openstack/zaqar
Code Issues Proposed changes

Merge "Implement basic policy module in code"

Browse Source
This commit is contained in:
Zuul 2017-10-17 09:49:25 +00:00 committed by Gerrit Code Review
commit fa44489ede
7 changed files with 69 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
etc/oslo-config-generator/zaqar-policy-generator.conf Normal file
View File

@ -0,0 +1,3 @@
[DEFAULT]
output_file = etc/zaqar.policy.yaml.sample
namespace = zaqar

2
etc/policy.json.sample
View File

@ -1,6 +1,4 @@
{ {
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner", "default": "rule:admin_or_owner",
"queues:get_all": "", "queues:get_all": "",

3
setup.cfg
View File

@ -87,6 +87,9 @@ zaqar.notification.tasks =
tempest.test_plugins = tempest.test_plugins =
zaqar_tests = zaqar.tests.tempest_plugin.plugin:ZaqarTempestPlugin zaqar_tests = zaqar.tests.tempest_plugin.plugin:ZaqarTempestPlugin
oslo.policy.policies =
zaqar = zaqar.common.policies:list_rules
[nosetests] [nosetests]
where=zaqar/tests where=zaqar/tests
verbosity=2 verbosity=2

4
tox.ini
View File

@ -34,6 +34,10 @@ commands = flake8
commands = commands =
oslo-config-generator --config-file etc/oslo-config-generator/zaqar.conf oslo-config-generator --config-file etc/oslo-config-generator/zaqar.conf
[testenv:genpolicy]
commands =
oslopolicy-sample-generator --config-file etc/oslo-config-generator/zaqar-policy-generator.conf
[testenv:cover] [testenv:cover]
commands = commands =
python setup.py testr --coverage \ python setup.py testr --coverage \

21
zaqar/common/policies/__init__.py Normal file
View File

@ -0,0 +1,21 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import itertools
from zaqar.common.policies import base
def list_rules():
return itertools.chain(
base.list_rules()
)

31
zaqar/common/policies/base.py Normal file
View File

@ -0,0 +1,31 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
ROLE_ADMIN = 'role:admin'
RULE_ADMIN_OR_OWNER = 'is_admin:True or project_id:%(project_id)s'
rules = [
policy.RuleDefault(
name='context_is_admin',
check_str=ROLE_ADMIN
),
policy.RuleDefault(
name='admin_or_owner',
check_str=RULE_ADMIN_OR_OWNER
)
]
def list_rules():
return rules

7
zaqar/transport/acl.py
View File

@ -18,6 +18,8 @@ import functools
from oslo_policy import policy from oslo_policy import policy
from zaqar.common import policies
ENFORCER = None ENFORCER = None
@ -25,6 +27,11 @@ def setup_policy(conf):
global ENFORCER global ENFORCER
ENFORCER = policy.Enforcer(conf) ENFORCER = policy.Enforcer(conf)
register_rules(ENFORCER)
def register_rules(enforcer):
enforcer.register_defaults(policies.list_rules())
def enforce(rule): def enforce(rule):