Implement basic policy module in code

This change prepares the zaqar project to start implementing policies in code. Subsequent patches will register more zaqar policies in code and remove the corresponding entry from the policy file maintained in source. This is part of a community effort to provide better user experience for those having to maintain RBAC policy. More information on this effort can be found below: https://governance.openstack.org/tc/goals/queens/policy-in-code.html bp policy-and-docs-in-code Change-Id: I5d804b589df215fddc18257fc9f05ba2e0d708bd
2017-10-02 16:55:36 +00:00 · 2017-10-02 16:55:36 +00:00 · 3f7cc0a460
commit 3f7cc0a460
parent 7ca8254a42
7 changed files with 69 additions and 2 deletions
--- a/etc/oslo-config-generator/zaqar-policy-generator.conf
+++ b/etc/oslo-config-generator/zaqar-policy-generator.conf
@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/zaqar.policy.yaml.sample
+namespace = zaqar
--- a/etc/policy.json.sample
+++ b/etc/policy.json.sample
@ -1,6 +1,4 @@
 {
-    "context_is_admin": "role:admin",
-    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",

    "queues:get_all": "",
--- a/setup.cfg
+++ b/setup.cfg
@ -87,6 +87,9 @@ zaqar.notification.tasks =
 tempest.test_plugins =
    zaqar_tests = zaqar.tests.tempest_plugin.plugin:ZaqarTempestPlugin

+oslo.policy.policies =
+    zaqar = zaqar.common.policies:list_rules
+
 [nosetests]
 where=zaqar/tests
 verbosity=2
--- a/tox.ini
+++ b/tox.ini
@ -34,6 +34,10 @@ commands = flake8
 commands =
  oslo-config-generator --config-file etc/oslo-config-generator/zaqar.conf

+[testenv:genpolicy]
+commands =
+  oslopolicy-sample-generator --config-file etc/oslo-config-generator/zaqar-policy-generator.conf
+
 [testenv:cover]
 commands =
  python setup.py testr --coverage \
--- a/zaqar/common/policies/init.py
+++ b/zaqar/common/policies/init.py
@ -0,0 +1,21 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from zaqar.common.policies import base
+
+
+def list_rules():
+    return itertools.chain(
+        base.list_rules()
+    )
--- a/zaqar/common/policies/base.py
+++ b/zaqar/common/policies/base.py
@ -0,0 +1,31 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+ROLE_ADMIN = 'role:admin'
+RULE_ADMIN_OR_OWNER = 'is_admin:True or project_id:%(project_id)s'
+
+rules = [
+    policy.RuleDefault(
+        name='context_is_admin',
+        check_str=ROLE_ADMIN
+    ),
+    policy.RuleDefault(
+        name='admin_or_owner',
+        check_str=RULE_ADMIN_OR_OWNER
+    )
+]
+
+
+def list_rules():
+    return rules
--- a/zaqar/transport/acl.py
+++ b/zaqar/transport/acl.py
@ -18,6 +18,8 @@ import functools

 from oslo_policy import policy

+from zaqar.common import policies
+
 ENFORCER = None


@ -25,6 +27,11 @@ def setup_policy(conf):
    global ENFORCER

    ENFORCER = policy.Enforcer(conf)
+    register_rules(ENFORCER)
+
+
+def register_rules(enforcer):
+    enforcer.register_defaults(policies.list_rules())


 def enforce(rule):