Register default network policies in code

This commit uses the existing policy-in-code module to move all default policies for networks into code. This commit also adds helpful documetation about each API those policies protect, which will be generated in sample policy files. bp policy-and-docs-in-code Co-authored-By: Hieu LE <hieulq@vn.fujitsu.com> Change-Id: I3d5486c2b4d696c364eef1d16db403db6504da70
2017-10-02 20:11:29 +00:00 · 2017-10-02 20:11:29 +00:00 · 8e0e94ba9b
commit 8e0e94ba9b
parent 813ddb4087
6 changed files with 39 additions and 12 deletions
--- a/devstack/lib/zun
+++ b/devstack/lib/zun
@ -42,7 +42,6 @@ ZUN_AUTH_CACHE_DIR=${ZUN_AUTH_CACHE_DIR:-/var/cache/zun}

 ZUN_CONF_DIR=/etc/zun
 ZUN_CONF=$ZUN_CONF_DIR/zun.conf
-ZUN_POLICY_JSON=$ZUN_CONF_DIR/policy.json
 ZUN_API_PASTE=$ZUN_CONF_DIR/api-paste.ini

 if is_ssl_enabled_service "zun" || is_service_enabled tls-proxy; then
@ -110,7 +109,6 @@ function configure_zun {
        sudo chown $STACK_USER $ZUN_CONF_DIR
    fi

-    install_default_policy zun
    # Rebuild the config file from scratch
    create_zun_conf

@ -195,8 +193,6 @@ function create_zun_conf {
    iniset $ZUN_CONF api port "$ZUN_SERVICE_PORT"
    iniset $ZUN_CONF docker docker_remote_api_host "$HOST_IP"

-    iniset $ZUN_CONF oslo_policy policy_file $ZUN_POLICY_JSON
-
    iniset $ZUN_CONF keystone_auth auth_type password
    iniset $ZUN_CONF keystone_auth username zun
    iniset $ZUN_CONF keystone_auth password $SERVICE_PASSWORD
--- a/etc/zun/policy.json
+++ b/etc/zun/policy.json
@ -1,5 +0,0 @@
-{
-    "default": "rule:admin_or_owner",
-
-    "network:attach_external_network": "rule:context_is_admin"
-}
--- a/setup.cfg
+++ b/setup.cfg
@ -22,7 +22,6 @@ classifier =
 data_files =
    etc/zun =
        etc/zun/api-paste.ini
-        etc/zun/policy.json
 packages =
    zun

--- a/zun/common/policies/init.py
+++ b/zun/common/policies/init.py
@ -17,6 +17,7 @@ from zun.common.policies import capsule
 from zun.common.policies import container
 from zun.common.policies import host
 from zun.common.policies import image
+from zun.common.policies import network
 from zun.common.policies import zun_service


@ -27,5 +28,6 @@ def list_rules():
        image.list_rules(),
        zun_service.list_rules(),
        host.list_rules(),
-        capsule.list_rules()
+        capsule.list_rules(),
+        network.list_rules()
    )
--- a/zun/common/policies/container.py
+++ b/zun/common/policies/container.py
@ -62,7 +62,7 @@ rules = [
        ]
    ),
    policy.DocumentedRuleDefault(
-        name=CONTAINER % 'get',
+        name=CONTAINER % 'get_one',
        check_str=base.RULE_ADMIN_OR_OWNER,
        description='Retrieve the details of a specific container.',
        operations=[
--- a/zun/common/policies/network.py
+++ b/zun/common/policies/network.py
@ -0,0 +1,35 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from zun.common.policies import base
+
+NETWORK = 'network:%s'
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name=NETWORK % 'attach_external_network',
+        check_str=base.ROLE_ADMIN,
+        description='Attach an unshared external network to a container',
+        operations=[
+            {
+                'path': '/v1/containers',
+                'method': 'POST'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules