diff options
51 files changed, 1795 insertions, 633 deletions
diff --git a/moon_authz/Changelog b/moon_authz/Changelog new file mode 100644 index 00000000..59d7f8e4 --- /dev/null +++ b/moon_authz/Changelog @@ -0,0 +1,30 @@ +# Copyright 2018 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + + +CHANGES +======= + +1.0.0 +----- +- First version of the manager + +2.0.0 +----- +- Version built inside the Keystone component + +3.0.0 +----- +- Version built outside the Keystone component + +4.0.0 +----- +- First micro-architecture version + +4.3.3 +----- +- use the threading capability of Flask app +- set the number of manager to 1 +- update to the latest version of the python-moondb library diff --git a/moon_authz/moon_authz/__init__.py b/moon_authz/moon_authz/__init__.py index 6f964a63..0fb32055 100644 --- a/moon_authz/moon_authz/__init__.py +++ b/moon_authz/moon_authz/__init__.py @@ -3,4 +3,4 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -__version__ = "4.3.2" +__version__ = "4.3.3" diff --git a/moon_authz/moon_authz/http_server.py b/moon_authz/moon_authz/http_server.py index b6ac6426..7d3b1ec3 100644 --- a/moon_authz/moon_authz/http_server.py +++ b/moon_authz/moon_authz/http_server.py @@ -94,7 +94,7 @@ class Root(Resource): class HTTPServer(Server): - def __init__(self, host="0.0.0.0", port=38001, **kwargs): + def __init__(self, host="localhost", port=38001, **kwargs): super(HTTPServer, self).__init__(host=host, port=port, **kwargs) self.component_data = kwargs.get("component_data", {}) logger.info("HTTPServer port={} {}".format(port, kwargs)) @@ -135,4 +135,4 @@ class HTTPServer(Server): ) def run(self): - self.app.run(host=self._host, port=self._port) # nosec + self.app.run(host=self._host, port=self._port, threaded=True) # nosec diff --git a/moon_authz/tests/unit_python/mock_pods.py b/moon_authz/tests/unit_python/mock_pods.py index 74801cd1..9e05e335 100644 --- a/moon_authz/tests/unit_python/mock_pods.py +++ b/moon_authz/tests/unit_python/mock_pods.py @@ -87,7 +87,7 @@ subject_mock = { "name": "testuser", "email": "mail", "id": "89ba91c18dd54abfbfde7a66936c51a6", - "partner_id": "" + "extra": {} } }, "policy_id_1": { @@ -141,7 +141,7 @@ object_mock = { "name": "vm1", "description": "test", "id": "9089b3d2ce5b4e929ffc7e35b55eba1a", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" @@ -195,7 +195,7 @@ action_mock = { "name": "boot", "description": "test", "id": "cdb3df220dc04a6ea3334b994827b068", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" @@ -205,7 +205,7 @@ action_mock = { "name": "stop", "description": "test", "id": "cdb3df220dc04a6ea3334b994827b068", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" @@ -215,7 +215,7 @@ action_mock = { "name": "start", "description": "test", "id": "9f5112afe9b34a6c894eb87246ccb7aa", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" diff --git a/moon_interface/Changelog b/moon_interface/Changelog new file mode 100644 index 00000000..f58682a9 --- /dev/null +++ b/moon_interface/Changelog @@ -0,0 +1,28 @@ +# Copyright 2018 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + + +CHANGES +======= + +1.0.0 +----- +- First version of the manager + +2.0.0 +----- +- Version built inside the Keystone component + +3.0.0 +----- +- Version built outside the Keystone component + +4.0.0 +----- +- First micro-architecture version + +4.3.3 +----- +- use the threading capability of Flask app diff --git a/moon_interface/moon_interface/__init__.py b/moon_interface/moon_interface/__init__.py index 6f964a63..0fb32055 100644 --- a/moon_interface/moon_interface/__init__.py +++ b/moon_interface/moon_interface/__init__.py @@ -3,4 +3,4 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -__version__ = "4.3.2" +__version__ = "4.3.3" diff --git a/moon_interface/moon_interface/http_server.py b/moon_interface/moon_interface/http_server.py index a2e25377..1e0858c0 100644 --- a/moon_interface/moon_interface/http_server.py +++ b/moon_interface/moon_interface/http_server.py @@ -133,4 +133,4 @@ class HTTPServer(Server): ) def run(self): - self.app.run(host=self._host, port=self._port) # nosec + self.app.run(host=self._host, port=self._port, threaded=True) # nosec diff --git a/moon_interface/tests/unit_python/conftest.py b/moon_interface/tests/unit_python/conftest.py index 893a8637..f6b204e6 100644 --- a/moon_interface/tests/unit_python/conftest.py +++ b/moon_interface/tests/unit_python/conftest.py @@ -400,7 +400,7 @@ def set_consul_and_db(monkeypatch): "name": "testuser", "email": "mail", "id": "89ba91c18dd54abfbfde7a66936c51a6", - "partner_id": "" + "extra": {} }, "31fd15ad14784a9696fcc887dddbfaf9": { "description": "test", @@ -411,7 +411,7 @@ def set_consul_and_db(monkeypatch): "name": "adminuser", "email": "mail", "id": "31fd15ad14784a9696fcc887dddbfaf9", - "partner_id": "" + "extra": {} } } } @@ -424,7 +424,7 @@ def set_consul_and_db(monkeypatch): "name": "vm1", "description": "test", "id": "67b8008a3f8d4f8e847eb628f0f7ca0e", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" @@ -434,7 +434,7 @@ def set_consul_and_db(monkeypatch): "name": "vm0", "description": "test", "id": "9089b3d2ce5b4e929ffc7e35b55eba1a", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" @@ -451,7 +451,7 @@ def set_consul_and_db(monkeypatch): "name": "boot", "description": "test", "id": "cdb3df220dc04a6ea3334b994827b068", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" @@ -461,7 +461,7 @@ def set_consul_and_db(monkeypatch): "name": "stop", "description": "test", "id": "cdb3df220dc04a6ea3334b994827b068", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" @@ -471,7 +471,7 @@ def set_consul_and_db(monkeypatch): "name": "start", "description": "test", "id": "9f5112afe9b34a6c894eb87246ccb7aa", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" diff --git a/moon_manager/Changelog b/moon_manager/Changelog new file mode 100644 index 00000000..2bd01595 --- /dev/null +++ b/moon_manager/Changelog @@ -0,0 +1,30 @@ +# Copyright 2018 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + + +CHANGES +======= + +1.0.0 +----- +- First version of the manager + +2.0.0 +----- +- Version built inside the Keystone component + +3.0.0 +----- +- Version built outside the Keystone component + +4.0.0 +----- +- First micro-architecture version + +4.5.2 +----- +- use the threading capability of Flask app +- set the number of manager to 1 +- update to the latest version of the python-moondb library diff --git a/moon_manager/moon_manager/__init__.py b/moon_manager/moon_manager/__init__.py index af7fced5..20a70977 100644 --- a/moon_manager/moon_manager/__init__.py +++ b/moon_manager/moon_manager/__init__.py @@ -3,4 +3,4 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -__version__ = "4.5.0" +__version__ = "4.5.2" diff --git a/moon_manager/moon_manager/api/json_export.py b/moon_manager/moon_manager/api/json_export.py index feb4fde2..1d3643e7 100644 --- a/moon_manager/moon_manager/api/json_export.py +++ b/moon_manager/moon_manager/api/json_export.py @@ -1,3 +1,8 @@ +# Copyright 2018 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + import logging from flask_restful import Resource from python_moonutilities.security_functions import check_auth @@ -34,11 +39,19 @@ class JsonExport(Resource): JsonUtils.convert_id_to_name(policy_key, rule_dict, "policy", "policy", PolicyManager, self._user_id) ids = rule["rule"] rule_description = dict() - JsonUtils.convert_ids_to_names([ids[0]], rule_description, "subject_data", "subject_data", PolicyManager, self._user_id, policy_key) - JsonUtils.convert_ids_to_names([ids[1]], rule_description, "object_data", "object_data", PolicyManager, self._user_id, policy_key) - JsonUtils.convert_ids_to_names([ids[2]], rule_description, "action_data", "action_data", PolicyManager, self._user_id, policy_key) + meta_rule = ModelManager.get_meta_rules(self._user_id, rule["meta_rule_id"]) + meta_rule = [v for v in meta_rule.values()] + meta_rule = meta_rule[0] + index_subject_data = len(meta_rule["subject_categories"])-1 + index_object_data = len(meta_rule["subject_categories"]) + len(meta_rule["object_categories"])-1 + index_action_data = len(meta_rule["subject_categories"]) + len(meta_rule["object_categories"]) + len(meta_rule["action_categories"])-1 + ids_subject_data = [ids[0]] if len(meta_rule["subject_categories"]) == 1 else ids[0:index_subject_data] + ids_object_data = [ids[index_object_data]] if len(meta_rule["object_categories"]) == 1 else ids[index_subject_data+1:index_object_data] + ids_action_date = [ids[index_action_data]] if len(meta_rule["action_categories"]) == 1 else ids[index_object_data+1:index_action_data] + JsonUtils.convert_ids_to_names(ids_subject_data, rule_description, "subject_data", "subject_data", PolicyManager, self._user_id, policy_key) + JsonUtils.convert_ids_to_names(ids_object_data, rule_description, "object_data", "object_data", PolicyManager, self._user_id, policy_key) + JsonUtils.convert_ids_to_names(ids_action_date, rule_description, "action_data", "action_data", PolicyManager, self._user_id, policy_key) rule_dict["rule"] = rule_description - logger.info("Exporting rule {}".format(rule_dict)) rules_array.append(rule_dict) if len(rules_array) > 0: @@ -95,8 +108,8 @@ class JsonExport(Resource): JsonUtils.copy_field_if_exists(data_group["data"][data_key], data_dict, "name", str) JsonUtils.copy_field_if_exists(data_group["data"][data_key], data_dict, "description", str) else: - JsonUtils.copy_field_if_exists(data_group["data"][data_key]["value"], data_dict, "name", str) - JsonUtils.copy_field_if_exists(data_group["data"][data_key]["value"], data_dict, "description", str) + JsonUtils.copy_field_if_exists(data_group["data"][data_key], data_dict, "name", str) + JsonUtils.copy_field_if_exists(data_group["data"][data_key], data_dict, "description", str) JsonUtils.convert_id_to_name(policy_id, data_dict, "policy", "policy", PolicyManager, self._user_id) JsonUtils.convert_id_to_name(category_id, data_dict, "category", type_element + "_category", ModelManager, self._user_id, policy_key) diff --git a/moon_manager/moon_manager/api/json_import.py b/moon_manager/moon_manager/api/json_import.py index a048baee..ae9a21d0 100644 --- a/moon_manager/moon_manager/api/json_import.py +++ b/moon_manager/moon_manager/api/json_import.py @@ -79,6 +79,23 @@ class JsonImport(Resource): "/import/", ) + def _reorder_rules_ids(self, rule, ordered_perimeter_categories_ids, json_data_ids, policy_id, get_function): + ordered_json_ids = [None]*len(ordered_perimeter_categories_ids) + logger.info("ordered_json_ids {}".format(ordered_json_ids)) + logger.info("json_data_ids {}".format(json_data_ids)) + for json_id in json_data_ids: + logger.info("json_id {}".format(json_id)) + data = get_function(self._user_id, policy_id, data_id=json_id) + data = data[0] + logger.info("data {}".format(data)) + if data["category_id"] not in ordered_perimeter_categories_ids: + raise InvalidJson("The category id {} of the rule {} does not match the meta rule".format(data["category_id"], rule)) + if ordered_json_ids[ordered_perimeter_categories_ids.index(data["category_id"])] is not None: + raise InvalidJson("The category id {} of the rule {} shall not be used twice in the same rule".format(data["category_id"], rule)) + ordered_json_ids[ordered_perimeter_categories_ids.index(data["category_id"])] = json_id + logger.info(ordered_json_ids) + return ordered_json_ids + def _import_rules(self, json_rules): if not isinstance(json_rules, list): raise InvalidJson("rules shall be a list!") @@ -91,26 +108,28 @@ class JsonImport(Resource): json_ids = dict() JsonUtils.convert_name_to_id(json_rule, json_ids, "policy", "policy_id", "policy", PolicyManager, self._user_id) JsonUtils.convert_name_to_id(json_rule, json_to_use, "meta_rule", "meta_rule_id", "meta_rule", ModelManager, self._user_id) - json_subject_ids = dict() json_object_ids = dict() json_action_ids = dict() - json_rule_to_use = dict() JsonUtils.convert_names_to_ids(json_rule["rule"], json_subject_ids, "subject_data", "subject", "subject_data", PolicyManager, self._user_id, json_ids["policy_id"]) JsonUtils.convert_names_to_ids(json_rule["rule"], json_object_ids, "object_data", "object", "object_data", PolicyManager, self._user_id, json_ids["policy_id"]) JsonUtils.convert_names_to_ids(json_rule["rule"], json_action_ids, "action_data", "action", "action_data", PolicyManager, self._user_id, json_ids["policy_id"]) - logger.info(json_rule_to_use) - for json_subject_id in json_subject_ids["subject"]: - for json_object_id in json_object_ids["object"]: - for json_action_id in json_action_ids["action"]: - json_to_use["rule"] = [json_subject_id, json_object_id, json_action_id] - try: - logger.info("Adding / updating a rule from json {}".format(json_to_use)) - PolicyManager.add_rule(self._user_id, json_ids["policy_id"], json_to_use["meta_rule_id"], json_to_use) - except exceptions.RuleExisting: - pass - except exceptions.PolicyUnknown: - raise UnknownPolicy("Unknown policy with id {}".format(json_ids["policy_id"])) + + meta_rule = ModelManager.get_meta_rules(self._user_id, json_to_use["meta_rule_id"]) + meta_rule = [v for v in meta_rule.values()] + meta_rule = meta_rule[0] + + json_to_use_rule = self._reorder_rules_ids(json_rule, meta_rule["subject_categories"], json_subject_ids["subject"], json_ids["policy_id"], PolicyManager.get_subject_data) + json_to_use_rule = json_to_use_rule + self._reorder_rules_ids(json_rule, meta_rule["object_categories"], json_object_ids["object"], json_ids["policy_id"], PolicyManager.get_object_data) + json_to_use_rule = json_to_use_rule + self._reorder_rules_ids(json_rule, meta_rule["action_categories"], json_action_ids["action"], json_ids["policy_id"], PolicyManager.get_action_data) + json_to_use["rule"] = json_to_use_rule + try: + logger.info("Adding / updating a rule from json {}".format(json_to_use)) + PolicyManager.add_rule(self._user_id, json_ids["policy_id"], json_to_use["meta_rule_id"], json_to_use) + except exceptions.RuleExisting: + pass + except exceptions.PolicyUnknown: + raise UnknownPolicy("Unknown policy with id {}".format(json_ids["policy_id"])) def _import_meta_rules(self, json_meta_rules): logger.info("Input meta rules : {}".format(json_meta_rules)) @@ -188,19 +207,20 @@ class JsonImport(Resource): JsonUtils.copy_field_if_exists(json_item_data, json_to_use, "description", str) json_policy = dict() # field_mandatory : not mandatory if there is some mandatory policies - JsonUtils.convert_name_to_id(json_item_data, json_policy, "policy", "policy_id", "policy", + JsonUtils.convert_names_to_ids(json_item_data, json_policy, "policies", "policy_id", "policy", PolicyManager, self._user_id, field_mandatory=len(mandatory_policy_ids) == 0) logger.info("json_policy {}".format(json_policy)) json_category = dict() JsonUtils.convert_name_to_id(json_item_data, json_category, "category", "category_id", type_element+"_category", ModelManager, self._user_id) logger.info("json_category {}".format(json_category)) - policy_id = None + policy_ids = [] if "policy_id" in json_policy: - policy_id = json_policy["policy_id"] + policy_ids = json_policy["policy_id"] - if policy_id is not None and policy_id not in mandatory_policy_ids: - mandatory_policy_ids.append(policy_id) + for policy_id in policy_ids: + if policy_id is not None and policy_id not in mandatory_policy_ids: + mandatory_policy_ids.append(policy_id) if len(mandatory_policy_ids) == 0: raise InvalidJson("Invalid data, the policy shall be set when importing {}".format(json_item_data)) diff --git a/moon_manager/moon_manager/api/pdp.py b/moon_manager/moon_manager/api/pdp.py index 78931e1f..4bc34a24 100644 --- a/moon_manager/moon_manager/api/pdp.py +++ b/moon_manager/moon_manager/api/pdp.py @@ -73,7 +73,7 @@ def add_pod(uuid, data): time.sleep(1) else: break - logger.info(req.text) + logger.info("Pod add request answer : {}".format(req.text)) def check_keystone_pid(k_pid): diff --git a/moon_manager/moon_manager/api/rules.py b/moon_manager/moon_manager/api/rules.py index e6c46bf4..57dcd45c 100644 --- a/moon_manager/moon_manager/api/rules.py +++ b/moon_manager/moon_manager/api/rules.py @@ -40,9 +40,9 @@ class Rules(Resource): "policy_id": "policy_id1", "meta_rule_id": "meta_rule_id1", "rule_id1": - ["subject_data_id1", "object_data_id1", "action_data_id1"], + ["subject_data_id1", "subject_data_id2", "object_data_id1", "action_data_id1"], "rule_id2": - ["subject_data_id2", "object_data_id2", "action_data_id2"], + ["subject_data_id3", "subject_data_id4", "object_data_id2", "action_data_id2"], ] } :internal_api: get_rules diff --git a/moon_manager/moon_manager/http_server.py b/moon_manager/moon_manager/http_server.py index 28d77ea0..128d5b74 100644 --- a/moon_manager/moon_manager/http_server.py +++ b/moon_manager/moon_manager/http_server.py @@ -2,12 +2,10 @@ # This software is distributed under the terms and conditions of the 'Apache-2.0' # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -from werkzeug.exceptions import HTTPException from flask import Flask, jsonify, Response, make_response from flask_cors import CORS, cross_origin from json import dumps from flask_restful import Resource, Api -import flask_restful import logging import sqlalchemy.exc import time @@ -24,7 +22,6 @@ from moon_manager.api.data import SubjectData, ObjectData, ActionData from moon_manager.api.assignments import SubjectAssignments, ObjectAssignments, ActionAssignments from moon_manager.api.rules import Rules from moon_manager.api.json_import import JsonImport -from moon_manager.api.base_exception import BaseException from moon_manager.api.json_export import JsonExport from python_moonutilities import configuration from python_moondb.core import PDPManager @@ -112,17 +109,19 @@ class Root(Resource): class CustomApi(Api): - def handle_error(self, e): + @staticmethod + def handle_error(e): try: - error_message = dumps({'message': str(e)}) + error_message = dumps({'message': str(e), "code": getattr(e, "code", 500)}) logger.error(error_message) - return make_response(error_message, e.code) - except Exception as e2: # unhandled exception in the api... + return make_response(error_message, getattr(e, "code", 500)) + except Exception as e2: # unhandled exception in the api... logger.error(str(e2)) return make_response(error_message, 500) class HTTPServer(Server): + def __init__(self, host="localhost", port=80, **kwargs): super(HTTPServer, self).__init__(host=host, port=port, **kwargs) self.app = Flask(__name__) @@ -135,26 +134,6 @@ class HTTPServer(Server): CORS(self.app) self.api = CustomApi(self.app) self.__set_route() - # self.__hook_errors() - - #def __hook_errors(self): - # def get_500_json(e): - # logger.error("get_500_json") - # return jsonify({"result": False, "code": 500, "description": str(e)}), 500 - # self.app.register_error_handler(JsonUtilsException, get_500_json) - # self.app.register_error_handler(JsonImportException, get_500_json) - # self.app.register_error_handler(UnknownName, get_500_json) - - # def get_404_json(e): - # return jsonify({"result": False, "code": 404, "description": str(e)}), 404 - # self.app.register_error_handler(404, get_404_json) - - # def get_400_json(e): - # return jsonify({"result": False, "code": 400, "description": str(e)}), 400 - - # self.app.register_error_handler(500, lambda e: get_500_json) - # self.app.register_error_handler(400, lambda e: get_400_json) - # self.app.register_error_handler(403, exceptions.AuthException) def __set_route(self): self.api.add_resource(Root, '/') @@ -179,4 +158,4 @@ class HTTPServer(Server): def run(self): self.__check_if_db_is_up() - self.app.run(debug=True, host=self._host, port=self._port) # nosec + self.app.run(host=self._host, port=self._port, threaded=True) # nosec diff --git a/moon_manager/tests/functional_pod/json/mls.json b/moon_manager/tests/functional_pod/json/mls.json index d2a5c67c..01ef6deb 100644 --- a/moon_manager/tests/functional_pod/json/mls.json +++ b/moon_manager/tests/functional_pod/json/mls.json @@ -15,9 +15,9 @@ "subject_categories": [{ "name":"subject-security-level", "description": "" }], - "subject_data": [{ "name":"low", "description": "", "policy": {"name" :"MLS policy example"}, "category": {"name": "subject-security-level"}}, - { "name":"medium", "description": "", "policy": {"name" :"MLS policy example"}, "category": {"name": "subject-security-level"}}, - { "name":"high", "description": "", "policy": {"name" :"MLS policy example"}, "category": {"name": "subject-security-level"}}], + "subject_data": [{ "name":"low", "description": "", "policies": [{"name" :"MLS policy example"}], "category": {"name": "subject-security-level"}}, + { "name":"medium", "description": "", "policies": [{"name" :"MLS policy example"}], "category": {"name": "subject-security-level"}}, + { "name":"high", "description": "", "policies": [{"name" :"MLS policy example"}], "category": {"name": "subject-security-level"}}], "subject_assignments":[{ "subject" : {"name": "adminuser"}, "category" : {"name": "subject-security-level"}, "assignments": [{"name" : "high"}]}, { "subject" : {"name": "user1"}, "category" : {"name": "subject-security-level"}, "assignments": [{"name" : "medium"}] }], @@ -32,9 +32,9 @@ "object_categories": [{"name":"object-security-level", "description": ""}], - "object_data": [{ "name":"low", "description": "", "policy": {"name" :"MLS policy example"}, "category": {"name": "object-security-level"}}, - { "name":"medium", "description": "", "policy": {"name" :"MLS policy example"}, "category": {"name": "object-security-level"}}, - { "name":"high", "description": "", "policy": {"name" :"MLS policy example"}, "category": {"name": "object-security-level"}}], + "object_data": [{ "name":"low", "description": "", "policies": [{"name" :"MLS policy example"}], "category": {"name": "object-security-level"}}, + { "name":"medium", "description": "", "policies": [{"name" :"MLS policy example"}], "category": {"name": "object-security-level"}}, + { "name":"high", "description": "", "policies": [{"name" :"MLS policy example"}], "category": {"name": "object-security-level"}}], "object_assignments":[{ "object" : {"name": "vm0"}, "category" : {"name": "object-security-level"}, "assignments": [{"name" : "medium"}]}, { "object" : {"name": "vm1"}, "category" : {"name": "object-security-level"}, "assignments": [{"name" : "low"}]}], @@ -49,8 +49,8 @@ "action_categories": [{"name":"action-type", "description": ""}], - "action_data": [{"name":"vm-action", "description": "", "policy": {"name": "MLS policy example"}, "category": {"name": "action-type"}}, - {"name":"storage-action", "description": "", "policy": {"name" :"MLS policy example"}, "category": {"name": "action-type"}}], + "action_data": [{"name":"vm-action", "description": "", "policies": [{"name": "MLS policy example"}], "category": {"name": "action-type"}}, + {"name":"storage-action", "description": "", "policies": [{"name" :"MLS policy example"}], "category": {"name": "action-type"}}], "action_assignments":[{ "action" : {"name": "start"}, "category" : {"name": "action-type"}, "assignments": [{"name" : "vm-action"}]}, { "action" : {"name": "stop"}, "category" : {"name": "action-type"}, "assignments": [{"name" : "vm-action"}]}], diff --git a/moon_manager/tests/functional_pod/json/rbac.json b/moon_manager/tests/functional_pod/json/rbac.json index eddbb654..a75f291b 100644 --- a/moon_manager/tests/functional_pod/json/rbac.json +++ b/moon_manager/tests/functional_pod/json/rbac.json @@ -15,9 +15,9 @@ "subject_categories": [{ "name":"role", "description": "" }], - "subject_data": [{ "name":"admin", "description": "", "policy": {"name" :"RBAC policy example"}, "category": {"name": "role"}}, - { "name":"employee", "description": "", "policy": {"name" :"RBAC policy example"}, "category": {"name": "role"}}, - { "name":"*", "description": "", "policy": {"name" :"RBAC policy example"}, "category": {"name": "role"}}], + "subject_data": [{ "name":"admin", "description": "", "policies": [{"name" :"RBAC policy example"}], "category": {"name": "role"}}, + { "name":"employee", "description": "", "policies": [{"name" :"RBAC policy example"}], "category": {"name": "role"}}, + { "name":"*", "description": "", "policies": [{"name" :"RBAC policy example"}], "category": {"name": "role"}}], "subject_assignments":[{ "subject" : {"name": "adminuser"}, "category" : {"name": "role"}, "assignments": [{"name" : "admin"}, {"name" : "employee"}, {"name" : "*"}]}, { "subject" : {"name": "user1"}, "category" : {"name": "role"}, "assignments": [{"name" : "employee"}, {"name" : "*"}] }], @@ -32,9 +32,9 @@ "object_categories": [{"name":"id", "description": ""}], - "object_data": [{ "name":"vm0", "description": "", "policy": {"name" :"RBAC policy example"}, "category": {"name": "id"}}, - { "name":"vm1", "description": "", "policy": {"name" :"RBAC policy example"}, "category": {"name": "id"}}, - { "name":"*", "description": "", "policy": {"name" :"RBAC policy example"}, "category": {"name": "id"}}], + "object_data": [{ "name":"vm0", "description": "", "policies": [{"name" :"RBAC policy example"}], "category": {"name": "id"}}, + { "name":"vm1", "description": "", "policies": [{"name" :"RBAC policy example"}], "category": {"name": "id"}}, + { "name":"*", "description": "", "policies": [{"name" :"RBAC policy example"}], "category": {"name": "id"}}], "object_assignments":[{ "object" : {"name": "vm0"}, "category" : {"name": "id"}, "assignments": [{"name" : "vm0"}, {"name" : "*"}]}, { "object" : {"name": "vm1"}, "category" : {"name": "id"}, "assignments": [{"name" : "vm1"}, {"name" : "*"}]}], @@ -49,8 +49,8 @@ "action_categories": [{"name":"action-type", "description": ""}], - "action_data": [{"name":"vm-action", "description": "", "policy": {"name": "RBAC policy example"}, "category": {"name": "action-type"}}, - {"name":"*", "description": "", "policy": {"name" :"RBAC policy example"}, "category": {"name": "action-type"}}], + "action_data": [{"name":"vm-action", "description": "", "policies": [{"name": "RBAC policy example"}], "category": {"name": "action-type"}}, + {"name":"*", "description": "", "policies": [{"name" :"RBAC policy example"}], "category": {"name": "action-type"}}], "action_assignments":[{ "action" : {"name": "start"}, "category" : {"name": "action-type"}, "assignments": [{"name" : "vm-action"}, {"name" : "*"}]}, { "action" : {"name": "stop"}, "category" : {"name": "action-type"}, "assignments": [{"name" : "vm-action"}, {"name" : "*"}]}], diff --git a/moon_manager/tests/unit_python/api/import_export_utilities.py b/moon_manager/tests/unit_python/api/import_export_utilities.py index 15c3e333..98586d02 100644 --- a/moon_manager/tests/unit_python/api/import_export_utilities.py +++ b/moon_manager/tests/unit_python/api/import_export_utilities.py @@ -1,3 +1,8 @@ +# Copyright 2018 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + import api.utilities as utilities import api.test_models as test_models import api.test_policies as test_policies @@ -7,6 +12,10 @@ import api.test_data as test_data import api.meta_rules_test as test_meta_rules import api.test_assignemnt as test_assignments import api.test_rules as test_rules +import logging + +logger = logging.getLogger("moon.manager.test.api." + __name__) + def clean_models(client): req, models = test_models.get_models(client) @@ -25,9 +34,11 @@ def clean_policies(client): def clean_subjects(client): subjects = test_perimeter.get_subjects(client) + logger.info("subjects {}".format(subjects)) for key in subjects["subjects"]: subject = subjects["subjects"][key] policy_keys = subject["policy_list"] + logger.info("subjects policy_keys {}".format(policy_keys)) for policy_key in policy_keys: client.delete("/policies/{}/subjects/{}".format(policy_key,key)) client.delete("/subjects/{}".format(key)) @@ -36,9 +47,11 @@ def clean_subjects(client): def clean_objects(client): objects = test_perimeter.get_objects(client) + logger.info("objects {}".format(objects)) for key in objects["objects"]: object_ = objects["objects"][key] policy_keys = object_["policy_list"] + logger.info("objects policy_keys {}".format(policy_keys)) for policy_key in policy_keys: print("/policies/{}/objects/{}".format(policy_key, key)) req = client.delete("/policies/{}/objects/{}".format(policy_key, key)) @@ -48,9 +61,11 @@ def clean_objects(client): def clean_actions(client): actions = test_perimeter.get_actions(client) + logger.info("objects {}".format(actions)) for key in actions["actions"]: action = actions["actions"][key] policy_keys = action["policy_list"] + logger.info("action policy_keys {}".format(policy_keys)) for policy_key in policy_keys: client.delete("/policies/{}/actions/{}".format(policy_key, key)) client.delete("/actions/{}".format(key)) @@ -59,19 +74,21 @@ def clean_actions(client): def clean_subject_categories(client): req, categories = test_categories.get_subject_categories(client) - print(categories) + logger.info(categories) for key in categories["subject_categories"]: client.delete("/subject_categories/{}".format(key)) def clean_object_categories(client): req, categories = test_categories.get_object_categories(client) + logger.info(categories) for key in categories["object_categories"]: client.delete("/object_categories/{}".format(key)) def clean_action_categories(client): req, categories = test_categories.get_action_categories(client) + logger.info(categories) for key in categories["action_categories"]: client.delete("/action_categories/{}".format(key)) @@ -174,8 +191,9 @@ def clean_all(client): clean_object_data(client) clean_action_data(client) - clean_policies(client) - clean_models(client) clean_actions(client) clean_objects(client) clean_subjects(client) + + clean_policies(client) + clean_models(client)
\ No newline at end of file diff --git a/moon_manager/tests/unit_python/api/test_data.py b/moon_manager/tests/unit_python/api/test_data.py index f636aaa5..724f919f 100644 --- a/moon_manager/tests/unit_python/api/test_data.py +++ b/moon_manager/tests/unit_python/api/test_data.py @@ -1,3 +1,8 @@ +# Copyright 2018 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + import api.utilities as utilities import json @@ -106,8 +111,12 @@ def test_add_object_data(): value = object_data["object_data"]['data'] assert "object_data" in object_data id = list(value.keys())[0] - assert value[id]['value']['name'] == "testuser" - assert value[id]['value']['description'] == "description of {}".format("testuser") + print("-----------------------") + print(id) + print(value[id]) + print("-----------------------") + assert value[id]['name'] == "testuser" + assert value[id]['description'] == "description of {}".format("testuser") def test_delete_object_data(): @@ -164,8 +173,8 @@ def test_add_action_data(): value = action_data["action_data"]['data'] assert "action_data" in action_data id = list(value.keys())[0] - assert value[id]['value']['name'] == "testuser" - assert value[id]['value']['description'] == "description of {}".format("testuser") + assert value[id]['name'] == "testuser" + assert value[id]['description'] == "description of {}".format("testuser") def test_delete_action_data(): diff --git a/moon_manager/tests/unit_python/api/test_export.py b/moon_manager/tests/unit_python/api/test_export.py index 25097180..122ab927 100644 --- a/moon_manager/tests/unit_python/api/test_export.py +++ b/moon_manager/tests/unit_python/api/test_export.py @@ -1,3 +1,8 @@ +# Copyright 2018 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + import json import api.utilities as utilities import api.import_export_utilities as import_export_utilities @@ -24,9 +29,9 @@ SUBJECT_OBJECT_ACTION_DATA = {"models": [{"name": "test model", "description": " "subject_categories": [{"name": "test subject categories", "description": "subject category description"}], "object_categories": [{"name": "test object categories", "description": "object category description"}], "action_categories": [{"name": "test action categories", "description": "action category description"}], - "subject_data": [{"name": "test subject data", "description": "subject data description", "policy": {"name": "test policy"}, "category": {"name": "test subject categories"}}], - "object_data": [{"name": "test object data", "description": "object data description", "policy": {"name": "test policy"}, "category": {"name": "test object categories"}}], - "action_data": [{"name": "test action data", "description": "action data description", "policy": {"name": "test policy"}, "category": {"name": "test action categories"}}], + "subject_data": [{"name": "test subject data", "description": "subject data description", "policies": [{"name": "test policy"}], "category": {"name": "test subject categories"}}], + "object_data": [{"name": "test object data", "description": "object data description", "policies": [{"name": "test policy"}], "category": {"name": "test object categories"}}], + "action_data": [{"name": "test action data", "description": "action data description", "policies": [{"name": "test policy"}], "category": {"name": "test action categories"}}], "meta_rules": [{"name": "meta rule", "description": "valid meta rule", "subject_categories": [{"name": "test subject categories"}], "object_categories": [{"name": "test object categories"}], "action_categories": [{"name": "test action categories"}]}]} @@ -41,9 +46,9 @@ ASSIGNMENTS = {"models": [{"name": "test model", "description": "", "meta_rules" "subject_categories": [{"name": "test subject categories", "description": "subject category description"}], "object_categories": [{"name": "test object categories", "description": "object category description"}], "action_categories": [{"name": "test action categories", "description": "action category description"}], - "subject_data": [{"name": "test subject data", "description": "subject data description", "policy": {"name": "test policy"}, "category": {"name": "test subject categories"}}], - "object_data": [{"name": "test object data", "description": "object data description", "policy": {"name": "test policy"}, "category": {"name": "test object categories"}}], - "action_data": [{"name": "test action data", "description": "action data description", "policy": {"name": "test policy"}, "category": {"name": "test action categories"}}], + "subject_data": [{"name": "test subject data", "description": "subject data description", "policies": [{"name": "test policy"}], "category": {"name": "test subject categories"}}], + "object_data": [{"name": "test object data", "description": "object data description", "policies": [{"name": "test policy"}], "category": {"name": "test object categories"}}], + "action_data": [{"name": "test action data", "description": "action data description", "policies": [{"name": "test policy"}], "category": {"name": "test action categories"}}], "meta_rules": [{"name": "meta rule", "description": "valid meta rule", "subject_categories": [{"name": "test subject categories"}], "object_categories": [{"name": "test object categories"}], "action_categories": [{"name": "test action categories"}]}], "subjects": [{"name": "testuser", "description": "description of the subject", "extra": {"field_extra_subject": "value extra subject"}, "policies": [{"name": "test policy"}]}], "objects": [{"name": "test object", "description": "description of the object", "extra": {"field_extra_object": "value extra object"}, "policies": [{"name": "test policy"}]}], @@ -57,9 +62,9 @@ RULES = {"models": [{"name": "test model", "description": "", "meta_rules": [{"n "subject_categories": [{"name": "test subject categories", "description": "subject category description"}], "object_categories": [{"name": "test object categories", "description": "object category description"}], "action_categories": [{"name": "test action categories", "description": "action category description"}], - "subject_data": [{"name": "test subject data", "description": "subject data description", "policy": {"name": "test policy"}, "category": {"name": "test subject categories"}}], - "object_data": [{"name": "test object data", "description": "object data description", "policy": {"name": "test policy"}, "category": {"name": "test object categories"}}], - "action_data": [{"name": "test action data", "description": "action data description", "policy": {"name": "test policy"}, "category": {"name": "test action categories"}}], + "subject_data": [{"name": "test subject data", "description": "subject data description", "policies": [{"name": "test policy"}], "category": {"name": "test subject categories"}}], + "object_data": [{"name": "test object data", "description": "object data description", "policies": [{"name": "test policy"}], "category": {"name": "test object categories"}}], + "action_data": [{"name": "test action data", "description": "action data description", "policies": [{"name": "test policy"}], "category": {"name": "test action categories"}}], "meta_rules": [{"name": "meta rule", "description": "valid meta rule", "subject_categories": [{"name": "test subject categories"}], "object_categories": [{"name": "test object categories"}], "action_categories": [{"name": "test action categories"}]}], "subjects": [{"name": "testuser", "description": "description of the subject", "extra": {"field_extra_subject": "value extra subject"}, "policies": [{"name": "test policy"}]}], "objects": [{"name": "test object", "description": "description of the object", "extra": {"field_extra_object": "value extra object"}, "policies": [{"name": "test policy"}]}], @@ -169,7 +174,6 @@ def test_export_subject_object_action_categories(): req = client.get("/export") assert req.status_code == 200 data = utilities.get_json(req.data) - print(data) assert "content" in data type_elements = ["subject", "object", "action"] for type_element in type_elements: diff --git a/moon_manager/tests/unit_python/api/test_import.py b/moon_manager/tests/unit_python/api/test_import.py index ef2267ed..4e970a0e 100644 --- a/moon_manager/tests/unit_python/api/test_import.py +++ b/moon_manager/tests/unit_python/api/test_import.py @@ -1,3 +1,8 @@ +# Copyright 2018 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + import api.utilities as utilities import api.test_models as test_models import api.test_policies as test_policies @@ -66,24 +71,24 @@ PRE_DATA = {"models": [{"name": "test model", "description": "", "meta_rules": [ "meta_rules": [{"name": "good meta rule", "description": "valid meta rule", "subject_categories": [{"name": "test subject categories"}], "object_categories": [{"name": "test object categories"}], "action_categories": [{"name": "test action categories"}]}, {"name": "other good meta rule", "description": "valid meta rule", "subject_categories": [{"name": "other test subject categories"}], "object_categories": [{"name": "other test object categories"}], "action_categories": [{"name": "other test action categories"}]}]} -SUBJECT_DATA = [{"subject_data": [{"name": "not valid subject data", "description": "", "policy": {}, "category": {}}]}, - {"subject_data": [{"name": "not valid subject data", "description": "", "policy": {}, "category": {"name": "test subject categories"}}]}, - {"policies": [{"name": "test policy", "genre": "authz", "description": "description", "model": {"name": "test model"}, "mandatory": True}], "subject_data": [{"name": "one valid subject data", "description": "description", "policy": {}, "category": {"name": "test subject categories"}}]}, - {"subject_data": [{"name": "valid subject data", "description": "description", "policy": {"name": "test policy"}, "category": {"name": "test subject categories"}}]}, - {"subject_data": [{"name": "valid subject data", "description": "new description", "policy": {"name": "test other policy"}, "category": {"name": "test subject categories"}}]}] +SUBJECT_DATA = [{"subject_data": [{"name": "not valid subject data", "description": "", "policies": [{}], "category": {}}]}, + {"subject_data": [{"name": "not valid subject data", "description": "", "policies": [{}], "category": {"name": "test subject categories"}}]}, + {"policies": [{"name": "test policy", "genre": "authz", "description": "description", "model": {"name": "test model"}, "mandatory": True}], "subject_data": [{"name": "one valid subject data", "description": "description", "policies": [{}], "category": {"name": "test subject categories"}}]}, + {"subject_data": [{"name": "valid subject data", "description": "description", "policies": [{"name": "test policy"}], "category": {"name": "test subject categories"}}]}, + {"subject_data": [{"name": "valid subject data", "description": "new description", "policies": [{"name": "test other policy"}], "category": {"name": "test subject categories"}}]}] -OBJECT_DATA = [{"object_data": [{"name": "not valid object data", "description": "", "policy": {}, "category": {}}]}, - {"object_data": [{"name": "not valid object data", "description": "", "policy": {}, "category": {"name": "test object categories"}}]}, - {"policies": [{"name": "test policy", "genre": "authz", "description": "description", "model": {"name": "test model"}, "mandatory": True}], "object_data": [{"name": "one valid object data", "description": "description", "policy": {}, "category": {"name": "test object categories"}}]}, - {"object_data": [{"name": "valid object data", "description": "description", "policy": {"name": "test policy"}, "category": {"name": "test object categories"}}]}, - {"object_data": [{"name": "valid object data", "description": "new description", "policy": {"name": "test other policy"}, "category": {"name": "test object categories"}}]}] +OBJECT_DATA = [{"object_data": [{"name": "not valid object data", "description": "", "policies": [{}], "category": {}}]}, + {"object_data": [{"name": "not valid object data", "description": "", "policies": [{}], "category": {"name": "test object categories"}}]}, + {"policies": [{"name": "test policy", "genre": "authz", "description": "description", "model": {"name": "test model"}, "mandatory": True}], "object_data": [{"name": "one valid object data", "description": "description", "policies": [{}], "category": {"name": "test object categories"}}]}, + {"object_data": [{"name": "valid object data", "description": "description", "policies": [{"name": "test policy"}], "category": {"name": "test object categories"}}]}, + {"object_data": [{"name": "valid object data", "description": "new description", "policies": [{"name": "test other policy"}], "category": {"name": "test object categories"}}]}] -ACTION_DATA = [{"action_data": [{"name": "not valid action data", "description": "", "policy": {}, "category": {}}]}, - {"action_data": [{"name": "not valid action data", "description": "", "policy": {}, "category": {"name": "test action categories"}}]}, - {"policies": [{"name": "test policy", "genre": "authz", "description": "description", "model": {"name": "test model"}, "mandatory": True}], "action_data": [{"name": "one valid action data", "description": "description", "policy": {}, "category": {"name": "test action categories"}}]}, - {"action_data": [{"name": "valid action data", "description": "description", "policy": {"name": "test policy"}, "category": {"name": "test action categories"}}]}, - {"action_data": [{"name": "valid action data", "description": "new description", "policy": {"name": "test other policy"}, "category": {"name": "test action categories"}}]}] +ACTION_DATA = [{"action_data": [{"name": "not valid action data", "description": "", "policies": [{}], "category": {}}]}, + {"action_data": [{"name": "not valid action data", "description": "", "policies": [{}], "category": {"name": "test action categories"}}]}, + {"policies": [{"name": "test policy", "genre": "authz", "description": "description", "model": {"name": "test model"}, "mandatory": True}], "action_data": [{"name": "one valid action data", "description": "description", "policies": [{}], "category": {"name": "test action categories"}}]}, + {"action_data": [{"name": "valid action data", "description": "description", "policies": [{"name": "test policy"}], "category": {"name": "test action categories"}}]}, + {"action_data": [{"name": "valid action data", "description": "new description", "policies": [{"name": "test other policy"}], "category": {"name": "test action categories"}}]}] PRE_META_RULES = {"subject_categories": [{"name": "test subject categories", "description": "subject category description"}], @@ -104,9 +109,9 @@ PRE_ASSIGNMENTS = {"models": [{"name": "test model", "description": "", "meta_ru "objects": [{"name": "test object", "description": "description of the object", "extra": {}, "policies": [{"name": "test policy"}]}], "actions": [{"name": "test action", "description": "description of the action", "extra": {}, "policies": [{"name": "test policy"}]}], "meta_rules": [{"name": "good meta rule", "description": "valid meta rule", "subject_categories": [{"name": "test subject categories"}], "object_categories": [{"name": "test object categories"}], "action_categories": [{"name": "test action categories"}]}], - "subject_data": [{"name": "subject data", "description": "test subject data", "policy": {"name": "test policy"}, "category": {"name": "test subject categories"}}], - "object_data": [{"name": "object data", "description": "test object data", "policy": {"name": "test policy"}, "category": {"name": "test object categories"}}], - "action_data": [{"name": "action data", "description": "test action data", "policy": {"name": "test policy"}, "category": {"name": "test action categories"}}]} + "subject_data": [{"name": "subject data", "description": "test subject data", "policies": [{"name": "test policy"}], "category": {"name": "test subject categories"}}], + "object_data": [{"name": "object data", "description": "test object data", "policies": [{"name": "test policy"}], "category": {"name": "test object categories"}}], + "action_data": [{"name": "action data", "description": "test action data", "policies": [{"name": "test policy"}], "category": {"name": "test action categories"}}]} SUBJECT_ASSIGNMENTS = [{"subject_assignments": [{"subject": {"name": "unknonw"}, "category" : {"name": "test subject categories"}, "assignments": [{"name": "subject data"}]}]}, @@ -512,4 +517,6 @@ def test_import_subject_object_action_data(): def test_clean(): client = utilities.register_client() - import_export_utilities.clean_all(client)
\ No newline at end of file + import_export_utilities.clean_all(client) + #restore the database as previously + utilities.get_policy_id()
\ No newline at end of file diff --git a/moon_orchestrator/Changelog b/moon_orchestrator/Changelog index 31aabf5d..783c9130 100644 --- a/moon_orchestrator/Changelog +++ b/moon_orchestrator/Changelog @@ -23,3 +23,7 @@ CHANGES ----- - add bootstrap file to start Orchestrator with all configuration +4.4.1 +----- +- the processing of a request is now performed in a thread + diff --git a/moon_orchestrator/moon_orchestrator/__init__.py b/moon_orchestrator/moon_orchestrator/__init__.py index 85c245e0..bc8f2781 100644 --- a/moon_orchestrator/moon_orchestrator/__init__.py +++ b/moon_orchestrator/moon_orchestrator/__init__.py @@ -3,4 +3,4 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -__version__ = "4.4.0" +__version__ = "4.4.1" diff --git a/moon_orchestrator/moon_orchestrator/http_server.py b/moon_orchestrator/moon_orchestrator/http_server.py index 85e29cd0..1cb12618 100644 --- a/moon_orchestrator/moon_orchestrator/http_server.py +++ b/moon_orchestrator/moon_orchestrator/http_server.py @@ -158,7 +158,7 @@ class HTTPServer(Server): }) def run(self): - self.app.run(host=self._host, port=self._port) # nosec + self.app.run(host=self._host, port=self._port, threaded=True) # nosec @staticmethod def __filter_str(data): diff --git a/moon_pythonunittest/requirements.txt b/moon_pythonunittest/requirements.txt index b611b008..fe107293 100644 --- a/moon_pythonunittest/requirements.txt +++ b/moon_pythonunittest/requirements.txt @@ -7,4 +7,5 @@ werkzeug flask requests pytest -requests_mock
\ No newline at end of file +pytest-cov +requests_mock diff --git a/moon_pythonunittest/run_tests.sh b/moon_pythonunittest/run_tests.sh index b59a9ec2..285bd856 100644 --- a/moon_pythonunittest/run_tests.sh +++ b/moon_pythonunittest/run_tests.sh @@ -1,8 +1,14 @@ #!/usr/bin/env bash cd /data -#pip3 install -r tests/python_unit/requirements.txt --upgrade -#pip3 install . +pip3 install -r tests/unit_python/requirements.txt --upgrade +pip3 install . + +if [ -d /data/dist ]; +then + pip install /data/dist/*.tar.gz --upgrade + pip install /data/dist/*.whl --upgrade +fi if [ -f /data/tests/unit_python/run_tests.sh ]; then @@ -10,4 +16,4 @@ then fi cd /data/tests/unit_python -pytest -s . +pytest --cov --cov-report term --cov-report html --cov-report xml . diff --git a/moon_wrapper/Changelog b/moon_wrapper/Changelog new file mode 100644 index 00000000..071e4ef9 --- /dev/null +++ b/moon_wrapper/Changelog @@ -0,0 +1,28 @@ +# Copyright 2018 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + + +CHANGES +======= + +1.0.0 +----- +- First version of the manager + +2.0.0 +----- +- Version built inside the Keystone component + +3.0.0 +----- +- Version built outside the Keystone component + +4.0.0 +----- +- First micro-architecture version + +4.5.1 +----- +- use the threading capability of Flask app diff --git a/moon_wrapper/moon_wrapper/__init__.py b/moon_wrapper/moon_wrapper/__init__.py index 903c6518..98a98146 100644 --- a/moon_wrapper/moon_wrapper/__init__.py +++ b/moon_wrapper/moon_wrapper/__init__.py @@ -3,4 +3,4 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -__version__ = "0.1.0" +__version__ = "4.5.1" diff --git a/moon_wrapper/moon_wrapper/http_server.py b/moon_wrapper/moon_wrapper/http_server.py index f23af182..dfbaed9f 100644 --- a/moon_wrapper/moon_wrapper/http_server.py +++ b/moon_wrapper/moon_wrapper/http_server.py @@ -136,5 +136,5 @@ class HTTPServer(Server): ) def run(self): - self.app.run(host=self._host, port=self._port) # nosec + self.app.run(host=self._host, port=self._port, threaded=True) # nosec diff --git a/moon_wrapper/tests/unit_python/conftest.py b/moon_wrapper/tests/unit_python/conftest.py index 621c2014..2c332c89 100644 --- a/moon_wrapper/tests/unit_python/conftest.py +++ b/moon_wrapper/tests/unit_python/conftest.py @@ -415,7 +415,7 @@ def set_consul_and_db(monkeypatch): "name": "testuser", "email": "mail", "id": "89ba91c18dd54abfbfde7a66936c51a6", - "partner_id": "" + "extra": {} }, "31fd15ad14784a9696fcc887dddbfaf9": { "description": "test", @@ -426,7 +426,7 @@ def set_consul_and_db(monkeypatch): "name": "adminuser", "email": "mail", "id": "31fd15ad14784a9696fcc887dddbfaf9", - "partner_id": "" + "extra": {} } } } @@ -439,7 +439,7 @@ def set_consul_and_db(monkeypatch): "name": "vm1", "description": "test", "id": "67b8008a3f8d4f8e847eb628f0f7ca0e", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" @@ -449,7 +449,7 @@ def set_consul_and_db(monkeypatch): "name": "vm0", "description": "test", "id": "9089b3d2ce5b4e929ffc7e35b55eba1a", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" @@ -466,7 +466,7 @@ def set_consul_and_db(monkeypatch): "name": "boot", "description": "test", "id": "cdb3df220dc04a6ea3334b994827b068", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" @@ -476,7 +476,7 @@ def set_consul_and_db(monkeypatch): "name": "stop", "description": "test", "id": "cdb3df220dc04a6ea3334b994827b068", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" @@ -486,7 +486,7 @@ def set_consul_and_db(monkeypatch): "name": "start", "description": "test", "id": "9f5112afe9b34a6c894eb87246ccb7aa", - "partner_id": "", + "extra": {}, "policy_list": [ "f8f49a779ceb47b3ac810f01ef71b4e0", "636cd473324f4c0bbd9102cb5b62a16d" diff --git a/python_moonclient/Changelog b/python_moonclient/Changelog index 9a2971cb..c58d83c4 100644 --- a/python_moonclient/Changelog +++ b/python_moonclient/Changelog @@ -1,4 +1,4 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# Copyright 2018 Open Platform for NFV Project, Inc. and its contributors # This software is distributed under the terms and conditions of the 'Apache-2.0' # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. diff --git a/python_moondb/Changelog b/python_moondb/Changelog index a7d10b17..44ae7fa8 100644 --- a/python_moondb/Changelog +++ b/python_moondb/Changelog @@ -57,3 +57,11 @@ CHANGES ----- - Code cleaning +1.2.6 +----- +- Remove some code duplication in moon_db +- handle the extra field for the perimeter + +1.2.7 +----- +- Fix some bugs diff --git a/python_moondb/MANIFEST.in b/python_moondb/MANIFEST.in index 82b40140..02655837 100644 --- a/python_moondb/MANIFEST.in +++ b/python_moondb/MANIFEST.in @@ -3,7 +3,7 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -include README.rst +include README.md include LICENSE include setup.py include requirements.txt diff --git a/python_moondb/python_moondb/__init__.py b/python_moondb/python_moondb/__init__.py index de7c772e..bebaca8a 100644 --- a/python_moondb/python_moondb/__init__.py +++ b/python_moondb/python_moondb/__init__.py @@ -3,5 +3,5 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -__version__ = "1.2.5" +__version__ = "1.2.7" diff --git a/python_moondb/python_moondb/api/policy.py b/python_moondb/python_moondb/api/policy.py index ca313f9a..cde3ab77 100644 --- a/python_moondb/python_moondb/api/policy.py +++ b/python_moondb/python_moondb/api/policy.py @@ -112,6 +112,7 @@ class PolicyManager(Managers): @enforce(("read", "write"), "perimeter") def add_action(self, user_id, policy_id, perimeter_id=None, value=None): + logger.info("add_action {}".format(policy_id)) if not self.get_policies(user_id=user_id, policy_id=policy_id): raise exceptions.PolicyUnknown if not perimeter_id: diff --git a/python_moondb/python_moondb/backends/sql.py b/python_moondb/python_moondb/backends/sql.py index 1ce8d016..c0670951 100644 --- a/python_moondb/python_moondb/backends/sql.py +++ b/python_moondb/python_moondb/backends/sql.py @@ -9,7 +9,7 @@ from uuid import uuid4 import sqlalchemy as sql import logging from sqlalchemy.orm import sessionmaker -from sqlalchemy.ext.declarative import declarative_base +from sqlalchemy.ext.declarative import declarative_base, declared_attr from sqlalchemy import create_engine from contextlib import contextmanager from sqlalchemy import types as sql_types @@ -103,36 +103,30 @@ class PDP(Base, DictBase): } -class SubjectCategory(Base, DictBase): - __tablename__ = 'subject_categories' +class PerimeterCategoryBase(DictBase): attributes = ['id', 'name', 'description'] id = sql.Column(sql.String(64), primary_key=True) name = sql.Column(sql.String(256), nullable=False) description = sql.Column(sql.String(256), nullable=True) -class ObjectCategory(Base, DictBase): +class SubjectCategory(Base, PerimeterCategoryBase): + __tablename__ = 'subject_categories' + + +class ObjectCategory(Base, PerimeterCategoryBase): __tablename__ = 'object_categories' - attributes = ['id', 'name', 'description'] - id = sql.Column(sql.String(64), primary_key=True) - name = sql.Column(sql.String(256), nullable=False) - description = sql.Column(sql.String(256), nullable=True) -class ActionCategory(Base, DictBase): +class ActionCategory(Base, PerimeterCategoryBase): __tablename__ = 'action_categories' - attributes = ['id', 'name', 'description'] - id = sql.Column(sql.String(64), primary_key=True) - name = sql.Column(sql.String(256), nullable=False) - description = sql.Column(sql.String(256), nullable=True) -class Subject(Base, DictBase): - __tablename__ = 'subjects' +class PerimeterBase(DictBase): attributes = ['id', 'value'] id = sql.Column(sql.String(64), primary_key=True) value = sql.Column(JsonBlob(), nullable=True) - + __mapper_args__ = {'concrete': True} def __repr__(self): return "{}: {}".format(self.id, json.dumps(self.value)) @@ -142,7 +136,7 @@ class Subject(Base, DictBase): 'name': self.value.get("name", ""), 'description': self.value.get("description", ""), 'email': self.value.get("email", ""), - 'partner_id': self.value.get("partner_id", ""), + 'extra': self.value.get("extra", dict()), 'policy_list': self.value.get("policy_list", []) } @@ -153,63 +147,25 @@ class Subject(Base, DictBase): } -class Object(Base, DictBase): - __tablename__ = 'objects' - attributes = ['id', 'value'] - id = sql.Column(sql.String(64), primary_key=True) - value = sql.Column(JsonBlob(), nullable=True) - - def __repr__(self): - return "{}: {}".format(self.id, json.dumps(self.value)) +class Subject(Base, PerimeterBase): + __tablename__ = 'subjects' - def to_dict(self): - return { - 'id': self.id, - 'value': self.value - } - def to_return(self): - return { - 'id': self.id, - 'name': self.value.get("name", ""), - 'description': self.value.get("description", ""), - 'partner_id': self.value.get("partner_id", ""), - 'policy_list': self.value.get("policy_list", []) - } +class Object(Base, PerimeterBase): + __tablename__ = 'objects' -class Action(Base, DictBase): +class Action(Base, PerimeterBase): __tablename__ = 'actions' - attributes = ['id', 'value'] - id = sql.Column(sql.String(64), primary_key=True) - value = sql.Column(JsonBlob(), nullable=True) - - def __repr__(self): - return "{}: {}".format(self.id, json.dumps(self.value)) - def to_dict(self): - return { - 'id': self.id, - 'value': self.value - } - def to_return(self): - return { - 'id': self.id, - 'name': self.value.get("name", ""), - 'description': self.value.get("description", ""), - 'partner_id': self.value.get("partner_id", ""), - 'policy_list': self.value.get("policy_list", []) - } - - -class SubjectData(Base, DictBase): - __tablename__ = 'subject_data' +class PerimeterDataBase(DictBase): attributes = ['id', 'value', 'category_id', 'policy_id'] id = sql.Column(sql.String(64), primary_key=True) value = sql.Column(JsonBlob(), nullable=True) - category_id = sql.Column(sql.ForeignKey("subject_categories.id"), nullable=False) - policy_id = sql.Column(sql.ForeignKey("policies.id"), nullable=False) + @declared_attr + def policy_id(cls): + return sql.Column(sql.ForeignKey("policies.id"), nullable=False) def to_dict(self): return { @@ -221,79 +177,68 @@ class SubjectData(Base, DictBase): } -class ObjectData(Base, DictBase): +class SubjectData(Base, PerimeterDataBase): + __tablename__ = 'subject_data' + category_id = sql.Column(sql.ForeignKey("subject_categories.id"), nullable=False) + + +class ObjectData(Base, PerimeterDataBase): __tablename__ = 'object_data' - attributes = ['id', 'value', 'category_id', 'policy_id'] - id = sql.Column(sql.String(64), primary_key=True) - value = sql.Column(JsonBlob(), nullable=True) category_id = sql.Column(sql.ForeignKey("object_categories.id"), nullable=False) - policy_id = sql.Column(sql.ForeignKey("policies.id"), nullable=False) -class ActionData(Base, DictBase): +class ActionData(Base, PerimeterDataBase): __tablename__ = 'action_data' - attributes = ['id', 'value', 'category_id', 'policy_id'] - id = sql.Column(sql.String(64), primary_key=True) - value = sql.Column(JsonBlob(), nullable=True) category_id = sql.Column(sql.ForeignKey("action_categories.id"), nullable=False) - policy_id = sql.Column(sql.ForeignKey("policies.id"), nullable=False) -class SubjectAssignment(Base, DictBase): - __tablename__ = 'subject_assignments' +class PerimeterAssignmentBase(DictBase): attributes = ['id', 'assignments', 'policy_id', 'subject_id', 'category_id'] id = sql.Column(sql.String(64), primary_key=True) assignments = sql.Column(JsonBlob(), nullable=True) - policy_id = sql.Column(sql.ForeignKey("policies.id"), nullable=False) - subject_id = sql.Column(sql.ForeignKey("subjects.id"), nullable=False) - category_id = sql.Column(sql.ForeignKey("subject_categories.id"), nullable=False) + category_id = None - def to_dict(self): + @declared_attr + def policy_id(cls): + return sql.Column(sql.ForeignKey("policies.id"), nullable=False) + + def _to_dict(self, element_key, element_value): return { "id": self.id, "policy_id": self.policy_id, - "subject_id": self.subject_id, + element_key: element_value, "category_id": self.category_id, "assignments": self.assignments, } -class ObjectAssignment(Base, DictBase): +class SubjectAssignment(Base, PerimeterAssignmentBase): + __tablename__ = 'subject_assignments' + subject_id = sql.Column(sql.ForeignKey("subjects.id"), nullable=False) + category_id = sql.Column(sql.ForeignKey("subject_categories.id"), nullable=False) + + def to_dict(self): + return self._to_dict("subject_id", self.subject_id) + + +class ObjectAssignment(Base, PerimeterAssignmentBase): __tablename__ = 'object_assignments' attributes = ['id', 'assignments', 'policy_id', 'object_id', 'category_id'] - id = sql.Column(sql.String(64), primary_key=True) - assignments = sql.Column(JsonBlob(), nullable=True) - policy_id = sql.Column(sql.ForeignKey("policies.id"), nullable=False) object_id = sql.Column(sql.ForeignKey("objects.id"), nullable=False) category_id = sql.Column(sql.ForeignKey("object_categories.id"), nullable=False) def to_dict(self): - return { - "id": self.id, - "policy_id": self.policy_id, - "object_id": self.object_id, - "category_id": self.category_id, - "assignments": self.assignments, - } + return self._to_dict("object_id", self.object_id) -class ActionAssignment(Base, DictBase): +class ActionAssignment(Base, PerimeterAssignmentBase): __tablename__ = 'action_assignments' attributes = ['id', 'assignments', 'policy_id', 'action_id', 'category_id'] - id = sql.Column(sql.String(64), primary_key=True) - assignments = sql.Column(JsonBlob(), nullable=True) - policy_id = sql.Column(sql.ForeignKey("policies.id"), nullable=False) action_id = sql.Column(sql.ForeignKey("actions.id"), nullable=False) category_id = sql.Column(sql.ForeignKey("action_categories.id"), nullable=False) def to_dict(self): - return { - "id": self.id, - "policy_id": self.policy_id, - "action_id": self.action_id, - "category_id": self.category_id, - "assignments": self.assignments, - } + return self._to_dict("action_id", self.action_id) class MetaRule(Base, DictBase): @@ -446,9 +391,9 @@ class PolicyConnector(BaseConnector, PolicyDriver): ref_list = query.all() return {_ref.id: _ref.to_dict() for _ref in ref_list} - def get_subjects(self, policy_id, perimeter_id=None): + def __get_perimeters(self, ClassType, policy_id, perimeter_id=None): with self.get_session_for_read() as session: - query = session.query(Subject) + query = session.query(ClassType) ref_list = copy.deepcopy(query.all()) if perimeter_id: for _ref in ref_list: @@ -467,190 +412,83 @@ class PolicyConnector(BaseConnector, PolicyDriver): return {_ref.id: _ref.to_return() for _ref in results} return {_ref.id: _ref.to_return() for _ref in ref_list} - def set_subject(self, policy_id, perimeter_id=None, value=None): - _subject = None + def __set_perimeter(self, ClassType, policy_id, perimeter_id=None, value=None): + _perimeter = None with self.get_session_for_write() as session: if perimeter_id: - query = session.query(Subject) + query = session.query(ClassType) query = query.filter_by(id=perimeter_id) - _subject = query.first() - if not _subject: + _perimeter = query.first() + if not _perimeter: if "policy_list" not in value or type(value["policy_list"]) is not list: value["policy_list"] = [] if policy_id and policy_id not in value["policy_list"]: value["policy_list"] = [policy_id, ] - new = Subject.from_dict({ + new = ClassType.from_dict({ "id": perimeter_id if perimeter_id else uuid4().hex, "value": value }) session.add(new) return {new.id: new.to_return()} else: - _value = copy.deepcopy(_subject.to_dict()) + _value = copy.deepcopy(_perimeter.to_dict()) if "policy_list" not in _value["value"] or type(_value["value"]["policy_list"]) is not list: _value["value"]["policy_list"] = [] if policy_id and policy_id not in _value["value"]["policy_list"]: _value["value"]["policy_list"].append(policy_id) - new_subject = Subject.from_dict(_value) + new_perimeter = ClassType.from_dict(_value) # setattr(_subject, "value", _value["value"]) - setattr(_subject, "value", getattr(new_subject, "value")) - return {_subject.id: _subject.to_return()} + setattr(_perimeter, "value", getattr(new_perimeter, "value")) + return {_perimeter.id: _perimeter.to_return()} - def delete_subject(self, policy_id, perimeter_id): + def __delete_perimeter(self,ClassType, ClassUnknownException, policy_id, perimeter_id): with self.get_session_for_write() as session: - query = session.query(Subject) + query = session.query(ClassType) query = query.filter_by(id=perimeter_id) - _subject = query.first() - if not _subject: - raise SubjectUnknown - old_subject = copy.deepcopy(_subject.to_dict()) + _perimeter = query.first() + if not _perimeter: + raise ClassUnknownException + old_perimeter = copy.deepcopy(_perimeter.to_dict()) # value = _subject.to_dict() try: - old_subject["value"]["policy_list"].remove(policy_id) - new_user = Subject.from_dict(old_subject) - setattr(_subject, "value", getattr(new_user, "value")) + old_perimeter["value"]["policy_list"].remove(policy_id) + new_perimeter = ClassType.from_dict(old_perimeter) + setattr(_perimeter, "value", getattr(new_perimeter, "value")) except ValueError: - if not _subject.value["policy_list"]: - session.delete(_subject) + if not _perimeter.value["policy_list"]: + session.delete(_perimeter) + + def get_subjects(self, policy_id, perimeter_id=None): + return self.__get_perimeters(Subject, policy_id, perimeter_id) + + def set_subject(self, policy_id, perimeter_id=None, value=None): + return self.__set_perimeter(Subject, policy_id, perimeter_id=perimeter_id, value=value) + + def delete_subject(self, policy_id, perimeter_id): + self.__delete_perimeter(Subject, SubjectUnknown, policy_id, perimeter_id) def get_objects(self, policy_id, perimeter_id=None): - with self.get_session_for_read() as session: - query = session.query(Object) - ref_list = copy.deepcopy(query.all()) - if perimeter_id: - for _ref in ref_list: - _ref_value = _ref.to_return() - if perimeter_id == _ref.id: - if policy_id and policy_id in _ref_value["policy_list"]: - return {_ref.id: _ref_value} - else: - return {} - elif policy_id: - results = [] - for _ref in ref_list: - _ref_value = _ref.to_return() - if policy_id in _ref_value["policy_list"]: - results.append(_ref) - return {_ref.id: _ref.to_return() for _ref in results} - return {_ref.id: _ref.to_return() for _ref in ref_list} + return self.__get_perimeters(Object, policy_id, perimeter_id) def set_object(self, policy_id, perimeter_id=None, value=None): - _object = None - with self.get_session_for_write() as session: - if perimeter_id: - query = session.query(Object) - query = query.filter_by(id=perimeter_id) - _object = query.first() - if not _object: - if "policy_list" not in value or type(value["policy_list"]) is not list: - value["policy_list"] = [] - if policy_id and policy_id not in value["policy_list"]: - value["policy_list"] = [policy_id, ] - new = Object.from_dict({ - "id": perimeter_id if perimeter_id else uuid4().hex, - "value": value - }) - session.add(new) - return {new.id: new.to_return()} - else: - _value = copy.deepcopy(_object.to_dict()) - if "policy_list" not in _value["value"] or type(_value["value"]["policy_list"]) is not list: - _value["value"]["policy_list"] = [] - if policy_id and policy_id not in _value["value"]["policy_list"]: - _value["value"]["policy_list"].append(policy_id) - new_object = Object.from_dict(_value) - # setattr(_object, "value", _value["value"]) - setattr(_object, "value", getattr(new_object, "value")) - return {_object.id: _object.to_return()} + return self.__set_perimeter(Object, policy_id, perimeter_id=perimeter_id, value=value) def delete_object(self, policy_id, perimeter_id): - with self.get_session_for_write() as session: - query = session.query(Object) - query = query.filter_by(id=perimeter_id) - _object = query.first() - if not _object: - raise ObjectUnknown - old_object = copy.deepcopy(_object.to_dict()) - # value = _object.to_dict() - try: - old_object["value"]["policy_list"].remove(policy_id) - new_user = Object.from_dict(old_object) - setattr(_object, "value", getattr(new_user, "value")) - except ValueError: - if not _object.value["policy_list"]: - session.delete(_object) + self.__delete_perimeter(Object, ObjectUnknown, policy_id, perimeter_id) def get_actions(self, policy_id, perimeter_id=None): - with self.get_session_for_read() as session: - query = session.query(Action) - ref_list = copy.deepcopy(query.all()) - if perimeter_id: - for _ref in ref_list: - _ref_value = _ref.to_return() - if perimeter_id == _ref.id: - if policy_id and policy_id in _ref_value["policy_list"]: - return {_ref.id: _ref_value} - else: - return {} - elif policy_id: - results = [] - for _ref in ref_list: - _ref_value = _ref.to_return() - if policy_id in _ref_value["policy_list"]: - results.append(_ref) - return {_ref.id: _ref.to_return() for _ref in results} - return {_ref.id: _ref.to_return() for _ref in ref_list} + return self.__get_perimeters(Action, policy_id, perimeter_id) def set_action(self, policy_id, perimeter_id=None, value=None): - _action = None - with self.get_session_for_write() as session: - if perimeter_id: - query = session.query(Action) - query = query.filter_by(id=perimeter_id) - _action = query.first() - if not _action: - if "policy_list" not in value or type(value["policy_list"]) is not list: - value["policy_list"] = [] - if policy_id and policy_id not in value["policy_list"]: - value["policy_list"] = [policy_id, ] - new = Action.from_dict({ - "id": perimeter_id if perimeter_id else uuid4().hex, - "value": value - }) - session.add(new) - return {new.id: new.to_return()} - else: - _value = copy.deepcopy(_action.to_dict()) - if "policy_list" not in _value["value"] or type(_value["value"]["policy_list"]) is not list: - _value["value"]["policy_list"] = [] - if policy_id and policy_id not in _value["value"]["policy_list"]: - _value["value"]["policy_list"].append(policy_id) - new_action = Action.from_dict(_value) - # setattr(_action, "value", _value["value"]) - setattr(_action, "value", getattr(new_action, "value")) - return {_action.id: _action.to_return()} + return self.__set_perimeter(Action, policy_id, perimeter_id=perimeter_id, value=value) def delete_action(self, policy_id, perimeter_id): - with self.get_session_for_write() as session: - query = session.query(Action) - query = query.filter_by(id=perimeter_id) - _action = query.first() - if not _action: - raise ActionUnknown - old_action = copy.deepcopy(_action.to_dict()) - # value = _action.to_dict() - try: - old_action["value"]["policy_list"].remove(policy_id) - new_user = Action.from_dict(old_action) - setattr(_action, "value", getattr(new_user, "value")) - except ValueError: - if not _action.value["policy_list"]: - session.delete(_action) + self.__delete_perimeter(Action, ActionUnknown, policy_id, perimeter_id) - def get_subject_data(self, policy_id, data_id=None, category_id=None): + def __get_perimeter_data(self, ClassType, policy_id, data_id=None, category_id=None): logger.info("driver {} {} {}".format(policy_id, data_id, category_id)) with self.get_session_for_read() as session: - query = session.query(SubjectData) + query = session.query(ClassType) if data_id: query = query.filter_by(policy_id=policy_id, id=data_id, category_id=category_id) else: @@ -663,13 +501,13 @@ class PolicyConnector(BaseConnector, PolicyDriver): "data": {_ref.id: _ref.to_dict() for _ref in ref_list} } - def set_subject_data(self, policy_id, data_id=None, category_id=None, value=None): + def __set_perimeter_data(self, ClassType, ClassTypeData, policy_id, data_id=None, category_id=None, value=None): with self.get_session_for_write() as session: - query = session.query(SubjectData) + query = session.query(ClassTypeData) query = query.filter_by(policy_id=policy_id, id=data_id, category_id=category_id) ref = query.first() if not ref: - new_ref = SubjectData.from_dict( + new_ref = ClassTypeData.from_dict( { "id": data_id if data_id else uuid4().hex, 'value': value, @@ -680,7 +518,7 @@ class PolicyConnector(BaseConnector, PolicyDriver): session.add(new_ref) ref = new_ref else: - for attr in Subject.attributes: + for attr in ClassType.attributes: if attr != 'id': setattr(ref, attr, getattr(ref, attr)) # session.flush() @@ -690,116 +528,46 @@ class PolicyConnector(BaseConnector, PolicyDriver): "data": {ref.id: ref.to_dict()} } - def delete_subject_data(self, policy_id, data_id): + def __delete_perimeter_data(self, ClassType, policy_id, data_id): with self.get_session_for_write() as session: - query = session.query(SubjectData) + query = session.query(ClassType) query = query.filter_by(policy_id=policy_id, id=data_id) ref = query.first() if ref: session.delete(ref) + def get_subject_data(self, policy_id, data_id=None, category_id=None): + return self.__get_perimeter_data(SubjectData, policy_id, data_id=data_id, category_id=category_id) + + def set_subject_data(self, policy_id, data_id=None, category_id=None, value=None): + return self.__set_perimeter_data(Subject, SubjectData, policy_id, data_id=data_id, category_id=category_id, value=value) + + def delete_subject_data(self, policy_id, data_id): + return self.__delete_perimeter_data(SubjectData, policy_id, data_id) + def get_object_data(self, policy_id, data_id=None, category_id=None): - with self.get_session_for_read() as session: - query = session.query(ObjectData) - if data_id: - query = query.filter_by(policy_id=policy_id, id=data_id, category_id=category_id) - else: - query = query.filter_by(policy_id=policy_id, category_id=category_id) - ref_list = query.all() - return { - "policy_id": policy_id, - "category_id": category_id, - "data": {_ref.id: _ref.to_dict() for _ref in ref_list} - } + return self.__get_perimeter_data(ObjectData, policy_id, data_id=data_id, category_id=category_id) def set_object_data(self, policy_id, data_id=None, category_id=None, value=None): - with self.get_session_for_write() as session: - query = session.query(ObjectData) - query = query.filter_by(policy_id=policy_id, id=data_id, category_id=category_id) - ref = query.first() - if not ref: - new_ref = ObjectData.from_dict( - { - "id": data_id if data_id else uuid4().hex, - 'value': value, - 'category_id': category_id, - 'policy_id': policy_id, - } - ) - session.add(new_ref) - ref = new_ref - else: - for attr in Object.attributes: - if attr != 'id': - setattr(ref, attr, getattr(ref, attr)) - # session.flush() - return { - "policy_id": policy_id, - "category_id": category_id, - "data": {ref.id: ref.to_dict()} - } + return self.__set_perimeter_data(Object, ObjectData, policy_id, data_id=data_id, category_id=category_id, value=value) def delete_object_data(self, policy_id, data_id): - with self.get_session_for_write() as session: - query = session.query(ObjectData) - query = query.filter_by(policy_id=policy_id, id=data_id) - ref = query.first() - if ref: - session.delete(ref) + return self.__delete_perimeter_data(ObjectData, policy_id, data_id) def get_action_data(self, policy_id, data_id=None, category_id=None): - with self.get_session_for_read() as session: - query = session.query(ActionData) - if data_id: - query = query.filter_by(policy_id=policy_id, id=data_id, category_id=category_id) - else: - query = query.filter_by(policy_id=policy_id, category_id=category_id) - ref_list = query.all() - return { - "policy_id": policy_id, - "category_id": category_id, - "data": {_ref.id: _ref.to_dict() for _ref in ref_list} - } + return self.__get_perimeter_data(ActionData, policy_id, data_id=data_id, category_id=category_id) def set_action_data(self, policy_id, data_id=None, category_id=None, value=None): - with self.get_session_for_write() as session: - query = session.query(ActionData) - query = query.filter_by(policy_id=policy_id, id=data_id, category_id=category_id) - ref = query.first() - if not ref: - new_ref = ActionData.from_dict( - { - "id": data_id if data_id else uuid4().hex, - 'value': value, - 'category_id': category_id, - 'policy_id': policy_id, - } - ) - session.add(new_ref) - ref = new_ref - else: - for attr in Action.attributes: - if attr != 'id': - setattr(ref, attr, getattr(ref, attr)) - # session.flush() - return { - "policy_id": policy_id, - "category_id": category_id, - "data": {ref.id: ref.to_dict()} - } + return self.__set_perimeter_data(Action, ActionData, policy_id, data_id=data_id, category_id=category_id, value=value) def delete_action_data(self, policy_id, data_id): - with self.get_session_for_write() as session: - query = session.query(ActionData) - query = query.filter_by(policy_id=policy_id, id=data_id) - ref = query.first() - if ref: - session.delete(ref) + return self.__delete_perimeter_data(ActionData, policy_id, data_id) def get_subject_assignments(self, policy_id, subject_id=None, category_id=None): with self.get_session_for_write() as session: query = session.query(SubjectAssignment) if subject_id and category_id: + #TODO change the subject_id to perimeter_id to allow code refactoring query = query.filter_by(policy_id=policy_id, subject_id=subject_id, category_id=category_id) elif subject_id: query = query.filter_by(policy_id=policy_id, subject_id=subject_id) @@ -852,6 +620,7 @@ class PolicyConnector(BaseConnector, PolicyDriver): with self.get_session_for_write() as session: query = session.query(ObjectAssignment) if object_id and category_id: + #TODO change the object_id to perimeter_id to allow code refactoring query = query.filter_by(policy_id=policy_id, object_id=object_id, category_id=category_id) elif object_id: query = query.filter_by(policy_id=policy_id, object_id=object_id) @@ -904,6 +673,7 @@ class PolicyConnector(BaseConnector, PolicyDriver): with self.get_session_for_write() as session: query = session.query(ActionAssignment) if action_id and category_id: + # TODO change the action_id to perimeter_id to allow code refactoring query = query.filter_by(policy_id=policy_id, action_id=action_id, category_id=category_id) elif action_id: query = query.filter_by(policy_id=policy_id, action_id=action_id) @@ -1074,21 +844,21 @@ class ModelConnector(BaseConnector, ModelDriver): if ref: session.delete(ref) - def get_subject_categories(self, category_id=None): + def __get_perimeter_categories(self, ClassType, category_id=None): with self.get_session_for_read() as session: - query = session.query(SubjectCategory) + query = session.query(ClassType) if category_id: query = query.filter_by(id=category_id) ref_list = query.all() return {_ref.id: _ref.to_dict() for _ref in ref_list} - def add_subject_category(self, name, description, uuid=None): + def __add_perimeter_category(self, ClassType, name, description, uuid=None): with self.get_session_for_write() as session: - query = session.query(SubjectCategory) + query = session.query(ClassType) query = query.filter_by(name=name) ref = query.first() if not ref: - ref = SubjectCategory.from_dict( + ref = ClassType.from_dict( { "id": uuid if uuid else uuid4().hex, "name": name, @@ -1098,77 +868,41 @@ class ModelConnector(BaseConnector, ModelDriver): session.add(ref) return {ref.id: ref.to_dict()} - def delete_subject_category(self, category_id): + def __delete_perimeter_category(self, ClassType, category_id): with self.get_session_for_write() as session: - query = session.query(SubjectCategory) + query = session.query(ClassType) query = query.filter_by(id=category_id) ref = query.first() if ref: session.delete(ref) + def get_subject_categories(self, category_id=None): + return self.__get_perimeter_categories(SubjectCategory, category_id=category_id) + + def add_subject_category(self, name, description, uuid=None): + return self.__add_perimeter_category(SubjectCategory, name, description, uuid=uuid) + + def delete_subject_category(self, category_id): + self.__delete_perimeter_category(SubjectCategory, category_id) + def get_object_categories(self, category_id=None): - with self.get_session_for_read() as session: - query = session.query(ObjectCategory) - if category_id: - query = query.filter_by(id=category_id) - ref_list = query.all() - return {_ref.id: _ref.to_dict() for _ref in ref_list} + return self.__get_perimeter_categories(ObjectCategory, category_id=category_id) def add_object_category(self, name, description, uuid=None): - with self.get_session_for_write() as session: - query = session.query(ObjectCategory) - query = query.filter_by(name=name) - ref = query.first() - if not ref: - ref = ObjectCategory.from_dict( - { - "id": uuid if uuid else uuid4().hex, - "name": name, - "description": description - } - ) - session.add(ref) - return {ref.id: ref.to_dict()} + return self.__add_perimeter_category(ObjectCategory, name, description, uuid=uuid) def delete_object_category(self, category_id): - with self.get_session_for_write() as session: - query = session.query(ObjectCategory) - query = query.filter_by(id=category_id) - ref = query.first() - if ref: - session.delete(ref) + self.__delete_perimeter_category(ObjectCategory, category_id) def get_action_categories(self, category_id=None): - with self.get_session_for_read() as session: - query = session.query(ActionCategory) - if category_id: - query = query.filter_by(id=category_id) - ref_list = query.all() - return {_ref.id: _ref.to_dict() for _ref in ref_list} + return self.__get_perimeter_categories(ActionCategory, category_id=category_id) def add_action_category(self, name, description, uuid=None): - with self.get_session_for_write() as session: - query = session.query(ActionCategory) - query = query.filter_by(name=name) - ref = query.first() - if not ref: - ref = ActionCategory.from_dict( - { - "id": uuid if uuid else uuid4().hex, - "name": name, - "description": description - } - ) - session.add(ref) - return {ref.id: ref.to_dict()} + return self.__add_perimeter_category(ActionCategory, name, description, uuid=uuid) def delete_action_category(self, category_id): - with self.get_session_for_write() as session: - query = session.query(ActionCategory) - query = query.filter_by(id=category_id) - ref = query.first() - if ref: - session.delete(ref) + self.__delete_perimeter_category(ActionCategory, category_id) + # Getter and Setter for subject_category # def get_subject_categories_dict(self, intra_extension_id): diff --git a/python_moonutilities/Changelog b/python_moonutilities/Changelog index ffc03809..4c08f10c 100644 --- a/python_moonutilities/Changelog +++ b/python_moonutilities/Changelog @@ -82,3 +82,7 @@ CHANGES 1.4.6 ----- - Add WrapperConflict, PipelineConflict, SlaveNameUnknown exceptions + +1.4.7 +----- +- Delete the auth.py file to remove some code duplication
\ No newline at end of file diff --git a/python_moonutilities/python_moonutilities/__init__.py b/python_moonutilities/python_moonutilities/__init__.py index 741ba4f6..43f8645f 100644 --- a/python_moonutilities/python_moonutilities/__init__.py +++ b/python_moonutilities/python_moonutilities/__init__.py @@ -3,6 +3,6 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -__version__ = "1.4.6" +__version__ = "1.4.7" diff --git a/python_moonutilities/python_moonutilities/auth.py b/python_moonutilities/python_moonutilities/auth.py deleted file mode 100644 index 5f921d0b..00000000 --- a/python_moonutilities/python_moonutilities/auth.py +++ /dev/null @@ -1,76 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -import os -import requests -import time -from functools import wraps -from flask import request -from oslo_log import log as logging -from python_moonutilities import exceptions, configuration - - -logger = logging.getLogger(__name__) -KEYSTONE_CONFIG = configuration.get_configuration("openstack/keystone")["openstack/keystone"] -TOKENS = {} - - -def check_token(token, url=None): - _verify = False - if KEYSTONE_CONFIG['certificate']: - _verify = KEYSTONE_CONFIG['certificate'] - try: - os.environ.pop("http_proxy") - os.environ.pop("https_proxy") - except KeyError: - pass - if not url: - url = KEYSTONE_CONFIG['url'] - headers = { - "Content-Type": "application/json", - 'X-Subject-Token': token, - 'X-Auth-Token': token, - } - if KEYSTONE_CONFIG['check_token'].lower() in ("false", "no", "n"): - # TODO (asteroide): must send the admin id - return "admin" if not token else token - if KEYSTONE_CONFIG['check_token'].lower() in ("yes", "y", "true"): - if token in TOKENS: - delta = time.mktime(TOKENS[token]["expires_at"]) - time.mktime(time.gmtime()) - if delta > 0: - return TOKENS[token]["user"] - raise exceptions.KeystoneError - else: - req = requests.get("{}/auth/tokens".format(url), headers=headers, verify=_verify) - if req.status_code in (200, 201): - # Note (asteroide): the time stamps is not in ISO 8601, so it is necessary to delete - # characters after the dot - token_time = req.json().get("token").get("expires_at").split(".") - TOKENS[token] = dict() - TOKENS[token]["expires_at"] = time.strptime(token_time[0], "%Y-%m-%dT%H:%M:%S") - TOKENS[token]["user"] = req.json().get("token").get("user").get("id") - return TOKENS[token]["user"] - logger.error("{} - {}".format(req.status_code, req.text)) - raise exceptions.KeystoneError - elif KEYSTONE_CONFIG['check_token'].lower() == "strict": - req = requests.head("{}/auth/tokens".format(url), headers=headers, verify=_verify) - if req.status_code in (200, 201): - return token - logger.error("{} - {}".format(req.status_code, req.text)) - raise exceptions.KeystoneError - raise exceptions.KeystoneError - - -def check_auth(function): - @wraps(function) - def wrapper(*args, **kwargs): - token = request.headers.get('X-Auth-Token') - token = check_token(token) - if not token: - raise exceptions.AuthException - user_id = kwargs.pop("user_id", token) - result = function(*args, **kwargs, user_id=user_id) - return result - return wrapper diff --git a/tests/python_unit/run_tests.sh b/tests/python_unit/run_tests.sh index 0a9ac1f3..ab30e523 100644 --- a/tests/python_unit/run_tests.sh +++ b/tests/python_unit/run_tests.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -echo "starting Moon Functional Tests" +echo "starting Moon Unit Tests" cd python_moonutilities docker run --rm --volume $(pwd):/data wukongsun/moon_python_unit_test:latest diff --git a/tools/moon_kubernetes/conf/moon.conf b/tools/moon_kubernetes/conf/moon.conf index e242125b..5fc94edd 100644 --- a/tools/moon_kubernetes/conf/moon.conf +++ b/tools/moon_kubernetes/conf/moon.conf @@ -22,12 +22,12 @@ components: port: 8080 bind: 0.0.0.0 hostname: interface - container: wukongsun/moon_interface:latest + container: moonplatform/moon_interface:latest authz: port: 8081 bind: 0.0.0.0 hostname: interface - container: wukongsun/moon_authz:latest + container: moonplatform/moon_authz:latest session: container: asteroide/session:latest port: 8082 @@ -35,7 +35,7 @@ components: port: 8083 bind: 0.0.0.0 hostname: orchestrator - container: wukongsun/moon_orchestrator:latest + container: moonplatform/moon_orchestrator:latest external: port: 30003 hostname: orchestrator @@ -43,13 +43,13 @@ components: port: 8080 bind: 0.0.0.0 hostname: wrapper - container: wukongsun/moon_wrapper:latest + container: moonplatform/moon_wrapper:latest timeout: 5 manager: port: 8082 bind: 0.0.0.0 hostname: manager - container: wukongsun/moon_manager:latest + container: moonplatform/moon_manager:latest external: port: 30001 hostname: manager diff --git a/tools/moon_kubernetes/templates/moon_forming.yaml b/tools/moon_kubernetes/templates/moon_forming.yaml index 334ee175..1214a41a 100644 --- a/tools/moon_kubernetes/templates/moon_forming.yaml +++ b/tools/moon_kubernetes/templates/moon_forming.yaml @@ -10,7 +10,7 @@ spec: spec: containers: - name: forming - image: wukongsun/moon_forming:latest + image: moonplatform/moon_forming:latest env: - name: POPULATE_ARGS value: "--verbose" # debug mode: --debug diff --git a/tools/moon_kubernetes/templates/moon_gui.yaml b/tools/moon_kubernetes/templates/moon_gui.yaml index 7c6ab732..eca4267d 100644 --- a/tools/moon_kubernetes/templates/moon_gui.yaml +++ b/tools/moon_kubernetes/templates/moon_gui.yaml @@ -13,7 +13,7 @@ spec: hostname: gui containers: - name: gui - image: wukongsun/moon_gui:latest + image: moonplatform/moon_gui:latest env: - name: MANAGER_HOST value: "127.0.0.1" diff --git a/tools/moon_kubernetes/templates/moon_manager.yaml b/tools/moon_kubernetes/templates/moon_manager.yaml index 28913f48..8eb59482 100644 --- a/tools/moon_kubernetes/templates/moon_manager.yaml +++ b/tools/moon_kubernetes/templates/moon_manager.yaml @@ -4,7 +4,7 @@ metadata: name: manager namespace: moon spec: - replicas: 3 + replicas: 1 template: metadata: labels: @@ -13,7 +13,7 @@ spec: hostname: manager containers: - name: manager - image: wukongsun/moon_manager:latest + image: moonplatform/moon_manager:latest ports: - containerPort: 8082 --- diff --git a/tools/moon_kubernetes/templates/moon_orchestrator.yaml b/tools/moon_kubernetes/templates/moon_orchestrator.yaml index 9c34a60b..a4ae2bd9 100644 --- a/tools/moon_kubernetes/templates/moon_orchestrator.yaml +++ b/tools/moon_kubernetes/templates/moon_orchestrator.yaml @@ -13,7 +13,7 @@ spec: hostname: orchestrator containers: - name: orchestrator - image: wukongsun/moon_orchestrator:latest + image: moonplatform/moon_orchestrator:latest ports: - containerPort: 8083 volumeMounts: diff --git a/tools/policies/generate_opst_policy.py b/tools/policies/generate_opst_policy.py new file mode 100644 index 00000000..dd01d1c1 --- /dev/null +++ b/tools/policies/generate_opst_policy.py @@ -0,0 +1,167 @@ +import json +import os +import logging +import argparse + + +FILES = [ + "cinder.policy.json", + "glance.policy.json", + "keystone.policy.json", + "neutron.policy.json", + "nova.policy.json", +] +policy = { + "pdps": [{ + "name": "external_pdp", + "keystone_project_id": "", + "description": "", + "policies": [{"name": "OpenStack RBAC Policy"}]} + ], + + "policies": [{ + "name": "OpenStack RBAC Policy", + "genre": "authz", + "description": "A RBAC policy similar of what you can find through policy.json files", + "model": {"name": "OPST_RBAC"}, "mandatory": True, "override": True} + ], + + "models": [{"name": "OPST_RBAC", "description": "", "meta_rules": [{"name": "rbac"}], "override": True}], + + "subjects": [ + {"name": "admin", "description": "", "extra": {}, "policies": [{"name": "OpenStack RBAC Policy"}]}, + {"name": "demo", "description": "", "extra": {}, "policies": [{"name": "OpenStack RBAC Policy"}]} + ], + + "subject_categories": [{"name": "role", "description": "a role in OpenStack"}], + + "subject_data": [ + {"name": "admin", "description": "the admin role", "policies": [], "category": {"name": "role"}}, + {"name": "member", "description": "the member role", "policies": [], "category": {"name": "role"}} + ], + + "subject_assignments": [ + {"subject": {"name": "admin"}, "category": {"name": "role"}, "assignments": [{"name": "admin"}, {"name": "member"}]}, + {"subject": {"name": "demo"}, "category": {"name": "role"}, "assignments": [{"name": "member"}]} + ], + + "objects": [], + + "object_categories": [{"name": "id", "description": "the UID of each virtual machine"}], + + "object_data": [ + { + "name": "all_vm", + "description": "represents all virtual machines in this project", + "policies": [], + "category": {"name": "id"}}, + ], + + "object_assignments": [], + + "actions": [], + + "action_categories": [{"name": "action_id", "description": ""}], + + "action_data": [], + + "action_assignments": [], + + "meta_rules": [ + { + "name": "rbac", "description": "", + "subject_categories": [{"name": "role"}], + "object_categories": [{"name": "id"}], + "action_categories": [{"name": "action_id"}] + } + ], + + "rules": [], + +} +logger = logging.getLogger(__name__) + + +def init(): + parser = argparse.ArgumentParser() + parser.add_argument("--verbose", '-v', action='store_true', help='verbose mode') + parser.add_argument("--debug", '-d', action='store_true', help='debug mode') + parser.add_argument("--dir", help='directory containing policy files', default="./policy.json.d") + parser.add_argument("--indent", '-i', help='indent the output (default:None)', type=int, default=None) + parser.add_argument("--output", '-o', help='output name', type=str, default="opst_default_policy.json") + args = parser.parse_args() + logging_format = "%(levelname)s: %(message)s" + if args.verbose: + logging.basicConfig(level=logging.INFO, format=logging_format) + if args.debug: + logging.basicConfig(level=logging.DEBUG, format=logging_format) + else: + logging.basicConfig(format=logging_format) + return args + + +def get_rules(args): + results = {} + for f in FILES: + _json_file = json.loads(open(os.path.join(args.dir, f)).read()) + keys = list(_json_file.keys()) + values = list(_json_file.values()) + for value in values: + if value in keys: + keys.remove(value) + component = os.path.basename(f).split(".")[0] + results[component] = keys + return results + + +def build_dict(results): + for key in results: + for rule in results[key]: + _output = { + "name": rule, + "description": "{} action for {}".format(rule, key), + "extra": {"component": key}, + "policies": [] + } + policy['actions'].append(_output) + _output = { + "name": rule, + "description": "{} action for {}".format(rule, key), + "policies": [], + "category": {"name": "action_id"} + } + policy['action_data'].append(_output) + _output = { + "action": {"name": rule}, + "category": {"name": "action_id"}, + "assignments": [{"name": rule}, ]} + policy['action_assignments'].append(_output) + _output = { + "meta_rule": {"name": "rbac"}, + "rule": { + "subject_data": [{"name": "admin"}], + "object_data": [{"name": "all_vm"}], + "action_data": [{"name": rule}] + }, + "policy": {"name": "OpenStack RBAC Policy"}, + "instructions": {"decision": "grant"}, + "enabled": True + } + policy['rules'].append(_output) + # TODO: add rules for member only + # TODO: add rules for everyone + + +def write_dict(args): + json.dump(policy, open(args.output, "w"), indent=args.indent) + + +def main(): + args = init() + rules = get_rules(args) + build_dict(rules) + write_dict(args) + + +if __name__ == "__main__": + main()
\ No newline at end of file diff --git a/tools/policies/policy.json.d/cinder.policy.json b/tools/policies/policy.json.d/cinder.policy.json new file mode 100644 index 00000000..02af88bd --- /dev/null +++ b/tools/policies/policy.json.d/cinder.policy.json @@ -0,0 +1,104 @@ +{ + "context_is_admin": "role:admin", + "admin_or_owner": "is_admin:True or project_id:%(project_id)s", + "default": "rule:admin_or_owner", + + "admin_api": "is_admin:True", + + "volume:create": "", + "volume:delete": "rule:admin_or_owner", + "volume:get": "rule:admin_or_owner", + "volume:get_all": "rule:admin_or_owner", + "volume:get_volume_metadata": "rule:admin_or_owner", + "volume:delete_volume_metadata": "rule:admin_or_owner", + "volume:update_volume_metadata": "rule:admin_or_owner", + "volume:get_volume_admin_metadata": "rule:admin_api", + "volume:update_volume_admin_metadata": "rule:admin_api", + "volume:get_snapshot": "rule:admin_or_owner", + "volume:get_all_snapshots": "rule:admin_or_owner", + "volume:create_snapshot": "rule:admin_or_owner", + "volume:delete_snapshot": "rule:admin_or_owner", + "volume:update_snapshot": "rule:admin_or_owner", + "volume:extend": "rule:admin_or_owner", + "volume:update_readonly_flag": "rule:admin_or_owner", + "volume:retype": "rule:admin_or_owner", + "volume:update": "rule:admin_or_owner", + + "volume_extension:types_manage": "rule:admin_api", + "volume_extension:types_extra_specs": "rule:admin_api", + "volume_extension:access_types_qos_specs_id": "rule:admin_api", + "volume_extension:access_types_extra_specs": "rule:admin_api", + "volume_extension:volume_type_access": "rule:admin_or_owner", + "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api", + "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api", + "volume_extension:volume_type_encryption": "rule:admin_api", + "volume_extension:volume_encryption_metadata": "rule:admin_or_owner", + "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner", + "volume_extension:volume_image_metadata": "rule:admin_or_owner", + + "volume_extension:quotas:show": "", + "volume_extension:quotas:update": "rule:admin_api", + "volume_extension:quotas:delete": "rule:admin_api", + "volume_extension:quota_classes": "rule:admin_api", + "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api", + + "volume_extension:volume_admin_actions:reset_status": "rule:admin_api", + "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api", + "volume_extension:backup_admin_actions:reset_status": "rule:admin_api", + "volume_extension:volume_admin_actions:force_delete": "rule:admin_api", + "volume_extension:volume_admin_actions:force_detach": "rule:admin_api", + "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api", + "volume_extension:backup_admin_actions:force_delete": "rule:admin_api", + "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api", + "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api", + + "volume_extension:volume_host_attribute": "rule:admin_api", + "volume_extension:volume_tenant_attribute": "rule:admin_or_owner", + "volume_extension:volume_mig_status_attribute": "rule:admin_api", + "volume_extension:hosts": "rule:admin_api", + "volume_extension:services:index": "rule:admin_api", + "volume_extension:services:update" : "rule:admin_api", + + "volume_extension:volume_manage": "rule:admin_api", + "volume_extension:volume_unmanage": "rule:admin_api", + + "volume_extension:capabilities": "rule:admin_api", + + "volume:create_transfer": "rule:admin_or_owner", + "volume:accept_transfer": "", + "volume:delete_transfer": "rule:admin_or_owner", + "volume:get_all_transfers": "rule:admin_or_owner", + + "volume_extension:replication:promote": "rule:admin_api", + "volume_extension:replication:reenable": "rule:admin_api", + + "volume:enable_replication": "rule:admin_api", + "volume:disable_replication": "rule:admin_api", + "volume:failover_replication": "rule:admin_api", + "volume:list_replication_targets": "rule:admin_api", + + "backup:create" : "", + "backup:delete": "rule:admin_or_owner", + "backup:get": "rule:admin_or_owner", + "backup:get_all": "rule:admin_or_owner", + "backup:restore": "rule:admin_or_owner", + "backup:backup-import": "rule:admin_api", + "backup:backup-export": "rule:admin_api", + + "snapshot_extension:snapshot_actions:update_snapshot_status": "", + "snapshot_extension:snapshot_manage": "rule:admin_api", + "snapshot_extension:snapshot_unmanage": "rule:admin_api", + + "consistencygroup:create" : "group:nobody", + "consistencygroup:delete": "group:nobody", + "consistencygroup:update": "group:nobody", + "consistencygroup:get": "group:nobody", + "consistencygroup:get_all": "group:nobody", + + "consistencygroup:create_cgsnapshot" : "group:nobody", + "consistencygroup:delete_cgsnapshot": "group:nobody", + "consistencygroup:get_cgsnapshot": "group:nobody", + "consistencygroup:get_all_cgsnapshots": "group:nobody", + + "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api" +} diff --git a/tools/policies/policy.json.d/glance.policy.json b/tools/policies/policy.json.d/glance.policy.json new file mode 100644 index 00000000..5b1f6be7 --- /dev/null +++ b/tools/policies/policy.json.d/glance.policy.json @@ -0,0 +1,63 @@ +{ + "context_is_admin": "role:admin", + "default": "role:admin", + + "add_image": "", + "delete_image": "", + "get_image": "", + "get_images": "", + "modify_image": "", + "publicize_image": "role:admin", + "communitize_image": "", + "copy_from": "", + + "download_image": "", + "upload_image": "", + + "delete_image_location": "", + "get_image_location": "", + "set_image_location": "", + + "add_member": "", + "delete_member": "", + "get_member": "", + "get_members": "", + "modify_member": "", + + "manage_image_cache": "role:admin", + + "get_task": "", + "get_tasks": "", + "add_task": "", + "modify_task": "", + "tasks_api_access": "role:admin", + + "deactivate": "", + "reactivate": "", + + "get_metadef_namespace": "", + "get_metadef_namespaces":"", + "modify_metadef_namespace":"", + "add_metadef_namespace":"", + + "get_metadef_object":"", + "get_metadef_objects":"", + "modify_metadef_object":"", + "add_metadef_object":"", + + "list_metadef_resource_types":"", + "get_metadef_resource_type":"", + "add_metadef_resource_type_association":"", + + "get_metadef_property":"", + "get_metadef_properties":"", + "modify_metadef_property":"", + "add_metadef_property":"", + + "get_metadef_tag":"", + "get_metadef_tags":"", + "modify_metadef_tag":"", + "add_metadef_tag":"", + "add_metadef_tags":"" + +} diff --git a/tools/policies/policy.json.d/keystone.policy.json b/tools/policies/policy.json.d/keystone.policy.json new file mode 100644 index 00000000..263912bf --- /dev/null +++ b/tools/policies/policy.json.d/keystone.policy.json @@ -0,0 +1,260 @@ +{ + "admin_required": "role:admin", + "cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)", + "service_role": "role:service", + "service_or_admin": "rule:admin_required or rule:service_role", + "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s", + "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner", + "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s", + "service_admin_or_owner": "rule:service_or_admin or rule:owner", + + "default": "rule:admin_required", + + "identity:get_region": "", + "identity:list_regions": "", + "identity:create_region": "rule:cloud_admin", + "identity:update_region": "rule:cloud_admin", + "identity:delete_region": "rule:cloud_admin", + + "identity:get_service": "rule:admin_required", + "identity:list_services": "rule:admin_required", + "identity:create_service": "rule:cloud_admin", + "identity:update_service": "rule:cloud_admin", + "identity:delete_service": "rule:cloud_admin", + + "identity:get_endpoint": "rule:admin_required", + "identity:list_endpoints": "rule:admin_required", + "identity:create_endpoint": "rule:cloud_admin", + "identity:update_endpoint": "rule:cloud_admin", + "identity:delete_endpoint": "rule:cloud_admin", + + "identity:get_registered_limit": "", + "identity:list_registered_limits": "", + "identity:create_registered_limits": "rule:admin_required", + "identity:update_registered_limits": "rule:admin_required", + "identity:delete_registered_limit": "rule:admin_required", + + "identity:get_limit": "", + "identity:list_limits": "", + "identity:create_limits": "rule:admin_required", + "identity:update_limits": "rule:admin_required", + "identity:delete_limit": "rule:admin_required", + + "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s", + "identity:list_domains": "rule:cloud_admin", + "identity:create_domain": "rule:cloud_admin", + "identity:update_domain": "rule:cloud_admin", + "identity:delete_domain": "rule:cloud_admin", + + "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s", + "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s", + "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s", + "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id", + "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id", + "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id", + "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id", + "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id", + "identity:create_project_tag": "rule:admin_required", + "identity:delete_project_tag": "rule:admin_required", + "identity:get_project_tag": "rule:admin_required", + "identity:list_project_tags": "rule:admin_required", + "identity:delete_project_tags": "rule:admin_required", + "identity:update_project_tags": "rule:admin_required", + + "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s", + "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s", + "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner", + "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id", + "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id", + "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id", + "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id", + + "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s", + "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s", + "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id", + "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id", + "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id", + "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + + "identity:get_credential": "rule:admin_required", + "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s", + "identity:create_credential": "rule:admin_required", + "identity:update_credential": "rule:admin_required", + "identity:delete_credential": "rule:admin_required", + + "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", + "identity:ec2_list_credentials": "rule:admin_required or rule:owner", + "identity:ec2_create_credential": "rule:admin_required or rule:owner", + "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", + + "identity:get_role": "rule:admin_required", + "identity:list_roles": "rule:admin_required", + "identity:create_role": "rule:cloud_admin", + "identity:update_role": "rule:cloud_admin", + "identity:delete_role": "rule:cloud_admin", + + "identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles", + "identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles", + "identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role", + "identity:update_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role", + "identity:delete_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role", + "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s", + "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role", + "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s", + "project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s", + "list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles", + "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s", + "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s", + "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s", + "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)", + + "identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", + "identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", + "identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)", + "identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", + "identity:list_role_inference_rules": "rule:cloud_admin", + "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", + + "identity:list_system_grants_for_user": "rule:admin_required", + "identity:check_system_grant_for_user": "rule:admin_required", + "identity:create_system_grant_for_user": "rule:admin_required", + "identity:revoke_system_grant_for_user": "rule:admin_required", + + "identity:list_system_grants_for_group": "rule:admin_required", + "identity:check_system_grant_for_group": "rule:admin_required", + "identity:create_system_grant_for_group": "rule:admin_required", + "identity:revoke_system_grant_for_group": "rule:admin_required", + + "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", + "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants", + "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", + "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", + "domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants", + "domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match", + "domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match", + "domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s", + "project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants", + "project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s", + "project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s", + "domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match", + "project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s", + + "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s", + "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s", + "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s", + "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter", + "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter", + "identity:get_policy": "rule:cloud_admin", + "identity:list_policies": "rule:cloud_admin", + "identity:create_policy": "rule:cloud_admin", + "identity:update_policy": "rule:cloud_admin", + "identity:delete_policy": "rule:cloud_admin", + + "identity:check_token": "rule:admin_or_owner", + "identity:validate_token": "rule:service_admin_or_owner", + "identity:validate_token_head": "rule:service_or_admin", + "identity:revocation_list": "rule:service_or_admin", + "identity:revoke_token": "rule:admin_or_owner", + + "identity:create_trust": "user_id:%(trust.trustor_user_id)s", + "identity:list_trusts": "", + "identity:list_roles_for_trust": "", + "identity:get_role_for_trust": "", + "identity:delete_trust": "", + "identity:get_trust": "", + + "identity:create_consumer": "rule:admin_required", + "identity:get_consumer": "rule:admin_required", + "identity:list_consumers": "rule:admin_required", + "identity:delete_consumer": "rule:admin_required", + "identity:update_consumer": "rule:admin_required", + + "identity:authorize_request_token": "rule:admin_required", + "identity:list_access_token_roles": "rule:admin_required", + "identity:get_access_token_role": "rule:admin_required", + "identity:list_access_tokens": "rule:admin_required", + "identity:get_access_token": "rule:admin_required", + "identity:delete_access_token": "rule:admin_required", + + "identity:list_projects_for_endpoint": "rule:admin_required", + "identity:add_endpoint_to_project": "rule:admin_required", + "identity:check_endpoint_in_project": "rule:admin_required", + "identity:list_endpoints_for_project": "rule:admin_required", + "identity:remove_endpoint_from_project": "rule:admin_required", + + "identity:create_endpoint_group": "rule:admin_required", + "identity:list_endpoint_groups": "rule:admin_required", + "identity:get_endpoint_group": "rule:admin_required", + "identity:update_endpoint_group": "rule:admin_required", + "identity:delete_endpoint_group": "rule:admin_required", + "identity:list_projects_associated_with_endpoint_group": "rule:admin_required", + "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", + "identity:get_endpoint_group_in_project": "rule:admin_required", + "identity:list_endpoint_groups_for_project": "rule:admin_required", + "identity:add_endpoint_group_to_project": "rule:admin_required", + "identity:remove_endpoint_group_from_project": "rule:admin_required", + + "identity:create_identity_provider": "rule:cloud_admin", + "identity:list_identity_providers": "rule:cloud_admin", + "identity:get_identity_provider": "rule:cloud_admin", + "identity:update_identity_provider": "rule:cloud_admin", + "identity:delete_identity_provider": "rule:cloud_admin", + + "identity:create_protocol": "rule:cloud_admin", + "identity:update_protocol": "rule:cloud_admin", + "identity:get_protocol": "rule:cloud_admin", + "identity:list_protocols": "rule:cloud_admin", + "identity:delete_protocol": "rule:cloud_admin", + + "identity:create_mapping": "rule:cloud_admin", + "identity:get_mapping": "rule:cloud_admin", + "identity:list_mappings": "rule:cloud_admin", + "identity:delete_mapping": "rule:cloud_admin", + "identity:update_mapping": "rule:cloud_admin", + + "identity:create_service_provider": "rule:cloud_admin", + "identity:list_service_providers": "rule:cloud_admin", + "identity:get_service_provider": "rule:cloud_admin", + "identity:update_service_provider": "rule:cloud_admin", + "identity:delete_service_provider": "rule:cloud_admin", + + "identity:get_auth_catalog": "", + "identity:get_auth_projects": "", + "identity:get_auth_domains": "", + "identity:get_auth_system": "", + + "identity:list_projects_for_user": "", + "identity:list_domains_for_user": "", + + "identity:list_revoke_events": "rule:service_or_admin", + + "identity:create_policy_association_for_endpoint": "rule:cloud_admin", + "identity:check_policy_association_for_endpoint": "rule:cloud_admin", + "identity:delete_policy_association_for_endpoint": "rule:cloud_admin", + "identity:create_policy_association_for_service": "rule:cloud_admin", + "identity:check_policy_association_for_service": "rule:cloud_admin", + "identity:delete_policy_association_for_service": "rule:cloud_admin", + "identity:create_policy_association_for_region_and_service": "rule:cloud_admin", + "identity:check_policy_association_for_region_and_service": "rule:cloud_admin", + "identity:delete_policy_association_for_region_and_service": "rule:cloud_admin", + "identity:get_policy_for_endpoint": "rule:cloud_admin", + "identity:list_endpoints_for_policy": "rule:cloud_admin", + + "identity:create_domain_config": "rule:cloud_admin", + "identity:get_domain_config": "rule:cloud_admin", + "identity:get_security_compliance_domain_config": "", + "identity:update_domain_config": "rule:cloud_admin", + "identity:delete_domain_config": "rule:cloud_admin", + "identity:get_domain_config_default": "rule:cloud_admin", + + "identity:get_application_credential": "rule:admin_or_owner", + "identity:list_application_credentials": "rule:admin_or_owner", + "identity:create_application_credential": "rule:admin_or_owner", + "identity:delete_application_credential": "rule:admin_or_owner" +} diff --git a/tools/policies/policy.json.d/neutron.policy.json b/tools/policies/policy.json.d/neutron.policy.json new file mode 100644 index 00000000..15f17203 --- /dev/null +++ b/tools/policies/policy.json.d/neutron.policy.json @@ -0,0 +1,235 @@ +{ + "context_is_admin": "role:admin or user_name:neutron", + "owner": "tenant_id:%(tenant_id)s", + "admin_or_owner": "rule:context_is_admin or rule:owner", + "context_is_advsvc": "role:advsvc", + "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s", + "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner", + "admin_only": "rule:context_is_admin", + "regular_user": "", + "admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator", + "shared": "field:networks:shared=True", + "shared_subnetpools": "field:subnetpools:shared=True", + "shared_address_scopes": "field:address_scopes:shared=True", + "external": "field:networks:router:external=True", + "default": "rule:admin_or_owner", + + "create_subnet": "rule:admin_or_network_owner", + "create_subnet:segment_id": "rule:admin_only", + "create_subnet:service_types": "rule:admin_only", + "get_subnet": "rule:admin_or_owner or rule:shared", + "get_subnet:segment_id": "rule:admin_only", + "update_subnet": "rule:admin_or_network_owner", + "update_subnet:service_types": "rule:admin_only", + "delete_subnet": "rule:admin_or_network_owner", + + "create_subnetpool": "", + "create_subnetpool:shared": "rule:admin_only", + "create_subnetpool:is_default": "rule:admin_only", + "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools", + "update_subnetpool": "rule:admin_or_owner", + "update_subnetpool:is_default": "rule:admin_only", + "delete_subnetpool": "rule:admin_or_owner", + + "create_address_scope": "", + "create_address_scope:shared": "rule:admin_only", + "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes", + "update_address_scope": "rule:admin_or_owner", + "update_address_scope:shared": "rule:admin_only", + "delete_address_scope": "rule:admin_or_owner", + + "create_network": "", + "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc", + "get_network:router:external": "rule:regular_user", + "get_network:segments": "rule:admin_only", + "get_network:provider:network_type": "rule:admin_only", + "get_network:provider:physical_network": "rule:admin_only", + "get_network:provider:segmentation_id": "rule:admin_only", + "get_network:queue_id": "rule:admin_only", + "get_network_ip_availabilities": "rule:admin_only", + "get_network_ip_availability": "rule:admin_only", + "create_network:shared": "rule:admin_only", + "create_network:router:external": "rule:admin_only", + "create_network:is_default": "rule:admin_only", + "create_network:segments": "rule:admin_only", + "create_network:provider:network_type": "rule:admin_only", + "create_network:provider:physical_network": "rule:admin_only", + "create_network:provider:segmentation_id": "rule:admin_only", + "update_network": "rule:admin_or_owner", + "update_network:segments": "rule:admin_only", + "update_network:shared": "rule:admin_only", + "update_network:provider:network_type": "rule:admin_only", + "update_network:provider:physical_network": "rule:admin_only", + "update_network:provider:segmentation_id": "rule:admin_only", + "update_network:router:external": "rule:admin_only", + "delete_network": "rule:admin_or_owner", + + "create_segment": "rule:admin_only", + "get_segment": "rule:admin_only", + "update_segment": "rule:admin_only", + "delete_segment": "rule:admin_only", + + "network_device": "field:port:device_owner=~^network:", + "create_port": "", + "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared", + "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:binding:host_id": "rule:admin_only", + "create_port:binding:profile": "rule:admin_only", + "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", + "create_port:allowed_address_pairs": "rule:admin_or_network_owner", + "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", + "get_port:queue_id": "rule:admin_only", + "get_port:binding:vif_type": "rule:admin_only", + "get_port:binding:vif_details": "rule:admin_only", + "get_port:binding:host_id": "rule:admin_only", + "get_port:binding:profile": "rule:admin_only", + "update_port": "rule:admin_or_owner or rule:context_is_advsvc", + "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner", + "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc", + "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner", + "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared", + "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", + "update_port:binding:host_id": "rule:admin_only", + "update_port:binding:profile": "rule:admin_only", + "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", + "update_port:allowed_address_pairs": "rule:admin_or_network_owner", + "update_port:data_plane_status": "rule:admin_or_data_plane_int", + "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", + + "get_router:ha": "rule:admin_only", + "create_router": "rule:regular_user", + "create_router:external_gateway_info:enable_snat": "rule:admin_only", + "create_router:distributed": "rule:admin_only", + "create_router:ha": "rule:admin_only", + "get_router": "http://192.168.1.50:31002/wrapper/authz/grant", + "get_router:distributed": "rule:admin_only", + "update_router": "rule:admin_or_owner", + "update_router:external_gateway_info": "rule:admin_or_owner", + "update_router:external_gateway_info:network_id": "rule:admin_or_owner", + "update_router:external_gateway_info:enable_snat": "rule:admin_only", + "update_router:distributed": "rule:admin_only", + "update_router:ha": "rule:admin_only", + "delete_router": "rule:admin_or_owner", + + "add_router_interface": "rule:admin_or_owner", + "remove_router_interface": "rule:admin_or_owner", + + "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only", + "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only", + + "create_qos_queue": "rule:admin_only", + "get_qos_queue": "rule:admin_only", + + "update_agent": "rule:admin_only", + "delete_agent": "rule:admin_only", + "get_agent": "rule:admin_only", + + "create_dhcp-network": "rule:admin_only", + "delete_dhcp-network": "rule:admin_only", + "get_dhcp-networks": "rule:admin_only", + "create_l3-router": "rule:admin_only", + "delete_l3-router": "rule:admin_only", + "get_l3-routers": "rule:admin_only", + "get_dhcp-agents": "rule:admin_only", + "get_l3-agents": "rule:admin_only", + "get_loadbalancer-agent": "rule:admin_only", + "get_loadbalancer-pools": "rule:admin_only", + "get_agent-loadbalancers": "rule:admin_only", + "get_loadbalancer-hosting-agent": "rule:admin_only", + + "create_floatingip": "rule:regular_user", + "create_floatingip:floating_ip_address": "rule:admin_only", + "update_floatingip": "rule:admin_or_owner", + "delete_floatingip": "rule:admin_or_owner", + "get_floatingip": "rule:admin_or_owner", + + "create_network_profile": "rule:admin_only", + "update_network_profile": "rule:admin_only", + "delete_network_profile": "rule:admin_only", + "get_network_profiles": "", + "get_network_profile": "", + "update_policy_profiles": "rule:admin_only", + "get_policy_profiles": "", + "get_policy_profile": "", + + "create_metering_label": "rule:admin_only", + "delete_metering_label": "rule:admin_only", + "get_metering_label": "rule:admin_only", + + "create_metering_label_rule": "rule:admin_only", + "delete_metering_label_rule": "rule:admin_only", + "get_metering_label_rule": "rule:admin_only", + + "get_service_provider": "rule:regular_user", + "get_lsn": "rule:admin_only", + "create_lsn": "rule:admin_only", + + "create_flavor": "rule:admin_only", + "update_flavor": "rule:admin_only", + "delete_flavor": "rule:admin_only", + "get_flavors": "rule:regular_user", + "get_flavor": "rule:regular_user", + "create_service_profile": "rule:admin_only", + "update_service_profile": "rule:admin_only", + "delete_service_profile": "rule:admin_only", + "get_service_profiles": "rule:admin_only", + "get_service_profile": "rule:admin_only", + + "get_policy": "rule:regular_user", + "create_policy": "rule:admin_only", + "update_policy": "rule:admin_only", + "delete_policy": "rule:admin_only", + "get_policy_bandwidth_limit_rule": "rule:regular_user", + "create_policy_bandwidth_limit_rule": "rule:admin_only", + "delete_policy_bandwidth_limit_rule": "rule:admin_only", + "update_policy_bandwidth_limit_rule": "rule:admin_only", + "get_policy_dscp_marking_rule": "rule:regular_user", + "create_policy_dscp_marking_rule": "rule:admin_only", + "delete_policy_dscp_marking_rule": "rule:admin_only", + "update_policy_dscp_marking_rule": "rule:admin_only", + "get_rule_type": "rule:regular_user", + "get_policy_minimum_bandwidth_rule": "rule:regular_user", + "create_policy_minimum_bandwidth_rule": "rule:admin_only", + "delete_policy_minimum_bandwidth_rule": "rule:admin_only", + "update_policy_minimum_bandwidth_rule": "rule:admin_only", + + "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only", + "create_rbac_policy": "", + "create_rbac_policy:target_tenant": "rule:restrict_wildcard", + "update_rbac_policy": "rule:admin_or_owner", + "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner", + "get_rbac_policy": "rule:admin_or_owner", + "delete_rbac_policy": "rule:admin_or_owner", + + "create_flavor_service_profile": "rule:admin_only", + "delete_flavor_service_profile": "rule:admin_only", + "get_flavor_service_profile": "rule:regular_user", + "get_auto_allocated_topology": "rule:admin_or_owner", + + "create_trunk": "rule:regular_user", + "get_trunk": "rule:admin_or_owner", + "delete_trunk": "rule:admin_or_owner", + "get_subports": "", + "add_subports": "rule:admin_or_owner", + "remove_subports": "rule:admin_or_owner", + + "get_security_groups": "rule:admin_or_owner", + "get_security_group": "rule:admin_or_owner", + "create_security_group": "rule:admin_or_owner", + "update_security_group": "rule:admin_or_owner", + "delete_security_group": "rule:admin_or_owner", + "get_security_group_rules": "rule:admin_or_owner", + "get_security_group_rule": "rule:admin_or_owner", + "create_security_group_rule": "rule:admin_or_owner", + "delete_security_group_rule": "rule:admin_or_owner", + + "get_loggable_resources": "rule:admin_only", + "create_log": "rule:admin_only", + "update_log": "rule:admin_only", + "delete_log": "rule:admin_only", + "get_logs": "rule:admin_only", + "get_log": "rule:admin_only" +} diff --git a/tools/policies/policy.json.d/nova.policy.json b/tools/policies/policy.json.d/nova.policy.json new file mode 100644 index 00000000..da8f5740 --- /dev/null +++ b/tools/policies/policy.json.d/nova.policy.json @@ -0,0 +1,485 @@ +{ + "context_is_admin": "role:admin", + "admin_or_owner": "is_admin:True or project_id:%(project_id)s", + "default": "rule:admin_or_owner", + + "cells_scheduler_filter:TargetCellFilter": "is_admin:True", + + "compute:create": "", + "compute:create:attach_network": "", + "compute:create:attach_volume": "", + "compute:create:forced_host": "is_admin:True", + + "compute:get": "", + "compute:get_all": "", + "compute:get_all_tenants": "is_admin:True", + + "compute:update": "", + + "compute:get_instance_metadata": "", + "compute:get_all_instance_metadata": "", + "compute:get_all_instance_system_metadata": "", + "compute:update_instance_metadata": "", + "compute:delete_instance_metadata": "", + + "compute:get_instance_faults": "", + "compute:get_diagnostics": "", + "compute:get_instance_diagnostics": "", + + "compute:start": "rule:admin_or_owner", + "compute:stop": "rule:admin_or_owner", + + "compute:get_lock": "", + "compute:lock": "rule:admin_or_owner", + "compute:unlock": "rule:admin_or_owner", + "compute:unlock_override": "rule:admin_api", + + "compute:get_vnc_console": "", + "compute:get_spice_console": "", + "compute:get_rdp_console": "", + "compute:get_serial_console": "", + "compute:get_mks_console": "", + "compute:get_console_output": "", + + "compute:reset_network": "", + "compute:inject_network_info": "", + "compute:add_fixed_ip": "", + "compute:remove_fixed_ip": "", + + "compute:attach_volume": "", + "compute:detach_volume": "", + "compute:swap_volume": "", + + "compute:attach_interface": "", + "compute:detach_interface": "", + + "compute:set_admin_password": "", + + "compute:rescue": "", + "compute:unrescue": "", + + "compute:suspend": "", + "compute:resume": "", + + "compute:pause": "", + "compute:unpause": "", + + "compute:shelve": "", + "compute:shelve_offload": "", + "compute:unshelve": "", + + "compute:snapshot": "", + "compute:snapshot_volume_backed": "", + "compute:backup": "", + + "compute:resize": "", + "compute:confirm_resize": "", + "compute:revert_resize": "", + + "compute:rebuild": "", + "compute:reboot": "", + "compute:delete": "rule:admin_or_owner", + "compute:soft_delete": "rule:admin_or_owner", + "compute:force_delete": "rule:admin_or_owner", + + "compute:security_groups:add_to_instance": "", + "compute:security_groups:remove_from_instance": "", + + "compute:restore": "", + + "compute:volume_snapshot_create": "", + "compute:volume_snapshot_delete": "", + + "admin_api": "is_admin:True", + "compute_extension:accounts": "rule:admin_api", + "compute_extension:admin_actions": "rule:admin_api", + "compute_extension:admin_actions:pause": "rule:admin_or_owner", + "compute_extension:admin_actions:unpause": "rule:admin_or_owner", + "compute_extension:admin_actions:suspend": "rule:admin_or_owner", + "compute_extension:admin_actions:resume": "rule:admin_or_owner", + "compute_extension:admin_actions:lock": "rule:admin_or_owner", + "compute_extension:admin_actions:unlock": "rule:admin_or_owner", + "compute_extension:admin_actions:resetNetwork": "rule:admin_api", + "compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api", + "compute_extension:admin_actions:createBackup": "rule:admin_or_owner", + "compute_extension:admin_actions:migrateLive": "rule:admin_api", + "compute_extension:admin_actions:resetState": "rule:admin_api", + "compute_extension:admin_actions:migrate": "rule:admin_api", + "compute_extension:aggregates": "rule:admin_api", + "compute_extension:agents": "rule:admin_api", + "compute_extension:attach_interfaces": "", + "compute_extension:baremetal_nodes": "rule:admin_api", + "compute_extension:cells": "rule:admin_api", + "compute_extension:cells:create": "rule:admin_api", + "compute_extension:cells:delete": "rule:admin_api", + "compute_extension:cells:update": "rule:admin_api", + "compute_extension:cells:sync_instances": "rule:admin_api", + "compute_extension:certificates": "", + "compute_extension:cloudpipe": "rule:admin_api", + "compute_extension:cloudpipe_update": "rule:admin_api", + "compute_extension:config_drive": "", + "compute_extension:console_output": "", + "compute_extension:consoles": "", + "compute_extension:createserverext": "", + "compute_extension:deferred_delete": "", + "compute_extension:disk_config": "", + "compute_extension:evacuate": "rule:admin_api", + "compute_extension:extended_server_attributes": "rule:admin_api", + "compute_extension:extended_status": "", + "compute_extension:extended_availability_zone": "", + "compute_extension:extended_ips": "", + "compute_extension:extended_ips_mac": "", + "compute_extension:extended_vif_net": "", + "compute_extension:extended_volumes": "", + "compute_extension:fixed_ips": "rule:admin_api", + "compute_extension:flavor_access": "", + "compute_extension:flavor_access:addTenantAccess": "rule:admin_api", + "compute_extension:flavor_access:removeTenantAccess": "rule:admin_api", + "compute_extension:flavor_disabled": "", + "compute_extension:flavor_rxtx": "", + "compute_extension:flavor_swap": "", + "compute_extension:flavorextradata": "", + "compute_extension:flavorextraspecs:index": "", + "compute_extension:flavorextraspecs:show": "", + "compute_extension:flavorextraspecs:create": "rule:admin_api", + "compute_extension:flavorextraspecs:update": "rule:admin_api", + "compute_extension:flavorextraspecs:delete": "rule:admin_api", + "compute_extension:flavormanage": "rule:admin_api", + "compute_extension:floating_ip_dns": "", + "compute_extension:floating_ip_pools": "", + "compute_extension:floating_ips": "", + "compute_extension:floating_ips_bulk": "rule:admin_api", + "compute_extension:fping": "", + "compute_extension:fping:all_tenants": "rule:admin_api", + "compute_extension:hide_server_addresses": "is_admin:False", + "compute_extension:hosts": "rule:admin_api", + "compute_extension:hypervisors": "rule:admin_api", + "compute_extension:image_size": "", + "compute_extension:instance_actions": "", + "compute_extension:instance_actions:events": "rule:admin_api", + "compute_extension:instance_usage_audit_log": "rule:admin_api", + "compute_extension:keypairs": "", + "compute_extension:keypairs:index": "", + "compute_extension:keypairs:show": "", + "compute_extension:keypairs:create": "", + "compute_extension:keypairs:delete": "", + "compute_extension:multinic": "", + "compute_extension:networks": "rule:admin_api", + "compute_extension:networks:view": "", + "compute_extension:networks_associate": "rule:admin_api", + "compute_extension:os-tenant-networks": "", + "compute_extension:quotas:show": "", + "compute_extension:quotas:update": "rule:admin_api", + "compute_extension:quotas:delete": "rule:admin_api", + "compute_extension:quota_classes": "", + "compute_extension:rescue": "", + "compute_extension:security_group_default_rules": "rule:admin_api", + "compute_extension:security_groups": "", + "compute_extension:server_diagnostics": "rule:admin_api", + "compute_extension:server_groups": "", + "compute_extension:server_password": "", + "compute_extension:server_usage": "", + "compute_extension:services": "rule:admin_api", + "compute_extension:shelve": "", + "compute_extension:shelveOffload": "rule:admin_api", + "compute_extension:simple_tenant_usage:show": "rule:admin_or_owner", + "compute_extension:simple_tenant_usage:list": "rule:admin_api", + "compute_extension:unshelve": "", + "compute_extension:users": "rule:admin_api", + "compute_extension:virtual_interfaces": "", + "compute_extension:virtual_storage_arrays": "", + "compute_extension:volumes": "", + "compute_extension:volume_attachments:index": "", + "compute_extension:volume_attachments:show": "", + "compute_extension:volume_attachments:create": "", + "compute_extension:volume_attachments:update": "", + "compute_extension:volume_attachments:delete": "", + "compute_extension:volumetypes": "", + "compute_extension:availability_zone:list": "", + "compute_extension:availability_zone:detail": "rule:admin_api", + "compute_extension:used_limits_for_admin": "rule:admin_api", + "compute_extension:migrations:index": "rule:admin_api", + "compute_extension:os-assisted-volume-snapshots:create": "rule:admin_api", + "compute_extension:os-assisted-volume-snapshots:delete": "rule:admin_api", + "compute_extension:console_auth_tokens": "rule:admin_api", + "compute_extension:os-server-external-events:create": "rule:admin_api", + + "network:get_all": "", + "network:get": "", + "network:create": "", + "network:delete": "", + "network:associate": "", + "network:disassociate": "", + "network:get_vifs_by_instance": "", + "network:allocate_for_instance": "", + "network:deallocate_for_instance": "", + "network:validate_networks": "", + "network:get_instance_uuids_by_ip_filter": "", + "network:get_instance_id_by_floating_address": "", + "network:setup_networks_on_host": "", + "network:get_backdoor_port": "", + + "network:get_floating_ip": "", + "network:get_floating_ip_pools": "", + "network:get_floating_ip_by_address": "", + "network:get_floating_ips_by_project": "", + "network:get_floating_ips_by_fixed_address": "", + "network:allocate_floating_ip": "", + "network:associate_floating_ip": "", + "network:disassociate_floating_ip": "", + "network:release_floating_ip": "", + "network:migrate_instance_start": "", + "network:migrate_instance_finish": "", + + "network:get_fixed_ip": "", + "network:get_fixed_ip_by_address": "", + "network:add_fixed_ip_to_instance": "", + "network:remove_fixed_ip_from_instance": "", + "network:add_network_to_project": "", + "network:get_instance_nw_info": "", + + "network:get_dns_domains": "", + "network:add_dns_entry": "", + "network:modify_dns_entry": "", + "network:delete_dns_entry": "", + "network:get_dns_entries_by_address": "", + "network:get_dns_entries_by_name": "", + "network:create_private_dns_domain": "", + "network:create_public_dns_domain": "", + "network:delete_dns_domain": "", + "network:attach_external_network": "rule:admin_api", + "network:get_vif_by_mac_address": "", + + "os_compute_api:servers:detail:get_all_tenants": "is_admin:True", + "os_compute_api:servers:index:get_all_tenants": "is_admin:True", + "os_compute_api:servers:confirm_resize": "", + "os_compute_api:servers:create": "", + "os_compute_api:servers:create:attach_network": "", + "os_compute_api:servers:create:attach_volume": "", + "os_compute_api:servers:create:forced_host": "rule:admin_api", + "os_compute_api:servers:delete": "", + "os_compute_api:servers:update": "", + "os_compute_api:servers:detail": "", + "os_compute_api:servers:index": "", + "os_compute_api:servers:reboot": "", + "os_compute_api:servers:rebuild": "", + "os_compute_api:servers:resize": "", + "os_compute_api:servers:revert_resize": "", + "os_compute_api:servers:show": "", + "os_compute_api:servers:create_image": "", + "os_compute_api:servers:create_image:allow_volume_backed": "", + "os_compute_api:servers:start": "rule:admin_or_owner", + "os_compute_api:servers:stop": "rule:admin_or_owner", + "os_compute_api:os-access-ips:discoverable": "", + "os_compute_api:os-access-ips": "", + "os_compute_api:os-admin-actions": "rule:admin_api", + "os_compute_api:os-admin-actions:discoverable": "", + "os_compute_api:os-admin-actions:reset_network": "rule:admin_api", + "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api", + "os_compute_api:os-admin-actions:reset_state": "rule:admin_api", + "os_compute_api:os-admin-password": "", + "os_compute_api:os-admin-password:discoverable": "", + "os_compute_api:os-aggregates:discoverable": "", + "os_compute_api:os-aggregates:index": "rule:admin_api", + "os_compute_api:os-aggregates:create": "rule:admin_api", + "os_compute_api:os-aggregates:show": "rule:admin_api", + "os_compute_api:os-aggregates:update": "rule:admin_api", + "os_compute_api:os-aggregates:delete": "rule:admin_api", + "os_compute_api:os-aggregates:add_host": "rule:admin_api", + "os_compute_api:os-aggregates:remove_host": "rule:admin_api", + "os_compute_api:os-aggregates:set_metadata": "rule:admin_api", + "os_compute_api:os-agents": "rule:admin_api", + "os_compute_api:os-agents:discoverable": "", + "os_compute_api:os-attach-interfaces": "", + "os_compute_api:os-attach-interfaces:discoverable": "", + "os_compute_api:os-baremetal-nodes": "rule:admin_api", + "os_compute_api:os-baremetal-nodes:discoverable": "", + "os_compute_api:os-block-device-mapping-v1:discoverable": "", + "os_compute_api:os-cells": "rule:admin_api", + "os_compute_api:os-cells:create": "rule:admin_api", + "os_compute_api:os-cells:delete": "rule:admin_api", + "os_compute_api:os-cells:update": "rule:admin_api", + "os_compute_api:os-cells:sync_instances": "rule:admin_api", + "os_compute_api:os-cells:discoverable": "", + "os_compute_api:os-certificates:create": "", + "os_compute_api:os-certificates:show": "", + "os_compute_api:os-certificates:discoverable": "", + "os_compute_api:os-cloudpipe": "rule:admin_api", + "os_compute_api:os-cloudpipe:discoverable": "", + "os_compute_api:os-config-drive": "", + "os_compute_api:os-consoles:discoverable": "", + "os_compute_api:os-consoles:create": "", + "os_compute_api:os-consoles:delete": "", + "os_compute_api:os-consoles:index": "", + "os_compute_api:os-consoles:show": "", + "os_compute_api:os-console-output:discoverable": "", + "os_compute_api:os-console-output": "", + "os_compute_api:os-remote-consoles": "", + "os_compute_api:os-remote-consoles:discoverable": "", + "os_compute_api:os-create-backup:discoverable": "", + "os_compute_api:os-create-backup": "rule:admin_or_owner", + "os_compute_api:os-deferred-delete": "", + "os_compute_api:os-deferred-delete:discoverable": "", + "os_compute_api:os-disk-config": "", + "os_compute_api:os-disk-config:discoverable": "", + "os_compute_api:os-evacuate": "rule:admin_api", + "os_compute_api:os-evacuate:discoverable": "", + "os_compute_api:os-extended-server-attributes": "rule:admin_api", + "os_compute_api:os-extended-server-attributes:discoverable": "", + "os_compute_api:os-extended-status": "", + "os_compute_api:os-extended-status:discoverable": "", + "os_compute_api:os-extended-availability-zone": "", + "os_compute_api:os-extended-availability-zone:discoverable": "", + "os_compute_api:extensions": "", + "os_compute_api:extension_info:discoverable": "", + "os_compute_api:os-extended-volumes": "", + "os_compute_api:os-extended-volumes:discoverable": "", + "os_compute_api:os-fixed-ips": "rule:admin_api", + "os_compute_api:os-fixed-ips:discoverable": "", + "os_compute_api:os-flavor-access": "", + "os_compute_api:os-flavor-access:discoverable": "", + "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api", + "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api", + "os_compute_api:os-flavor-rxtx": "", + "os_compute_api:os-flavor-rxtx:discoverable": "", + "os_compute_api:flavors:discoverable": "", + "os_compute_api:os-flavor-extra-specs:discoverable": "", + "os_compute_api:os-flavor-extra-specs:index": "", + "os_compute_api:os-flavor-extra-specs:show": "", + "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api", + "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api", + "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api", + "os_compute_api:os-flavor-manage:discoverable": "", + "os_compute_api:os-flavor-manage": "rule:admin_api", + "os_compute_api:os-floating-ip-dns": "", + "os_compute_api:os-floating-ip-dns:discoverable": "", + "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api", + "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api", + "os_compute_api:os-floating-ip-pools": "", + "os_compute_api:os-floating-ip-pools:discoverable": "", + "os_compute_api:os-floating-ips": "", + "os_compute_api:os-floating-ips:discoverable": "", + "os_compute_api:os-floating-ips-bulk": "rule:admin_api", + "os_compute_api:os-floating-ips-bulk:discoverable": "", + "os_compute_api:os-fping": "", + "os_compute_api:os-fping:discoverable": "", + "os_compute_api:os-fping:all_tenants": "rule:admin_api", + "os_compute_api:os-hide-server-addresses": "is_admin:False", + "os_compute_api:os-hide-server-addresses:discoverable": "", + "os_compute_api:os-hosts": "rule:admin_api", + "os_compute_api:os-hosts:discoverable": "", + "os_compute_api:os-hypervisors": "rule:admin_api", + "os_compute_api:os-hypervisors:discoverable": "", + "os_compute_api:images:discoverable": "", + "os_compute_api:image-size": "", + "os_compute_api:image-size:discoverable": "", + "os_compute_api:os-instance-actions": "", + "os_compute_api:os-instance-actions:discoverable": "", + "os_compute_api:os-instance-actions:events": "rule:admin_api", + "os_compute_api:os-instance-usage-audit-log": "rule:admin_api", + "os_compute_api:os-instance-usage-audit-log:discoverable": "", + "os_compute_api:ips:discoverable": "", + "os_compute_api:ips:index": "rule:admin_or_owner", + "os_compute_api:ips:show": "rule:admin_or_owner", + "os_compute_api:os-keypairs:discoverable": "", + "os_compute_api:os-keypairs": "", + "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s", + "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s", + "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s", + "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s", + "os_compute_api:limits:discoverable": "", + "os_compute_api:limits": "", + "os_compute_api:os-lock-server:discoverable": "", + "os_compute_api:os-lock-server:lock": "rule:admin_or_owner", + "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner", + "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api", + "os_compute_api:os-migrate-server:discoverable": "", + "os_compute_api:os-migrate-server:migrate": "rule:admin_api", + "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api", + "os_compute_api:os-multinic": "", + "os_compute_api:os-multinic:discoverable": "", + "os_compute_api:os-networks": "rule:admin_api", + "os_compute_api:os-networks:view": "", + "os_compute_api:os-networks:discoverable": "", + "os_compute_api:os-networks-associate": "rule:admin_api", + "os_compute_api:os-networks-associate:discoverable": "", + "os_compute_api:os-pause-server:discoverable": "", + "os_compute_api:os-pause-server:pause": "rule:admin_or_owner", + "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner", + "os_compute_api:os-pci:pci_servers": "", + "os_compute_api:os-pci:discoverable": "", + "os_compute_api:os-pci:index": "rule:admin_api", + "os_compute_api:os-pci:detail": "rule:admin_api", + "os_compute_api:os-pci:show": "rule:admin_api", + "os_compute_api:os-personality:discoverable": "", + "os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "", + "os_compute_api:os-quota-sets:discoverable": "", + "os_compute_api:os-quota-sets:show": "rule:admin_or_owner", + "os_compute_api:os-quota-sets:defaults": "", + "os_compute_api:os-quota-sets:update": "rule:admin_api", + "os_compute_api:os-quota-sets:delete": "rule:admin_api", + "os_compute_api:os-quota-sets:detail": "rule:admin_api", + "os_compute_api:os-quota-class-sets:update": "rule:admin_api", + "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s", + "os_compute_api:os-quota-class-sets:discoverable": "", + "os_compute_api:os-rescue": "", + "os_compute_api:os-rescue:discoverable": "", + "os_compute_api:os-scheduler-hints:discoverable": "", + "os_compute_api:os-security-group-default-rules:discoverable": "", + "os_compute_api:os-security-group-default-rules": "rule:admin_api", + "os_compute_api:os-security-groups": "", + "os_compute_api:os-security-groups:discoverable": "", + "os_compute_api:os-server-diagnostics": "rule:admin_api", + "os_compute_api:os-server-diagnostics:discoverable": "", + "os_compute_api:os-server-password": "", + "os_compute_api:os-server-password:discoverable": "", + "os_compute_api:os-server-usage": "", + "os_compute_api:os-server-usage:discoverable": "", + "os_compute_api:os-server-groups": "", + "os_compute_api:os-server-groups:discoverable": "", + "os_compute_api:os-services": "rule:admin_api", + "os_compute_api:os-services:discoverable": "", + "os_compute_api:server-metadata:discoverable": "", + "os_compute_api:server-metadata:index": "rule:admin_or_owner", + "os_compute_api:server-metadata:show": "rule:admin_or_owner", + "os_compute_api:server-metadata:delete": "rule:admin_or_owner", + "os_compute_api:server-metadata:create": "rule:admin_or_owner", + "os_compute_api:server-metadata:update": "rule:admin_or_owner", + "os_compute_api:server-metadata:update_all": "rule:admin_or_owner", + "os_compute_api:servers:discoverable": "", + "os_compute_api:os-shelve:shelve": "", + "os_compute_api:os-shelve:shelve:discoverable": "", + "os_compute_api:os-shelve:shelve_offload": "rule:admin_api", + "os_compute_api:os-simple-tenant-usage:discoverable": "", + "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner", + "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api", + "os_compute_api:os-suspend-server:discoverable": "", + "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner", + "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner", + "os_compute_api:os-tenant-networks": "rule:admin_or_owner", + "os_compute_api:os-tenant-networks:discoverable": "", + "os_compute_api:os-shelve:unshelve": "", + "os_compute_api:os-user-data:discoverable": "", + "os_compute_api:os-virtual-interfaces": "", + "os_compute_api:os-virtual-interfaces:discoverable": "", + "os_compute_api:os-volumes": "", + "os_compute_api:os-volumes:discoverable": "", + "os_compute_api:os-volumes-attachments:index": "", + "os_compute_api:os-volumes-attachments:show": "", + "os_compute_api:os-volumes-attachments:create": "", + "os_compute_api:os-volumes-attachments:update": "", + "os_compute_api:os-volumes-attachments:delete": "", + "os_compute_api:os-volumes-attachments:discoverable": "", + "os_compute_api:os-availability-zone:list": "", + "os_compute_api:os-availability-zone:discoverable": "", + "os_compute_api:os-availability-zone:detail": "rule:admin_api", + "os_compute_api:os-used-limits": "rule:admin_api", + "os_compute_api:os-used-limits:discoverable": "", + "os_compute_api:os-migrations:index": "rule:admin_api", + "os_compute_api:os-migrations:discoverable": "", + "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api", + "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api", + "os_compute_api:os-assisted-volume-snapshots:discoverable": "", + "os_compute_api:os-console-auth-tokens": "rule:admin_api", + "os_compute_api:os-server-external-events:create": "rule:admin_api" +} |