From 4b46db7148b88239425d7567bfef2421a8e692c7 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Mon, 2 Oct 2017 19:03:54 +0000 Subject: [PATCH] Implement basic policy module in code This change prepares the zun project to start implementing policies in code. Subsequent patches will register more zun policies in code and remove the corresponding entry from the policy file maintained in source. This is part of a community effort to provide better user experience for those having to maintain RBAC policy. More information on this effort can be found below: https://governance.openstack.org/tc/goals/queens/policy-in-code.html bp policy-and-docs-in-code Change-Id: I4b0cf1203f7d7ddda240106bd39ef35bce604810
---
 .gitignore | 3 +++ etc/zun/policy.json | 3 --- etc/zun/zun-policy-generator.conf | 3 +++ setup.cfg | 3 +++ tox.ini | 4 ++++ zun/common/policies/__init__.py | 21 ++++++++++++++++++ zun/common/policies/base.py | 36 +++++++++++++++++++++++++++++++ zun/common/policy.py | 6 ++++++ zun/tests/fake_policy.py | 3 --- 9 files changed, 76 insertions(+), 6 deletions(-) create mode 100644 etc/zun/zun-policy-generator.conf create mode 100644 zun/common/policies/__init__.py create mode 100644 zun/common/policies/base.py
diff --git a/.gitignore b/.gitignore
index e15fa534d..16aaa1a63 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,5 +61,8 @@ releasenotes/build
 # generated config file
 etc/zun/zun.conf.sample
+# generated policy file
+etc/zun/policy.yaml.sample
+
 # etcd config file
 devstack/etcd.override
diff --git a/etc/zun/policy.json b/etc/zun/policy.json
index 7637b196a..453ea93d9 100644
--- a/etc/zun/policy.json
+++ b/etc/zun/policy.json
@@ -1,8 +1,5 @@
 {
- "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
 "default": "rule:admin_or_owner",
- "admin_api": "rule:context_is_admin",
 "container:create": "rule:default",
 "container:delete": "rule:default",
diff --git a/etc/zun/zun-policy-generator.conf b/etc/zun/zun-policy-generator.conf
new file mode 100644
index 000000000..9ea1bb009
--- /dev/null
+++ b/etc/zun/zun-policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/zun/policy.yaml.sample
+namespace = zun
diff --git a/setup.cfg b/setup.cfg
index 51e675e8c..aeb21efe6 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -65,6 +65,9 @@ oslo.config.opts =
 oslo.config.opts.defaults =
 zun = zun.common.config:set_cors_middleware_defaults
+oslo.policy.policies =
+ zun = zun.common.policies:list_rules
+
 zun.database.migration_backend =
 sqlalchemy = zun.db.sqlalchemy.migration
diff --git a/tox.ini b/tox.ini
index 4e7abe81f..2ffcc1b28 100644
--- a/tox.ini
+++ b/tox.ini
@@ -88,6 +88,10 @@ envdir = {toxworkdir}/venv
 commands =
 oslo-config-generator --config-file etc/zun/zun-config-generator.conf
+[testenv:genpolicy]
+commands =
+    oslopolicy-sample-generator --config-file etc/zun/zun-policy-generator.conf
+
 [testenv:api-ref]
 commands =
 rm -rf api-ref/build
diff --git a/zun/common/policies/__init__.py b/zun/common/policies/__init__.py
new file mode 100644
index 000000000..07725382a
--- /dev/null
+++ b/zun/common/policies/__init__.py
@@ -0,0 +1,21 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from zun.common.policies import base
+
+
+def list_rules():
+    return itertools.chain(
+        base.list_rules()
+    )
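Review bot: `list_rules` in the new zun/common/policies/__init__.py has no docstring, although it is the function both the `oslo.policy.policies` entry point in setup.cfg and `register_rules` in zun/common/policy.py consume, so its contract deserves stating: `"""Return every policy default zun defines in code, as an iterable of oslo.policy RuleDefault objects."""`. The single-element `itertools.chain(...)` only makes sense as the hook where later policy modules get added, which the commit message promises; a one-line `# append each new policy module's list_rules() here` above the call would make that intent visible without reading the history. Because `chain` is a one-shot iterator, a caller that walks the result twice gets nothing the second time; the docstring should say that callers needing multiple passes must materialise it themselves.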
diff --git a/zun/common/policies/base.py b/zun/common/policies/base.py
new file mode 100644
index 000000000..e4d55e0d2
--- /dev/null
+++ b/zun/common/policies/base.py
@@ -0,0 +1,36 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+ROLE_ADMIN = 'role:admin'
+RULE_ADMIN_OR_OWNER = 'is_admin:True or project_id:%(project_id)s'
+RULE_ADMIN_API = 'rule:context_is_admin'
+
+rules = [
+    policy.RuleDefault(
+        name='context_is_admin',
+        check_str=ROLE_ADMIN
+    ),
+    policy.RuleDefault(
+        name='admin_or_owner',
+        check_str=RULE_ADMIN_OR_OWNER
+    ),
+    policy.RuleDefault(
+        name='admin_api',
+        check_str=RULE_ADMIN_API
+    )
+]
+
+
+def list_rules():
+    return rules
diff --git a/zun/common/policy.py b/zun/common/policy.py
index 7f3a75200..3e54bf600 100644
--- a/zun/common/policy.py
+++ b/zun/common/policy.py
@@ -20,6 +20,7 @@ from oslo_policy import policy
 from oslo_utils import excutils
 from zun.common import exception
+from zun.common import policies
 import zun.conf
 _ENFORCER = None
@@ -58,9 +59,14 @@ def init(policy_file=None, rules=None,
 default_rule=default_rule, use_conf=use_conf, overwrite=overwrite)
+ register_rules(_ENFORCER)
 return _ENFORCER
+def register_rules(enforcer):
+ enforcer.register_defaults(policies.list_rules())
+
+
 def enforce(context, rule=None, target=None, do_raise=True, exc=None, *args, **kwargs):
diff --git a/zun/tests/fake_policy.py b/zun/tests/fake_policy.py
index bbcfde70b..43e957a96 100644
--- a/zun/tests/fake_policy.py
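Review bot: none of the three `policy.RuleDefault(...)` entries in base.py carries a `description=`, so the policy.yaml.sample that the new `genpolicy` tox env generates will list the check strings with nothing explaining what each rule gates; the sample generator renders that field as the comment above each rule, so one line per entry such as `description='Rule that decides who is treated as a cloud administrator.'` on `context_is_admin` is the cheapest way to give operators a readable file. `list_rules` also hands back the module-level `rules` list itself, so any caller that appends to or sorts the result rewrites zun's defaults for every later caller; `return list(rules)` keeps the module's copy authoritative. A short module docstring noting that these are the base rules other policies are meant to reference by `rule:` (as `RULE_ADMIN_API` already does with `context_is_admin`) would help the subsequent patches the commit message announces.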
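Review bot: `register_rules(_ENFORCER)` is placed immediately before `return _ENFORCER` in `init`, whose beginning lies outside the hunk, so it is not visible whether the call sits inside the branch that constructs a fresh enforcer or runs on every `init()` invocation; if it is the latter and `_ENFORCER` is reused across calls, the second call re-registers `context_is_admin`, `admin_or_owner` and `admin_api`, which oslo.policy's `register_defaults` rejects with `DuplicatePolicyError`. Keeping the call in the same branch that assigns `_ENFORCER` avoids that, and is worth confirming against the unchanged lines above the hunk. `register_rules` itself should get a docstring, e.g. `"""Register zun's in-code policy defaults (zun.common.policies.list_rules) with *enforcer*."""`. Since fake_policy.py drops the same three rules from the test fixture, every test that builds an enforcer now depends on this registration having run before the first `enforce` call.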
+++ b/zun/tests/fake_policy.py
@@ -15,10 +15,7 @@ policy_data = """
 {
- "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
 "default": "rule:admin_or_owner",
- "admin_api": "rule:context_is_admin",
 "container:create": "",
 "container:delete": "",