
|
name='admin_api',
|
||||||
|
check_str=ROLE_ADMIN_OR_ADMINISTRATOR
|
||||||
|
),
|
||||||
|
policy.RuleDefault(
|
||||||
|
name='show_password',
|
||||||
|
check_str=ALWAYS_DENY
|
||||||
|
)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return rules
|
57
watcher/common/policies/goal.py
Normal file
57
watcher/common/policies/goal.py
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from watcher.common.policies import base
|
||||||
|
|
||||||
|
GOAL = 'goal:%s'
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=GOAL % 'detail',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Retrieve a list of goals with detail.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/goals/detail',
|
||||||
|
'method': 'DELETE'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=GOAL % 'get',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Get a goal.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/goals/{goal_uuid}',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=GOAL % 'get_all',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Get all goals.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/goals',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return rules
|
66
watcher/common/policies/scoring_engine.py
Normal file
66
watcher/common/policies/scoring_engine.py
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from watcher.common.policies import base
|
||||||
|
|
||||||
|
SCORING_ENGINE = 'scoring_engine:%s'
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
# FIXME(lbragstad): Find someone from watcher to double check this
|
||||||
|
# information. This API isn't listed in watcher's API reference
|
||||||
|
# documentation.
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=SCORING_ENGINE % 'detail',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='List scoring engines with details.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/scoring_engines/detail',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
# FIXME(lbragstad): Find someone from watcher to double check this
|
||||||
|
# information. This API isn't listed in watcher's API reference
|
||||||
|
# documentation.
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=SCORING_ENGINE % 'get',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Get a scoring engine.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/scoring_engines/{scoring_engine_id}',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
# FIXME(lbragstad): Find someone from watcher to double check this
|
||||||
|
# information. This API isn't listed in watcher's API reference
|
||||||
|
# documentation.
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=SCORING_ENGINE % 'get_all',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Get all scoring engines.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/scoring_engines',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return rules
|
57
watcher/common/policies/service.py
Normal file
57
watcher/common/policies/service.py
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from watcher.common.policies import base
|
||||||
|
|
||||||
|
SERVICE = 'service:%s'
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=SERVICE % 'detail',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='List services with detail.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/services/',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=SERVICE % 'get',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Get a specific service.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/services/{service_id}',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=SERVICE % 'get_all',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='List all services.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/services/',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return rules
|
57
watcher/common/policies/strategy.py
Normal file
57
watcher/common/policies/strategy.py
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from watcher.common.policies import base
|
||||||
|
|
||||||
|
STRATEGY = 'strategy:%s'
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=STRATEGY % 'detail',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='List strategies with detail.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/strategies/detail',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=STRATEGY % 'get',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='Get a strategy.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/strategies/{strategy_uuid}',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=STRATEGY % 'get_all',
|
||||||
|
check_str=base.RULE_ADMIN_API,
|
||||||
|
description='List all strategies.',
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'path': '/v1/strategies',
|
||||||
|
'method': 'GET'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
)
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def list_rules():
|
||||||
|
return rules
|
@ -15,11 +15,13 @@
|
|||||||
|
|
||||||
"""Policy Engine For Watcher."""
|
"""Policy Engine For Watcher."""
|
||||||
|
|
||||||
|
import sys
|
||||||
|
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
|
|
||||||
from watcher.common import exception
|
from watcher.common import exception
|
||||||
|
from watcher.common import policies
|
||||||
|
|
||||||
_ENFORCER = None
|
_ENFORCER = None
|
||||||
CONF = cfg.CONF
|
CONF = cfg.CONF
|
||||||
@ -56,6 +58,7 @@ def init(policy_file=None, rules=None,
|
|||||||
default_rule=default_rule,
|
default_rule=default_rule,
|
||||||
use_conf=use_conf,
|
use_conf=use_conf,
|
||||||
overwrite=overwrite)
|
overwrite=overwrite)
|
||||||
|
_ENFORCER.register_defaults(policies.list_rules())
|
||||||
return _ENFORCER
|
return _ENFORCER
|
||||||
|
|
||||||
|
|
||||||
@ -92,3 +95,23 @@ def enforce(context, rule=None, target=None,
|
|||||||
'user_id': context.user_id}
|
'user_id': context.user_id}
|
||||||
return enforcer.enforce(rule, target, credentials,
|
return enforcer.enforce(rule, target, credentials,
|
||||||
do_raise=do_raise, exc=exc, *args, **kwargs)
|
do_raise=do_raise, exc=exc, *args, **kwargs)
|
||||||
|
|
||||||
|
|
||||||
|
def get_enforcer():
|
||||||
|
# This method is for use by oslopolicy CLI scripts. Those scripts need the
|
||||||
|
# 'output-file' and 'namespace' options, but having those in sys.argv means
|
||||||
|
# loading the Watcher config options will fail as those are not expected
|
||||||
|
# to be present. So we pass in an arg list with those stripped out.
|
||||||
|
conf_args = []
|
||||||
|
# Start at 1 because cfg.CONF expects the equivalent of sys.argv[1:]
|
||||||
|
i = 1
|
||||||
|
while i < len(sys.argv):
|
||||||
|
if sys.argv[i].strip('-') in ['namespace', 'output-file']:
|
||||||
|
i += 2
|
||||||
|
continue
|
||||||
|
conf_args.append(sys.argv[i])
|
||||||
|
i += 1
|
||||||
|
|
||||||
|
cfg.CONF(conf_args, project='watcher')
|
||||||
|
init()
|
||||||
|
return _ENFORCER
|
||||||
|
Loading…
x
Reference in New Issue
Block a user