diff --git a/etc/oslo-config-generator/zaqar-policy-generator.conf b/etc/oslo-config-generator/zaqar-policy-generator.conf
new file mode 100644
index 000000000..6a419956f
--- /dev/null
+++ b/etc/oslo-config-generator/zaqar-policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/zaqar.policy.yaml.sample
+namespace = zaqar
diff --git a/etc/policy.json.sample b/etc/policy.json.sample
index 83a6bd5d4..e685911e4 100644
--- a/etc/policy.json.sample
+++ b/etc/policy.json.sample
@@ -1,6 +1,4 @@
 {
- "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
 "default": "rule:admin_or_owner",
 "queues:get_all": "",
diff --git a/setup.cfg b/setup.cfg
index 6843e826c..02b25924f 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -87,6 +87,9 @@ zaqar.notification.tasks =
 tempest.test_plugins =
 zaqar_tests = zaqar.tests.tempest_plugin.plugin:ZaqarTempestPlugin
+oslo.policy.policies =
+ zaqar = zaqar.common.policies:list_rules
+
 [nosetests]
 where=zaqar/tests
 verbosity=2
diff --git a/tox.ini b/tox.ini
index e83c8363c..ebe6da552 100644
--- a/tox.ini
+++ b/tox.ini
@@ -34,6 +34,10 @@ commands = flake8
 commands =
 oslo-config-generator --config-file etc/oslo-config-generator/zaqar.conf
+[testenv:genpolicy]
+commands =
+ oslopolicy-sample-generator --config-file etc/oslo-config-generator/zaqar-policy-generator.conf
+
 [testenv:cover]
 commands = python setup.py testr --coverage \
diff --git a/zaqar/common/policies/__init__.py b/zaqar/common/policies/__init__.py
new file mode 100644
index 000000000..4f457a846
--- /dev/null
+++ b/zaqar/common/policies/__init__.py
@@ -0,0 +1,21 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from zaqar.common.policies import base
+
+
+def list_rules():
+ return itertools.chain(
+ base.list_rules()
+ )
diff --git a/zaqar/common/policies/base.py b/zaqar/common/policies/base.py
new file mode 100644
index 000000000..849e9bc38
--- /dev/null
+++ b/zaqar/common/policies/base.py
@@ -0,0 +1,31 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+ROLE_ADMIN = 'role:admin'
+RULE_ADMIN_OR_OWNER = 'is_admin:True or project_id:%(project_id)s'
+
+rules = [
+ policy.RuleDefault(
+ name='context_is_admin',
+ check_str=ROLE_ADMIN
+ ),
+ policy.RuleDefault(
+ name='admin_or_owner',
+ check_str=RULE_ADMIN_OR_OWNER
+ )
+]
+
+
+def list_rules():
+ return rules
diff --git a/zaqar/transport/acl.py b/zaqar/transport/acl.py
index 377563d04..e8fbafb18 100644
--- a/zaqar/transport/acl.py
+++ b/zaqar/transport/acl.py
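Review bot: `list_rules` in `zaqar/common/policies/__init__.py` has no docstring even though it is the public entry point wired up as `oslo.policy.policies` in setup.cfg, so its contract (an iterable of `policy.RuleDefault` objects) is only discoverable by reading base.py; I would add `"""Return an iterator over every policy RuleDefault that Zaqar registers."""` under the def. Note that `itertools.chain` yields a single-use iterator, which is fine for `register_defaults` and the sample generator since each consumes it once, but a caller that wants to walk the rules twice must materialise it first.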
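Review bot: Neither `RuleDefault` in base.py carries a `description`, so the `zaqar.policy.yaml.sample` that the new `genpolicy` tox env generates will list `context_is_admin` and `admin_or_owner` with no explanation of what they gate; e.g. `policy.RuleDefault(name='context_is_admin', check_str=ROLE_ADMIN, description='Rule for the is_admin:True check used by admin_or_owner.')`. `list_rules` also hands back the module-level `rules` list itself, so any caller that mutates the result silently alters the process-wide defaults; returning `tuple(rules)` costs nothing. Finally, only these two rules are defined in code while `etc/policy.json.sample` still carries `queues:get_all` and the rest, so until those are migrated here the generated sample appears to cover only a fraction of the enforced policy.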
@@ -18,6 +18,8 @@ import functools
 from oslo_policy import policy
+from zaqar.common import policies
+
 ENFORCER = None
@@ -25,6 +27,11 @@ def setup_policy(conf):
 global ENFORCER
 ENFORCER = policy.Enforcer(conf)
+ register_rules(ENFORCER)
+
+
+def register_rules(enforcer):
+ enforcer.register_defaults(policies.list_rules())
 def enforce(rule):
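Review bot: `register_rules` lacks a docstring, and because this commit also drops `context_is_admin` and `admin_or_owner` from `etc/policy.json.sample`, these in-code defaults are now what backs the sample's `"default": "rule:admin_or_owner"`; the precedence is worth stating, since oslo.policy lets a rule present in the operator's loaded policy file override a registered default of the same name, so deployments with an older policy file keep their own definitions. I would add `"""Register Zaqar's in-code default rules with *enforcer*; a rule of the same name in the loaded policy file still takes precedence."""`. The same docstring should note that `Enforcer.register_defaults` raises `DuplicatePolicyError` when a name is registered twice on one enforcer, so `register_rules` must not be called again on an enforcer that already holds these defaults (safe here only because `setup_policy` builds a fresh `Enforcer` each call). `setup_policy` itself starts outside the hunk.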