diff options
author | WuKong <rebirthmonkey@gmail.com> | 2015-06-30 18:47:29 +0200 |
---|---|---|
committer | WuKong <rebirthmonkey@gmail.com> | 2015-06-30 18:47:29 +0200 |
commit | b8c756ecdd7cced1db4300935484e8c83701c82e (patch) | |
tree | 87e51107d82b217ede145de9d9d59e2100725bd7 /keystone-moon/keystone/policy | |
parent | c304c773bae68fb854ed9eab8fb35c4ef17cf136 (diff) |
migrate moon code from github to opnfv
Change-Id: Ice53e368fd1114d56a75271aa9f2e598e3eba604
Signed-off-by: WuKong <rebirthmonkey@gmail.com>
Diffstat (limited to 'keystone-moon/keystone/policy')
-rw-r--r-- | keystone-moon/keystone/policy/__init__.py | 17 | ||||
-rw-r--r-- | keystone-moon/keystone/policy/backends/__init__.py | 0 | ||||
-rw-r--r-- | keystone-moon/keystone/policy/backends/rules.py | 92 | ||||
-rw-r--r-- | keystone-moon/keystone/policy/backends/sql.py | 79 | ||||
-rw-r--r-- | keystone-moon/keystone/policy/controllers.py | 56 | ||||
-rw-r--r-- | keystone-moon/keystone/policy/core.py | 135 | ||||
-rw-r--r-- | keystone-moon/keystone/policy/routers.py | 24 | ||||
-rw-r--r-- | keystone-moon/keystone/policy/schema.py | 36 |
8 files changed, 439 insertions, 0 deletions
diff --git a/keystone-moon/keystone/policy/__init__.py b/keystone-moon/keystone/policy/__init__.py new file mode 100644 index 00000000..4cd96793 --- /dev/null +++ b/keystone-moon/keystone/policy/__init__.py @@ -0,0 +1,17 @@ +# Copyright 2012 OpenStack Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystone.policy import controllers # noqa +from keystone.policy.core import * # noqa +from keystone.policy import routers # noqa diff --git a/keystone-moon/keystone/policy/backends/__init__.py b/keystone-moon/keystone/policy/backends/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/keystone-moon/keystone/policy/backends/__init__.py diff --git a/keystone-moon/keystone/policy/backends/rules.py b/keystone-moon/keystone/policy/backends/rules.py new file mode 100644 index 00000000..011dd542 --- /dev/null +++ b/keystone-moon/keystone/policy/backends/rules.py @@ -0,0 +1,92 @@ +# Copyright (c) 2011 OpenStack, LLC. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +"""Policy engine for keystone""" + +from oslo_config import cfg +from oslo_log import log +from oslo_policy import policy as common_policy + +from keystone import exception +from keystone import policy + + +CONF = cfg.CONF +LOG = log.getLogger(__name__) + + +_ENFORCER = None + + +def reset(): + global _ENFORCER + _ENFORCER = None + + +def init(): + global _ENFORCER + if not _ENFORCER: + _ENFORCER = common_policy.Enforcer(CONF) + + +def enforce(credentials, action, target, do_raise=True): + """Verifies that the action is valid on the target in this context. + + :param credentials: user credentials + :param action: string representing the action to be checked, which + should be colon separated for clarity. + :param target: dictionary representing the object of the action + for object creation this should be a dictionary + representing the location of the object e.g. + {'project_id': object.project_id} + :raises: `exception.Forbidden` if verification fails. + + Actions should be colon separated for clarity. For example: + + * identity:list_users + + """ + init() + + # Add the exception arguments if asked to do a raise + extra = {} + if do_raise: + extra.update(exc=exception.ForbiddenAction, action=action, + do_raise=do_raise) + + return _ENFORCER.enforce(action, target, credentials, **extra) + + +class Policy(policy.Driver): + def enforce(self, credentials, action, target): + LOG.debug('enforce %(action)s: %(credentials)s', { + 'action': action, + 'credentials': credentials}) + enforce(credentials, action, target) + + def create_policy(self, policy_id, policy): + raise exception.NotImplemented() + + def list_policies(self): + raise exception.NotImplemented() + + def get_policy(self, policy_id): + raise exception.NotImplemented() + + def update_policy(self, policy_id, policy): + raise exception.NotImplemented() + + def delete_policy(self, policy_id): + raise exception.NotImplemented() diff --git a/keystone-moon/keystone/policy/backends/sql.py b/keystone-moon/keystone/policy/backends/sql.py new file mode 100644 index 00000000..b2cccd01 --- /dev/null +++ b/keystone-moon/keystone/policy/backends/sql.py @@ -0,0 +1,79 @@ +# Copyright 2012 OpenStack LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystone.common import sql +from keystone import exception +from keystone.policy.backends import rules + + +class PolicyModel(sql.ModelBase, sql.DictBase): + __tablename__ = 'policy' + attributes = ['id', 'blob', 'type'] + id = sql.Column(sql.String(64), primary_key=True) + blob = sql.Column(sql.JsonBlob(), nullable=False) + type = sql.Column(sql.String(255), nullable=False) + extra = sql.Column(sql.JsonBlob()) + + +class Policy(rules.Policy): + + @sql.handle_conflicts(conflict_type='policy') + def create_policy(self, policy_id, policy): + session = sql.get_session() + + with session.begin(): + ref = PolicyModel.from_dict(policy) + session.add(ref) + + return ref.to_dict() + + def list_policies(self): + session = sql.get_session() + + refs = session.query(PolicyModel).all() + return [ref.to_dict() for ref in refs] + + def _get_policy(self, session, policy_id): + """Private method to get a policy model object (NOT a dictionary).""" + ref = session.query(PolicyModel).get(policy_id) + if not ref: + raise exception.PolicyNotFound(policy_id=policy_id) + return ref + + def get_policy(self, policy_id): + session = sql.get_session() + + return self._get_policy(session, policy_id).to_dict() + + @sql.handle_conflicts(conflict_type='policy') + def update_policy(self, policy_id, policy): + session = sql.get_session() + + with session.begin(): + ref = self._get_policy(session, policy_id) + old_dict = ref.to_dict() + old_dict.update(policy) + new_policy = PolicyModel.from_dict(old_dict) + ref.blob = new_policy.blob + ref.type = new_policy.type + ref.extra = new_policy.extra + + return ref.to_dict() + + def delete_policy(self, policy_id): + session = sql.get_session() + + with session.begin(): + ref = self._get_policy(session, policy_id) + session.delete(ref) diff --git a/keystone-moon/keystone/policy/controllers.py b/keystone-moon/keystone/policy/controllers.py new file mode 100644 index 00000000..e6eb9bca --- /dev/null +++ b/keystone-moon/keystone/policy/controllers.py @@ -0,0 +1,56 @@ +# Copyright 2012 OpenStack Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from keystone.common import controller +from keystone.common import dependency +from keystone.common import validation +from keystone import notifications +from keystone.policy import schema + + +@dependency.requires('policy_api') +class PolicyV3(controller.V3Controller): + collection_name = 'policies' + member_name = 'policy' + + @controller.protected() + @validation.validated(schema.policy_create, 'policy') + def create_policy(self, context, policy): + ref = self._assign_unique_id(self._normalize_dict(policy)) + initiator = notifications._get_request_audit_info(context) + ref = self.policy_api.create_policy(ref['id'], ref, initiator) + return PolicyV3.wrap_member(context, ref) + + @controller.filterprotected('type') + def list_policies(self, context, filters): + hints = PolicyV3.build_driver_hints(context, filters) + refs = self.policy_api.list_policies(hints=hints) + return PolicyV3.wrap_collection(context, refs, hints=hints) + + @controller.protected() + def get_policy(self, context, policy_id): + ref = self.policy_api.get_policy(policy_id) + return PolicyV3.wrap_member(context, ref) + + @controller.protected() + @validation.validated(schema.policy_update, 'policy') + def update_policy(self, context, policy_id, policy): + initiator = notifications._get_request_audit_info(context) + ref = self.policy_api.update_policy(policy_id, policy, initiator) + return PolicyV3.wrap_member(context, ref) + + @controller.protected() + def delete_policy(self, context, policy_id): + initiator = notifications._get_request_audit_info(context) + return self.policy_api.delete_policy(policy_id, initiator) diff --git a/keystone-moon/keystone/policy/core.py b/keystone-moon/keystone/policy/core.py new file mode 100644 index 00000000..1f02803f --- /dev/null +++ b/keystone-moon/keystone/policy/core.py @@ -0,0 +1,135 @@ +# Copyright 2012 OpenStack Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +"""Main entry point into the Policy service.""" + +import abc + +from oslo_config import cfg +import six + +from keystone.common import dependency +from keystone.common import manager +from keystone import exception +from keystone import notifications + + +CONF = cfg.CONF + + +@dependency.provider('policy_api') +class Manager(manager.Manager): + """Default pivot point for the Policy backend. + + See :mod:`keystone.common.manager.Manager` for more details on how this + dynamically calls the backend. + + """ + _POLICY = 'policy' + + def __init__(self): + super(Manager, self).__init__(CONF.policy.driver) + + def create_policy(self, policy_id, policy, initiator=None): + ref = self.driver.create_policy(policy_id, policy) + notifications.Audit.created(self._POLICY, policy_id, initiator) + return ref + + def get_policy(self, policy_id): + try: + return self.driver.get_policy(policy_id) + except exception.NotFound: + raise exception.PolicyNotFound(policy_id=policy_id) + + def update_policy(self, policy_id, policy, initiator=None): + if 'id' in policy and policy_id != policy['id']: + raise exception.ValidationError('Cannot change policy ID') + try: + ref = self.driver.update_policy(policy_id, policy) + except exception.NotFound: + raise exception.PolicyNotFound(policy_id=policy_id) + notifications.Audit.updated(self._POLICY, policy_id, initiator) + return ref + + @manager.response_truncated + def list_policies(self, hints=None): + # NOTE(henry-nash): Since the advantage of filtering or list limiting + # of policies at the driver level is minimal, we leave this to the + # caller. + return self.driver.list_policies() + + def delete_policy(self, policy_id, initiator=None): + try: + ret = self.driver.delete_policy(policy_id) + except exception.NotFound: + raise exception.PolicyNotFound(policy_id=policy_id) + notifications.Audit.deleted(self._POLICY, policy_id, initiator) + return ret + + +@six.add_metaclass(abc.ABCMeta) +class Driver(object): + + def _get_list_limit(self): + return CONF.policy.list_limit or CONF.list_limit + + @abc.abstractmethod + def enforce(self, context, credentials, action, target): + """Verify that a user is authorized to perform action. + + For more information on a full implementation of this see: + `keystone.policy.backends.rules.Policy.enforce` + """ + raise exception.NotImplemented() # pragma: no cover + + @abc.abstractmethod + def create_policy(self, policy_id, policy): + """Store a policy blob. + + :raises: keystone.exception.Conflict + + """ + raise exception.NotImplemented() # pragma: no cover + + @abc.abstractmethod + def list_policies(self): + """List all policies.""" + raise exception.NotImplemented() # pragma: no cover + + @abc.abstractmethod + def get_policy(self, policy_id): + """Retrieve a specific policy blob. + + :raises: keystone.exception.PolicyNotFound + + """ + raise exception.NotImplemented() # pragma: no cover + + @abc.abstractmethod + def update_policy(self, policy_id, policy): + """Update a policy blob. + + :raises: keystone.exception.PolicyNotFound + + """ + raise exception.NotImplemented() # pragma: no cover + + @abc.abstractmethod + def delete_policy(self, policy_id): + """Remove a policy blob. + + :raises: keystone.exception.PolicyNotFound + + """ + raise exception.NotImplemented() # pragma: no cover diff --git a/keystone-moon/keystone/policy/routers.py b/keystone-moon/keystone/policy/routers.py new file mode 100644 index 00000000..5daadc81 --- /dev/null +++ b/keystone-moon/keystone/policy/routers.py @@ -0,0 +1,24 @@ +# Copyright 2012 OpenStack Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +from keystone.common import router +from keystone.common import wsgi +from keystone.policy import controllers + + +class Routers(wsgi.RoutersBase): + + def append_v3_routers(self, mapper, routers): + policy_controller = controllers.PolicyV3() + routers.append(router.Router(policy_controller, 'policies', 'policy', + resource_descriptions=self.v3_resources)) diff --git a/keystone-moon/keystone/policy/schema.py b/keystone-moon/keystone/policy/schema.py new file mode 100644 index 00000000..512c4ce7 --- /dev/null +++ b/keystone-moon/keystone/policy/schema.py @@ -0,0 +1,36 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +_policy_properties = { + 'blob': { + 'type': 'string' + }, + 'type': { + 'type': 'string', + 'maxLength': 255 + } +} + +policy_create = { + 'type': 'object', + 'properties': _policy_properties, + 'required': ['blob', 'type'], + 'additionalProperties': True +} + +policy_update = { + 'type': 'object', + 'properties': _policy_properties, + 'minProperties': 1, + 'additionalProperties': True +} |