From d466709771ba44ad7cc97b7c375c33a24e0b5e35 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Mon, 2 Oct 2017 19:43:27 +0000
Subject: [PATCH] Register default container policies in code
This commit uses the existing policy-in-code module to move all default policies for containers into code. This commit also adds helpful documetation about each API those policies protect, which will be generated in sample policy files.
bp policy-and-docs-in-code
Change-Id: I0b4b2707fe9bff320b31d64f449fb714efb01bf1
---
 etc/zun/policy.json | 30 ---
 etc/zun/policy.yaml.sample | 0
 zun/common/policies/__init__.py | 4 +-
 zun/common/policies/container.py | 368 +++++++++++++++++++++++++++++++
 4 files changed, 371 insertions(+), 31 deletions(-)
 delete mode 100644 etc/zun/policy.yaml.sample
 create mode 100644 zun/common/policies/container.py
diff --git a/etc/zun/policy.json b/etc/zun/policy.json
index 453ea93d9..f45678fd8 100644
--- a/etc/zun/policy.json
+++ b/etc/zun/policy.json
@@ -1,36 +1,6 @@
 {
 "default": "rule:admin_or_owner",
- "container:create": "rule:default",
- "container:delete": "rule:default",
- "container:delete_all_tenants": "rule:admin_api",
- "container:delete_force": "rule:admin_api",
- "container:get": "rule:default",
- "container:get_one_all_tenants": "rule:admin_api",
- "container:get_all": "rule:default",
- "container:get_all_all_tenants": "rule:admin_api",
- "container:update": "rule:default",
- "container:start": "rule:default",
- "container:stop": "rule:default",
- "container:reboot": "rule:default",
- "container:pause": "rule:default",
- "container:unpause": "rule:default",
- "container:logs": "rule:default",
- "container:execute": "rule:default",
- "container:execute_resize": "rule:default",
- "container:kill": "rule:default",
- "container:rename": "rule:default",
- "container:attach": "rule:default",
- "container:resize": "rule:default",
- "container:top": "rule:default",
- "container:get_archive": "rule:default",
- "container:put_archive": "rule:default",
- "container:stats": "rule:default",
- "container:commit": "rule:default",
- "container:add_security_group": "rule:default",
- "container:network_detach": "rule:default",
- "container:network_attach": "rule:default",
- "image:pull": "rule:default",
 "image:get_all": "rule:default",
 "image:search": "rule:default",
diff --git a/etc/zun/policy.yaml.sample b/etc/zun/policy.yaml.sample
deleted file mode 100644
index e69de29bb..000000000
diff --git a/zun/common/policies/__init__.py b/zun/common/policies/__init__.py
index 07725382a..6beda1a5a 100644
--- a/zun/common/policies/__init__.py
+++ b/zun/common/policies/__init__.py
@@ -13,9 +13,11 @@
 import itertools
 from zun.common.policies import base
+from zun.common.policies import container
 def list_rules():
 return itertools.chain(
- base.list_rules()
+ base.list_rules(),
+ container.list_rules()
 )
diff --git a/zun/common/policies/container.py b/zun/common/policies/container.py
new file mode 100644
index 000000000..0257a8daf
--- /dev/null
+++ b/zun/common/policies/container.py
@@ -0,0 +1,368 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from zun.common.policies import base
+
+CONTAINER = 'container:%s'
+
+rules = [
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'create',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Create a new container.',
+ operations=[
+ {
+ 'path': '/v1/containers',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'delete',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Delete a container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}',
+ 'method': 'DELETE'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'delete_all_tenants',
+ check_str=base.RULE_ADMIN_API,
+ description='Delete a container from all tenants.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}',
+ 'method': 'DELETE'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'delete_force',
+ check_str=base.RULE_ADMIN_API,
+ description='Forcibly delete a container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}',
+ 'method': 'DELETE'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'get',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Retrieve the details of a specific container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'get_one_all_tenants',
+ check_str=base.RULE_ADMIN_API,
+ description=('Retrieve the details of a specific container from '
+ 'all tenants.'),
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'get_all',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Retrieve the details of all containers.',
+ operations=[
+ {
+ 'path': '/v1/containers',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'get_all_all_tenants',
+ check_str=base.RULE_ADMIN_API,
+ description='Retrieve the details of all containers across tenants.',
+ operations=[
+ {
+ 'path': '/v1/containers',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'update',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Update a container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}',
+ 'method': 'PATCH'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'start',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Start a container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/start',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'stop',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Stop a container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/stop',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'reboot',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Reboot a container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/reboot',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'pause',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Pause a container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/pause',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'unpause',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Unpause a container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/unpause',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference (bug #1720924):
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'logs',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Get the log of a container',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/logs',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference (bug #1720925):
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'execute',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Execute command in a running container',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/execute',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference (bug #1720926):
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'execute_resize',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Resize the TTY used by an execute command.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/execute_resize',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference (bug #1720927):
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'kill',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Kill a running container',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/kill',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'rename',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Rename a container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/rename',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference (bug #1720928):
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'attach',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Attach to a running container',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/attach',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'resize',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Resize a container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/resize',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference (bug #1720929):
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'top',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Display the running processes inside the container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/top',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference, verify with someone from zun:
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'get_archive',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Get a tar archive of a path of container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/get_archive',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ # FIXME(lbragstad): This API call isn't actually listed in zun's API
+ # reference, verify with someone from zun:
+ # https://developer.openstack.org/api-ref/application-container/
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'put_archive',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Put a tar archive to be extracted to a path of container',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/put_archive',
+ 'method': 'PUT'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'stats',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Display the statistics of a container',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/stats',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'commit',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Commit a container',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/commit',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'add_security_group',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Add a security group to a specific container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/add_security_group',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'network_detach',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Detach a network from a container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/network_detach',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=CONTAINER % 'network_attach',
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ description='Attach a network from a container.',
+ operations=[
+ {
+ 'path': '/v1/containers/{container_ident}/network_attach',
+ 'method': 'POST'
+ }
+ ]
+ ),
+]
+
+
+def list_rules():
+ return rules
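Review bot: The admin-only rules `container:delete_all_tenants`, `container:get_one_all_tenants` and `container:get_all_all_tenants` document exactly the same `path`/`method` as their `RULE_ADMIN_OR_OWNER` counterparts, so the generated sample policy will not tell an operator which request shape is gated by `RULE_ADMIN_API` rather than by ownership. Presumably the distinction is an all-tenants flag on the same endpoint (the rule names suggest so); if that is the case the description should state it, e.g. `description='Delete a container belonging to any tenant (all-tenants request).'`, or the operation entry should show the query form of the path. Separately, the `network_attach` rule's text `description='Attach a network from a container.'` reads as a copy of the detach wording and should be `description='Attach a network to a container.'`. Descriptions also mix terminal-period and no-period styles (`'Commit a container'` next to `'Rename a container.'`); since these strings are emitted verbatim into the sample file, one convention should be picked. The old `policy.json` mapping appears preserved (`rule:default` → `RULE_ADMIN_OR_OWNER`, `rule:admin_api` → `RULE_ADMIN_API`), which is worth stating in the commit message since `"default"` in the JSON still resolves to `rule:admin_or_owner`.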