Implement policy in code (1)
This commit prepares for implementing policies in code[1], which means that with oslo.policy we can define all default rules in the code base and only override particular rules via the policy file when needed. To do that, we move the rules into the code base one by one. In this change, we: - Define some common rules in the code base. - Register them with the policy engine as the default policy rules. - Remove them from the policy.json file, so that operators who want to change a rule define it in the policy file, the same way config options are overridden with oslo.config. In summary, any rule defined in the code base no longer needs to be kept in the policy file unless we want to customize it, and everything still works when a rule is absent from the policy file because the engine falls back to the in-code default. [1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html Change-Id: Ide8f581b9adb6701eeb9b1f5293307dcee3dd9c3 Co-authored-By: Hieu LE <hieulq@vn.fujitsu.com>
This commit is contained in:
parent
37ddc6569e
commit
c150d00dee
@ -16,6 +16,8 @@
|
||||
from oslo_policy import policy
|
||||
from pecan import hooks
|
||||
|
||||
from aodh.api import policies
|
||||
|
||||
|
||||
class ConfigHook(hooks.PecanHook):
|
||||
"""Attach the configuration and policy enforcer object to the request.
|
||||
@ -26,6 +28,7 @@ class ConfigHook(hooks.PecanHook):
|
||||
def __init__(self, conf):
|
||||
self.conf = conf
|
||||
self.enforcer = policy.Enforcer(conf, default_rule="default")
|
||||
self.enforcer.register_defaults(policies.list_rules())
|
||||
|
||||
def before(self, state):
|
||||
state.request.cfg = self.conf
|
||||
|
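--- /dev/null
+++ b/aodh/api/policies.py
@@ -0,0 +1,42 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+from oslo_policy import policy
+
+
+RULE_CONTEXT_IS_ADMIN = 'rule:context_is_admin'
+RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s'
+
+rules = [
+    policy.RuleDefault(
+        name="context_is_admin",
+        check_str="role:admin"
+    ),
+    policy.RuleDefault(
+        name="segregation",
+        check_str=RULE_CONTEXT_IS_ADMIN),
+    policy.RuleDefault(
+        name="admin_or_owner",
+        check_str=RULE_ADMIN_OR_OWNER
+    ),
+    policy.RuleDefault(
+        name="default",
+        check_str=RULE_ADMIN_OR_OWNER
+    )
+]
+
+
+def list_rules():
+    return rules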
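Review bot: The in-code `default` rule inlines RULE_ADMIN_OR_OWNER, whereas the policy.json entry this commit removes referenced `rule:admin_or_owner`, so an operator who tightens `admin_or_owner` in the policy file no longer tightens `default` — and `default` is what the hooks hunk passes as the enforcer's `default_rule`, i.e. the fallback for any target without a rule of its own. Keeping the reference preserves that coupling: `check_str='rule:admin_or_owner'` on the `default` entry, optionally through a `RULE_ADMIN_OR_OWNER_REF` constant next to the other two. The RuleDefault entries also carry no `description=`, so the generator configured by the new aodh-policy-generator.conf will emit undocumented defaults; a one-line `description=` per rule (what "owner" means for `admin_or_owner`, that `default` is the catch-all) would fix that. `rules` is a mutable module-level list returned as-is by `list_rules()`; returning `list(rules)` or declaring it a tuple would keep callers from mutating the registered defaults.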
@ -1,9 +1,4 @@
|
||||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"segregation": "rule:context_is_admin",
|
||||
"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
|
||||
"default": "rule:admin_or_owner",
|
||||
|
||||
"telemetry:get_alarm": "rule:admin_or_owner",
|
||||
"telemetry:get_alarms": "rule:admin_or_owner",
|
||||
"telemetry:query_alarm": "rule:admin_or_owner",
|
||||
|
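--- /dev/null
+++ b/aodh/cmd/aodh-policy-generator.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+namespace = aodh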