openstack/vitrage
Code Issues Proposed changes

Merge "Register default policies in code"

Browse Source
This commit is contained in:
Zuul 2017-11-20 03:24:06 +00:00 committed by Gerrit Code Review
commit e525801ff5
17 changed files with 372 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -24,6 +24,7 @@ ChangeLog
.coverage
cover
etc/vitrage/vitrage.conf
etc/vitrage/policy.yaml.sample
doc/source/_static/
*.db

4
devstack/plugin.sh
View File

@ -158,10 +158,6 @@ function configure_vitrage {
setup_colorized_logging $VITRAGE_CONF DEFAULT
fi
# Install the policy file for the API server
cp $VITRAGE_DIR/etc/vitrage/policy.json $VITRAGE_CONF_DIR
iniset $VITRAGE_CONF oslo_policy policy_file $VITRAGE_CONF_DIR/policy.json
cp $VITRAGE_DIR/etc/vitrage/api-paste.ini $VITRAGE_CONF_DIR
# Service credentials - openstack clients using keystone

3
doc/source/install/install-rdo.rst
View File

@ -61,8 +61,6 @@ Create the Vitrage folders
$ sudo mkdir /var/log/vitrage
$ sudo chmod 755 /var/log/vitrage
Copy `policy.json`_ to /etc/vitrage/
Copy `api-paste.ini`_ to /etc/vitrage/
Copy the `datasources_values`_ folder with its content
@ -73,7 +71,6 @@ is vitrage.yaml
.. _policy.json: http://git.openstack.org/cgit/openstack/vitrage/tree/etc/vitrage/policy.json
.. _api-paste.ini: http://git.openstack.org/cgit/openstack/vitrage/tree/etc/vitrage/api-paste.ini
.. _datasources_values: http://git.openstack.org/cgit/openstack/vitrage/tree/etc/vitrage/datasources_values

17
etc/vitrage/policy.json
View File

@ -1,17 +0,0 @@
{
"get topology": "",
"get topology:all_tenants": "role:admin",
"get resource": "",
"list resources": "",
"list resources:all_tenants": "role:admin",
"list alarms": "",
"list alarms:all_tenants": "role:admin",
"get alarms count": "",
"get alarms count:all_tenants": "role:admin",
"get rca": "",
"get rca:all_tenants": "role:admin",
"template validate": "",
"template list": "",
"template show": "",
"event post": ""
}

3
etc/vitrage/vitrage-policy-generator.conf Normal file
View File

@ -0,0 +1,3 @@
[DEFAULT]
output_file = etc/vitrage/policy.yaml.sample
namespace = vitrage

3
setup.cfg
View File

@ -39,6 +39,9 @@ oslo.config.opts =
vitrage = vitrage.opts:list_opts
datasources = vitrage.opts:datasources_opts
oslo.policy.policies =
vitrage = vitrage.common.policies:list_rules
tempest.test_plugins =
vitrage_tests = vitrage_tempest_tests.plugin:VitrageTempestPlugin

3
tox.ini
View File

@ -23,6 +23,9 @@ commands = flake8
[testenv:genconfig]
commands = oslo-config-generator --config-file=etc/vitrage/vitrage-config-generator.conf
[testenv:genpolicy]
commands = oslopolicy-sample-generator --config-file=etc/vitrage/vitrage-policy-generator.conf
[testenv:venv]
commands = {posargs}

5
vitrage/api/hooks.py
View File

@ -16,6 +16,7 @@ from oslo_context import context
from oslo_policy import policy
from pecan import hooks
from vitrage.common import policies
from vitrage import messaging
from vitrage import rpc as vitrage_rpc
from vitrage import storage
@ -27,6 +28,10 @@ class ConfigHook(hooks.PecanHook):
def __init__(self, conf):
self.conf = conf
self.enforcer = policy.Enforcer(conf)
self._register_rules()
def _register_rules(self):
self.enforcer.register_defaults(policies.list_rules())
def before(self, state):
state.request.cfg = self.conf

31
vitrage/common/policies/__init__.py Normal file
View File

@ -0,0 +1,31 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import itertools
from vitrage.common.policies import alarms
from vitrage.common.policies import event
from vitrage.common.policies import rca
from vitrage.common.policies import resource
from vitrage.common.policies import template
from vitrage.common.policies import topology
def list_rules():
return itertools.chain(
alarms.list_rules(),
event.list_rules(),
rca.list_rules(),
template.list_rules(),
topology.list_rules(),
resource.list_rules()
)

69
vitrage/common/policies/alarms.py Normal file
View File

@ -0,0 +1,69 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vitrage.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name='list alarms',
check_str=base.UNPROTECTED,
description='List the alarms on a resource, or all alarms',
operations=[
{
'path': '/alarm',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name='list alarms:all_tenants',
check_str=base.ROLE_ADMIN,
description='List alarms of all tenants '
'(if the user has the permissions)',
operations=[
{
'path': '/alarm',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name='list alarms count',
check_str=base.UNPROTECTED,
description='Show how many alarms of each operations severity exist',
operations=[
{
'path': '/alarm/count',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name='list alarms count:all_tenants',
check_str=base.ROLE_ADMIN,
description='Show how many alarms of each operation severity exist. '
'Consider the alarms of all tenants (if the user has the '
'permissions)',
operations=[
{
'path': '/alarm/count',
'method': 'GET'
}
]
)
]
def list_rules():
return rules

14
vitrage/common/policies/base.py Normal file
View File

@ -0,0 +1,14 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
UNPROTECTED = ''
ROLE_ADMIN = 'role:admin'

34
vitrage/common/policies/event.py Normal file
View File

@ -0,0 +1,34 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vitrage.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name='event post',
check_str=base.UNPROTECTED,
description='Post an event to Vitrage message queue, to be consumed by'
' a datasource driver.',
operations=[
{
'path': '/event',
'method': 'POST'
}
]
)
]
def list_rules():
return rules

45
vitrage/common/policies/rca.py Normal file
View File

@ -0,0 +1,45 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vitrage.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name='get rca',
check_str=base.UNPROTECTED,
description='Show the root cause analysis on an alarm',
operations=[
{
'path': '/rca',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name='get rca:all_tenants',
check_str=base.ROLE_ADMIN,
description='Show the root cause analysis on an alarm. Include alarms'
' of all tenants (if the user has the permisions)',
operations=[
{
'path': '/rca',
'method': 'GET'
}
]
)
]
def list_rules():
return rules

58
vitrage/common/policies/resource.py Normal file
View File

@ -0,0 +1,58 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vitrage.common.policies import base
rules = [
policy.DocumentedRuleDefault(
name='get resource',
check_str=base.UNPROTECTED,
description='Show the details of specified resource',
operations=[
{
'path': '/resources',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name='list resources',
check_str=base.UNPROTECTED,
description='List the resources with the specified type, or all the '
'resources',
operations=[
{
'path': '/resources',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name='list resources:all_tenants',
check_str=base.ROLE_ADMIN,
description='List the resources with the specified type, or all the '
'resources. Include resources of all tenants (if the user'
' has the permissions)',
operations=[
{
'path': '/resources',
'method': 'GET'
}
]
)
]
def list_rules():
return rules

57
vitrage/common/policies/template.py Normal file
View File

@ -0,0 +1,57 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vitrage.common.policies import base
TEMPLATE = 'template %s'
rules = [
policy.DocumentedRuleDefault(
name=TEMPLATE % 'validate',
check_str=base.UNPROTECTED,
description='Validate a template, or all templates in a folder',
operations=[
{
'path': '/template',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=TEMPLATE % 'list',
check_str=base.UNPROTECTED,
description='List all templates',
operations=[
{
'path': '/template',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=TEMPLATE % 'show',
check_str=base.UNPROTECTED,
description='Show the template body for given template ID',
operations=[
{
'path': '/template/{template_uuid}',
'method': 'GET'
}
]
)
]
def list_rules():
return rules

49
vitrage/common/policies/topology.py Normal file
View File

@ -0,0 +1,49 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from vitrage.common.policies import base
TOPOLOGY = 'get topology'
rules = [
policy.DocumentedRuleDefault(
name=TOPOLOGY,
check_str=base.UNPROTECTED,
description='Get the topology for the OpenStack cluster with optional '
'query parameters',
operations=[
{
'path': '/topology',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=TOPOLOGY + ':all_tenants',
check_str=base.ROLE_ADMIN,
description='Get the topology for the OpenStack cluster with optional '
'query parameters. Return resources of all tenants (if the'
' user has the permissions).',
operations=[
{
'path': '/topology',
'method': 'GET'
}
]
)
]
def list_rules():
return rules

5
vitrage/tests/functional/api/__init__.py
View File

@ -47,11 +47,6 @@ class FunctionalTest(base.BaseTest):
vitrage_root = os.path.abspath(
os.path.join(os.path.dirname(vitrage_init_file), '..', ))
self.CONF.set_override('policy_file', os.path.join(vitrage_root,
'etc', 'vitrage',
'policy.json'),
group='oslo_policy')
self.CONF.set_override('paste_config', os.path.join(vitrage_root,
'etc', 'vitrage',
'api-paste.ini'),