From 1f2ef6693f1da2e7abd5a626c80ff653d2542383 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Mon, 2 Oct 2017 19:48:47 +0000 Subject: [PATCH] Register default image policies in code This commit uses the existing policy-in-code module to move all default policies for images into code. This commit also adds helpful documetation about each API those policies protect, which will be generated in sample policy files. bp policy-and-docs-in-code Change-Id: I019d6b6c975f796b4384e4d5b27a28b6da8478f4 --- etc/zun/policy.json | 5 --- zun/common/policies/__init__.py | 4 +- zun/common/policies/image.py | 66 +++++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+), 6 deletions(-) create mode 100644 zun/common/policies/image.py diff --git a/etc/zun/policy.json b/etc/zun/policy.json index f45678fd8..ee7b39de5 100644 --- a/etc/zun/policy.json +++ b/etc/zun/policy.json @@ -1,11 +1,6 @@ { "default": "rule:admin_or_owner", - "image:pull": "rule:default", - "image:get_all": "rule:default", - "image:search": "rule:default", - - "zun-service:delete": "rule:admin_api", "zun-service:disable": "rule:admin_api", "zun-service:enable": "rule:admin_api", diff --git a/zun/common/policies/__init__.py b/zun/common/policies/__init__.py index 6beda1a5a..009b57d52 100644 --- a/zun/common/policies/__init__.py +++ b/zun/common/policies/__init__.py @@ -14,10 +14,12 @@ import itertools from zun.common.policies import base from zun.common.policies import container +from zun.common.policies import image def list_rules(): return itertools.chain( base.list_rules(), - container.list_rules() + container.list_rules(), + image.list_rules() ) diff --git a/zun/common/policies/image.py b/zun/common/policies/image.py new file mode 100644 index 000000000..0d0656ab0 --- /dev/null +++ b/zun/common/policies/image.py 
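Review bot: In the zun/common/policies/__init__.py hunk, `image.list_rules()` is added as the last argument of `itertools.chain(...)` without a trailing comma, which is exactly why this commit also had to touch the `container.list_rules()` line just to add one. Writing it as `image.list_rules(),` keeps the next policy module addition to a single-line diff and matches the trailing-comma style the hunk already introduces. The whole body of list_rules is visible in the hunk, so no other lines are affected.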
@@ -0,0 +1,66 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from zun.common.policies import base
+
+IMAGE = 'image:%s'
+
+rules = [
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference:
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=IMAGE % 'pull',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Pull an image.',
+ operations=[
+ {
+ 'path': '/v1/images',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference:
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=IMAGE % 'get_all',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Print a list of available images.',
+ operations=[
+ {
+ 'path': '/v1/images',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference:
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=IMAGE % 'search',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Search an image.',
+ operations=[
+ {
+ 'path': '/v1/images/{image_ident}/search',
+ 'method': 'GET'
+ }
+ ]
+ )
+]
+
+
+def list_rules():
+ return rules
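Review bot: The three in-code defaults use `base.RULE_ADMIN_OR_OWNER` directly, whereas the policy.json entries this commit removes were `rule:default`; the two only coincide while `default` stays `rule:admin_or_owner`, so a deployment whose policy file tightens `default` without listing the image rules would no longer tighten image access — worth confirming against base.py and stating in the commit message. The module also has no docstring, and the same three-line FIXME about the image API missing from the API reference is repeated verbatim above each `DocumentedRuleDefault`; one module-level comment such as `# FIXME(lbragstad): none of the image APIs below are listed in zun's API reference yet: https://developer.openstack.org/api-ref/application-container/` plus a one-line docstring on list_rules (`"""Return the default policy rules for the image API."""`) would say it once. Finally, `description='Print a list of available images.'` reads as CLI wording for a GET on `/v1/images`; `description='List available images.'` describes the operation the sample policy file will document.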