Implement basic policy module in code

This change prepares the zun project to start implementing policies
in code. Subsequent patches will register more zun policies in code
and remove the corresponding entry from the policy file maintained in
source.

This is part of a community effort to provide better user experience
for those having to maintain RBAC policy. More information on this
effort can be found below:

  https://governance.openstack.org/tc/goals/queens/policy-in-code.html

bp policy-and-docs-in-code

Change-Id: I4b0cf1203f7d7ddda240106bd39ef35bce604810
This commit is contained in:
Lance Bragstad 2017-10-02 19:03:54 +00:00
parent d4ac683a6b
commit 4b46db7148
9 changed files with 76 additions and 6 deletions

3
.gitignore vendored

@ -61,5 +61,8 @@ releasenotes/build
# generated config file
etc/zun/zun.conf.sample
# generated policy file
etc/zun/policy.yaml.sample
# etcd config file
devstack/etcd.override


@ -1,8 +1,5 @@
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "rule:context_is_admin",
"container:create": "rule:default",
"container:delete": "rule:default",


@ -0,0 +1,3 @@
[DEFAULT]
output_file = etc/zun/policy.yaml.sample
namespace = zun


@ -65,6 +65,9 @@ oslo.config.opts =
oslo.config.opts.defaults =
zun = zun.common.config:set_cors_middleware_defaults
oslo.policy.policies =
zun = zun.common.policies:list_rules
zun.database.migration_backend =
sqlalchemy = zun.db.sqlalchemy.migration


@ -88,6 +88,10 @@ envdir = {toxworkdir}/venv
commands =
oslo-config-generator --config-file etc/zun/zun-config-generator.conf
[testenv:genpolicy]
commands =
oslopolicy-sample-generator --config-file etc/zun/zun-policy-generator.conf
[testenv:api-ref]
commands =
rm -rf api-ref/build


@ -0,0 +1,21 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import itertools
from zun.common.policies import base
def list_rules():
return itertools.chain(
base.list_rules()
)


@ -0,0 +1,36 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
ROLE_ADMIN = 'role:admin'
RULE_ADMIN_OR_OWNER = 'is_admin:True or project_id:%(project_id)s'
RULE_ADMIN_API = 'rule:context_is_admin'
rules = [
policy.RuleDefault(
name='context_is_admin',
check_str=ROLE_ADMIN
),
policy.RuleDefault(
name='admin_or_owner',
check_str=RULE_ADMIN_OR_OWNER
),
policy.RuleDefault(
name='admin_api',
check_str=RULE_ADMIN_API
)
]
def list_rules():
return rules
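Review bot: Each `RuleDefault` is created without a `description`, so the generated `policy.yaml.sample` (and any policy docs built from it) will list `context_is_admin`, `admin_or_owner` and `admin_api` with no explanation of who they grant access to, which undercuts the documentation half of the blueprint; add one-liners such as `description='Decides what is required for the "is_admin:True" check to succeed.'` on `context_is_admin` and similar on the other two. `list_rules` also hands back the module-level `rules` list itself rather than a copy, so a caller that mutates the result alters the defaults every later caller registers; `return list(rules)` avoids that. The policy file shown in this commit still carries a `default` rule (`rule:admin_or_owner`) that the `container:*` entries reference, and it is not registered here — presumably deferred to the follow-up patches the message mentions, but a comment saying so would stop someone from dropping the file entry first.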


@ -20,6 +20,7 @@ from oslo_policy import policy
from oslo_utils import excutils
from zun.common import exception
from zun.common import policies
import zun.conf
_ENFORCER = None
@ -58,9 +59,14 @@ def init(policy_file=None, rules=None,
default_rule=default_rule,
use_conf=use_conf,
overwrite=overwrite)
register_rules(_ENFORCER)
return _ENFORCER
def register_rules(enforcer):
enforcer.register_defaults(policies.list_rules())
def enforce(context, rule=None, target=None,
do_raise=True, exc=None, *args, **kwargs):
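Review bot: `register_rules` calls `enforcer.register_defaults`, which in oslo.policy raises `DuplicatePolicyError` when a rule name is registered on the same enforcer a second time, so the new `register_rules(_ENFORCER)` call in `init()` is only safe if it runs solely on the path that creates the enforcer; the guard, if there is one, sits above this hunk, so please confirm it rather than rely on it. A one-line docstring would make that requirement visible: `"""Register the in-code policy defaults on *enforcer*; call once per Enforcer."""`. The enclosing `init()` starts outside the hunk.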


@ -15,10 +15,7 @@
policy_data = """
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "rule:context_is_admin",
"container:create": "",
"container:delete": "",