Implement policy in code (1)

This commit will prepare for implementing policies in code[1]
that mean with oslo.policy, we can define all of default rules
in code base and only update some rules via policy file if need.

To do that, we can move "rule by rule" into code base.
In this change, we will:

- Define some common rules in code base.
- Register them into policy engine to use as default policy rules
- Remove them out of policy.json file, so if operators want to
update rules, they should define them in policy file like the way
we done with config option with oslo.config.

Summary, with any rules that we defined in codebase, we no need to keep
them in policy file anymore if we don't want to customize them.
And everything still work well meanwhile we didn't define rules
in policy file with falling back to default rules.

[1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html

Change-Id: Ide8f581b9adb6701eeb9b1f5293307dcee3dd9c3
Co-authored-By: Hieu LE <hieulq@vn.fujitsu.com>

aodh/api/hooks.py

@@ -16,6 +16,8 @@
 from oslo_policy import policy
 from pecan import hooks
 
+from aodh.api import policies
+
 
 class ConfigHook(hooks.PecanHook):
     """Attach the configuration and policy enforcer object to the request.
@@ -26,6 +28,7 @@ class ConfigHook(hooks.PecanHook):
     def __init__(self, conf):
         self.conf = conf
         self.enforcer = policy.Enforcer(conf, default_rule="default")
+        self.enforcer.register_defaults(policies.list_rules())
 
     def before(self, state):
         state.request.cfg = self.conf

aodh/api/policies.py

@@ -0,0 +1,42 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+from oslo_policy import policy
+
+
+RULE_CONTEXT_IS_ADMIN = 'rule:context_is_admin'
+RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s'
+
+rules = [
+    policy.RuleDefault(
+        name="context_is_admin",
+        check_str="role:admin"
+    ),
+    policy.RuleDefault(
+        name="segregation",
+        check_str=RULE_CONTEXT_IS_ADMIN),
+    policy.RuleDefault(
+        name="admin_or_owner",
+        check_str=RULE_ADMIN_OR_OWNER
+    ),
+    policy.RuleDefault(
+        name="default",
+        check_str=RULE_ADMIN_OR_OWNER
+    )
+]
+
+
+def list_rules():
+    return rules

aodh/api/policy.json

@@ -1,9 +1,4 @@
 {
-    "context_is_admin": "role:admin",
-    "segregation": "rule:context_is_admin",
-    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
-    "default": "rule:admin_or_owner",
-
     "telemetry:get_alarm": "rule:admin_or_owner",
     "telemetry:get_alarms": "rule:admin_or_owner",
     "telemetry:query_alarm": "rule:admin_or_owner",

aodh/cmd/aodh-policy-generator.conf

@@ -0,0 +1,2 @@
+[DEFAULT]
+namespace = aodh

setup.cfg

@@ -117,6 +117,9 @@ oslo.config.opts =
 oslo.config.opts.defaults =
     aodh = aodh.conf.defaults:set_cors_middleware_defaults
 
+oslo.policy.policies =
+    aodh = aodh.api.policies:list_rules
+
 tempest.test_plugins =
     aodh_tests = aodh.tests.tempest.plugin:AodhTempestPlugin