Implement basic policy module in code

This change prepares the zun project to start implementing policies
in code. Subsequent patches will register more zun policies in code
and remove the corresponding entry from the policy file maintained in
source.

This is part of a community effort to provide better user experience
for those having to maintain RBAC policy. More information on this
effort can be found below:

  https://governance.openstack.org/tc/goals/queens/policy-in-code.html

bp policy-and-docs-in-code

Change-Id: I4b0cf1203f7d7ddda240106bd39ef35bce604810

.gitignore

@@ -61,5 +61,8 @@ releasenotes/build
 # generated config file
 etc/zun/zun.conf.sample
 
+# generated policy file
+etc/zun/policy.yaml.sample
+
 # etcd config file
 devstack/etcd.override

etc/zun/policy.json

@@ -1,8 +1,5 @@
 {
-    "context_is_admin":  "role:admin",
-    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
     "default": "rule:admin_or_owner",
-    "admin_api": "rule:context_is_admin",
 
     "container:create": "rule:default",
     "container:delete": "rule:default",

etc/zun/zun-policy-generator.conf

@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/zun/policy.yaml.sample
+namespace = zun

setup.cfg

@@ -65,6 +65,9 @@ oslo.config.opts =
 oslo.config.opts.defaults =
     zun = zun.common.config:set_cors_middleware_defaults
 
+oslo.policy.policies =
+    zun = zun.common.policies:list_rules
+
 zun.database.migration_backend =
     sqlalchemy = zun.db.sqlalchemy.migration
 

tox.ini

@@ -88,6 +88,10 @@ envdir = {toxworkdir}/venv
 commands =
     oslo-config-generator --config-file etc/zun/zun-config-generator.conf
 
+[testenv:genpolicy]
+commands =
+    oslopolicy-sample-generator --config-file etc/zun/zun-policy-generator.conf
+
 [testenv:api-ref]
 commands =
   rm -rf api-ref/build

zun/common/policies/__init__.py

@@ -0,0 +1,21 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from zun.common.policies import base
+
+
+def list_rules():
+    return itertools.chain(
+        base.list_rules()
+    )

zun/common/policies/base.py

@@ -0,0 +1,36 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+ROLE_ADMIN = 'role:admin'
+RULE_ADMIN_OR_OWNER = 'is_admin:True or project_id:%(project_id)s'
+RULE_ADMIN_API = 'rule:context_is_admin'
+
+rules = [
+    policy.RuleDefault(
+        name='context_is_admin',
+        check_str=ROLE_ADMIN
+    ),
+    policy.RuleDefault(
+        name='admin_or_owner',
+        check_str=RULE_ADMIN_OR_OWNER
+    ),
+    policy.RuleDefault(
+        name='admin_api',
+        check_str=RULE_ADMIN_API
+    )
+]
+
+
+def list_rules():
+    return rules

zun/common/policy.py

@@ -20,6 +20,7 @@ from oslo_policy import policy
 from oslo_utils import excutils
 
 from zun.common import exception
+from zun.common import policies
 import zun.conf
 
 _ENFORCER = None
@@ -58,9 +59,14 @@ def init(policy_file=None, rules=None,
                                     default_rule=default_rule,
                                     use_conf=use_conf,
                                     overwrite=overwrite)
+        register_rules(_ENFORCER)
     return _ENFORCER
 
 
+def register_rules(enforcer):
+    enforcer.register_defaults(policies.list_rules())
+
+
 def enforce(context, rule=None, target=None,
             do_raise=True, exc=None, *args, **kwargs):
 

zun/tests/fake_policy.py

@@ -15,10 +15,7 @@
 
 policy_data = """
 {
-    "context_is_admin":  "role:admin",
-    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
     "default": "rule:admin_or_owner",
-    "admin_api": "rule:context_is_admin",
 
     "container:create": "",
     "container:delete": "",