Merge "Register default image policies in code"

2017-10-10 03:14:44 +00:00 · 2017-10-10 03:14:44 +00:00 · 60d94546a5
commit 60d94546a5
parent c949ac65a8 1f2ef6693f
3 changed files with 69 additions and 6 deletions
--- a/etc/zun/policy.json
+++ b/etc/zun/policy.json
@ -1,11 +1,6 @@
 {
    "default": "rule:admin_or_owner",

-    "image:pull": "rule:default",
-    "image:get_all": "rule:default",
-    "image:search": "rule:default",
-
-
    "zun-service:delete": "rule:admin_api",
    "zun-service:disable": "rule:admin_api",
    "zun-service:enable": "rule:admin_api",
--- a/zun/common/policies/init.py
+++ b/zun/common/policies/init.py
@ -14,10 +14,12 @@ import itertools

 from zun.common.policies import base
 from zun.common.policies import container
+from zun.common.policies import image


 def list_rules():
    return itertools.chain(
        base.list_rules(),
-        container.list_rules()
+        container.list_rules(),
+        image.list_rules()
    )
--- a/zun/common/policies/image.py
+++ b/zun/common/policies/image.py
@ -0,0 +1,66 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from zun.common.policies import base
+
+IMAGE = 'image:%s'
+
+rules = [
+    # FIXME(lbragstad): This API call isn't actually listed in zun's API
+    # reference:
+    # https://developer.openstack.org/api-ref/application-container/
+    policy.DocumentedRuleDefault(
+        name=IMAGE % 'pull',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Pull an image.',
+        operations=[
+            {
+                'path': '/v1/images',
+                'method': 'POST'
+            }
+        ]
+    ),
+    # FIXME(lbragstad): This API call isn't actually listed in zun's API
+    # reference:
+    # https://developer.openstack.org/api-ref/application-container/
+    policy.DocumentedRuleDefault(
+        name=IMAGE % 'get_all',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Print a list of available images.',
+        operations=[
+            {
+                'path': '/v1/images',
+                'method': 'GET'
+            }
+        ]
+    ),
+    # FIXME(lbragstad): This API call isn't actually listed in zun's API
+    # reference:
+    # https://developer.openstack.org/api-ref/application-container/
+    policy.DocumentedRuleDefault(
+        name=IMAGE % 'search',
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description='Search an image.',
+        operations=[
+            {
+                'path': '/v1/images/{image_ident}/search',
+                'method': 'GET'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules