Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Registers in-code the last remaining policy rules. Adds missing 'discoverable' rules. Without them, the extension_info API can fail, as it tries to check the os_compute_api:os_server_tags:discoverable rule. As it wasn't previously registered, when listing the available extensions, an exception of type PolicyNotRegistered is encountered. In order to validate this, functional/api_sample_tests/test_extension_info.py now runs without mocking policy.authorize. Switches extension_info to context.can. Switches nova.cells.filters to context.can. Switches network.neutronv2.api to context.can. Removes the rest of the entries in etc/policy.json. Removes DefaultPolicyTestCase, as it tests the default policy rule, which is not registered. Removes rules from fake_policy.py that brings no value, that are the same as the default values. Removes extensions authorizer factories. Removes nova.policy.enforce. Change-Id: Ie7771768f4f3efe0edc787c12f297aa93d533d7e Partially-Implements: bp policy-in-code
- Loading branch information
1 parent
bc22a15
commit 7d01bce
Showing
20 changed files
with
266 additions
and
259 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,11 +1,2 @@ | ||
{ | ||
"context_is_admin": "role:admin", | ||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s", | ||
"default": "rule:admin_or_owner", | ||
|
||
"cells_scheduler_filter:TargetCellFilter": "is_admin:True", | ||
|
||
"admin_api": "is_admin:True", | ||
|
||
"network:attach_external_network": "is_admin:True" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
# Copyright 2016 Cloudbase Solutions Srl | ||
# All Rights Reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
|
||
from oslo_policy import policy | ||
|
||
from nova.policies import base | ||
|
||
|
||
POLICY_ROOT = 'os_compute_api:os-block-device-mapping:%s' | ||
|
||
|
||
block_device_mapping_policies = [ | ||
policy.RuleDefault( | ||
name=POLICY_ROOT % 'discoverable', | ||
check_str=base.RULE_ANY), | ||
] | ||
|
||
|
||
def list_rules(): | ||
return block_device_mapping_policies |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
# Copyright 2016 Cloudbase Solutions Srl | ||
# All Rights Reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
|
||
from oslo_policy import policy | ||
|
||
|
||
POLICY_ROOT = 'cells_scheduler_filter:%s' | ||
|
||
|
||
cells_scheduler_policies = [ | ||
policy.RuleDefault( | ||
name=POLICY_ROOT % 'DifferentCellFilter', | ||
check_str='is_admin:True'), | ||
policy.RuleDefault( | ||
name=POLICY_ROOT % 'TargetCellFilter', | ||
check_str='is_admin:True'), | ||
] | ||
|
||
|
||
def list_rules(): | ||
return cells_scheduler_policies |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
# Copyright 2016 Cloudbase Solutions Srl | ||
# All Rights Reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
|
||
from oslo_policy import policy | ||
|
||
from nova.policies import base | ||
|
||
|
||
POLICY_ROOT = 'os_compute_api:image-metadata:%s' | ||
|
||
|
||
image_metadata_policies = [ | ||
policy.RuleDefault( | ||
name=POLICY_ROOT % 'discoverable', | ||
check_str=base.RULE_ANY), | ||
] | ||
|
||
|
||
def list_rules(): | ||
return image_metadata_policies |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
# Copyright 2016 Cloudbase Solutions Srl | ||
# All Rights Reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
|
||
from oslo_policy import policy | ||
|
||
from nova.policies import base | ||
|
||
|
||
POLICY_ROOT = 'os_compute_api:os-multiple-create:%s' | ||
|
||
|
||
multiple_create_policies = [ | ||
policy.RuleDefault( | ||
name=POLICY_ROOT % 'discoverable', | ||
check_str=base.RULE_ANY), | ||
] | ||
|
||
|
||
def list_rules(): | ||
return multiple_create_policies |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.