openstack/trove
Code Issues Proposed changes

Use DocumentedRuleDefault instead of RuleDefault

Browse Source 
The DocumentedRuleDefault class has advantages over the RuleDefault
class because it allows project developers the opportunity to
describe how policies map to actual APIs. This makes things a lot
easier for operators trying to understand policies for a given
project, and doesn't require them to dig in the code to figure out
what they protect.

Polices are also splitted into small files for easier maintainance.

This is part of an effort to move policy and documentation of policy
into code, treating it like configuration.

bp policy-and-docs-in-code

Co-Authored-By: Zhao Chao <zhaochao1984@gmail.com>
Change-Id: Ifcdbccae7350ec69ad7d92197b9bfca8aeb8352b
This commit is contained in:
Lance Bragstad 2017-10-05 14:34:20 +00:00 committed by Zhao Chao
parent d238db0945
commit e78b42237b
16 changed files with 1230 additions and 190 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
trove/common/policies/__init__.py Normal file
View File

@ -0,0 +1,47 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import itertools
from trove.common.policies import backups
from trove.common.policies import base
from trove.common.policies import clusters
from trove.common.policies import configuration_parameters
from trove.common.policies import configurations
from trove.common.policies import databases
from trove.common.policies import datastores
from trove.common.policies import flavors
from trove.common.policies import instances
from trove.common.policies import limits
from trove.common.policies import modules
from trove.common.policies import root
from trove.common.policies import user_access
from trove.common.policies import users
def list_rules():
return itertools.chain(
base.list_rules(),
instances.list_rules(),
root.list_rules(),
users.list_rules(),
user_access.list_rules(),
databases.list_rules(),
clusters.list_rules(),
backups.list_rules(),
configurations.list_rules(),
configuration_parameters.list_rules(),
datastores.list_rules(),
flavors.list_rules(),
limits.list_rules(),
modules.list_rules()
)

62
trove/common/policies/backups.py Normal file
View File

@ -0,0 +1,62 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import PATH_BACKUPS, PATH_BACKUP
rules = [
policy.DocumentedRuleDefault(
name='backup:create',
check_str='rule:admin_or_owner',
description='Create a backup of a database instance.',
operations=[
{
'path': PATH_BACKUPS,
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='backup:delete',
check_str='rule:admin_or_owner',
description='Delete a backup of a database instance.',
operations=[
{
'path': PATH_BACKUP,
'method': 'DELETE'
}
]),
policy.DocumentedRuleDefault(
name='backup:index',
check_str='rule:admin_or_owner',
description='List all backups.',
operations=[
{
'path': PATH_BACKUPS,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='backup:show',
check_str='rule:admin_or_owner',
description='Get informations of a backup.',
operations=[
{
'path': PATH_BACKUP,
'method': 'GET'
}
])
]
def list_rules():
return rules

67
trove/common/policies/base.py Normal file
View File

@ -0,0 +1,67 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
PATH_BASE = '/v1.0/{account_id}'
PATH_INSTANCES = PATH_BASE + '/instances'
PATH_INSTANCE = PATH_INSTANCES + '/{instance_id}'
PATH_INSTANCE_ACTION = PATH_INSTANCE + '/action'
PATH_USERS = PATH_INSTANCE + '/users'
PATH_USER = PATH_USERS + '/{user}'
PATH_ACCESSES = PATH_USER + '/databases'
PATH_ACCESS = PATH_ACCESSES + '/{database}'
PATH_DATABASES = PATH_INSTANCE + '/databases'
PATH_DATABASE = PATH_DATABASES + '/{database}'
PATH_CLUSTERS = PATH_BASE + '/clusters'
PATH_CLUSTER = PATH_CLUSTERS + '/{cluster}'
PATH_CLUSTER_INSTANCES = PATH_CLUSTER + '/instances'
PATH_CLUSTER_INSTANCE = PATH_CLUSTER_INSTANCES + '/{instance}'
PATH_BACKUPS = PATH_BASE + '/backups'
PATH_BACKUP = PATH_BACKUPS + '/{backup}'
PATH_CONFIGS = PATH_BASE + '/configurations'
PATH_CONFIG = PATH_CONFIGS + '/{config}'
PATH_DATASTORES = PATH_BASE + '/datastores'
PATH_DATASTORE = PATH_DATASTORES + '/{datastore}'
PATH_VERSIONS = PATH_DATASTORES + '/versions'
PATH_FLAVORS = PATH_BASE + '/flavors'
PATH_FLAVOR = PATH_FLAVORS + '/{flavor}'
PATH_LIMITS = PATH_BASE + '/limits'
PATH_MODULES = PATH_BASE + '/modules'
PATH_MODULE = PATH_MODULES + '/{module}'
rules = [
policy.RuleDefault(
'admin',
'role:admin or is_admin:True',
description='Must be an administrator.'),
policy.RuleDefault(
'admin_or_owner',
'rule:admin or tenant:%(tenant)s',
description='Must be an administrator or owner of the object.'),
policy.RuleDefault(
'default',
'rule:admin_or_owner',
description='Must be an administrator or owner of the object.')
]
def list_rules():
return rules

104
trove/common/policies/clusters.py Normal file
View File

@ -0,0 +1,104 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import (
PATH_CLUSTERS, PATH_CLUSTER,
PATH_CLUSTER_INSTANCE)
rules = [
policy.DocumentedRuleDefault(
name='cluster:create',
check_str='rule:admin_or_owner',
description='Create a cluster.',
operations=[
{
'path': PATH_CLUSTERS,
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='cluster:delete',
check_str='rule:admin_or_owner',
description='Delete a cluster.',
operations=[
{
'path': PATH_CLUSTER,
'method': 'DELETE'
}
]),
policy.DocumentedRuleDefault(
name='cluster:force_delete',
check_str='rule:admin_or_owner',
description='Forcibly delete a cluster.',
operations=[
{
'path': PATH_CLUSTER + ' (reset-status)',
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='cluster:index',
check_str='rule:admin_or_owner',
description='List all clusters',
operations=[
{
'path': PATH_CLUSTERS,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='cluster:show',
check_str='rule:admin_or_owner',
description='Get informations of a cluster.',
operations=[
{
'path': PATH_CLUSTER,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='cluster:show_instance',
check_str='rule:admin_or_owner',
description='Get informations of a instance in a cluster.',
operations=[
{
'path': PATH_CLUSTER_INSTANCE,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='cluster:action',
check_str='rule:admin_or_owner',
description='Commit an action against a cluster',
operations=[
{
'path': PATH_CLUSTER,
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='cluster:reset-status',
check_str='rule:admin',
description='Reset the status of a cluster to NONE.',
operations=[
{
'path': PATH_CLUSTER + ' (reset-status)',
'method': 'POST'
}
])
]
def list_rules():
return rules

65
trove/common/policies/configuration_parameters.py Normal file
View File

@ -0,0 +1,65 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import PATH_DATASTORE, PATH_VERSIONS
rules = [
policy.DocumentedRuleDefault(
name='configuration-parameter:index',
check_str='rule:admin_or_owner',
description='List all parameters bind to a datastore version.',
operations=[
{
'path': PATH_DATASTORE + '/versions/{version}/parameters',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='configuration-parameter:show',
check_str='rule:admin_or_owner',
description='Get a paramter of a datastore version.',
operations=[
{
'path': (PATH_DATASTORE +
'/versions/{version}/parameters/{param}'),
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='configuration-parameter:index_by_version',
check_str='rule:admin_or_owner',
description='List all paramters bind to a datastore version by '
'the id of the version(datastore is not provided).',
operations=[
{
'path': PATH_VERSIONS + '/{version}/paramters',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='configuration-parameter:show_by_version',
check_str='rule:admin_or_owner',
description='Get a paramter of a datastore version by it names and '
'the id of the version(datastore is not provided).',
operations=[
{
'path': PATH_VERSIONS + '/{version}/paramters/{param}',
'method': 'GET'
}
])
]
def list_rules():
return rules

94
trove/common/policies/configurations.py Normal file
View File

@ -0,0 +1,94 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import PATH_CONFIGS, PATH_CONFIG
rules = [
policy.DocumentedRuleDefault(
name='configuration:create',
check_str='rule:admin_or_owner',
description='Create a configuration group.',
operations=[
{
'path': PATH_CONFIGS,
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='configuration:delete',
check_str='rule:admin_or_owner',
description='Delete a configuration group.',
operations=[
{
'path': PATH_CONFIG,
'method': 'DELETE'
}
]),
policy.DocumentedRuleDefault(
name='configuration:index',
check_str='rule:admin_or_owner',
description='List all configuration groups.',
operations=[
{
'path': PATH_CONFIGS,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='configuration:show',
check_str='rule:admin_or_owner',
description='Get informations of a configuration group.',
operations=[
{
'path': PATH_CONFIG,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='configuration:instances',
check_str='rule:admin_or_owner',
description='List all instances which a configuration group '
'has be assigned to.',
operations=[
{
'path': PATH_CONFIG + '/instances',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='configuration:update',
check_str='rule:admin_or_owner',
description='Update a configuration group(the configuration '
'group will be replaced completely).',
operations=[
{
'path': PATH_CONFIG,
'method': 'PUT'
}
]),
policy.DocumentedRuleDefault(
name='configuration:edit',
check_str='rule:admin_or_owner',
description='Patch a configuration group.',
operations=[
{
'path': PATH_CONFIG,
'method': 'PATCH'
}
])
]
def list_rules():
return rules

70
trove/common/policies/databases.py Normal file
View File

@ -0,0 +1,70 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import (
PATH_INSTANCES, PATH_DATABASES, PATH_DATABASE)
rules = [
policy.DocumentedRuleDefault(
name='instance:extension:database:create',
check_str='rule:admin_or_owner',
description='Create a set of Schemas',
operations=[
{
'path': PATH_DATABASES,
'method': 'POST'
},
# we also check this when creating instances with
# databases specified.
{
'path': PATH_INSTANCES,
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='instance:extension:database:delete',
check_str='rule:admin_or_owner',
description='Delete a schema from a database.',
operations=[
{
'path': PATH_DATABASE,
'method': 'DELETE'
}
]),
policy.DocumentedRuleDefault(
name='instance:extension:database:index',
check_str='rule:admin_or_owner',
description='List all schemas from a database.',
operations=[
{
'path': PATH_DATABASES,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='instance:extension:database:show',
check_str='rule:admin_or_owner',
description='Get informations of a schema'
'(Currently Not Implemented).',
operations=[
{
'path': PATH_DATABASE,
'method': 'GET'
}
])
]
def list_rules():
return rules

96
trove/common/policies/datastores.py Normal file
View File

@ -0,0 +1,96 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import (
PATH_DATASTORES, PATH_DATASTORE,
PATH_VERSIONS)
rules = [
policy.DocumentedRuleDefault(
name='datastore:index',
check_str='',
description='List all datastores.',
operations=[
{
'path': PATH_DATASTORES,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='datastore:show',
check_str='',
description='Get informations of a datastore.',
operations=[
{
'path': PATH_DATASTORE,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='datastore:version_show',
check_str='',
description='Get a version of a datastore by the version id.',
operations=[
{
'path': PATH_DATASTORE + '/versions/{version}',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='datastore:version_show_by_uuid',
check_str='',
description='Get a version of a datastore by the version id'
'(without providing the datastore id).',
operations=[
{
'path': PATH_VERSIONS + '/{version}',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='datastore:version_index',
check_str='',
description='Get all versions of a datastore.',
operations=[
{
'path': PATH_DATASTORE + '/versions',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='datastore:list_associated_flavors',
check_str='',
description='List all flavors associated with a datastore version.',
operations=[
{
'path': PATH_DATASTORE + '/versions/{version}/flavors',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='datastore:list_associated_volume_types',
check_str='',
description='List all volume-types associated with '
'a datastore version.',
operations=[
{
'path': PATH_DATASTORE + '/versions/{version}/volume-types',
'method': 'GET'
}
])
]
def list_rules():
return rules

42
trove/common/policies/flavors.py Normal file
View File

@ -0,0 +1,42 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import PATH_FLAVORS, PATH_FLAVOR
rules = [
policy.DocumentedRuleDefault(
name='flavor:index',
check_str='',
description='List all flavors.',
operations=[
{
'path': PATH_FLAVORS,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='flavor:show',
check_str='',
description='Get information of a flavor.',
operations=[
{
'path': PATH_FLAVOR,
'method': 'GET'
}
])
]
def list_rules():
return rules

230
trove/common/policies/instances.py Normal file
View File

@ -0,0 +1,230 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import (
PATH_INSTANCES, PATH_INSTANCE, PATH_INSTANCE_ACTION)
rules = [
policy.DocumentedRuleDefault(
name='instance:create',
check_str='rule:admin_or_owner',
description='Create a database instance.',
operations=[
{
'path': PATH_INSTANCES,
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='instance:delete',
check_str='rule:admin_or_owner',
description='Delete a database instance.',
operations=[
{
'path': PATH_INSTANCE,
'method': 'DELETE'
}
]),
policy.DocumentedRuleDefault(
name='instance:force_delete',
check_str='rule:admin_or_owner',
description='Forcibly delete a database instance.',
operations=[
{
'path': PATH_INSTANCE,
'method': 'DELETE'
}
]),
policy.DocumentedRuleDefault(
name='instance:index',
check_str='rule:admin_or_owner',
description='List database instances.',
operations=[
{
'path': PATH_INSTANCES,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='instance:show',
check_str='rule:admin_or_owner',
description='Get details of a specific database instance.',
operations=[
{
'path': PATH_INSTANCE,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='instance:update',
check_str='rule:admin_or_owner',
description='Update a database instance to '
'attach/detach configuration',
operations=[
{
'path': PATH_INSTANCE,
'method': 'PUT'
},
# we also check this when creating instances with
# a configuration group specified.
{
'path': PATH_INSTANCES,
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='instance:edit',
check_str='rule:admin_or_owner',
description='Updates the instance to set or '
'unset one or more attributes.',
operations=[
{
'path': PATH_INSTANCE,
'method': 'PATCH'
}
]),
policy.DocumentedRuleDefault(
name='instance:restart',
check_str='rule:admin_or_owner',
description='Restart a database instance.',
operations=[
{
'path': PATH_INSTANCE_ACTION + ' (restart)',
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='instance:resize_volume',
check_str='rule:admin_or_owner',
description='Resize a database instance volume.',
operations=[
{
'path': PATH_INSTANCE_ACTION + ' (resize)',
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='instance:resize_flavor',
check_str='rule:admin_or_owner',
description='Resize a database instance flavor.',
operations=[
{
'path': PATH_INSTANCE_ACTION + ' (resize)',
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='instance:reset_status',
check_str='rule:admin',
description='Reset the status of a database instance to ERROR.',
operations=[
{
'path': PATH_INSTANCE_ACTION + ' (reset_status)',
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='instance:promote_to_replica_source',
check_str='rule:admin_or_owner',
description='Promote instance to replica source.',
operations=[
{
'path': PATH_INSTANCE_ACTION + ' (promote_to_replica_source)',
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='instance:eject_replica_source',
check_str='rule:admin_or_owner',
description='Eject the replica source from its replica set.',
operations=[
{
'path': PATH_INSTANCE_ACTION + ' (eject_replica_source)',
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='instance:configuration',
check_str='rule:admin_or_owner',
description='Get the default configuration template '
'applied to the instance.',
operations=[
{
'path': PATH_INSTANCE + '/configuration',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='instance:guest_log_list',
check_str='rule:admin_or_owner',
description='Get all informations about all logs '
'of a database instance.',
operations=[
{
'path': PATH_INSTANCE + '/log',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='instance:backups',
check_str='rule:admin_or_owner',
description='Get all backups of a database instance.',
operations=[
{
'path': PATH_INSTANCE + '/backups',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='instance:module_list',
check_str='rule:admin_or_owner',
description='Get informations about modules on a database instance.',
operations=[
{
'path': PATH_INSTANCE + '/modules',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='instance:module_apply',
check_str='rule:admin_or_owner',
description='Apply modules to a database instance.',
operations=[
{
'path': PATH_INSTANCE + '/modules',
'method': 'POST'
},
# we also check this when creating instances with
# modules specified.
{
'path': PATH_INSTANCES,
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='instance:module_remove',
check_str='rule:admin_or_owner',
description='Remove a module from a database instance.',
operations=[
{
'path': PATH_INSTANCE + '/modules/{module_id}',
'method': 'DELETE'
}
])
]
def list_rules():
return rules

32
trove/common/policies/limits.py Normal file
View File

@ -0,0 +1,32 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import PATH_LIMITS
rules = [
policy.DocumentedRuleDefault(
name='limits:index',
check_str='rule:admin_or_owner',
description='List all absolute and rate limit informations.',
operations=[
{
'path': PATH_LIMITS,
'method': 'GET'
}
])
]
def list_rules():
return rules

92
trove/common/policies/modules.py Normal file
View File

@ -0,0 +1,92 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import PATH_MODULES, PATH_MODULE
rules = [
policy.DocumentedRuleDefault(
name='module:create',
check_str='rule:admin_or_owner',
description='Create a module.',
operations=[
{
'path': PATH_MODULES,
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='module:delete',
check_str='rule:admin_or_owner',
description='Delete a module.',
operations=[
{
'path': PATH_MODULE,
'method': 'DELETE'
}
]),
policy.DocumentedRuleDefault(
name='module:index',
check_str='rule:admin_or_owner',
description='List all modules.',
operations=[
{
'path': PATH_MODULES,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='module:show',
check_str='rule:admin_or_owner',
description='Get informations of a module.',
operations=[
{
'path': PATH_MODULE,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='module:instances',
check_str='rule:admin_or_owner',
description='List all instances to which a module is applied.',
operations=[
{
'path': PATH_MODULE + '/instances',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='module:update',
check_str='rule:admin_or_owner',
description='Update a module.',
operations=[
{
'path': PATH_MODULE,
'method': 'PUT'
}
]),
policy.DocumentedRuleDefault(
name='module:reapply',
check_str='rule:admin_or_owner',
description='Reapply a module to all instances.',
operations=[
{
'path': PATH_MODULE + '/instances',
'method': 'PUT'
}
])
]
def list_rules():
return rules

84
trove/common/policies/root.py Normal file
View File

@ -0,0 +1,84 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import PATH_INSTANCE, PATH_CLUSTER
rules = [
policy.DocumentedRuleDefault(
name='instance:extension:root:create',
check_str='rule:admin_or_owner',
description='Enable the root user of a database instance.',
operations=[
{
'path': PATH_INSTANCE + '/root',
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='instance:extension:root:delete',
check_str='rule:admin_or_owner',
description='Disable the root user of a database instance.',
operations=[
{
'path': PATH_INSTANCE + '/root',
'method': 'DELETE'
}
]),
policy.DocumentedRuleDefault(
name='instance:extension:root:index',
check_str='rule:admin_or_owner',
description='Show whether the root user of a database '
'instance has been ever enabled.',
operations=[
{
'path': PATH_INSTANCE + '/root',
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='cluster:extension:root:create',
check_str='rule:admin_or_owner',
description='Enable the root user of the instances in a cluster.',
operations=[
{
'path': PATH_CLUSTER + '/root',
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='cluster:extension:root:delete',
check_str='rule:admin_or_owner',
description='Enable the root user of the instances in a cluster.',
operations=[
{
'path': PATH_CLUSTER + '/root',
'method': 'DELETE'
}
]),
policy.DocumentedRuleDefault(
name='cluster:extension:root:index',
check_str='rule:admin_or_owner',
description='Disable the root of the instances in a cluster.',
operations=[
{
'path': PATH_CLUSTER + '/root',
'method': 'GET'
}
])
]
def list_rules():
return rules

52
trove/common/policies/user_access.py Normal file
View File

@ -0,0 +1,52 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import PATH_ACCESSES, PATH_ACCESS
rules = [
policy.DocumentedRuleDefault(
name='instance:extension:user_access:update',
check_str='rule:admin_or_owner',
description='Grant access for a user to one or more databases.',
operations=[
{
'path': PATH_ACCESSES,
'method': 'PUT'
}
]),
policy.DocumentedRuleDefault(
name='instance:extension:user_access:delete',
check_str='rule:admin_or_owner',
description='Revoke access for a user to a databases.',
operations=[
{
'path': PATH_ACCESS,
'method': 'DELETE'
}
]),
policy.DocumentedRuleDefault(
name='instance:extension:user_access:index',
check_str='rule:admin_or_owner',
description='Get permissions of a user',
operations=[
{
'path': PATH_ACCESSES,
'method': 'GET'
}
])
]
def list_rules():
return rules

91
trove/common/policies/users.py Normal file
View File

@ -0,0 +1,91 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from trove.common.policies.base import (
PATH_INSTANCES, PATH_USERS, PATH_USER)
rules = [
policy.DocumentedRuleDefault(
name='instance:extension:user:create',
check_str='rule:admin_or_owner',
description='Create users for a database instance.',
operations=[
{
'path': PATH_USERS,
'method': 'POST'
},
# we also check this when creating instances with
# users specified.
{
'path': PATH_INSTANCES,
'method': 'POST'
}
]),
policy.DocumentedRuleDefault(
name='instance:extension:user:delete',
check_str='rule:admin_or_owner',
description='Delete a user from a database instance.',
operations=[
{
'path': PATH_USER,
'method': 'DELETE'
}
]),
policy.DocumentedRuleDefault(
name='instance:extension:user:index',
check_str='rule:admin_or_owner',
description='Get all users of a database instance.',
operations=[
{
'path': PATH_USERS,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='instance:extension:user:show',
check_str='rule:admin_or_owner',
description='Get the information of a single user '
'of a database instance.',
operations=[
{
'path': PATH_USER,
'method': 'GET'
}
]),
policy.DocumentedRuleDefault(
name='instance:extension:user:update',
check_str='rule:admin_or_owner',
description='Update attributes for a user of a database instance.',
operations=[
{
'path': PATH_USER,
'method': 'PUT'
}
]),
policy.DocumentedRuleDefault(
name='instance:extension:user:update_all',
check_str='rule:admin_or_owner',
description='Update the password for one or more users '
'a database instance.',
operations=[
{
'path': PATH_USERS,
'method': 'PUT'
}
])
]
def list_rules():
return rules

192
trove/common/policy.py
View File

@ -18,205 +18,17 @@ from oslo_config import cfg
from oslo_policy import policy
from trove.common import exception as trove_exceptions
from trove.common import policies
CONF = cfg.CONF
_ENFORCER = None
base_rules = [
policy.RuleDefault(
'admin',
'role:admin or is_admin:True',
description='Must be an administrator.'),
policy.RuleDefault(
'admin_or_owner',
'rule:admin or tenant:%(tenant)s',
description='Must be an administrator or owner of the object.'),
policy.RuleDefault(
'default',
'rule:admin_or_owner',
description='Must be an administrator or owner of the object.')
]
instance_rules = [
policy.RuleDefault(
'instance:create', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:delete', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:force_delete', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:index', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:show', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:update', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:edit', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:restart', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:resize_volume', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:resize_flavor', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:reset_status', 'rule:admin'),
policy.RuleDefault(
'instance:promote_to_replica_source', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:eject_replica_source', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:configuration', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:guest_log_list', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:backups', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:module_list', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:module_apply', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:module_remove', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:root:create', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:root:delete', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:root:index', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:user:create', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:user:delete', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:user:index', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:user:show', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:user:update', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:user:update_all', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:user_access:update', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:user_access:delete', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:user_access:index', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:database:create', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:database:delete', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:database:index', 'rule:admin_or_owner'),
policy.RuleDefault(
'instance:extension:database:show', 'rule:admin_or_owner'),
policy.RuleDefault(
'cluster:create', 'rule:admin_or_owner'),
policy.RuleDefault(
'cluster:delete', 'rule:admin_or_owner'),
policy.RuleDefault(
'cluster:force_delete', 'rule:admin_or_owner'),
policy.RuleDefault(
'cluster:index', 'rule:admin_or_owner'),
policy.RuleDefault(
'cluster:show', 'rule:admin_or_owner'),
policy.RuleDefault(
'cluster:show_instance', 'rule:admin_or_owner'),
policy.RuleDefault(
'cluster:action', 'rule:admin_or_owner'),
policy.RuleDefault(
'cluster:reset-status', 'rule:admin'),
policy.RuleDefault(
'cluster:extension:root:create', 'rule:admin_or_owner'),
policy.RuleDefault(
'cluster:extension:root:delete', 'rule:admin_or_owner'),
policy.RuleDefault(
'cluster:extension:root:index', 'rule:admin_or_owner'),
policy.RuleDefault(
'backup:create', 'rule:admin_or_owner'),
policy.RuleDefault(
'backup:delete', 'rule:admin_or_owner'),
policy.RuleDefault(
'backup:index', 'rule:admin_or_owner'),
policy.RuleDefault(
'backup:show', 'rule:admin_or_owner'),
policy.RuleDefault(
'configuration:create', 'rule:admin_or_owner'),
policy.RuleDefault(
'configuration:delete', 'rule:admin_or_owner'),
policy.RuleDefault(
'configuration:index', 'rule:admin_or_owner'),
policy.RuleDefault(
'configuration:show', 'rule:admin_or_owner'),
policy.RuleDefault(
'configuration:instances', 'rule:admin_or_owner'),
policy.RuleDefault(
'configuration:update', 'rule:admin_or_owner'),
policy.RuleDefault(
'configuration:edit', 'rule:admin_or_owner'),
policy.RuleDefault(
'configuration-parameter:index', 'rule:admin_or_owner'),
policy.RuleDefault(
'configuration-parameter:show', 'rule:admin_or_owner'),
policy.RuleDefault(
'configuration-parameter:index_by_version', 'rule:admin_or_owner'),
policy.RuleDefault(
'configuration-parameter:show_by_version', 'rule:admin_or_owner'),
policy.RuleDefault(
'datastore:index', ''),
policy.RuleDefault(
'datastore:show', ''),
policy.RuleDefault(
'datastore:version_show', ''),
policy.RuleDefault(
'datastore:version_show_by_uuid', ''),
policy.RuleDefault(
'datastore:version_index', ''),
policy.RuleDefault(
'datastore:list_associated_flavors', ''),
policy.RuleDefault(
'datastore:list_associated_volume_types', ''),
policy.RuleDefault(
'flavor:index', ''),
policy.RuleDefault(
'flavor:show', ''),
policy.RuleDefault(
'limits:index', 'rule:admin_or_owner'),
policy.RuleDefault(
'module:create', 'rule:admin_or_owner'),
policy.RuleDefault(
'module:delete', 'rule:admin_or_owner'),
policy.RuleDefault(
'module:index', 'rule:admin_or_owner'),
policy.RuleDefault(
'module:show', 'rule:admin_or_owner'),
policy.RuleDefault(
'module:instances', 'rule:admin_or_owner'),
policy.RuleDefault(
'module:update', 'rule:admin_or_owner'),
policy.RuleDefault(
'module:reapply', 'rule:admin_or_owner'),
]
def get_enforcer():
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer(CONF)
_ENFORCER.register_defaults(base_rules)
_ENFORCER.register_defaults(instance_rules)
_ENFORCER.register_defaults(policies.list_rules())
_ENFORCER.load_rules()
return _ENFORCER