Implement policy in code (1)

This commit prepares for implementing policies in code[1], which means
that with oslo.policy we can define all default rules in the code base
and only override some rules via the policy file if needed.

To do that, we can move "rule by rule" into code base.
In this change, we will:

- Define some common rules in code base.
- Register them into policy engine to use as default policy rules
- Remove them out of policy.json file, so if operators want to
update rules, they should define them in policy file like the way
we done with config option with oslo.config.

Summary, with any rules that we defined in codebase, we no need to keep
them in policy file anymore if we don't want to customize them.
And everything still work well meanwhile we didn't define rules
in policy file with falling back to default rules.

[1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html

Change-Id: Ide8f581b9adb6701eeb9b1f5293307dcee3dd9c3
Co-authored-By: Hieu LE <hieulq@vn.fujitsu.com>
This commit is contained in:
Dai Dang Van 2017-10-19 10:28:34 +07:00
parent 37ddc6569e
commit c150d00dee
5 changed files with 50 additions and 5 deletions


@ -16,6 +16,8 @@
from oslo_policy import policy from oslo_policy import policy
from pecan import hooks from pecan import hooks
from aodh.api import policies
class ConfigHook(hooks.PecanHook): class ConfigHook(hooks.PecanHook):
"""Attach the configuration and policy enforcer object to the request. """Attach the configuration and policy enforcer object to the request.
@ -26,6 +28,7 @@ class ConfigHook(hooks.PecanHook):
def __init__(self, conf): def __init__(self, conf):
self.conf = conf self.conf = conf
self.enforcer = policy.Enforcer(conf, default_rule="default") self.enforcer = policy.Enforcer(conf, default_rule="default")
self.enforcer.register_defaults(policies.list_rules())
def before(self, state): def before(self, state):
state.request.cfg = self.conf state.request.cfg = self.conf
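Review bot: The new `register_defaults` call in `__init__` would benefit from a comment stating that these in-code rules are only defaults and that a same-named entry in the operator's policy file still takes precedence, since the same rules were just removed from policy.json and a reader may otherwise assume the file is now ignored for them; e.g. `# In-code defaults; same-named rules in the policy file override them.` The `before` method's body continues past the end of this hunk.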

42
aodh/api/policies.py Normal file

@ -0,0 +1,42 @@
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
RULE_CONTEXT_IS_ADMIN = 'rule:context_is_admin'
RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s'
rules = [
policy.RuleDefault(
name="context_is_admin",
check_str="role:admin"
),
policy.RuleDefault(
name="segregation",
check_str=RULE_CONTEXT_IS_ADMIN),
policy.RuleDefault(
name="admin_or_owner",
check_str=RULE_ADMIN_OR_OWNER
),
policy.RuleDefault(
name="default",
check_str=RULE_ADMIN_OR_OWNER
)
]
def list_rules():
return rules
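Review bot: The in-code `default` rule (the `name="default"` entry) no longer references `admin_or_owner` the way the removed policy.json entry did: the JSON had `"default": "rule:admin_or_owner"`, while the code sets `check_str=RULE_ADMIN_OR_OWNER`, the expanded check string. With the expanded form, an operator who overrides `admin_or_owner` in the policy file no longer changes `default`, so the fallback for every action not listed in the file silently diverges from the customized rule. Using `check_str='rule:admin_or_owner'` for `default` keeps the reference semantics the file had. `list_rules` also returns the module-level list itself; a one-line docstring such as `"""Return the default policy rules to register with the enforcer."""` would help readers arriving from the setup.cfg entry point.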


@ -1,9 +1,4 @@
{ {
"context_is_admin": "role:admin",
"segregation": "rule:context_is_admin",
"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"telemetry:get_alarm": "rule:admin_or_owner", "telemetry:get_alarm": "rule:admin_or_owner",
"telemetry:get_alarms": "rule:admin_or_owner", "telemetry:get_alarms": "rule:admin_or_owner",
"telemetry:query_alarm": "rule:admin_or_owner", "telemetry:query_alarm": "rule:admin_or_owner",


@ -0,0 +1,2 @@
[DEFAULT]
namespace = aodh


@ -117,6 +117,9 @@ oslo.config.opts =
oslo.config.opts.defaults = oslo.config.opts.defaults =
aodh = aodh.conf.defaults:set_cors_middleware_defaults aodh = aodh.conf.defaults:set_cors_middleware_defaults
oslo.policy.policies =
aodh = aodh.api.policies:list_rules
tempest.test_plugins = tempest.test_plugins =
aodh_tests = aodh.tests.tempest.plugin:AodhTempestPlugin aodh_tests = aodh.tests.tempest.plugin:AodhTempestPlugin