diff --git a/trove/common/policies/__init__.py b/trove/common/policies/__init__.py new file mode 100644 index 0000000000..b30255c33a --- /dev/null +++ b/trove/common/policies/__init__.py @@ -0,0 +1,47 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import itertools + +from trove.common.policies import backups +from trove.common.policies import base +from trove.common.policies import clusters +from trove.common.policies import configuration_parameters +from trove.common.policies import configurations +from trove.common.policies import databases +from trove.common.policies import datastores +from trove.common.policies import flavors +from trove.common.policies import instances +from trove.common.policies import limits +from trove.common.policies import modules +from trove.common.policies import root +from trove.common.policies import user_access +from trove.common.policies import users + + +def list_rules(): + return itertools.chain( + base.list_rules(), + instances.list_rules(), + root.list_rules(), + users.list_rules(), + user_access.list_rules(), + databases.list_rules(), + clusters.list_rules(), + backups.list_rules(), + configurations.list_rules(), + configuration_parameters.list_rules(), + datastores.list_rules(), + flavors.list_rules(), + limits.list_rules(), + modules.list_rules() + ) diff --git a/trove/common/policies/backups.py b/trove/common/policies/backups.py new file mode 100644 index 0000000000..0ab36e6c92 --- /dev/null +++ b/trove/common/policies/backups.py @@ -0,0 +1,62 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import PATH_BACKUPS, PATH_BACKUP + +rules = [ + policy.DocumentedRuleDefault( + name='backup:create', + check_str='rule:admin_or_owner', + description='Create a backup of a database instance.', + operations=[ + { + 'path': PATH_BACKUPS, + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='backup:delete', + check_str='rule:admin_or_owner', + description='Delete a backup of a database instance.', + operations=[ + { + 'path': PATH_BACKUP, + 'method': 'DELETE' + } + ]), + policy.DocumentedRuleDefault( + name='backup:index', + check_str='rule:admin_or_owner', + description='List all backups.', + operations=[ + { + 'path': PATH_BACKUPS, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='backup:show', + check_str='rule:admin_or_owner', + description='Get informations of a backup.', + operations=[ + { + 'path': PATH_BACKUP, + 'method': 'GET' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/base.py b/trove/common/policies/base.py new file mode 100644 index 0000000000..2ea4c62f6a --- /dev/null +++ b/trove/common/policies/base.py @@ -0,0 +1,67 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +PATH_BASE = '/v1.0/{account_id}' + +PATH_INSTANCES = PATH_BASE + '/instances' +PATH_INSTANCE = PATH_INSTANCES + '/{instance_id}' +PATH_INSTANCE_ACTION = PATH_INSTANCE + '/action' +PATH_USERS = PATH_INSTANCE + '/users' +PATH_USER = PATH_USERS + '/{user}' +PATH_ACCESSES = PATH_USER + '/databases' +PATH_ACCESS = PATH_ACCESSES + '/{database}' +PATH_DATABASES = PATH_INSTANCE + '/databases' +PATH_DATABASE = PATH_DATABASES + '/{database}' + +PATH_CLUSTERS = PATH_BASE + '/clusters' +PATH_CLUSTER = PATH_CLUSTERS + '/{cluster}' +PATH_CLUSTER_INSTANCES = PATH_CLUSTER + '/instances' +PATH_CLUSTER_INSTANCE = PATH_CLUSTER_INSTANCES + '/{instance}' + +PATH_BACKUPS = PATH_BASE + '/backups' +PATH_BACKUP = PATH_BACKUPS + '/{backup}' + +PATH_CONFIGS = PATH_BASE + '/configurations' +PATH_CONFIG = PATH_CONFIGS + '/{config}' + +PATH_DATASTORES = PATH_BASE + '/datastores' +PATH_DATASTORE = PATH_DATASTORES + '/{datastore}' +PATH_VERSIONS = PATH_DATASTORES + '/versions' + +PATH_FLAVORS = PATH_BASE + '/flavors' +PATH_FLAVOR = PATH_FLAVORS + '/{flavor}' + +PATH_LIMITS = PATH_BASE + '/limits' + +PATH_MODULES = PATH_BASE + '/modules' +PATH_MODULE = PATH_MODULES + '/{module}' + +rules = [ + policy.RuleDefault( + 'admin', + 'role:admin or is_admin:True', + description='Must be an administrator.'), + policy.RuleDefault( + 'admin_or_owner', + 'rule:admin or tenant:%(tenant)s', + description='Must be an administrator or owner of the object.'), + policy.RuleDefault( + 'default', + 'rule:admin_or_owner', + description='Must be an administrator or owner of the object.') +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/clusters.py b/trove/common/policies/clusters.py new file mode 100644 index 0000000000..44bc1e7a8e --- /dev/null +++ b/trove/common/policies/clusters.py @@ -0,0 +1,104 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import ( + PATH_CLUSTERS, PATH_CLUSTER, + PATH_CLUSTER_INSTANCE) + +rules = [ + policy.DocumentedRuleDefault( + name='cluster:create', + check_str='rule:admin_or_owner', + description='Create a cluster.', + operations=[ + { + 'path': PATH_CLUSTERS, + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='cluster:delete', + check_str='rule:admin_or_owner', + description='Delete a cluster.', + operations=[ + { + 'path': PATH_CLUSTER, + 'method': 'DELETE' + } + ]), + policy.DocumentedRuleDefault( + name='cluster:force_delete', + check_str='rule:admin_or_owner', + description='Forcibly delete a cluster.', + operations=[ + { + 'path': PATH_CLUSTER + ' (reset-status)', + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='cluster:index', + check_str='rule:admin_or_owner', + description='List all clusters', + operations=[ + { + 'path': PATH_CLUSTERS, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='cluster:show', + check_str='rule:admin_or_owner', + description='Get informations of a cluster.', + operations=[ + { + 'path': PATH_CLUSTER, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='cluster:show_instance', + check_str='rule:admin_or_owner', + description='Get informations of a instance in a cluster.', + operations=[ + { + 'path': PATH_CLUSTER_INSTANCE, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='cluster:action', + check_str='rule:admin_or_owner', + description='Commit an action against a cluster', + operations=[ + { + 'path': PATH_CLUSTER, + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='cluster:reset-status', + check_str='rule:admin', + description='Reset the status of a cluster to NONE.', + operations=[ + { + 'path': PATH_CLUSTER + ' (reset-status)', + 'method': 'POST' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/configuration_parameters.py b/trove/common/policies/configuration_parameters.py new file mode 100644 index 0000000000..f9db5903cb --- /dev/null +++ b/trove/common/policies/configuration_parameters.py @@ -0,0 +1,65 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import PATH_DATASTORE, PATH_VERSIONS + +rules = [ + policy.DocumentedRuleDefault( + name='configuration-parameter:index', + check_str='rule:admin_or_owner', + description='List all parameters bind to a datastore version.', + operations=[ + { + 'path': PATH_DATASTORE + '/versions/{version}/parameters', + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='configuration-parameter:show', + check_str='rule:admin_or_owner', + description='Get a paramter of a datastore version.', + operations=[ + { + 'path': (PATH_DATASTORE + + '/versions/{version}/parameters/{param}'), + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='configuration-parameter:index_by_version', + check_str='rule:admin_or_owner', + description='List all paramters bind to a datastore version by ' + 'the id of the version(datastore is not provided).', + operations=[ + { + 'path': PATH_VERSIONS + '/{version}/paramters', + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='configuration-parameter:show_by_version', + check_str='rule:admin_or_owner', + description='Get a paramter of a datastore version by it names and ' + 'the id of the version(datastore is not provided).', + operations=[ + { + 'path': PATH_VERSIONS + '/{version}/paramters/{param}', + 'method': 'GET' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/configurations.py b/trove/common/policies/configurations.py new file mode 100644 index 0000000000..80119fc1bf --- /dev/null +++ b/trove/common/policies/configurations.py @@ -0,0 +1,94 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import PATH_CONFIGS, PATH_CONFIG + +rules = [ + policy.DocumentedRuleDefault( + name='configuration:create', + check_str='rule:admin_or_owner', + description='Create a configuration group.', + operations=[ + { + 'path': PATH_CONFIGS, + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='configuration:delete', + check_str='rule:admin_or_owner', + description='Delete a configuration group.', + operations=[ + { + 'path': PATH_CONFIG, + 'method': 'DELETE' + } + ]), + policy.DocumentedRuleDefault( + name='configuration:index', + check_str='rule:admin_or_owner', + description='List all configuration groups.', + operations=[ + { + 'path': PATH_CONFIGS, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='configuration:show', + check_str='rule:admin_or_owner', + description='Get informations of a configuration group.', + operations=[ + { + 'path': PATH_CONFIG, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='configuration:instances', + check_str='rule:admin_or_owner', + description='List all instances which a configuration group ' + 'has be assigned to.', + operations=[ + { + 'path': PATH_CONFIG + '/instances', + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='configuration:update', + check_str='rule:admin_or_owner', + description='Update a configuration group(the configuration ' + 'group will be replaced completely).', + operations=[ + { + 'path': PATH_CONFIG, + 'method': 'PUT' + } + ]), + policy.DocumentedRuleDefault( + name='configuration:edit', + check_str='rule:admin_or_owner', + description='Patch a configuration group.', + operations=[ + { + 'path': PATH_CONFIG, + 'method': 'PATCH' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/databases.py b/trove/common/policies/databases.py new file mode 100644 index 0000000000..4e2fd1d8d1 --- /dev/null +++ b/trove/common/policies/databases.py @@ -0,0 +1,70 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import ( + PATH_INSTANCES, PATH_DATABASES, PATH_DATABASE) + +rules = [ + policy.DocumentedRuleDefault( + name='instance:extension:database:create', + check_str='rule:admin_or_owner', + description='Create a set of Schemas', + operations=[ + { + 'path': PATH_DATABASES, + 'method': 'POST' + }, + # we also check this when creating instances with + # databases specified. + { + 'path': PATH_INSTANCES, + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='instance:extension:database:delete', + check_str='rule:admin_or_owner', + description='Delete a schema from a database.', + operations=[ + { + 'path': PATH_DATABASE, + 'method': 'DELETE' + } + ]), + policy.DocumentedRuleDefault( + name='instance:extension:database:index', + check_str='rule:admin_or_owner', + description='List all schemas from a database.', + operations=[ + { + 'path': PATH_DATABASES, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='instance:extension:database:show', + check_str='rule:admin_or_owner', + description='Get informations of a schema' + '(Currently Not Implemented).', + operations=[ + { + 'path': PATH_DATABASE, + 'method': 'GET' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/datastores.py b/trove/common/policies/datastores.py new file mode 100644 index 0000000000..f3f9c02b13 --- /dev/null +++ b/trove/common/policies/datastores.py @@ -0,0 +1,96 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import ( + PATH_DATASTORES, PATH_DATASTORE, + PATH_VERSIONS) + +rules = [ + policy.DocumentedRuleDefault( + name='datastore:index', + check_str='', + description='List all datastores.', + operations=[ + { + 'path': PATH_DATASTORES, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='datastore:show', + check_str='', + description='Get informations of a datastore.', + operations=[ + { + 'path': PATH_DATASTORE, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='datastore:version_show', + check_str='', + description='Get a version of a datastore by the version id.', + operations=[ + { + 'path': PATH_DATASTORE + '/versions/{version}', + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='datastore:version_show_by_uuid', + check_str='', + description='Get a version of a datastore by the version id' + '(without providing the datastore id).', + operations=[ + { + 'path': PATH_VERSIONS + '/{version}', + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='datastore:version_index', + check_str='', + description='Get all versions of a datastore.', + operations=[ + { + 'path': PATH_DATASTORE + '/versions', + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='datastore:list_associated_flavors', + check_str='', + description='List all flavors associated with a datastore version.', + operations=[ + { + 'path': PATH_DATASTORE + '/versions/{version}/flavors', + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='datastore:list_associated_volume_types', + check_str='', + description='List all volume-types associated with ' + 'a datastore version.', + operations=[ + { + 'path': PATH_DATASTORE + '/versions/{version}/volume-types', + 'method': 'GET' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/flavors.py b/trove/common/policies/flavors.py new file mode 100644 index 0000000000..28f91e03ef --- /dev/null +++ b/trove/common/policies/flavors.py @@ -0,0 +1,42 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import PATH_FLAVORS, PATH_FLAVOR + +rules = [ + policy.DocumentedRuleDefault( + name='flavor:index', + check_str='', + description='List all flavors.', + operations=[ + { + 'path': PATH_FLAVORS, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='flavor:show', + check_str='', + description='Get information of a flavor.', + operations=[ + { + 'path': PATH_FLAVOR, + 'method': 'GET' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/instances.py b/trove/common/policies/instances.py new file mode 100644 index 0000000000..3aeeb3151a --- /dev/null +++ b/trove/common/policies/instances.py @@ -0,0 +1,230 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import ( + PATH_INSTANCES, PATH_INSTANCE, PATH_INSTANCE_ACTION) + + +rules = [ + policy.DocumentedRuleDefault( + name='instance:create', + check_str='rule:admin_or_owner', + description='Create a database instance.', + operations=[ + { + 'path': PATH_INSTANCES, + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='instance:delete', + check_str='rule:admin_or_owner', + description='Delete a database instance.', + operations=[ + { + 'path': PATH_INSTANCE, + 'method': 'DELETE' + } + ]), + policy.DocumentedRuleDefault( + name='instance:force_delete', + check_str='rule:admin_or_owner', + description='Forcibly delete a database instance.', + operations=[ + { + 'path': PATH_INSTANCE, + 'method': 'DELETE' + } + ]), + policy.DocumentedRuleDefault( + name='instance:index', + check_str='rule:admin_or_owner', + description='List database instances.', + operations=[ + { + 'path': PATH_INSTANCES, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='instance:show', + check_str='rule:admin_or_owner', + description='Get details of a specific database instance.', + operations=[ + { + 'path': PATH_INSTANCE, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='instance:update', + check_str='rule:admin_or_owner', + description='Update a database instance to ' + 'attach/detach configuration', + operations=[ + { + 'path': PATH_INSTANCE, + 'method': 'PUT' + }, + # we also check this when creating instances with + # a configuration group specified. + { + 'path': PATH_INSTANCES, + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='instance:edit', + check_str='rule:admin_or_owner', + description='Updates the instance to set or ' + 'unset one or more attributes.', + operations=[ + { + 'path': PATH_INSTANCE, + 'method': 'PATCH' + } + ]), + policy.DocumentedRuleDefault( + name='instance:restart', + check_str='rule:admin_or_owner', + description='Restart a database instance.', + operations=[ + { + 'path': PATH_INSTANCE_ACTION + ' (restart)', + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='instance:resize_volume', + check_str='rule:admin_or_owner', + description='Resize a database instance volume.', + operations=[ + { + 'path': PATH_INSTANCE_ACTION + ' (resize)', + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='instance:resize_flavor', + check_str='rule:admin_or_owner', + description='Resize a database instance flavor.', + operations=[ + { + 'path': PATH_INSTANCE_ACTION + ' (resize)', + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='instance:reset_status', + check_str='rule:admin', + description='Reset the status of a database instance to ERROR.', + operations=[ + { + 'path': PATH_INSTANCE_ACTION + ' (reset_status)', + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='instance:promote_to_replica_source', + check_str='rule:admin_or_owner', + description='Promote instance to replica source.', + operations=[ + { + 'path': PATH_INSTANCE_ACTION + ' (promote_to_replica_source)', + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='instance:eject_replica_source', + check_str='rule:admin_or_owner', + description='Eject the replica source from its replica set.', + operations=[ + { + 'path': PATH_INSTANCE_ACTION + ' (eject_replica_source)', + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='instance:configuration', + check_str='rule:admin_or_owner', + description='Get the default configuration template ' + 'applied to the instance.', + operations=[ + { + 'path': PATH_INSTANCE + '/configuration', + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='instance:guest_log_list', + check_str='rule:admin_or_owner', + description='Get all informations about all logs ' + 'of a database instance.', + operations=[ + { + 'path': PATH_INSTANCE + '/log', + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='instance:backups', + check_str='rule:admin_or_owner', + description='Get all backups of a database instance.', + operations=[ + { + 'path': PATH_INSTANCE + '/backups', + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='instance:module_list', + check_str='rule:admin_or_owner', + description='Get informations about modules on a database instance.', + operations=[ + { + 'path': PATH_INSTANCE + '/modules', + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='instance:module_apply', + check_str='rule:admin_or_owner', + description='Apply modules to a database instance.', + operations=[ + { + 'path': PATH_INSTANCE + '/modules', + 'method': 'POST' + }, + # we also check this when creating instances with + # modules specified. + { + 'path': PATH_INSTANCES, + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='instance:module_remove', + check_str='rule:admin_or_owner', + description='Remove a module from a database instance.', + operations=[ + { + 'path': PATH_INSTANCE + '/modules/{module_id}', + 'method': 'DELETE' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/limits.py b/trove/common/policies/limits.py new file mode 100644 index 0000000000..0c6f09ae62 --- /dev/null +++ b/trove/common/policies/limits.py @@ -0,0 +1,32 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import PATH_LIMITS + +rules = [ + policy.DocumentedRuleDefault( + name='limits:index', + check_str='rule:admin_or_owner', + description='List all absolute and rate limit informations.', + operations=[ + { + 'path': PATH_LIMITS, + 'method': 'GET' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/modules.py b/trove/common/policies/modules.py new file mode 100644 index 0000000000..4247b12ec6 --- /dev/null +++ b/trove/common/policies/modules.py @@ -0,0 +1,92 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import PATH_MODULES, PATH_MODULE + +rules = [ + policy.DocumentedRuleDefault( + name='module:create', + check_str='rule:admin_or_owner', + description='Create a module.', + operations=[ + { + 'path': PATH_MODULES, + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='module:delete', + check_str='rule:admin_or_owner', + description='Delete a module.', + operations=[ + { + 'path': PATH_MODULE, + 'method': 'DELETE' + } + ]), + policy.DocumentedRuleDefault( + name='module:index', + check_str='rule:admin_or_owner', + description='List all modules.', + operations=[ + { + 'path': PATH_MODULES, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='module:show', + check_str='rule:admin_or_owner', + description='Get informations of a module.', + operations=[ + { + 'path': PATH_MODULE, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='module:instances', + check_str='rule:admin_or_owner', + description='List all instances to which a module is applied.', + operations=[ + { + 'path': PATH_MODULE + '/instances', + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='module:update', + check_str='rule:admin_or_owner', + description='Update a module.', + operations=[ + { + 'path': PATH_MODULE, + 'method': 'PUT' + } + ]), + policy.DocumentedRuleDefault( + name='module:reapply', + check_str='rule:admin_or_owner', + description='Reapply a module to all instances.', + operations=[ + { + 'path': PATH_MODULE + '/instances', + 'method': 'PUT' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/root.py b/trove/common/policies/root.py new file mode 100644 index 0000000000..736969cd39 --- /dev/null +++ b/trove/common/policies/root.py @@ -0,0 +1,84 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import PATH_INSTANCE, PATH_CLUSTER + +rules = [ + policy.DocumentedRuleDefault( + name='instance:extension:root:create', + check_str='rule:admin_or_owner', + description='Enable the root user of a database instance.', + operations=[ + { + 'path': PATH_INSTANCE + '/root', + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='instance:extension:root:delete', + check_str='rule:admin_or_owner', + description='Disable the root user of a database instance.', + operations=[ + { + 'path': PATH_INSTANCE + '/root', + 'method': 'DELETE' + } + ]), + policy.DocumentedRuleDefault( + name='instance:extension:root:index', + check_str='rule:admin_or_owner', + description='Show whether the root user of a database ' + 'instance has been ever enabled.', + operations=[ + { + 'path': PATH_INSTANCE + '/root', + 'method': 'GET' + } + ]), + + policy.DocumentedRuleDefault( + name='cluster:extension:root:create', + check_str='rule:admin_or_owner', + description='Enable the root user of the instances in a cluster.', + operations=[ + { + 'path': PATH_CLUSTER + '/root', + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='cluster:extension:root:delete', + check_str='rule:admin_or_owner', + description='Enable the root user of the instances in a cluster.', + operations=[ + { + 'path': PATH_CLUSTER + '/root', + 'method': 'DELETE' + } + ]), + policy.DocumentedRuleDefault( + name='cluster:extension:root:index', + check_str='rule:admin_or_owner', + description='Disable the root of the instances in a cluster.', + operations=[ + { + 'path': PATH_CLUSTER + '/root', + 'method': 'GET' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/user_access.py b/trove/common/policies/user_access.py new file mode 100644 index 0000000000..e0bb9ac1ba --- /dev/null +++ b/trove/common/policies/user_access.py @@ -0,0 +1,52 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import PATH_ACCESSES, PATH_ACCESS + +rules = [ + policy.DocumentedRuleDefault( + name='instance:extension:user_access:update', + check_str='rule:admin_or_owner', + description='Grant access for a user to one or more databases.', + operations=[ + { + 'path': PATH_ACCESSES, + 'method': 'PUT' + } + ]), + policy.DocumentedRuleDefault( + name='instance:extension:user_access:delete', + check_str='rule:admin_or_owner', + description='Revoke access for a user to a databases.', + operations=[ + { + 'path': PATH_ACCESS, + 'method': 'DELETE' + } + ]), + policy.DocumentedRuleDefault( + name='instance:extension:user_access:index', + check_str='rule:admin_or_owner', + description='Get permissions of a user', + operations=[ + { + 'path': PATH_ACCESSES, + 'method': 'GET' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policies/users.py b/trove/common/policies/users.py new file mode 100644 index 0000000000..fe7e60d7e3 --- /dev/null +++ b/trove/common/policies/users.py @@ -0,0 +1,91 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from trove.common.policies.base import ( + PATH_INSTANCES, PATH_USERS, PATH_USER) + +rules = [ + policy.DocumentedRuleDefault( + name='instance:extension:user:create', + check_str='rule:admin_or_owner', + description='Create users for a database instance.', + operations=[ + { + 'path': PATH_USERS, + 'method': 'POST' + }, + # we also check this when creating instances with + # users specified. + { + 'path': PATH_INSTANCES, + 'method': 'POST' + } + ]), + policy.DocumentedRuleDefault( + name='instance:extension:user:delete', + check_str='rule:admin_or_owner', + description='Delete a user from a database instance.', + operations=[ + { + 'path': PATH_USER, + 'method': 'DELETE' + } + ]), + policy.DocumentedRuleDefault( + name='instance:extension:user:index', + check_str='rule:admin_or_owner', + description='Get all users of a database instance.', + operations=[ + { + 'path': PATH_USERS, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='instance:extension:user:show', + check_str='rule:admin_or_owner', + description='Get the information of a single user ' + 'of a database instance.', + operations=[ + { + 'path': PATH_USER, + 'method': 'GET' + } + ]), + policy.DocumentedRuleDefault( + name='instance:extension:user:update', + check_str='rule:admin_or_owner', + description='Update attributes for a user of a database instance.', + operations=[ + { + 'path': PATH_USER, + 'method': 'PUT' + } + ]), + policy.DocumentedRuleDefault( + name='instance:extension:user:update_all', + check_str='rule:admin_or_owner', + description='Update the password for one or more users ' + 'a database instance.', + operations=[ + { + 'path': PATH_USERS, + 'method': 'PUT' + } + ]) +] + + +def list_rules(): + return rules diff --git a/trove/common/policy.py b/trove/common/policy.py index 3137ef8a0a..fb6f9f29df 100644 --- a/trove/common/policy.py +++ b/trove/common/policy.py @@ -18,205 +18,17 @@ from oslo_config import cfg from oslo_policy import policy from trove.common import exception as trove_exceptions +from trove.common import policies CONF = cfg.CONF _ENFORCER = None -base_rules = [ - policy.RuleDefault( - 'admin', - 'role:admin or is_admin:True', - description='Must be an administrator.'), - policy.RuleDefault( - 'admin_or_owner', - 'rule:admin or tenant:%(tenant)s', - description='Must be an administrator or owner of the object.'), - policy.RuleDefault( - 'default', - 'rule:admin_or_owner', - description='Must be an administrator or owner of the object.') -] - -instance_rules = [ - policy.RuleDefault( - 'instance:create', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:delete', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:force_delete', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:index', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:show', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:update', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:edit', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:restart', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:resize_volume', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:resize_flavor', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:reset_status', 'rule:admin'), - policy.RuleDefault( - 'instance:promote_to_replica_source', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:eject_replica_source', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:configuration', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:guest_log_list', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:backups', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:module_list', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:module_apply', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:module_remove', 'rule:admin_or_owner'), - - policy.RuleDefault( - 'instance:extension:root:create', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:extension:root:delete', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:extension:root:index', 'rule:admin_or_owner'), - - policy.RuleDefault( - 'instance:extension:user:create', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:extension:user:delete', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:extension:user:index', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:extension:user:show', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:extension:user:update', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:extension:user:update_all', 'rule:admin_or_owner'), - - policy.RuleDefault( - 'instance:extension:user_access:update', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:extension:user_access:delete', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:extension:user_access:index', 'rule:admin_or_owner'), - - policy.RuleDefault( - 'instance:extension:database:create', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:extension:database:delete', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:extension:database:index', 'rule:admin_or_owner'), - policy.RuleDefault( - 'instance:extension:database:show', 'rule:admin_or_owner'), - - policy.RuleDefault( - 'cluster:create', 'rule:admin_or_owner'), - policy.RuleDefault( - 'cluster:delete', 'rule:admin_or_owner'), - policy.RuleDefault( - 'cluster:force_delete', 'rule:admin_or_owner'), - policy.RuleDefault( - 'cluster:index', 'rule:admin_or_owner'), - policy.RuleDefault( - 'cluster:show', 'rule:admin_or_owner'), - policy.RuleDefault( - 'cluster:show_instance', 'rule:admin_or_owner'), - policy.RuleDefault( - 'cluster:action', 'rule:admin_or_owner'), - policy.RuleDefault( - 'cluster:reset-status', 'rule:admin'), - - policy.RuleDefault( - 'cluster:extension:root:create', 'rule:admin_or_owner'), - policy.RuleDefault( - 'cluster:extension:root:delete', 'rule:admin_or_owner'), - policy.RuleDefault( - 'cluster:extension:root:index', 'rule:admin_or_owner'), - - policy.RuleDefault( - 'backup:create', 'rule:admin_or_owner'), - policy.RuleDefault( - 'backup:delete', 'rule:admin_or_owner'), - policy.RuleDefault( - 'backup:index', 'rule:admin_or_owner'), - policy.RuleDefault( - 'backup:show', 'rule:admin_or_owner'), - - policy.RuleDefault( - 'configuration:create', 'rule:admin_or_owner'), - policy.RuleDefault( - 'configuration:delete', 'rule:admin_or_owner'), - policy.RuleDefault( - 'configuration:index', 'rule:admin_or_owner'), - policy.RuleDefault( - 'configuration:show', 'rule:admin_or_owner'), - policy.RuleDefault( - 'configuration:instances', 'rule:admin_or_owner'), - policy.RuleDefault( - 'configuration:update', 'rule:admin_or_owner'), - policy.RuleDefault( - 'configuration:edit', 'rule:admin_or_owner'), - - policy.RuleDefault( - 'configuration-parameter:index', 'rule:admin_or_owner'), - policy.RuleDefault( - 'configuration-parameter:show', 'rule:admin_or_owner'), - policy.RuleDefault( - 'configuration-parameter:index_by_version', 'rule:admin_or_owner'), - policy.RuleDefault( - 'configuration-parameter:show_by_version', 'rule:admin_or_owner'), - - policy.RuleDefault( - 'datastore:index', ''), - policy.RuleDefault( - 'datastore:show', ''), - policy.RuleDefault( - 'datastore:version_show', ''), - policy.RuleDefault( - 'datastore:version_show_by_uuid', ''), - policy.RuleDefault( - 'datastore:version_index', ''), - policy.RuleDefault( - 'datastore:list_associated_flavors', ''), - policy.RuleDefault( - 'datastore:list_associated_volume_types', ''), - - policy.RuleDefault( - 'flavor:index', ''), - policy.RuleDefault( - 'flavor:show', ''), - - policy.RuleDefault( - 'limits:index', 'rule:admin_or_owner'), - - policy.RuleDefault( - 'module:create', 'rule:admin_or_owner'), - policy.RuleDefault( - 'module:delete', 'rule:admin_or_owner'), - policy.RuleDefault( - 'module:index', 'rule:admin_or_owner'), - policy.RuleDefault( - 'module:show', 'rule:admin_or_owner'), - policy.RuleDefault( - 'module:instances', 'rule:admin_or_owner'), - policy.RuleDefault( - 'module:update', 'rule:admin_or_owner'), - policy.RuleDefault( - 'module:reapply', 'rule:admin_or_owner'), -] - - def get_enforcer(): global _ENFORCER if not _ENFORCER: _ENFORCER = policy.Enforcer(CONF) - _ENFORCER.register_defaults(base_rules) - _ENFORCER.register_defaults(instance_rules) + _ENFORCER.register_defaults(policies.list_rules()) _ENFORCER.load_rules() return _ENFORCER