Register default container policies in code

This commit uses the existing policy-in-code module to move all
default policies for containers into code. This commit also adds
helpful documentation about each API those policies protect, which
will be generated in sample policy files.

bp policy-and-docs-in-code

Change-Id: I0b4b2707fe9bff320b31d64f449fb714efb01bf1
Lance Bragstad 2017-10-02 19:43:27 +00:00 committed by Hongbin Lu
parent 4b46db7148
commit d466709771
4 changed files with 371 additions and 31 deletions


@ -1,36 +1,6 @@
{
"default": "rule:admin_or_owner",
"container:create": "rule:default",
"container:delete": "rule:default",
"container:delete_all_tenants": "rule:admin_api",
"container:delete_force": "rule:admin_api",
"container:get": "rule:default",
"container:get_one_all_tenants": "rule:admin_api",
"container:get_all": "rule:default",
"container:get_all_all_tenants": "rule:admin_api",
"container:update": "rule:default",
"container:start": "rule:default",
"container:stop": "rule:default",
"container:reboot": "rule:default",
"container:pause": "rule:default",
"container:unpause": "rule:default",
"container:logs": "rule:default",
"container:execute": "rule:default",
"container:execute_resize": "rule:default",
"container:kill": "rule:default",
"container:rename": "rule:default",
"container:attach": "rule:default",
"container:resize": "rule:default",
"container:top": "rule:default",
"container:get_archive": "rule:default",
"container:put_archive": "rule:default",
"container:stats": "rule:default",
"container:commit": "rule:default",
"container:add_security_group": "rule:default",
"container:network_detach": "rule:default",
"container:network_attach": "rule:default",
"image:pull": "rule:default",
"image:get_all": "rule:default",
"image:search": "rule:default",


@ -13,9 +13,11 @@
import itertools
from zun.common.policies import base
from zun.common.policies import container
def list_rules():
return itertools.chain(
base.list_rules()
base.list_rules(),
container.list_rules()
)


@ -0,0 +1,368 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
from zun.common.policies import base
CONTAINER = 'container:%s'
rules = [
policy.DocumentedRuleDefault(
name=CONTAINER % 'create',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Create a new container.',
operations=[
{
'path': '/v1/containers',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'delete',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Delete a container.',
operations=[
{
'path': '/v1/containers/{container_ident}',
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'delete_all_tenants',
check_str=base.RULE_ADMIN_API,
description='Delete a container from all tenants.',
operations=[
{
'path': '/v1/containers/{container_ident}',
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'delete_force',
check_str=base.RULE_ADMIN_API,
description='Forcibly delete a container.',
operations=[
{
'path': '/v1/containers/{container_ident}',
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'get',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Retrieve the details of a specific container.',
operations=[
{
'path': '/v1/containers/{container_ident}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'get_one_all_tenants',
check_str=base.RULE_ADMIN_API,
description=('Retrieve the details of a specific container from '
'all tenants.'),
operations=[
{
'path': '/v1/containers/{container_ident}',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'get_all',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Retrieve the details of all containers.',
operations=[
{
'path': '/v1/containers',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'get_all_all_tenants',
check_str=base.RULE_ADMIN_API,
description='Retrieve the details of all containers across tenants.',
operations=[
{
'path': '/v1/containers',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'update',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Update a container.',
operations=[
{
'path': '/v1/containers/{container_ident}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'start',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Start a container.',
operations=[
{
'path': '/v1/containers/{container_ident}/start',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'stop',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Stop a container.',
operations=[
{
'path': '/v1/containers/{container_ident}/stop',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'reboot',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Reboot a container.',
operations=[
{
'path': '/v1/containers/{container_ident}/reboot',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'pause',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Pause a container.',
operations=[
{
'path': '/v1/containers/{container_ident}/pause',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'unpause',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Unpause a container.',
operations=[
{
'path': '/v1/containers/{container_ident}/unpause',
'method': 'POST'
}
]
),
# FIXME(lbragstad): This API call isn't actually listed in zun's API
# reference (bug #1720924):
# https://developer.openstack.org/api-ref/application-container/
policy.DocumentedRuleDefault(
name=CONTAINER % 'logs',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Get the log of a container',
operations=[
{
'path': '/v1/containers/{container_ident}/logs',
'method': 'GET'
}
]
),
# FIXME(lbragstad): This API call isn't actually listed in zun's API
# reference (bug #1720925):
# https://developer.openstack.org/api-ref/application-container/
policy.DocumentedRuleDefault(
name=CONTAINER % 'execute',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Execute command in a running container',
operations=[
{
'path': '/v1/containers/{container_ident}/execute',
'method': 'POST'
}
]
),
# FIXME(lbragstad): This API call isn't actually listed in zun's API
# reference (bug #1720926):
# https://developer.openstack.org/api-ref/application-container/
policy.DocumentedRuleDefault(
name=CONTAINER % 'execute_resize',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Resize the TTY used by an execute command.',
operations=[
{
'path': '/v1/containers/{container_ident}/execute_resize',
'method': 'POST'
}
]
),
# FIXME(lbragstad): This API call isn't actually listed in zun's API
# reference (bug #1720927):
# https://developer.openstack.org/api-ref/application-container/
policy.DocumentedRuleDefault(
name=CONTAINER % 'kill',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Kill a running container',
operations=[
{
'path': '/v1/containers/{container_ident}/kill',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'rename',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Rename a container.',
operations=[
{
'path': '/v1/containers/{container_ident}/rename',
'method': 'POST'
}
]
),
# FIXME(lbragstad): This API call isn't actually listed in zun's API
# reference (bug #1720928):
# https://developer.openstack.org/api-ref/application-container/
policy.DocumentedRuleDefault(
name=CONTAINER % 'attach',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Attach to a running container',
operations=[
{
'path': '/v1/containers/{container_ident}/attach',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'resize',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Resize a container.',
operations=[
{
'path': '/v1/containers/{container_ident}/resize',
'method': 'POST'
}
]
),
# FIXME(lbragstad): This API call isn't actually listed in zun's API
# reference (bug #1720929):
# https://developer.openstack.org/api-ref/application-container/
policy.DocumentedRuleDefault(
name=CONTAINER % 'top',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Display the running processes inside the container.',
operations=[
{
'path': '/v1/containers/{container_ident}/top',
'method': 'GET'
}
]
),
# FIXME(lbragstad): This API call isn't actually listed in zun's API
# reference, verify with someone from zun:
# https://developer.openstack.org/api-ref/application-container/
policy.DocumentedRuleDefault(
name=CONTAINER % 'get_archive',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Get a tar archive of a path of container.',
operations=[
{
'path': '/v1/containers/{container_ident}/get_archive',
'method': 'GET'
}
]
),
# FIXME(lbragstad): This API call isn't actually listed in zun's API
# reference, verify with someone from zun:
# https://developer.openstack.org/api-ref/application-container/
policy.DocumentedRuleDefault(
name=CONTAINER % 'put_archive',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Put a tar archive to be extracted to a path of container',
operations=[
{
'path': '/v1/containers/{container_ident}/put_archive',
'method': 'PUT'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'stats',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Display the statistics of a container',
operations=[
{
'path': '/v1/containers/{container_ident}/stats',
'method': 'GET'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'commit',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Commit a container',
operations=[
{
'path': '/v1/containers/{container_ident}/commit',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'add_security_group',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Add a security group to a specific container.',
operations=[
{
'path': '/v1/containers/{container_ident}/add_security_group',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'network_detach',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Detach a network from a container.',
operations=[
{
'path': '/v1/containers/{container_ident}/network_detach',
'method': 'POST'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'network_attach',
check_str=base.RULE_ADMIN_OR_OWNER,
description='Attach a network from a container.',
operations=[
{
'path': '/v1/containers/{container_ident}/network_attach',
'method': 'POST'
}
]
),
]
def list_rules():
return rules
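Review bot: The three admin-only rules (`delete_all_tenants`, `delete_force`, `get_one_all_tenants`) document exactly the same path and method as the owner-level `delete` and `get` rules, so the generated sample policy file will show identical `DELETE /v1/containers/{container_ident}` operations under different check strings with nothing telling an operator which request each rule actually governs. Presumably the admin-only variants are selected by a request parameter (the rule names suggest `all_tenants` and `force`); if so, naming it in the description, e.g. `description='Delete a container from all tenants (DELETE with the all_tenants parameter).'`, would make the privilege boundary visible where operators read it. Smaller points in the same hunk: `network_attach` is described as `'Attach a network from a container.'` where `to a container` is meant, and the `logs`, `execute`, `kill`, `attach`, `put_archive`, `stats` and `commit` descriptions lack the trailing period the others carry, which shows up as inconsistency in the generated docs. The rule set matches the 29 container entries removed from policy.json one for one with the same admin/owner split, so no default is loosened by the move.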