From 4469cacf3946be4096ef4c3ee6b8972d77653ef4 Mon Sep 17 00:00:00 2001 From: Hieu LE Date: Fri, 13 Oct 2017 14:07:04 +0700 Subject: [PATCH] Implement policy in code - event trigger (11) This commit migrate all event trigger policies into code [1]. Like oslo.config, with oslo.policy, we can define all of default rules in code base and only change some rules via policy file. Another thing that we should use yaml format instead of json format. This commit also remove policy.json file usage completely. [1] https://governance.openstack.org/tc/goals/queens/policy-in-code.html Co-authored-By: Dai Dang-Van Change-Id: Icd674fdc248e5b9c63f9e7d0f47c53288291ff07 --- devstack/plugin.sh | 6 - etc/policy.json | 12 +- mistral/api/access_control.py | 6 +- mistral/policies/__init__.py | 2 + mistral/policies/event_trigger.py | 104 ++++++++++++++++++ .../tests/unit/api/v2/test_event_trigger.py | 2 + mistral/tests/unit/fake_policy.py | 17 --- .../unit/mstrlfixtures/policy_fixtures.py | 19 ---- 8 files changed, 112 insertions(+), 56 deletions(-) create mode 100644 mistral/policies/event_trigger.py delete mode 100644 mistral/tests/unit/fake_policy.py diff --git a/devstack/plugin.sh b/devstack/plugin.sh index a613756d5..e947f9a61 100755 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -70,9 +70,6 @@ function configure_mistral { oslo-config-generator --config-file $MISTRAL_DIR/tools/config/config-generator.mistral.conf --output-file $MISTRAL_CONF_FILE iniset $MISTRAL_CONF_FILE DEFAULT debug $MISTRAL_DEBUG - MISTRAL_POLICY_FILE=$MISTRAL_CONF_DIR/policy.json - cp $MISTRAL_DIR/etc/policy.json $MISTRAL_POLICY_FILE - # Run all Mistral processes as a single process iniset $MISTRAL_CONF_FILE DEFAULT server all @@ -94,9 +91,6 @@ function configure_mistral { # Configure action execution deletion policy iniset $MISTRAL_CONF_FILE api allow_action_execution_deletion True - # Path of policy.json file. - iniset $MISTRAL_CONF oslo_policy policy_file $MISTRAL_POLICY_FILE - if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ]; then setup_colorized_logging $MISTRAL_CONF_FILE DEFAULT tenant user fi diff --git a/etc/policy.json b/etc/policy.json index bc6d8020e..0967ef424 100644 --- a/etc/policy.json +++ b/etc/policy.json @@ -1,11 +1 @@ -{ - "default": "rule:admin_or_owner", - - "event_triggers:create": "rule:admin_or_owner", - "event_triggers:create:public": "rule:admin_only", - "event_triggers:delete": "rule:admin_or_owner", - "event_triggers:get": "rule:admin_or_owner", - "event_triggers:list": "rule:admin_or_owner", - "event_triggers:list:all_projects": "rule:admin_only", - "event_triggers:update": "rule:admin_or_owner" -} +{} diff --git a/mistral/api/access_control.py b/mistral/api/access_control.py index 316f7469a..004a827d5 100644 --- a/mistral/api/access_control.py +++ b/mistral/api/access_control.py @@ -74,9 +74,9 @@ def enforce(action, context, target=None, do_raise=True, target_obj.update(target or {}) policy_context = context.to_policy_values() - # Because policy.json example in Mistral repo still uses the rule - # 'is_admin: True', we insert 'is_admin' key to the default policy - # values. + # Because policy.json or policy.yaml example in Mistral repo still uses + # the rule 'is_admin: True', we insert 'is_admin' key to the default + # policy values. policy_context['is_admin'] = context.is_admin _ensure_enforcer_initialization() diff --git a/mistral/policies/__init__.py b/mistral/policies/__init__.py index b8f5b2256..a0e8aa9f7 100644 --- a/mistral/policies/__init__.py +++ b/mistral/policies/__init__.py @@ -19,6 +19,7 @@ from mistral.policies import action_executions from mistral.policies import base from mistral.policies import cron_trigger from mistral.policies import environment +from mistral.policies import event_trigger from mistral.policies import execution from mistral.policies import member from mistral.policies import service @@ -34,6 +35,7 @@ def list_rules(): base.list_rules(), cron_trigger.list_rules(), environment.list_rules(), + event_trigger.list_rules(), execution.list_rules(), member.list_rules(), service.list_rules(), diff --git a/mistral/policies/event_trigger.py b/mistral/policies/event_trigger.py new file mode 100644 index 000000000..85e1255a6 --- /dev/null +++ b/mistral/policies/event_trigger.py @@ -0,0 +1,104 @@ +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +from oslo_policy import policy + +from mistral.policies import base + +EVENT_TRIGGERS = 'event_triggers:%s' + +# NOTE(hieulq): all API operations of below rules are not documented in API +# reference docs yet. +rules = [ + policy.DocumentedRuleDefault( + name=EVENT_TRIGGERS % 'create', + check_str=base.RULE_ADMIN_OR_OWNER, + description='Create a new event trigger.', + operations=[ + { + 'path': '/v2/event_triggers', + 'method': 'POST' + } + ] + ), + policy.DocumentedRuleDefault( + name=EVENT_TRIGGERS % 'create:public', + check_str=base.RULE_ADMIN_ONLY, + description='Create a new event trigger for public usage.', + operations=[ + { + 'path': '/v2/event_triggers', + 'method': 'POST' + } + ] + ), + policy.DocumentedRuleDefault( + name=EVENT_TRIGGERS % 'delete', + check_str=base.RULE_ADMIN_OR_OWNER, + description='Delete event trigger.', + operations=[ + { + 'path': '/v2/event_triggers/{event_trigger_id}', + 'method': 'DELETE' + } + ] + ), + policy.DocumentedRuleDefault( + name=EVENT_TRIGGERS % 'get', + check_str=base.RULE_ADMIN_OR_OWNER, + description='Returns the specified event trigger.', + operations=[ + { + 'path': '/v2/event_triggers/{event_trigger_id}', + 'method': 'GET' + } + ] + ), + policy.DocumentedRuleDefault( + name=EVENT_TRIGGERS % 'list', + check_str=base.RULE_ADMIN_OR_OWNER, + description='Return all event triggers.', + operations=[ + { + 'path': '/v2/event_triggers', + 'method': 'GET' + } + ] + ), + policy.DocumentedRuleDefault( + name=EVENT_TRIGGERS % 'list:all_projects', + check_str=base.RULE_ADMIN_ONLY, + description='Return all event triggers from all projects.', + operations=[ + { + 'path': '/v2/event_triggers', + 'method': 'GET' + } + ] + ), + policy.DocumentedRuleDefault( + name=EVENT_TRIGGERS % 'update', + check_str=base.RULE_ADMIN_OR_OWNER, + description='Updates an existing event trigger.', + operations=[ + { + 'path': '/v2/event_triggers', + 'method': 'PUT' + } + ] + ) +] + + +def list_rules(): + return rules diff --git a/mistral/tests/unit/api/v2/test_event_trigger.py b/mistral/tests/unit/api/v2/test_event_trigger.py index 8e4dbf1ad..d6419e763 100644 --- a/mistral/tests/unit/api/v2/test_event_trigger.py +++ b/mistral/tests/unit/api/v2/test_event_trigger.py @@ -133,6 +133,8 @@ class TestEventTriggerController(base.APITest): @mock.patch.object(db_api, "get_workflow_definition", MOCK_WF) @mock.patch.object(triggers, "create_event_trigger") def test_post_public(self, create_trigger): + self.ctx = unit_base.get_context(default=False, admin=True) + self.mock_ctx.return_value = self.ctx trigger = copy.deepcopy(TRIGGER) trigger['scope'] = 'public' trigger.pop('id') diff --git a/mistral/tests/unit/fake_policy.py b/mistral/tests/unit/fake_policy.py deleted file mode 100644 index cd47453af..000000000 --- a/mistral/tests/unit/fake_policy.py +++ /dev/null @@ -1,17 +0,0 @@ -# Copyright 2016 NEC Corporation. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -policy_data = """{ - "default": "rule:admin_or_owner", -}""" diff --git a/mistral/tests/unit/mstrlfixtures/policy_fixtures.py b/mistral/tests/unit/mstrlfixtures/policy_fixtures.py index c1cd81281..885589246 100644 --- a/mistral/tests/unit/mstrlfixtures/policy_fixtures.py +++ b/mistral/tests/unit/mstrlfixtures/policy_fixtures.py @@ -12,8 +12,6 @@ # License for the specific language governing permissions and limitations # under the License. -import os - import fixtures from oslo_config import cfg from oslo_policy import opts as policy_opts @@ -21,32 +19,15 @@ from oslo_policy import policy as oslo_policy from mistral.api import access_control as acl from mistral import policies -from mistral.tests.unit import fake_policy class PolicyFixture(fixtures.Fixture): - """Load a fake policy from nova.tests.unit.fake_policy""" def setUp(self): super(PolicyFixture, self).setUp() - self.policy_dir = self.useFixture(fixtures.TempDir()) - self.policy_file_name = os.path.join( - self.policy_dir.path, - 'policy.json' - ) - - with open(self.policy_file_name, 'w') as policy_file: - policy_file.write(fake_policy.policy_data) - policy_opts.set_defaults(cfg.CONF) - cfg.CONF.set_override( - 'policy_file', - self.policy_file_name, - 'oslo_policy' - ) - acl._ENFORCER = oslo_policy.Enforcer(cfg.CONF) acl._ENFORCER.register_defaults(policies.list_rules()) acl._ENFORCER.load_rules()