Add Oslo Policy options for policy file location

Adds options to the configuration of Shipyard to direct oslo_policy to
the location of the /etc/shipyard/policy.yaml file (default location)
allowing for override of default policies via chart or chart override.

Change-Id: I5cf68994c40aa835a631f5b6f67363a2b8a8af0a

charts/shipyard/values.yaml

@@ -361,12 +361,17 @@ conf:
     workflow_orchestrator:create_action: rule:admin_required
     workflow_orchestrator:get_action: rule:admin_required
     workflow_orchestrator:get_action_step: rule:admin_required
+    workflow_orchestrator:get_action_step_logs: rule:admin_required
     workflow_orchestrator:get_action_validation: rule:admin_required
     workflow_orchestrator:invoke_action_control: rule:admin_required
+    workflow_orchestrator:get_configdocs_status: rule:admin_required
     workflow_orchestrator:create_configdocs: rule:admin_required
     workflow_orchestrator:get_configdocs: rule:admin_required
     workflow_orchestrator:commit_configdocs: rule:admin_required
     workflow_orchestrator:get_renderedconfigdocs: rule:admin_required
+    workflow_orchestrator:list_workflows: rule:admin_required
+    workflow_orchestrator:get_workflow: rule:admin_required
+    workflow_orchestrator:get_site_statuses: rule:admin_required
   paste:
     app:shipyard-api:
       paste.app_factory: shipyard_airflow.shipyard_api:paste_start_shipyard
@@ -385,17 +390,6 @@ conf:
       service_type: armada
     drydock:
       service_type: physicalprovisioner
-      verify_site_query_interval: 10
-      verify_site_task_timeout: 60
-      prepare_site_query_interval: 10
-      prepare_site_task_timeout: 300
-      prepare_node_query_interval: 30
-      prepare_node_task_timeout: 1800
-      deploy_node_query_interval: 30
-      deploy_node_task_timeout: 3600
-      destroy_node_query_interval: 30
-      destroy_node_task_timeout: 900
-      cluster_join_check_backoff_time: 120
     promenade:
       service_type: kubernetesprovisioner
     keystone_authtoken:
@@ -416,6 +410,11 @@ conf:
       worker_port: 8793
     k8s_logs:
       ucp_namespace: 'ucp'
+    oslo_policy:
+      policy_file: /etc/shipyard/policy.yaml
+      # If non-existent rule is used, the request should be denied. The
+      # deny_all rule is hard coded in the policy.py code to allow no access.
+      policy_default_rule: deny_all
   airflow_config_file:
     path: /usr/local/airflow/airflow.cfg
   airflow:

docs/source/_static/shipyard.policy.yaml.sample

@@ -59,3 +59,7 @@
 # GET  /api/v1.0/workflows/{id}
 #"workflow_orchestrator:get_workflow": "rule:admin_required"
 
+# Retrieve the statuses for the site
+# GET  /api/v1.0/site_statuses
+#"workflow_orchestrator:get_site_statuses": "rule:admin_required"
+

src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample

@@ -59,6 +59,7 @@
 # GET  /api/v1.0/workflows/{id}
 #"workflow_orchestrator:get_workflow": "rule:admin_required"
 
-# Retrieve the status for node provision status
+# Retrieve the statuses for the site
 # GET  /api/v1.0/site_statuses
 #"workflow_orchestrator:get_site_statuses": "rule:admin_required"
+

src/bin/shipyard_airflow/shipyard_airflow/policy.py

@@ -32,13 +32,20 @@ class ShipyardPolicy(object):
     """
 
     RULE_ADMIN_REQUIRED = 'rule:admin_required'
+    RULE_DENY_ALL = 'rule:deny_all'
 
     # Base Policy
     base_rules = [
         policy.RuleDefault(
             'admin_required',
             'role:admin',
-            description='Actions requiring admin authority'),
+            description='Actions requiring admin authority'
+        ),
+        policy.RuleDefault(
+            'deny_all',
+            '!',
+            description='Rule to deny all access. Used for default denial'
+        ),
     ]
 
     # Orchestrator Policy
@@ -234,7 +241,7 @@ class ApiEnforcer(object):
                     authorized = True
             except:
                 # couldn't service the auth request
-                LOG.error(
+                LOG.exception(
                     "Error - Expectation Failed - action: %s", self.action)
                 raise ApiError(
                     title="Expectation Failed",

src/bin/shipyard_airflow/tests/unit/control/test.conf

@@ -44,4 +44,6 @@ validation_read_timeout = 300
 service_type = shipyard
 [logging]
 named_log_levels = keystoneauth:ERROR,cheese:WARN,pumpkins:INFO
-
+[oslo_policy]
+policy_file = /etc/shipyard/policy.yaml
+policy_default_rule = deny_all

tools/resources/shipyard.conf

@@ -13,18 +13,7 @@ upgrade_db = false
 [deckhand]
 service_type = deckhand
 [drydock]
-cluster_join_check_backoff_time = 120
-deploy_node_query_interval = 30
-deploy_node_task_timeout = 3600
-destroy_node_query_interval = 30
-destroy_node_task_timeout = 900
-prepare_node_query_interval = 30
-prepare_node_task_timeout = 1800
-prepare_site_query_interval = 10
-prepare_site_task_timeout = 300
 service_type = physicalprovisioner
-verify_site_query_interval = 10
-verify_site_task_timeout = 60
 [keystone_authtoken]
 auth_section = keystone_authtoken
 auth_type = password
@@ -53,3 +42,6 @@ validation_connect_timeout = 5
 validation_read_timeout = 300
 [shipyard]
 service_type = shipyard
+[oslo_policy]
+policy_file = /etc/shipyard/policy.yaml
+policy_default_rule = deny_all