diff --git a/config/policy.json b/config/policy.json
new file mode 100644
index 0000000..91f1fbb
--- /dev/null
+++ b/config/policy.json
@@ -0,0 +1,17 @@
+{
+ "admin": "role:admin or is_admin:True",
+ "admin_or_owner": "rule:admin or project_id:%(id)s or project_name:%(name)s",
+ "cloud_admin": "rule:admin and project_name:admin",
+ "default": "rule:admin",
+ "ProjectManager:ADD_PROJECT": "rule:admin",
+ "ProjectManager:GET_PROJECT": "rule:admin_or_owner",
+ "ProjectManager:GET_PROJECTS": "rule:cloud_admin",
+ "ProjectManager:REMOVE_PROJECT": "rule:admin",
+ "ProjectManager:UPDATE_PROJECT": "rule:admin",
+ "synergy:EXECUTE": "rule:cloud_admin",
+ "synergy:LIST": "rule:admin",
+ "synergy:START": "rule:admin",
+ "synergy:STATUS": "rule:admin",
+ "synergy:STOP": "rule:admin",
+}
+
diff --git a/packaging/debian/python-synergy-scheduler-manager.install b/packaging/debian/python-synergy-scheduler-manager.install
index a151f67..239d687 100644
--- a/packaging/debian/python-synergy-scheduler-manager.install
+++ b/packaging/debian/python-synergy-scheduler-manager.install
@@ -1 +1,2 @@
 config/synergy_scheduler.conf /etc/synergy
+config/policy.json /etc/synergy
diff --git a/packaging/debian/python-synergy-scheduler-manager.postinst b/packaging/debian/python-synergy-scheduler-manager.postinst
new file mode 100755
index 0000000..1d48f51
--- /dev/null
+++ b/packaging/debian/python-synergy-scheduler-manager.postinst
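Review bot: In config/policy.json the `admin_or_owner` and `cloud_admin` rules match on `project_name`, and project names are only unique within a Keystone domain, so a project that merely shares the name (for example another domain's `admin` project) would satisfy `cloud_admin`, which gates `synergy:EXECUTE` and `ProjectManager:GET_PROJECTS`. I would key these rules on an identifier that cannot be duplicated, e.g. `"cloud_admin": "rule:admin and project_id:<ADMIN_PROJECT_ID>"` (placeholder), and drop the `project_name:%(name)s` alternative from `admin_or_owner`, assuming the deployment can use more than one domain. Separately, the last entry `"synergy:STOP": "rule:admin",` leaves a trailing comma before `}`, which a strict JSON parser rejects; removing the comma keeps the file loadable regardless of whether the policy loader falls back to a more lenient parser.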
@@ -0,0 +1,47 @@
+#!/bin/sh
+# postinst script for python-synergy-service
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ configure)
+ # Add synergy group & user
+ adduser --quiet --system --group --home /var/lib/synergy synergy > /dev/null 2>&1
+ # Change dirs and files permission/ownership
+ chown synergy:synergy /etc/synergy/policy.json
+ chown synergy:synergy /etc/synergy/synergy_scheduler.conf
+
+ chmod 0644 /etc/synergy/policy.json
+ chmod 0644 /etc/synergy/synergy_scheduler.conf
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/packaging/debian/python-synergy-scheduler-manager.postrm b/packaging/debian/python-synergy-scheduler-manager.postrm
new file mode 100755
index 0000000..3c16658
--- /dev/null
+++ b/packaging/debian/python-synergy-scheduler-manager.postrm
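Review bot: The `configure)` branch of the postinst makes the `synergy` account the owner of `/etc/synergy/policy.json`, so the service that the policy is meant to constrain could rewrite its own authorization rules if it were ever compromised. Unless the daemon has to regenerate the file at run time (the `storePolicies` change in plugin.py suggests it may, which should be confirmed), root ownership with group read is the safer arrangement: `chown root:synergy /etc/synergy/policy.json /etc/synergy/synergy_scheduler.conf` followed by `chmod 0640 /etc/synergy/policy.json /etc/synergy/synergy_scheduler.conf`. Mode 0644 on `synergy_scheduler.conf` also leaves it readable by every local user, which matters if it carries service or database credentials (its contents are not part of this diff). The `adduser` call sends both output streams to `/dev/null`, so under `set -e` a failure aborts configuration without any message; dropping `2>&1` would keep the error visible.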
@@ -0,0 +1,37 @@
+#!/bin/sh
+# postrm script for python-synergy-service
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear|purge)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/packaging/debian/python-synergy-scheduler-manager.preinst b/packaging/debian/python-synergy-scheduler-manager.preinst
new file mode 100755
index 0000000..b4f864f
--- /dev/null
+++ b/packaging/debian/python-synergy-scheduler-manager.preinst
@@ -0,0 +1,34 @@
+#!/bin/sh
+# preinst script for python-synergy-service
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `install'
+# * `install'
+# * `upgrade'
+# * `abort-upgrade'
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ install|upgrade)
+ ;;
+
+ abort-upgrade)
+ ;;
+
+ *)
+ echo "preinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/packaging/rpm/python-synergy-scheduler-manager.spec b/packaging/rpm/python-synergy-scheduler-manager.spec
index d11fd89..7351e4d 100644
--- a/packaging/rpm/python-synergy-scheduler-manager.spec
+++ b/packaging/rpm/python-synergy-scheduler-manager.spec
@@ -42,12 +42,17 @@ schedulers. rm -rf $RPM_BUILD_ROOT %{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT install -D -m0644 config/synergy_scheduler.conf %{buildroot}%{_sysconfdir}/synergy/synergy_scheduler.conf +install -D -m0644 config/policy.json %{buildroot}%{_sysconfdir}/synergy/policy.json %files %doc README.rst %{python_sitelib}/* +%{_sysconfdir}/synergy +%dir %attr(0755, synergy, synergy) %{_sysconfdir}/synergy/ %config(noreplace) %{_sysconfdir}/synergy/synergy_scheduler.conf +%config(noreplace) %{_sysconfdir}/synergy/policy.json +%attr(0644, synergy, synergy) %{_sysconfdir}/synergy/policy.json %changelog diff --git a/synergy_scheduler_manager/auth/plugin.py b/synergy_scheduler_manager/auth/plugin.py index ea12bb0..71ff563 100644 --- a/synergy_scheduler_manager/auth/plugin.py +++ b/synergy_scheduler_manager/auth/plugin.py @@ -69,16 +69,21 @@ class KeystoneAuthorization(object): self.storePolicies(ENFORCER, policy_file) def storePolicies(self, enforcer, output_file): - output_file = (open(output_file, 'w') if output_file - else sys.stdout) + output_file = (open(output_file, 'w') if output_file else sys.stdout) rules = {} rules.update(enforcer.registered_rules) rules.update(enforcer.file_rules) + output_file.write("{\n") + for rule in sorted(rules.keys(), key=lambda v: v.upper()): section = generator._format_rule_default_yaml(rules[rule], include_help=False) - output_file.write(section) + output_file.write(" ") + output_file.write(section.replace('\n', ',\n')) + + output_file.write("}") + output_file.close() def authorize(self, context): managers = context.get("managers", None)
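Review bot: In the spec's `%files` section, `policy.json` is listed twice (once with `%config(noreplace)`, once with `%attr`) and the directory appears both as a bare `%{_sysconfdir}/synergy` entry and as `%dir %attr(...)`; rpmbuild reports such paths as listed twice, and the bare directory entry already pulls in everything beneath it. One line per path is enough: `%config(noreplace) %attr(0640, root, synergy) %{_sysconfdir}/synergy/policy.json` and `%dir %attr(0755, root, synergy) %{_sysconfdir}/synergy/`, with the bare directory line removed. Root ownership is suggested because a directory owned by `synergy` lets the service account replace the policy and configuration files inside it whatever the files' own owner is. The `%attr` owner also needs the `synergy` user and group to exist at install time; no scriptlet creating them is visible in this hunk, so that should be confirmed in the rest of the spec.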
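Review bot: `storePolicies` in plugin.py builds the JSON by string replacement on the output of the private helper `generator._format_rule_default_yaml`: every section gets `,\n` appended, including the last one, so the file ends with a trailing comma before `}`, and rule names and check strings are never JSON-escaped. Serialising a plain dict with `json.dump` avoids both problems and removes the dependency on a private function; it needs `import json` at the top of the module, which is outside the hunk. The new `output_file.close()` also closes `sys.stdout` when no path is given, and the handle is leaked if a write raises, so the sketch below limits a `with` block to the file case. Note that `sort_keys` orders by code point rather than case-insensitively as the current `sorted(..., key=lambda v: v.upper())` does.

```python
    def storePolicies(self, enforcer, output_file):
        # … unchanged: rules collected from registered_rules and file_rules …

        # check_str is the attribute the generator helper formats; confirm
        # that file_rules entries expose it as well.
        policies = dict((name, str(rule.check_str))
                        for name, rule in rules.items())

        if output_file:
            with open(output_file, 'w') as stream:
                json.dump(policies, stream, indent=4, sort_keys=True)
        else:
            json.dump(policies, sys.stdout, indent=4, sort_keys=True)
```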