From c150d00dee41c780888e00e6bdc225226b503cb5 Mon Sep 17 00:00:00 2001
From: Dai Dang Van
Date: Thu, 19 Oct 2017 10:28:34 +0700
Subject: [PATCH] Implement policy in code (1)

This commit will prepare for implementing policies in code[1] that mean with oslo.policy, we can define all of default rules in code base and only update some rules via policy file if need.

To do that, we can move "rule by rule" into code base. In this change, we will:
- Define some common rules in code base.
- Register them into policy engine to use as default policy rules
- Remove them out of policy.json file, so if operators want to update rules, they should define them in policy file like the way we done with config option with oslo.config.

Summary, with any rules that we defined in codebase, we no need to keep them in policy file anymore if we don't want to customize them. And everything still work well meanwhile we didn't define rules in policy file with falling back to default rules.

[1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html

Change-Id: Ide8f581b9adb6701eeb9b1f5293307dcee3dd9c3
Co-authored-By: Hieu LE
---
 aodh/api/hooks.py | 3 +++
 aodh/api/policies.py | 42 +++++++++++++++++++++++++++++
 aodh/api/policy.json | 5 ----
 aodh/cmd/aodh-policy-generator.conf | 2 ++
 setup.cfg | 3 +++
 5 files changed, 50 insertions(+), 5 deletions(-)
 create mode 100644 aodh/api/policies.py
 create mode 100644 aodh/cmd/aodh-policy-generator.conf

diff --git a/aodh/api/hooks.py b/aodh/api/hooks.py
index 3d3e26d2c..0965ebca2 100644
--- a/aodh/api/hooks.py
+++ b/aodh/api/hooks.py
@@ -16,6 +16,8 @@
 from oslo_policy import policy
 from pecan import hooks
 
+from aodh.api import policies
+
 
 class ConfigHook(hooks.PecanHook):
     """Attach the configuration and policy enforcer object to the request.
@@ -26,6 +28,7 @@ class ConfigHook(hooks.PecanHook):
     def __init__(self, conf):
         self.conf = conf
         self.enforcer = policy.Enforcer(conf, default_rule="default")
+        self.enforcer.register_defaults(policies.list_rules())
 
     def before(self, state):
         state.request.cfg = self.conf
diff --git a/aodh/api/policies.py b/aodh/api/policies.py
new file mode 100644
index 000000000..e3784459b
--- /dev/null
+++ b/aodh/api/policies.py
@@ -0,0 +1,42 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+from oslo_policy import policy
+
+
+RULE_CONTEXT_IS_ADMIN = 'rule:context_is_admin'
+RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s'
+
+rules = [
+    policy.RuleDefault(
+        name="context_is_admin",
+        check_str="role:admin"
+    ),
+    policy.RuleDefault(
+        name="segregation",
+        check_str=RULE_CONTEXT_IS_ADMIN),
+    policy.RuleDefault(
+        name="admin_or_owner",
+        check_str=RULE_ADMIN_OR_OWNER
+    ),
+    policy.RuleDefault(
+        name="default",
+        check_str=RULE_ADMIN_OR_OWNER
+    )
+]
+
+
+def list_rules():
+    return rules
diff --git a/aodh/api/policy.json b/aodh/api/policy.json
index 4fd873e9f..96fdb48aa 100644
--- a/aodh/api/policy.json
+++ b/aodh/api/policy.json
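Review bot: The new `register_defaults` call at the end of `__init__` is the only place that ties the in-code defaults to this enforcer, and nothing explains that the policy file now only needs entries that differ from those defaults; a one-line comment would save the next reader a trip to policies.py: `# Register in-code defaults; the policy file only needs entries that override them.` As far as the hunk shows the ordering is fine, since the enforcer appears to be built on the previous line and, if I recall oslo.policy correctly, only loads and merges rules lazily at the first enforce() rather than in the constructor — worth confirming against the oslo.policy version pinned by the project.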
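Review bot: The `default` RuleDefault at the end of `rules` inlines `RULE_ADMIN_OR_OWNER`, whereas the entry this commit removes from policy.json was `"default": "rule:admin_or_owner"`. Without that indirection an operator who overrides `admin_or_owner` in the policy file no longer changes the fallback `default` rule, so the two can silently diverge; `check_str="rule:admin_or_owner"` keeps the original semantics. `list_rules()` also has no docstring, and none of the RuleDefault entries pass `description=`, which the sample-policy generator configured in this commit would otherwise print for operators; a docstring such as `"""Return the in-code default policy rules registered with the enforcer."""` and a short description per rule would make the generated sample self-explanatory. The `segregation` entry closes the call on the `check_str` line while the other three put `)` on its own line; match one style.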
@@ -1,9 +1,4 @@
 {
-    "context_is_admin": "role:admin",
-    "segregation": "rule:context_is_admin",
-    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
-    "default": "rule:admin_or_owner",
-
     "telemetry:get_alarm": "rule:admin_or_owner",
     "telemetry:get_alarms": "rule:admin_or_owner",
     "telemetry:query_alarm": "rule:admin_or_owner",
diff --git a/aodh/cmd/aodh-policy-generator.conf b/aodh/cmd/aodh-policy-generator.conf
new file mode 100644
index 000000000..b881c6444
--- /dev/null
+++ b/aodh/cmd/aodh-policy-generator.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+namespace = aodh
diff --git a/setup.cfg b/setup.cfg
index 1df5f1e8e..5b16beed2 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -117,6 +117,9 @@ oslo.config.opts =
 
 oslo.config.opts.defaults =
     aodh = aodh.conf.defaults:set_cors_middleware_defaults
 
+oslo.policy.policies =
+    aodh = aodh.api.policies:list_rules
+
 tempest.test_plugins =
     aodh_tests = aodh.tests.tempest.plugin:AodhTempestPlugin