summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--keystone-moon/examples/moon/policies/policy_admin/assignment.json66
-rw-r--r--keystone-moon/examples/moon/policies/policy_admin/metadata.json9
-rw-r--r--keystone-moon/examples/moon/policies/policy_admin/metarule.json6
-rw-r--r--keystone-moon/examples/moon/policies/policy_admin/perimeter.json53
-rw-r--r--keystone-moon/examples/moon/policies/policy_admin/rule.json80
-rw-r--r--keystone-moon/examples/moon/policies/policy_admin/scope.json80
-rw-r--r--keystone-moon/examples/moon/policies/policy_authz/assignment.json2
-rw-r--r--keystone-moon/examples/moon/policies/policy_authz/metadata.json8
-rw-r--r--keystone-moon/examples/moon/policies/policy_authz/metarule.json2
-rw-r--r--keystone-moon/examples/moon/policies/policy_authz/scope.json2
-rw-r--r--keystone-moon/examples/moon/policies/policy_root/assignment.json39
-rw-r--r--keystone-moon/examples/moon/policies/policy_root/metadata.json (renamed from keystone-moon/examples/moon/policies/policy_super/metadata.json)6
-rw-r--r--keystone-moon/examples/moon/policies/policy_root/metarule.json (renamed from keystone-moon/examples/moon/policies/policy_super/metarule.json)0
-rw-r--r--keystone-moon/examples/moon/policies/policy_root/perimeter.json31
-rw-r--r--keystone-moon/examples/moon/policies/policy_root/rule.json44
-rw-r--r--keystone-moon/examples/moon/policies/policy_root/scope.json39
-rw-r--r--keystone-moon/examples/moon/policies/policy_super/assignment.json24
-rw-r--r--keystone-moon/examples/moon/policies/policy_super/perimeter.json16
-rw-r--r--keystone-moon/examples/moon/policies/policy_super/rule.json14
-rw-r--r--keystone-moon/examples/moon/policies/policy_super/scope.json24
-rw-r--r--keystone-moon/examples/moon/super_extension/policy/assignment.json26
-rw-r--r--keystone-moon/examples/moon/super_extension/policy/configuration.json43
-rw-r--r--keystone-moon/examples/moon/super_extension/policy/metadata.json26
-rw-r--r--keystone-moon/examples/moon/super_extension/policy/perimeter.json10
-rw-r--r--keystone-moon/keystone/contrib/moon/backends/__init__.py1
-rw-r--r--keystone-moon/keystone/contrib/moon/backends/memory.py19
-rw-r--r--keystone-moon/keystone/contrib/moon/backends/sql.py8
-rw-r--r--keystone-moon/keystone/contrib/moon/controllers.py46
-rw-r--r--keystone-moon/keystone/contrib/moon/core.py255
-rw-r--r--keystone-moon/keystone/contrib/moon/exception.py20
-rw-r--r--keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py208
31 files changed, 640 insertions, 567 deletions
diff --git a/keystone-moon/examples/moon/policies/policy_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_admin/assignment.json
index 9b183a3c..b77bd810 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/assignment.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/assignment.json
@@ -1,41 +1,47 @@
{
"subject_assignments": {
- "domain":{
- "admin": ["ft"],
- "demo": ["xx"]
- },
- "role": {
- "admin": ["admin"]
+ "role": {
+ "admin": ["root_role"]
}
},
-
"action_assignments": {
- "access": {
- "read": ["admin", "user"],
- "write": ["admin"],
- "create": ["admin"],
- "delete": ["admin"]
+ "action_id": {
+ "read": ["read"],
+ "write": ["write"]
}
},
-
"object_assignments": {
- "id": {
- "subjects": ["subjects"],
- "objects": ["objects"],
- "actions": ["actions"],
- "subject_categories": ["subject_categories"],
- "object_categories": ["object_categories"],
- "action_categories": ["action_categories"],
- "subject_category_scope": ["subject_category_scope"],
- "object_category_scope": ["object_category_scope"],
- "action_category_scope": ["action_category_scope"],
- "sub_rules": ["sub_rules"],
- "sub_meta_rule": ["sub_meta_rule"],
- "subject_assignments": ["subject_assignments"],
- "object_assignments": ["object_assignments"],
- "action_assignments": ["action_assignments"],
- "sub_meta_rule_relations": ["sub_meta_rule_relations"],
- "aggregation_algorithms": ["aggregation_algorithms"]
+ "object_id": {
+ "authz.subjects": ["authz.subjects"],
+ "authz.objects": ["authz.objects"],
+ "authz.actions": ["authz.actions"],
+ "authz.subject_categories": ["authz.subject_categories"],
+ "authz.object_categories": ["authz.object_categories"],
+ "authz.action_categories": ["authz.action_categories"],
+ "authz.subject_category_scopes": ["authz.subject_category_scopes"],
+ "authz.object_category_scopes": ["authz.object_category_scopes"],
+ "authz.action_category_scopes": ["authz.action_category_scopes"],
+ "authz.subject_assignments": ["authz.subject_assignments"],
+ "authz.object_assignments": ["authz.object_assignments"],
+ "authz.action_assignments": ["authz.action_assignments"],
+ "authz.aggregation_algorithm": ["authz.aggregation_algorithm"],
+ "authz.sub_meta_rules": ["authz.sub_meta_rules"],
+ "authz.rules": ["authz.rules"],
+ "admin.subjects": ["admin.subjects"],
+ "admin.objects": ["admin.objects"],
+ "admin.actions": ["admin.actions"],
+ "admin.subject_categories": ["admin.subject_categories"],
+ "admin.object_categories": ["admin.object_categories"],
+ "admin.action_categories": ["admin.action_categories"],
+ "admin.subject_category_scopes": ["admin.subject_category_scopes"],
+ "admin.object_category_scopes": ["admin.object_category_scopes"],
+ "admin.action_category_scopes": ["admin.action_category_scopes"],
+ "admin.subject_assignments": ["admin.subject_assignments"],
+ "admin.object_assignments": ["admin.object_assignments"],
+ "admin.action_assignments": ["admin.action_assignments"],
+ "admin.aggregation_algorithm": ["admin.aggregation_algorithm"],
+ "admin.sub_meta_rules": ["admin.sub_meta_rules"],
+ "admin.rules": ["admin.rules"]
}
}
}
diff --git a/keystone-moon/examples/moon/policies/policy_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_admin/metadata.json
index 29770673..9ee8a11d 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/metadata.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/metadata.json
@@ -1,19 +1,18 @@
{
- "name": "MLS_metadata",
+ "name": "RBAC Admin Policy",
"model": "RBAC",
"genre": "admin",
"description": "",
"subject_categories": [
- "domain",
- "role"
+ "role"
],
"action_categories": [
- "access"
+ "action_id"
],
"object_categories": [
- "id"
+ "object_id"
]
}
diff --git a/keystone-moon/examples/moon/policies/policy_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_admin/metarule.json
index 1cb06eb5..86dbfad2 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/metarule.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/metarule.json
@@ -1,9 +1,9 @@
{
"sub_meta_rules": {
"rbac_rule": {
- "subject_categories": ["role", "domain"],
- "action_categories": ["access"],
- "object_categories": ["id"],
+ "subject_categories": ["role"],
+ "action_categories": ["action_id"],
+ "object_categories": ["object_id"],
"algorithm": "inclusion"
}
},
diff --git a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
index 7716986d..a796dae9 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
@@ -1,30 +1,41 @@
{
"subjects": [
- "admin",
- "demo"
+ "admin"
],
"actions": [
"read",
- "write",
- "create",
- "delete"
+ "write"
],
"objects": [
- "subjects",
- "objects",
- "actions",
- "subject_categories",
- "object_categories",
- "action_categories",
- "subject_category_scope",
- "object_category_scope",
- "action_category_scope",
- "rules",
- "subject_assignments",
- "object_assignments",
- "action_assignments",
- "sub_meta_rule_algorithm",
- "aggregation_algorithm",
- "sub_meta_rules"
+ "authz.subjects",
+ "authz.objects",
+ "authz.actions",
+ "authz.subject_categories",
+ "authz.object_categories",
+ "authz.action_categories",
+ "authz.subject_category_scopes",
+ "authz.object_category_scopes",
+ "authz.action_category_scopes",
+ "authz.subject_assignments",
+ "authz.object_assignments",
+ "authz.action_assignments",
+ "authz.aggregation_algorithm",
+ "authz.sub_meta_rules",
+ "authz.rules",
+ "admin.subjects",
+ "admin.objects",
+ "admin.actions",
+ "admin.subject_categories",
+ "admin.object_categories",
+ "admin.action_categories",
+ "admin.subject_category_scopes",
+ "admin.object_category_scopes",
+ "admin.action_category_scopes",
+ "admin.subject_assignments",
+ "admin.object_assignments",
+ "admin.action_assignments",
+ "admin.aggregation_algorithm",
+ "admin.sub_meta_rules",
+ "admin.rules"
]
}
diff --git a/keystone-moon/examples/moon/policies/policy_admin/rule.json b/keystone-moon/examples/moon/policies/policy_admin/rule.json
index 650405a9..e80c61c1 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/rule.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/rule.json
@@ -1,22 +1,64 @@
{
- "rbac_rule":[
-
- ["admin" , "ft", "admin", "subjects"],
- ["admin" , "ft", "admin", "objects"],
- ["admin" , "ft", "admin", "actions"],
- ["admin" , "ft", "admin", "subject_categories"],
- ["admin" , "ft", "admin", "object_categories"],
- ["admin" , "ft", "admin", "action_categories"],
- ["admin" , "ft", "admin", "subject_category_scope"],
- ["admin" , "ft", "admin", "object_category_scope"],
- ["admin" , "ft", "admin", "action_category_scope"],
- ["admin" , "ft", "admin", "sub_rules"],
- ["admin" , "ft", "admin", "sub_meta_rule"],
- ["admin" , "ft", "admin", "subject_assignments"],
- ["admin" , "ft", "admin", "object_assignments"],
- ["admin" , "ft", "admin", "action_assignments"],
- ["admin" , "ft", "admin", "sub_meta_rule_relations"],
- ["admin" , "ft", "admin", "aggregation_algorithms"]
-
+ "rbac_rule":[
+ ["root_role" , "read", "authz.subjects"],
+ ["root_role" , "read", "authz.objects"],
+ ["root_role" , "read", "authz.actions"],
+ ["root_role" , "read", "authz.subject_categories"],
+ ["root_role" , "read", "authz.object_categories"],
+ ["root_role" , "read", "authz.action_categories"],
+ ["root_role" , "read", "authz.subject_category_scopes"],
+ ["root_role" , "read", "authz.object_category_scopes"],
+ ["root_role" , "read", "authz.action_category_scopes"],
+ ["root_role" , "read", "authz.subject_assignments"],
+ ["root_role" , "read", "authz.object_assignments"],
+ ["root_role" , "read", "authz.action_assignments"],
+ ["root_role" , "read", "authz.aggregation_algorithm"],
+ ["root_role" , "read", "authz.sub_meta_rules"],
+ ["root_role" , "read", "authz.rules"],
+ ["root_role" , "write", "authz.subjects"],
+ ["root_role" , "write", "authz.objects"],
+ ["root_role" , "write", "authz.actions"],
+ ["root_role" , "write", "authz.subject_categories"],
+ ["root_role" , "write", "authz.object_categories"],
+ ["root_role" , "write", "authz.action_categories"],
+ ["root_role" , "write", "authz.subject_category_scopes"],
+ ["root_role" , "write", "authz.object_category_scopes"],
+ ["root_role" , "write", "authz.action_category_scopes"],
+ ["root_role" , "write", "authz.subject_assignments"],
+ ["root_role" , "write", "authz.object_assignments"],
+ ["root_role" , "write", "authz.action_assignments"],
+ ["root_role" , "write", "authz.aggregation_algorithm"],
+ ["root_role" , "write", "authz.sub_meta_rules"],
+ ["root_role" , "write", "authz.rules"],
+ ["root_role" , "read", "admin.subjects"],
+ ["root_role" , "read", "admin.objects"],
+ ["root_role" , "read", "admin.actions"],
+ ["root_role" , "read", "admin.subject_categories"],
+ ["root_role" , "read", "admin.object_categories"],
+ ["root_role" , "read", "admin.action_categories"],
+ ["root_role" , "read", "admin.subject_category_scopes"],
+ ["root_role" , "read", "admin.object_category_scopes"],
+ ["root_role" , "read", "admin.action_category_scopes"],
+ ["root_role" , "read", "admin.subject_assignments"],
+ ["root_role" , "read", "admin.object_assignments"],
+ ["root_role" , "read", "admin.action_assignments"],
+ ["root_role" , "read", "admin.aggregation_algorithm"],
+ ["root_role" , "read", "admin.sub_meta_rules"],
+ ["root_role" , "read", "admin.rules"],
+ ["root_role" , "write", "admin.subjects"],
+ ["root_role" , "write", "admin.objects"],
+ ["root_role" , "write", "admin.actions"],
+ ["root_role" , "write", "admin.subject_categories"],
+ ["root_role" , "write", "admin.object_categories"],
+ ["root_role" , "write", "admin.action_categories"],
+ ["root_role" , "write", "admin.subject_category_scopes"],
+ ["root_role" , "write", "admin.object_category_scopes"],
+ ["root_role" , "write", "admin.action_category_scopes"],
+ ["root_role" , "write", "admin.subject_assignments"],
+ ["root_role" , "write", "admin.object_assignments"],
+ ["root_role" , "write", "admin.action_assignments"],
+ ["root_role" , "write", "admin.aggregation_algorithm"],
+ ["root_role" , "write", "admin.sub_meta_rules"],
+ ["root_role" , "write", "admin.rules"]
]
}
diff --git a/keystone-moon/examples/moon/policies/policy_admin/scope.json b/keystone-moon/examples/moon/policies/policy_admin/scope.json
index 3742a5e4..74b1d019 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/scope.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/scope.json
@@ -1,39 +1,47 @@
{
- "subject_scopes": {
- "role": [
- "admin"
- ],
- "domain": [
- "ft",
- "xx"
- ]
- },
-
- "action_scopes": {
- "access": [
- "admin",
- "user"
- ]
- },
-
- "object_scopes": {
- "id": [
- "subjects",
- "objects",
- "actions",
- "subject_categories",
- "object_categories",
- "action_categories",
- "subject_category_scope",
- "object_category_scope",
- "action_category_scope",
- "sub_rules",
- "sub_meta_rule",
- "subject_assignments",
- "object_assignments",
- "action_assignments",
- "sub_meta_rule_relations",
- "aggregation_algorithms"
- ]
+ "subject_scopes": {
+ "role": [
+ "root_role"
+ ]
+ },
+ "action_scopes": {
+ "action_id": [
+ "read",
+ "write"
+ ]
+ },
+ "object_scopes": {
+ "action_id": [
+ "authz.subjects",
+ "authz.objects",
+ "authz.actions",
+ "authz.subject_categories",
+ "authz.object_categories",
+ "authz.action_categories",
+ "authz.subject_category_scopes",
+ "authz.object_category_scopes",
+ "authz.action_category_scopes",
+ "authz.subject_assignments",
+ "authz.object_assignments",
+ "authz.action_assignments",
+ "authz.aggregation_algorithm",
+ "authz.sub_meta_rules",
+ "authz.rules",
+ "admin.subjects",
+ "admin.objects",
+ "admin.actions",
+ "admin.subject_categories",
+ "admin.object_categories",
+ "admin.action_categories",
+ "admin.subject_category_scopes",
+ "admin.object_category_scopes",
+ "admin.action_category_scopes",
+ "admin.subject_assignments",
+ "admin.object_assignments",
+ "admin.action_assignments",
+ "admin.aggregation_algorithm",
+ "admin.sub_meta_rules",
+ "admin.rules"
+ ]
}
}
diff --git a/keystone-moon/examples/moon/policies/policy_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_authz/assignment.json
index ebab0ec6..6482830c 100644
--- a/keystone-moon/examples/moon/policies/policy_authz/assignment.json
+++ b/keystone-moon/examples/moon/policies/policy_authz/assignment.json
@@ -56,7 +56,7 @@
"file1": ["storage"],
"file2": ["storage"]
},
- "id": {
+ "object_id": {
"servers": ["servers"],
"vm1": ["vm1"],
"vm2": ["vm2"],
diff --git a/keystone-moon/examples/moon/policies/policy_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_authz/metadata.json
index 4a5a5a1a..d0db90db 100644
--- a/keystone-moon/examples/moon/policies/policy_authz/metadata.json
+++ b/keystone-moon/examples/moon/policies/policy_authz/metadata.json
@@ -1,8 +1,8 @@
{
- "name": "MLS_metadata",
- "model": "MLS",
+ "name": "Multiple_Policy",
+ "model": "Multiple",
"genre": "authz",
- "description": "Multi Layer Security authorization policy",
+ "description": "Multiple Security Policies",
"subject_categories": [
"subject_security_level",
@@ -18,6 +18,6 @@
"object_categories": [
"object_security_level",
"type",
- "id"
+ "object_id"
]
}
diff --git a/keystone-moon/examples/moon/policies/policy_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_authz/metarule.json
index df683ca9..c9afd6c2 100644
--- a/keystone-moon/examples/moon/policies/policy_authz/metarule.json
+++ b/keystone-moon/examples/moon/policies/policy_authz/metarule.json
@@ -15,7 +15,7 @@
"rbac_rule": {
"subject_categories": ["role", "domain"],
"action_categories": ["access"],
- "object_categories": ["id"],
+ "object_categories": ["object_id"],
"algorithm": "inclusion"
}
},
diff --git a/keystone-moon/examples/moon/policies/policy_authz/scope.json b/keystone-moon/examples/moon/policies/policy_authz/scope.json
index 4b69e469..9b313daf 100644
--- a/keystone-moon/examples/moon/policies/policy_authz/scope.json
+++ b/keystone-moon/examples/moon/policies/policy_authz/scope.json
@@ -38,7 +38,7 @@
"computing",
"storage"
],
- "id": [
+ "object_id": [
"servers",
"vm1",
"vm2",
diff --git a/keystone-moon/examples/moon/policies/policy_root/assignment.json b/keystone-moon/examples/moon/policies/policy_root/assignment.json
new file mode 100644
index 00000000..2852de0c
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_root/assignment.json
@@ -0,0 +1,39 @@
+{
+ "subject_assignments": {
+ "role": {
+ "admin": ["root_role"]
+ }
+ },
+
+ "action_assignments": {
+ "action_id": {
+ "read": ["read"],
+ "write": ["write"]
+ }
+ },
+
+ "object_assignments": {
+ "object_id": {
+ "templates": ["templates"],
+ "sub_meta_rule_algorithm": ["sub_meta_rule_relations"],
+ "aggregation_algorithms": ["aggregation_algorithms"],
+ "tenants": ["tenants"],
+ "intra_extensions": ["intra_extensions"],
+ "admin.subjects": ["admin.subjects"],
+ "admin.objects": ["admin.objects"],
+ "admin.actions": ["admin.actions"],
+ "admin.subject_categories": ["admin.subject_categories"],
+ "admin.object_categories": ["admin.object_categories"],
+ "admin.action_categories": ["admin.action_categories"],
+ "admin.subject_category_scopes": ["admin.subject_category_scopes"],
+ "admin.object_category_scopes": ["admin.object_category_scopes"],
+ "admin.action_category_scopes": ["admin.action_category_scopes"],
+ "admin.subject_assignments": ["admin.subject_assignments"],
+ "admin.object_assignments": ["admin.object_assignments"],
+ "admin.action_assignments": ["admin.action_assignments"],
+ "admin.aggregation_algorithm": ["admin.aggregation_algorithm"],
+ "admin.sub_meta_rules": ["admin.sub_meta_rules"],
+ "admin.rules": ["admin.rules"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_super/metadata.json b/keystone-moon/examples/moon/policies/policy_root/metadata.json
index a67670e9..3e4b0f28 100644
--- a/keystone-moon/examples/moon/policies/policy_super/metadata.json
+++ b/keystone-moon/examples/moon/policies/policy_root/metadata.json
@@ -1,8 +1,8 @@
{
- "name": "Super_Extension",
+ "name": "Root Policy",
"model": "RBAC",
- "genre": "authz",
- "description": "",
+ "genre": "admin",
+ "description": "root extension",
"subject_categories": [
"role"
diff --git a/keystone-moon/examples/moon/policies/policy_super/metarule.json b/keystone-moon/examples/moon/policies/policy_root/metarule.json
index 86dbfad2..86dbfad2 100644
--- a/keystone-moon/examples/moon/policies/policy_super/metarule.json
+++ b/keystone-moon/examples/moon/policies/policy_root/metarule.json
diff --git a/keystone-moon/examples/moon/policies/policy_root/perimeter.json b/keystone-moon/examples/moon/policies/policy_root/perimeter.json
new file mode 100644
index 00000000..788a27f2
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_root/perimeter.json
@@ -0,0 +1,31 @@
+{
+ "subjects": [
+ "admin"
+ ],
+ "actions": [
+ "read",
+ "write"
+ ],
+ "objects": [
+ "templates",
+ "aggregation_algorithms",
+ "sub_meta_rule_algorithms",
+ "tenants",
+ "intra_extensions",
+ "admin.subjects",
+ "admin.objects",
+ "admin.actions",
+ "admin.subject_categories",
+ "admin.object_categories",
+ "admin.action_categories",
+ "admin.subject_category_scopes",
+ "admin.object_category_scopes",
+ "admin.action_category_scopes",
+ "admin.subject_assignments",
+ "admin.object_assignments",
+ "admin.action_assignments",
+ "admin.aggregation_algorithm",
+ "admin.sub_meta_rules",
+ "admin.rules"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_root/rule.json b/keystone-moon/examples/moon/policies/policy_root/rule.json
new file mode 100644
index 00000000..9bbd5e4c
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_root/rule.json
@@ -0,0 +1,44 @@
+{
+ "rbac_rule":[
+ ["root_role" , "read", "templates"],
+ ["root_role" , "read", "aggregation_algorithms"],
+ ["root_role" , "read", "sub_meta_rule_algorithms"],
+ ["root_role" , "read", "tenants"],
+ ["root_role" , "read", "intra_extensions"],
+ ["root_role" , "write", "templates"],
+ ["root_role" , "write", "aggregation_algorithms"],
+ ["root_role" , "write", "sub_meta_rule_algorithms"],
+ ["root_role" , "write", "tenants"],
+ ["root_role" , "write", "intra_extensions"],
+ ["root_role" , "read", "admin.subjects"],
+ ["root_role" , "read", "admin.objects"],
+ ["root_role" , "read", "admin.actions"],
+ ["root_role" , "read", "admin.subject_categories"],
+ ["root_role" , "read", "admin.object_categories"],
+ ["root_role" , "read", "admin.action_categories"],
+ ["root_role" , "read", "admin.subject_category_scopes"],
+ ["root_role" , "read", "admin.object_category_scopes"],
+ ["root_role" , "read", "admin.action_category_scopes"],
+ ["root_role" , "read", "admin.subject_assignments"],
+ ["root_role" , "read", "admin.object_assignments"],
+ ["root_role" , "read", "admin.action_assignments"],
+ ["root_role" , "read", "admin.aggregation_algorithm"],
+ ["root_role" , "read", "admin.sub_meta_rules"],
+ ["root_role" , "read", "admin.rules"],
+ ["root_role" , "write", "admin.subjects"],
+ ["root_role" , "write", "admin.objects"],
+ ["root_role" , "write", "admin.actions"],
+ ["root_role" , "write", "admin.subject_categories"],
+ ["root_role" , "write", "admin.object_categories"],
+ ["root_role" , "write", "admin.action_categories"],
+ ["root_role" , "write", "admin.subject_category_scopes"],
+ ["root_role" , "write", "admin.object_category_scopes"],
+ ["root_role" , "write", "admin.action_category_scopes"],
+ ["root_role" , "write", "admin.subject_assignments"],
+ ["root_role" , "write", "admin.object_assignments"],
+ ["root_role" , "write", "admin.action_assignments"],
+ ["root_role" , "write", "admin.aggregation_algorithm"],
+ ["root_role" , "write", "admin.sub_meta_rules"],
+ ["root_role" , "write", "admin.rules"]
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_root/scope.json b/keystone-moon/examples/moon/policies/policy_root/scope.json
new file mode 100644
index 00000000..43f9ced8
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_root/scope.json
@@ -0,0 +1,39 @@
+{
+ "subject_scopes": {
+ "role": [
+ "root_role"
+ ]
+ },
+
+ "action_scopes": {
+ "action_id": [
+ "read",
+ "write"
+ ]
+ },
+
+ "object_scopes": {
+ "object_id": [
+ "templates",
+ "aggregation_algorithms",
+ "sub_meta_rule_algorithms",
+ "tenants",
+ "intra_extensions",
+ "admin.subjects",
+ "admin.objects",
+ "admin.actions",
+ "admin.subject_categories",
+ "admin.object_categories",
+ "admin.action_categories",
+ "admin.subject_category_scopes",
+ "admin.object_category_scopes",
+ "admin.action_category_scopes",
+ "admin.subject_assignments",
+ "admin.object_assignments",
+ "admin.action_assignments",
+ "admin.aggregation_algorithm",
+ "admin.sub_meta_rules",
+ "admin.rules"
+ ]
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_super/assignment.json b/keystone-moon/examples/moon/policies/policy_super/assignment.json
deleted file mode 100644
index 352575aa..00000000
--- a/keystone-moon/examples/moon/policies/policy_super/assignment.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "subject_assignments": {
- "role": {
- "super_admin": ["admin"]
- }
- },
-
- "action_assignments": {
- "action_id": {
- "read": ["read"],
- "write": ["write"]
- }
- },
-
- "object_assignments": {
- "object_id": {
- "templates": ["templates"],
- "sub_meta_rule_algorithm": ["sub_meta_rule_relations"],
- "aggregation_algorithms": ["aggregation_algorithms"],
- "tenants": ["tenants"],
- "intra_extensions": ["intra_extensions"]
- }
- }
-}
diff --git a/keystone-moon/examples/moon/policies/policy_super/perimeter.json b/keystone-moon/examples/moon/policies/policy_super/perimeter.json
deleted file mode 100644
index 3a7364bc..00000000
--- a/keystone-moon/examples/moon/policies/policy_super/perimeter.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "subjects": [
- "super_admin"
- ],
- "actions": [
- "read",
- "write"
- ],
- "objects": [
- "templates",
- "aggregation_algorithms",
- "sub_meta_rule_algorithms",
- "tenants",
- "intra_extensions"
- ]
-}
diff --git a/keystone-moon/examples/moon/policies/policy_super/rule.json b/keystone-moon/examples/moon/policies/policy_super/rule.json
deleted file mode 100644
index b3115a90..00000000
--- a/keystone-moon/examples/moon/policies/policy_super/rule.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "rbac_rule":[
- ["admin" , "read", "templates"],
- ["admin" , "read", "aggregation_algorithms"],
- ["admin" , "read", "sub_meta_rule_algorithms"],
- ["admin" , "read", "tenants"],
- ["admin" , "read", "intra_extensions"],
- ["admin" , "write", "templates"],
- ["admin" , "write", "aggregation_algorithms"],
- ["admin" , "write", "sub_meta_rule_algorithms"],
- ["admin" , "write", "tenants"],
- ["admin" , "write", "intra_extensions"]
- ]
-}
diff --git a/keystone-moon/examples/moon/policies/policy_super/scope.json b/keystone-moon/examples/moon/policies/policy_super/scope.json
deleted file mode 100644
index d581c747..00000000
--- a/keystone-moon/examples/moon/policies/policy_super/scope.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "subject_scopes": {
- "role": [
- "admin"
- ]
- },
-
- "action_scopes": {
- "action_id": [
- "read",
- "write"
- ]
- },
-
- "object_scopes": {
- "object_id": [
- "templates",
- "aggregation_algorithms",
- "sub_meta_rule_algorithms",
- "tenants",
- "intra_extensions"
- ]
- }
-}
diff --git a/keystone-moon/examples/moon/super_extension/policy/assignment.json b/keystone-moon/examples/moon/super_extension/policy/assignment.json
deleted file mode 100644
index 352d3928..00000000
--- a/keystone-moon/examples/moon/super_extension/policy/assignment.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "subject_category_assignments": {
- "role":{
- "admin": [
- "super_user",
- "super_admin",
- "super_root",
- "inter_extension_user",
- "inter_extension_admin",
- "inter_extension_root"
- ]
- }
- },
- "object_category_assignments": {
- "action": {
- "intra_extension": [],
- "mapping": [],
- "inter_extension": []
- },
- "object_id": {
- "intra_extension": ["intra_extension"],
- "mapping": ["mapping"],
- "inter_extension": ["inter_extension"]
- }
- }
-}
diff --git a/keystone-moon/examples/moon/super_extension/policy/configuration.json b/keystone-moon/examples/moon/super_extension/policy/configuration.json
deleted file mode 100644
index 18918e7f..00000000
--- a/keystone-moon/examples/moon/super_extension/policy/configuration.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "subject_category_values": {
- "role": [
- "super_user",
- "super_admin",
- "super_root",
- "inter_extension_user",
- "inter_extension_admin",
- "inter_extension_root"
- ]
- },
-
- "object_category_values": {
- "action": [
- "list",
- "create",
- "destroy",
- "delegate"
- ],
- "object_id": [
- "intra_extension",
- "mapping",
- "inter_extension"
- ]
- },
-
- "rules":{
- "permission": [
- ["super_user", "intra_extension", "list"],
- ["super_admin", "intra_extension", "create"],
- ["super_admin", "intra_extension", "destroy"],
- ["super_root", "intra_extension", "delegate"],
- ["super_user", "mapping", "list"],
- ["super_admin", "mapping", "create"],
- ["super_admin", "mapping", "destroy"],
- ["super_root", "mapping", "delegate"],
- ["inter_extension_user", "inter_extension", "list"],
- ["inter_extension_admin", "inter_extension", "create"],
- ["inter_extension_admin", "inter_extension", "destroy"],
- ["inter_extension_root", "inter_extension", "delegate"]
- ]
- }
-} \ No newline at end of file
diff --git a/keystone-moon/examples/moon/super_extension/policy/metadata.json b/keystone-moon/examples/moon/super_extension/policy/metadata.json
deleted file mode 100644
index 316bfcb7..00000000
--- a/keystone-moon/examples/moon/super_extension/policy/metadata.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "name": "RBAC_metadata",
- "model": "RBAC",
- "genre": "super",
- "description": "",
-
- "subject_categories": [
- "role"
- ],
-
- "object_categories": [
- "object_id",
- "action"
- ],
-
- "meta_rule": {
- "sub_meta_rules": {
- "permission": {
- "subject_categories": ["role"],
- "object_categories": ["object_id", "action"],
- "relation": "permission"
- }
- },
- "aggregation": "and_true_aggregation"
- }
-}
diff --git a/keystone-moon/examples/moon/super_extension/policy/perimeter.json b/keystone-moon/examples/moon/super_extension/policy/perimeter.json
deleted file mode 100644
index 5d511654..00000000
--- a/keystone-moon/examples/moon/super_extension/policy/perimeter.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "subjects": [
- "admin"
- ],
- "objects": [
- "intra_extension",
- "mapping",
- "inter_extension"
- ]
-} \ No newline at end of file
diff --git a/keystone-moon/keystone/contrib/moon/backends/__init__.py b/keystone-moon/keystone/contrib/moon/backends/__init__.py
index 28b42dd4..237bdc3e 100644
--- a/keystone-moon/keystone/contrib/moon/backends/__init__.py
+++ b/keystone-moon/keystone/contrib/moon/backends/__init__.py
@@ -90,6 +90,7 @@ rules = {
sub_meta_rule_id1: {
rule_id1: [subject_scope1, subject_scope2, ..., action_scope1, ..., object_scope1, ... ],
rule_id2: [subject_scope3, subject_scope4, ..., action_scope3, ..., object_scope3, ... ],
+ rule_id3: [thomas, write, admin.subjects]
...},
sub_meta_rule_id2: { },
...}
diff --git a/keystone-moon/keystone/contrib/moon/backends/memory.py b/keystone-moon/keystone/contrib/moon/backends/memory.py
index ddc06831..b2efb723 100644
--- a/keystone-moon/keystone/contrib/moon/backends/memory.py
+++ b/keystone-moon/keystone/contrib/moon/backends/memory.py
@@ -36,21 +36,4 @@ class ConfigurationConnector(ConfigurationDriver):
return self.aggregation_algorithm_dict
def get_sub_meta_rule_algorithm_dict(self):
- return self.sub_meta_rule_algorithm_dict
-
-# class SuperExtensionConnector(SuperExtensionDriver):
-#
-# def __init__(self):
-# super(SuperExtensionConnector, self).__init__()
-# # Super_Extension is loaded every time the server is started
-# self.__uuid = uuid4().hex
-# # self.__super_extension = Extension()
-# _policy_abs_dir = os.path.join(CONF.moon.super_extension_directory, 'policy')
-# # self.__super_extension.load_from_json(_policy_abs_dir)
-#
-# def get_super_extensions(self):
-# return None
-#
-# def admin(self, sub, obj, act):
-# # return self.__super_extension.authz(sub, obj, act)
-# return True
+ return self.sub_meta_rule_algorithm_dict \ No newline at end of file
diff --git a/keystone-moon/keystone/contrib/moon/backends/sql.py b/keystone-moon/keystone/contrib/moon/backends/sql.py
index 3b331dda..b2e91db0 100644
--- a/keystone-moon/keystone/contrib/moon/backends/sql.py
+++ b/keystone-moon/keystone/contrib/moon/backends/sql.py
@@ -310,7 +310,6 @@ class Rule(sql.ModelBase, sql.DictBase):
__all_objects__ = (
- IntraExtensionUnknown,
Tenant,
Subject,
Object,
@@ -362,10 +361,7 @@ class TenantConnector(TenantDriver):
ref = query.first()
tenant_ref = ref.to_dict()
tenant_ref.update(tenant_dict)
- new_tenant = Tenant(
- id=tenant_id,
- tenant=tenant_ref
- )
+ new_tenant = Tenant(id=tenant_id, tenant=tenant_ref)
for attr in Tenant.attributes:
if attr != 'id':
setattr(ref, attr, getattr(new_tenant, attr))
@@ -382,8 +378,6 @@ class IntraExtensionConnector(IntraExtensionDriver):
ref_list = query.all()
return {_ref.id: _ref.intraextension for _ref in ref_list}
- # TODO (dthom): load_intra_extension(self):
-
def del_intra_extension(self, intra_extension_id):
with sql.transaction() as session:
ref = session.query(IntraExtension).get(intra_extension_id)
diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py
index d8737dd9..fadc2731 100644
--- a/keystone-moon/keystone/contrib/moon/controllers.py
+++ b/keystone-moon/keystone/contrib/moon/controllers.py
@@ -94,6 +94,7 @@ class Tenants(controller.V3Controller):
tenant_id = kw.get("tenant_id", None)
return self.tenant_api.del_tenant(user_id, tenant_id)
+ @controller.protected()
def set_tenant(self, context, **kw):
user_id = self._get_user_id_from_token(context.get('token_id'))
tenant_id = kw.get('id', None)
@@ -142,22 +143,25 @@ class IntraExtensions(controller.V3Controller):
def add_intra_extension(self, context, **kw):
user_id = self._get_user_id_from_token(context.get('token_id'))
intra_extension_dict = dict()
- intra_extension_dict["intra_extension_name"] = kw.get("intra_extension_name", dict())
- intra_extension_dict["subject_categories"] = kw.get("subject_categories", dict())
- intra_extension_dict["object_categories"] = kw.get("object_categories", dict())
- intra_extension_dict["action_categories"] = kw.get("action_categories", dict())
- intra_extension_dict["subjects"] = kw.get("subjects", dict())
- intra_extension_dict["objects"] = kw.get("objects", dict())
- intra_extension_dict["actions"] = kw.get("actions", dict())
- intra_extension_dict["subject_category_scopes"] = kw.get("subject_category_scopes", dict())
- intra_extension_dict["object_category_scopes"] = kw.get("object_category_scopes", dict())
- intra_extension_dict["action_category_scopes"] = kw.get("action_category_scopes", dict())
- intra_extension_dict["subject_assignments"] = kw.get("subject_assignments", dict())
- intra_extension_dict["object_assignments"] = kw.get("object_assignments", dict())
- intra_extension_dict["action_assignments"] = kw.get("action_assignments", dict())
- intra_extension_dict["aggregation_algorithm"] = kw.get("aggregation_algorithm", dict())
- intra_extension_dict["sub_meta_rules"] = kw.get("sub_meta_rules", dict())
- intra_extension_dict["rules"] = kw.get("rules", dict())
+ intra_extension_dict["name"] = kw.get("intra_extension_name", None)
+ intra_extension_dict["model"] = kw.get("intra_extension_model", None)
+ intra_extension_dict["genre"] = kw.get("intra_extension_genre", None)
+ intra_extension_dict["description"] = kw.get("intra_extension_description", None)
+ intra_extension_dict["subject_categories"] = kw.get("intra_extension_subject_categories", dict())
+ intra_extension_dict["object_categories"] = kw.get("intra_extension_object_categories", dict())
+ intra_extension_dict["action_categories"] = kw.get("intra_extension_action_categories", dict())
+ intra_extension_dict["subjects"] = kw.get("intra_extension_subjects", dict())
+ intra_extension_dict["objects"] = kw.get("intra_extension_objects", dict())
+ intra_extension_dict["actions"] = kw.get("intra_extension_actions", dict())
+ intra_extension_dict["subject_category_scopes"] = kw.get("intra_extension_subject_category_scopes", dict())
+ intra_extension_dict["object_category_scopes"] = kw.get("intra_extension_object_category_scopes", dict())
+ intra_extension_dict["action_category_scopes"] = kw.get("intra_extension_action_category_scopes", dict())
+ intra_extension_dict["subject_assignments"] = kw.get("intra_extension_subject_assignments", dict())
+ intra_extension_dict["object_assignments"] = kw.get("intra_extension_object_assignments", dict())
+ intra_extension_dict["action_assignments"] = kw.get("intra_extension_action_assignments", dict())
+ intra_extension_dict["aggregation_algorithm"] = kw.get("intra_extension_aggregation_algorithm", dict())
+ intra_extension_dict["sub_meta_rules"] = kw.get("intra_extension_sub_meta_rules", dict())
+ intra_extension_dict["rules"] = kw.get("intra_extension_rules", dict())
return self.admin_api.load_intra_extension_dict(user_id, intra_extension_dict)
@controller.protected()
@@ -179,6 +183,7 @@ class IntraExtensions(controller.V3Controller):
intra_extension_dict = dict()
intra_extension_dict["name"] = kw.get("intra_extension_name", None)
intra_extension_dict["model"] = kw.get("intra_extension_model", None)
+ intra_extension_dict["genre"] = kw.get("intra_extension_genre", None)
intra_extension_dict["description"] = kw.get("intra_extension_description", None)
return self.admin_api.set_intra_extension_dict(user_id, ie_id, intra_extension_dict)
@@ -781,13 +786,6 @@ class InterExtensions(controller.V3Controller):
# return self.interextension_api.delete_inter_extension(kw["inter_extension_id"])
-@dependency.requires('authz_api')
-class SuperExtensions(controller.V3Controller):
-
- def __init__(self):
- super(SuperExtensions, self).__init__()
-
-
@dependency.requires('moonlog_api', 'authz_api')
class Logs(controller.V3Controller):
@@ -803,7 +801,5 @@ class Logs(controller.V3Controller):
def get_logs(self, context, **kw):
user_id = self._get_user_id_from_token(context.get('token_id'))
options = kw.get("options", "")
- # FIXME (dthom): the authorization for get_logs must be done with an intra_extension
- #if self.authz_api.admin(user["name"], "logs", "read"):
return self.moonlog_api.get_logs(user_id, options)
diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py
index fcb8ebfa..7761130e 100644
--- a/keystone-moon/keystone/contrib/moon/core.py
+++ b/keystone-moon/keystone/contrib/moon/core.py
@@ -25,9 +25,9 @@ from keystone.contrib.moon.algorithms import *
CONF = config.CONF
LOG = log.getLogger(__name__)
-DEFAULT_USER_ID = uuid4().hex # default user_id for internal invocation
-SUPER_TENANT_ID = uuid4().hex
-SUPER_EXTENSION_ID = uuid4().hex
+# TODO: call functions to get these 2 variables
+ADMIN_ID = uuid4().hex # default user_id for internal invocation
+ROOT_EXTENSION_ID = uuid4().hex
_OPTS = [
@@ -104,35 +104,54 @@ def filter_input(func_or_str):
def enforce(action_names, object_name, **extra):
_action_name_list = action_names
+ _object_name = object_name
def wrap(func):
def wrapped(*args):
# global actions
self = args[0]
- user_name = args[1]
- intra_extension_id = args[2]
- if intra_extension_id not in self.admin_api.get_intra_extensions(DEFAULT_USER_ID):
- raise IntraExtensionUnknown()
-
- tenants_dict = self.tenant_api.get_tenants_dict(DEFAULT_USER_ID)
+ user_id = args[1]
intra_admin_extension_id = None
- tenant_name = None
- for tenant_id in tenants_dict:
- if tenants_dict[tenant_id]['intra_authz_extension_id'] is intra_extension_id:
- intra_admin_extension_id = tenants_dict[tenant_id]['intra_admin_extension_id']
- tenant_name = tenants_dict[tenant_id]['name']
+ try:
+ intra_extension_id = args[2]
+ except:
+ intra_admin_extension_id = ROOT_EXTENSION_ID
+
+ intra_extensions_dict = self.admin_api.get_intra_extensions(ADMIN_ID)
+ if intra_extension_id not in intra_extensions_dict:
+ raise IntraExtensionUnknown()
+ tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
+ for _tenant_id in tenants_dict:
+ if tenants_dict[_tenant_id]['intra_authz_extension_id'] is intra_extension_id or \
+ tenants_dict[_tenant_id]['intra_admin_extension_id'] is intra_extension_id:
+ intra_admin_extension_id = tenants_dict[_tenant_id]['intra_admin_extension_id']
if not intra_admin_extension_id:
- args[0].moonlog_api.warning("No admin IntraExtension found, authorization granted by default.")
+ args[0].moonlog_api.warning("No Intra_Admin_Extension found, authorization granted by default.")
return func(*args)
else:
- authz_result = False
+ objects_dict = self.admin_api.get_objects_dict(ADMIN_ID, intra_admin_extension_id)
+ object_name = intra_extensions_dict[intra_extension_id]['genre'] + '.' + _object_name
+ object_id = None
+ for _object_id in objects_dict:
+ if objects_dict[_object_id]['name'] is object_name:
+ object_id = _object_id
+ break
if type(_action_name_list) in (str, unicode):
action_name_list = (_action_name_list, )
else:
action_name_list = _action_name_list
- for action_name in action_name_list:
- if self.authz_api.authz(tenant_name, user_name, object_name, action_name, 'admin'):
+ actions_dict = self.admin_api.get_actions_dict(ADMIN_ID, intra_admin_extension_id)
+ action_id_list = list()
+ for _action_name in action_name_list:
+ for _action_id in actions_dict:
+ if actions_dict[_action_id]['name'] is _action_name:
+ action_id_list.append(_action_id)
+ break
+
+ authz_result = False
+ for action_id in action_id_list:
+ if self.driver.authz(intra_admin_extension_id, user_id, object_id, action_id):
authz_result = True
else:
authz_result = False
@@ -143,42 +162,6 @@ def enforce(action_names, object_name, **extra):
return wrap
-def super_enforce(action_names, object_name, **extra):
- _action_name_list = action_names
-
- def wrap(func):
- def wrapped(*args):
- # global actions
- return func(*args)
- # self = args[0]
- # user_name = args[1]
- # intra_extension_id = SUPER_EXTENSION_ID
- # if intra_extension_id not in self.admin_api.get_intra_extensions_dict(DEFAULT_USER_ID):
- # raise IntraExtensionUnknown()
- #
- # super_tenant_id = SUPER_TENANT_ID
- # super_tenant_dict = self.tenant_api.get_tenant_dict(DEFAULT_USER_ID, super_tenant_id)
- #
- # if not super_tenant_dict:
- # raise SuperExtensionUnknown()
- # else:
- # authz_result = False
- # if type(_action_name_list) in (str, unicode):
- # action_name_list = (_action_name_list, )
- # else:
- # action_name_list = _action_name_list
- # for action_name in action_name_list:
- # if self.authz_api.authz(super_tenant_dict['name'], user_name, object_name, action_name, 'authz'):
- # authz_result = True
- # else:
- # authz_result = False
- # break
- # if authz_result:
- # return func(*args)
- return wrapped
- return wrap
-
-
@dependency.provider('configuration_api')
@dependency.requires('moonlog_api')
class ConfigurationManager(manager.Manager):
@@ -186,7 +169,7 @@ class ConfigurationManager(manager.Manager):
def __init__(self):
super(ConfigurationManager, self).__init__(CONF.moon.configuration_driver)
- @super_enforce("read", "templates")
+ @enforce("read", "templates")
def get_policy_templates_dict(self, user_id):
"""
Return a dictionary of all policy templates
@@ -194,7 +177,7 @@ class ConfigurationManager(manager.Manager):
"""
return self.driver.get_policy_templates_dict()
- @super_enforce("read", "templates")
+ @enforce("read", "templates")
def get_policy_template_id_from_name(self, user_id, policy_template_name):
policy_template_dict = self.driver.get_policy_templates_dict()
for policy_template_id in policy_template_dict:
@@ -202,7 +185,7 @@ class ConfigurationManager(manager.Manager):
return policy_template_id
return None
- @super_enforce("read", "aggregation_algorithms")
+ @enforce("read", "aggregation_algorithms")
def get_aggregation_algorithms_dict(self, user_id):
"""
Return a dictionary of all aggregation algorithm
@@ -210,7 +193,7 @@ class ConfigurationManager(manager.Manager):
"""
return self.driver.get_aggregation_algorithms_dict()
- @super_enforce("read", "aggregation_algorithms")
+ @enforce("read", "aggregation_algorithms")
def get_aggregation_algorithm_id_from_name(self, user_id, aggregation_algorithm_name):
aggregation_algorithm_dict = self.driver.get_aggregation_algorithms_dict()
for aggregation_algorithm_id in aggregation_algorithm_dict:
@@ -218,7 +201,7 @@ class ConfigurationManager(manager.Manager):
return aggregation_algorithm_id
return None
- @super_enforce("read", "sub_meta_rule_algorithms")
+ @enforce("read", "sub_meta_rule_algorithms")
def get_sub_meta_rule_algorithms_dict(self, user_id):
"""
Return a dictionary of sub_meta_rule algorithm
@@ -226,7 +209,7 @@ class ConfigurationManager(manager.Manager):
"""
return self.driver.get_sub_meta_rule_algorithms_dict()
- @super_enforce("read", "sub_meta_rule_algorithms")
+ @enforce("read", "sub_meta_rule_algorithms")
def get_sub_meta_rule_algorithm_id_from_name(self, sub_meta_rule_algorithm_name):
sub_meta_rule_algorithm_dict = self.driver.get_sub_meta_rule_algorithms_dict()
for sub_meta_rule_algorithm_id in sub_meta_rule_algorithm_dict:
@@ -242,7 +225,7 @@ class TenantManager(manager.Manager):
def __init__(self):
super(TenantManager, self).__init__(CONF.moon.tenant_driver)
- @super_enforce("read", "tenants")
+ @enforce("read", "tenants")
def get_tenants_dict(self, user_id):
"""
Return a dictionary with all tenants
@@ -259,31 +242,60 @@ class TenantManager(manager.Manager):
"""
return self.driver.get_tenants_dict()
- @super_enforce(("read", "write"), "tenants")
+ @enforce(("read", "write"), "tenants")
def add_tenant_dict(self, user_id, tenant_dict):
tenants_dict = self.driver.get_tenants_dict()
for tenant_id in tenants_dict:
if tenants_dict[tenant_id]['name'] is tenant_dict['name']:
raise TenantAddedNameExisting()
+
+ # Sync users between intra_authz_extension and intra_admin_extension
+ if tenant_dict['intra_admin_extension']:
+ if not tenant_dict['intra_authz_extension']:
+ raise TenantNoIntraAuthzExtension
+ else:
+ authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension'])
+ admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension'])
+ for _subject_id in authz_subjects_dict:
+ if _subject_id not in admin_subjects_dict:
+ self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension'], authz_subjects_dict[_subject_id])
+ for _subject_id in admin_subjects_dict:
+ if _subject_id not in authz_subjects_dict:
+ self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id])
return self.driver.add_tenant_dict(uuid4().hex, tenant_dict)
- @super_enforce("read", "tenants")
+ @enforce("read", "tenants")
def get_tenant_dict(self, user_id, tenant_id):
tenants_dict = self.driver.get_tenants_dict()
if tenant_id not in tenants_dict:
raise TenantUnknown()
return tenants_dict[tenant_id]
- @super_enforce(("read", "write"), "tenants")
+ @enforce(("read", "write"), "tenants")
def del_tenant(self, user_id, tenant_id):
if tenant_id not in self.driver.get_tenants_dict():
raise TenantUnknown()
self.driver.del_tenant(tenant_id)
- @super_enforce(("read", "write"), "tenants")
+ @enforce(("read", "write"), "tenants")
def set_tenant_dict(self, user_id, tenant_id, tenant_dict):
- if tenant_id not in self.driver.get_tenants_dict():
+ tenants_dict = self.driver.get_tenants_dict()
+ if tenant_id not in tenants_dict:
raise TenantUnknown()
+
+ # Sync users between intra_authz_extension and intra_admin_extension
+ if tenant_dict['intra_admin_extension']:
+ if not tenant_dict['intra_authz_extension']:
+ raise TenantNoIntraAuthzExtension
+ else:
+ authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension'])
+ admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension'])
+ for _subject_id in authz_subjects_dict:
+ if _subject_id not in admin_subjects_dict:
+ self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension'], authz_subjects_dict[_subject_id])
+ for _subject_id in admin_subjects_dict:
+ if _subject_id not in authz_subjects_dict:
+ self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id])
return self.driver.set_tenant_dict(tenant_id, tenant_dict)
@@ -291,7 +303,6 @@ class TenantManager(manager.Manager):
class IntraExtensionManager(manager.Manager):
def __init__(self):
- self.__genre__ = None
driver = CONF.moon.intraextension_driver
super(IntraExtensionManager, self).__init__(driver)
@@ -335,9 +346,9 @@ class IntraExtensionManager(manager.Manager):
for category in meta_data_dict["action_categories"]:
action_assignment_dict[category] = self.driver.get_action_assignment_list(
intra_extension_id, action_id)[category]
- authz_buffer['subject_attributes'] = dict()
- authz_buffer['object_attributes'] = dict()
- authz_buffer['action_attributes'] = dict()
+ authz_buffer['subject_assignments'] = dict()
+ authz_buffer['object_assignments'] = dict()
+ authz_buffer['action_assignments'] = dict()
for _subject_category in meta_data_dict['subject_categories']:
authz_buffer['subject_assignments'][_subject_category] = subject_assignment_dict[_subject_category]
for _object_category in meta_data_dict['object_categories']:
@@ -385,7 +396,7 @@ class IntraExtensionManager(manager.Manager):
return False
- @super_enforce("read", "intra_extensions")
+ @enforce("read", "intra_extensions")
def get_intra_extensions_dict(self, user_id):
"""
:param user_id:
@@ -647,13 +658,13 @@ class IntraExtensionManager(manager.Manager):
rules[sub_rule_id].append(subrule)
self.driver.set_rule_dict(intra_extension_dict["id"], sub_rule_id, uuid4().hex, rules)
- @super_enforce(("read", "write"), "intra_extensions")
+ @enforce(("read", "write"), "intra_extensions")
def load_intra_extension_dict(self, user_id, intra_extension_dict):
ie_dict = dict()
- # TODO: clean some values
ie_dict['id'] = uuid4().hex
ie_dict["name"] = filter_input(intra_extension_dict["name"])
- ie_dict["model"] = filter_input(intra_extension_dict["policymodel"])
+ ie_dict["model"] = filter_input(intra_extension_dict["model"])
+ ie_dict["genre"] = filter_input(intra_extension_dict["genre"])
ie_dict["description"] = filter_input(intra_extension_dict["description"])
ref = self.driver.set_intra_extension_dict(ie_dict['id'], ie_dict)
self.moonlog_api.debug("Creation of IE: {}".format(ref))
@@ -667,7 +678,7 @@ class IntraExtensionManager(manager.Manager):
self.__load_rule_file(ie_dict, policy_dir)
return ref
- @super_enforce("read", "intra_extensions")
+ @enforce("read", "intra_extensions")
def get_intra_extension_dict(self, user_id, intra_extension_id):
"""
:param user_id:
@@ -677,13 +688,13 @@ class IntraExtensionManager(manager.Manager):
raise IntraExtensionUnknown()
return self.driver.get_intra_extensions_dict()[intra_extension_id]
- @super_enforce(("read", "write"), "intra_extensions")
+ @enforce(("read", "write"), "intra_extensions")
def del_intra_extension(self, user_id, intra_extension_id):
if intra_extension_id not in self.driver.get_intra_extensions_dict():
raise IntraExtensionUnknown()
return self.driver.del_intra_extension(intra_extension_id)
- @super_enforce(("read", "write"), "intra_extensions")
+ @enforce(("read", "write"), "intra_extensions")
def set_intra_extension_dict(self, user_id, intra_extension_id, intra_extension_dict):
if intra_extension_id not in self.driver.get_intra_extensions_dict():
raise IntraExtensionUnknown()
@@ -1306,7 +1317,7 @@ class IntraExtensionManager(manager.Manager):
@enforce(("read", "write"), "aggregation_algorithm")
def set_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict):
if aggregation_algorithm_id:
- if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms(DEFAULT_USER_ID):
+ if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms(ROOT_ID):
raise AggregationAlgorithmUnknown()
else:
aggregation_algorithm_id = uuid4().hex
@@ -1455,11 +1466,9 @@ class IntraExtensionManager(manager.Manager):
@dependency.provider('authz_api')
-@dependency.requires('identity_api', 'tenant_api', 'moonlog_api')
class IntraExtensionAuthzManager(IntraExtensionManager):
def __init__(self):
- self.__genre__ = "authz"
super(IntraExtensionAuthzManager, self).__init__()
def authz(self, tenant_name, subject_name, object_name, action_name, genre="authz"):
@@ -1467,14 +1476,14 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
"""Check authorization for a particular action.
:return: True or False or raise an exception
"""
- tenants_dict = self.tenant_api.get_tenants_dict(DEFAULT_USER_ID)
+ tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
tenant_id = None
for _tenant_id in tenants_dict:
if tenants_dict[_tenant_id] is tenant_name:
tenant_id = _tenant_id
break
- intra_extension_id = self.tenant_api.get_tenant_dict(DEFAULT_USER_ID, tenant_id)[genre]
+ intra_extension_id = self.tenant_api.get_tenant_dict(ADMIN_ID, tenant_id)[genre]
if not intra_extension_id:
raise TenantNoIntraExtension()
@@ -1501,15 +1510,57 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
raise ActionUnknown()
return super(IntraExtensionAuthzManager, self).authz(intra_extension_id, subject_id, object_id, action_id)
+ def add_subject_dict(self, user_id, intra_extension_id, subject_dict):
+ # TODO: sync with intra_admin_extension subjects table, need double check in both authz and admin
+ return
+
+ def del_subject(self, user_id, intra_extension_id, subject_id):
+ # TODO: sync with intra_admin_extension subjects table, need double check in both authz and admin
+ pass
+
+ def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict):
+ # TODO: sync with intra_admin_extension subjects table, need double check in both authz and admin
+ return
+
+ # TODO: for other no heritaged functions, add raise AuthzException()
+
@dependency.provider('admin_api')
-@dependency.requires('identity_api', 'tenant_api', 'moonlog_api')
class IntraExtensionAdminManager(IntraExtensionManager):
def __init__(self):
- self.__genre__ = "admin"
super(IntraExtensionAdminManager, self).__init__()
+ def add_subject_dict(self, user_id, intra_extension_id, subject_dict):
+ # TODO: sync with intra_authz_extension subjects table, need double check in both authz and admin
+ return
+
+ def del_subject(self, user_id, intra_extension_id, subject_id):
+ # TODO: sync with intra_authz_extension subjects table, need double check in both authz and admin
+ pass
+
+ def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict):
+ # TODO: sync with intra_authz_extension subjects table, need double check in both authz and admin
+ return
+
+ def add_object_dict(self, user_id, intra_extension_id, object_name):
+ raise ObjectsWriteNoAuthorized()
+
+ def set_object_dict(self, user_id, intra_extension_id, object_id, object_dict):
+ raise ObjectsWriteNoAuthorized()
+
+ def del_object(self, user_id, intra_extension_id, object_id):
+ raise ObjectsWriteNoAuthorized()
+
+ def add_action_dict(self, user_id, intra_extension_id, action_name):
+ raise ActionsWriteNoAuthorized()
+
+ def set_action_dict(self, user_id, intra_extension_id, action_id, action_dict):
+ raise ActionsWriteNoAuthorized()
+
+ def del_action(self, user_id, intra_extension_id, action_id):
+ raise ActionsWriteNoAuthorized()
+
@dependency.provider('moonlog_api')
class LogManager(manager.Manager):
@@ -1741,10 +1792,6 @@ class IntraExtensionDriver(object):
def get_intra_extensions_dict(self):
raise exception.NotImplemented() # pragma: no cover
- # TODO: check with load
- # def add_intra_extensions_dict(self):
- # raise exception.NotImplemented() # pragma: no cover
-
def del_intra_extension(self, intra_extension_id):
raise exception.NotImplemented() # pragma: no cover
@@ -1979,18 +2026,6 @@ class LogDriver(object):
raise exception.NotImplemented() # pragma: no cover
-# @dependency.provider('superextension_api')
-# class SuperExtensionManager(manager.Manager):
-#
-# def __init__(self):
-# driver = CONF.moon.superextension_driver
-# super(SuperExtensionManager, self).__init__(driver)
-#
-# def authz(self, sub, obj, act):
-# #return self.driver.admin(sub, obj, act)
-# return True
-
-
# @dependency.provider('interextension_api')
# @dependency.requires('identity_api')
# class InterExtensionManager(manager.Manager):
@@ -2028,26 +2063,6 @@ class LogDriver(object):
# return ref
#
#
-# class SuperExtensionDriver(object):
-#
-# def __init__(self):
-# self.__super_extension = None
-#
-# def admin(self, sub, obj, act):
-# return self.__super_extension.authz(sub, obj, act)
-#
-# def delegate(self, delegating_uuid, delegated_uuid, privilege): # TODO later
-# pass
-#
-# # Getter and Setter for SuperExtensions
-#
-# def get_super_extensions(self):
-# raise exception.NotImplemented() # pragma: no cover
-#
-# def create_super_extensions(self, super_id, super_extension):
-# raise exception.NotImplemented() # pragma: no cover
-#
-#
# class InterExtensionDriver(object):
#
# # Getter and Setter for InterExtensions
diff --git a/keystone-moon/keystone/contrib/moon/exception.py b/keystone-moon/keystone/contrib/moon/exception.py
index 37116d68..d2e67030 100644
--- a/keystone-moon/keystone/contrib/moon/exception.py
+++ b/keystone-moon/keystone/contrib/moon/exception.py
@@ -69,6 +69,12 @@ class TenantNoIntraExtension(TenantException):
logger = "ERROR"
+class TenantNoIntraAuthzExtension(TenantNoIntraExtension):
+ message_format = _("The tenant has not intra_admin_extension.")
+ code = 400
+ title = 'Tenant No Intra_Admin_Extension'
+ logger = "ERROR"
+
# Exceptions for IntraExtension
@@ -230,6 +236,20 @@ class ActionNameExisting(AdminPerimeter):
logger = "ERROR"
+class ObjectsWriteNoAuthorized(AdminPerimeter):
+ message_format = _("The modification on Objects is not authorized.")
+ code = 400
+ title = 'Objects Write No Authorized'
+ logger = "AUTHZ"
+
+
+class ActionsWriteNoAuthorized(AdminPerimeter):
+ message_format = _("The modification on Actions is not authorized.")
+ code = 400
+ title = 'Actions Write No Authorized'
+ logger = "AUTHZ"
+
+
class SubjectScopeUnknown(AdminScope):
message_format = _("The given subject scope is unknown.")
code = 400
diff --git a/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py b/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py
index a49ca206..352b69ac 100644
--- a/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py
+++ b/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py
@@ -12,156 +12,183 @@ def upgrade(migrate_engine):
meta.bind = migrate_engine
intra_extension_table = sql.Table(
- 'intra_extension',
+ 'intra_extensions',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('name', sql.String(64), nullable=False),
- sql.Column('model', sql.String(64), nullable=True),
- sql.Column('description', sql.Text(), nullable=True),
+ sql.Column('intra_extension', k_sql.JsonBlob(), nullable=True),
mysql_engine='InnoDB',
mysql_charset='utf8')
intra_extension_table.create(migrate_engine, checkfirst=True)
- subjects_table = sql.Table(
- 'subject',
+ tenant_table = sql.Table(
+ 'tenants',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('subjects', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('tenant', k_sql.JsonBlob(), nullable=True),
mysql_engine='InnoDB',
mysql_charset='utf8')
- subjects_table.create(migrate_engine, checkfirst=True)
+ tenant_table.create(migrate_engine, checkfirst=True)
- objects_table = sql.Table(
- 'object',
+ subject_categories_table = sql.Table(
+ 'subject_categories',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('objects', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('subject_category', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- objects_table.create(migrate_engine, checkfirst=True)
+ subject_categories_table.create(migrate_engine, checkfirst=True)
- actions_table = sql.Table(
- 'action',
+ object_categories_table = sql.Table(
+ 'object_categories',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('actions', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('object_category', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- actions_table.create(migrate_engine, checkfirst=True)
+ object_categories_table.create(migrate_engine, checkfirst=True)
- subject_categories_table = sql.Table(
- 'subject_category',
+ action_categories_table = sql.Table(
+ 'action_categories',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('subject_categories', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('action_category', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- subject_categories_table.create(migrate_engine, checkfirst=True)
+ action_categories_table.create(migrate_engine, checkfirst=True)
- object_categories_table = sql.Table(
- 'object_category',
+ subjects_table = sql.Table(
+ 'subjects',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('object_categories', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('subject', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- object_categories_table.create(migrate_engine, checkfirst=True)
+ subjects_table.create(migrate_engine, checkfirst=True)
- action_categories_table = sql.Table(
- 'action_category',
+ objects_table = sql.Table(
+ 'objects',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('action_categories', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('object', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- action_categories_table.create(migrate_engine, checkfirst=True)
+ objects_table.create(migrate_engine, checkfirst=True)
- subject_category_values_table = sql.Table(
- 'subject_category_scope',
+ actions_table = sql.Table(
+ 'actions',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('subject_category_scope', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('action', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- subject_category_values_table.create(migrate_engine, checkfirst=True)
+ actions_table.create(migrate_engine, checkfirst=True)
- object_category_values_table = sql.Table(
- 'object_category_scope',
+ subject_scopes_table = sql.Table(
+ 'subject_scopes',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('object_category_scope', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('subject_scope', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('subject_category_id', sql.ForeignKey("subject_categories.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- object_category_values_table.create(migrate_engine, checkfirst=True)
+ subject_scopes_table.create(migrate_engine, checkfirst=True)
- action_category_values_table = sql.Table(
- 'action_category_scope',
+ object_scopes_table = sql.Table(
+ 'object_scopes',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('action_category_scope', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('object_scope', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('object_category_id', sql.ForeignKey("object_categories.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- action_category_values_table.create(migrate_engine, checkfirst=True)
+ object_scopes_table.create(migrate_engine, checkfirst=True)
- subject_category_assignments_table = sql.Table(
- 'subject_category_assignment',
+ action_scopes_table = sql.Table(
+ 'action_category_scopes',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('subject_category_assignments', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('action_scope', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('action_category_id', sql.ForeignKey("action_categories.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- subject_category_assignments_table.create(migrate_engine, checkfirst=True)
+ action_scopes_table.create(migrate_engine, checkfirst=True)
- object_category_assignments_table = sql.Table(
- 'object_category_assignment',
+ subject_assignments_table = sql.Table(
+ 'subject_assignments',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('object_category_assignments', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('subject_category_assignment', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('subject_id', sql.ForeignKey("subjects.id"), nullable=False),
+ sql.Column('subject_category_id', sql.ForeignKey("subject_categories.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- object_category_assignments_table.create(migrate_engine, checkfirst=True)
+ subject_assignments_table.create(migrate_engine, checkfirst=True)
- action_category_assignments_table = sql.Table(
- 'action_category_assignment',
+ object_assignments_table = sql.Table(
+ 'object_assignments',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('action_category_assignments', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('object_assignments', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('object_id', sql.ForeignKey("objects.id"), nullable=False),
+ sql.Column('object_category_id', sql.ForeignKey("object_categories.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- action_category_assignments_table.create(migrate_engine, checkfirst=True)
+ object_assignments_table.create(migrate_engine, checkfirst=True)
- meta_rule_table = sql.Table(
- 'metarule',
+ action_assignments_table = sql.Table(
+ 'action_assignments',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('sub_meta_rules', k_sql.JsonBlob(), nullable=True),
- sql.Column('aggregation', sql.Text(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('action_assignment', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('action_id', sql.ForeignKey("actions.id"), nullable=False),
+ sql.Column('action_category_id', sql.ForeignKey("action_categories.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- meta_rule_table.create(migrate_engine, checkfirst=True)
+ action_assignments_table.create(migrate_engine, checkfirst=True)
- rule_table = sql.Table(
- 'rule',
+ aggregation_algorithm_table = sql.Table(
+ 'aggregation_algorithm',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('rules', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('aggregation_algorithm', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- rule_table.create(migrate_engine, checkfirst=True)
+ aggregation_algorithm_table.create(migrate_engine, checkfirst=True)
+
+ sub_meta_rules_table = sql.Table(
+ 'sub_meta_rules',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('sub_meta_rule', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ sub_meta_rules_table.create(migrate_engine, checkfirst=True)
+
+ rules_table = sql.Table(
+ 'rules',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('rule', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ rules_table.create(migrate_engine, checkfirst=True)
+
+ # TODO: load root_extension
def downgrade(migrate_engine):
@@ -169,21 +196,22 @@ def downgrade(migrate_engine):
meta.bind = migrate_engine
for _table in (
- 'subject',
- 'object',
- 'action',
- 'subject_category',
- 'object_category',
- 'action_category',
- 'subject_category_scope',
- 'object_category_scope',
- 'action_category_scope',
- 'subject_category_assignment',
- 'object_category_assignment',
- 'action_category_assignment',
- 'metarule',
- 'rule',
- 'intra_extension',
+ 'rules',
+ 'sub_meta_rules',
+ 'action_category_assignments',
+ 'object_category_assignments',
+ 'subject_category_assignments',
+ 'action_category_scopes',
+ 'object_category_scopes',
+ 'subject_category_scopes',
+ 'actions',
+ 'objects',
+ 'subjects',
+ 'action_categories',
+ 'object_categories',
+ 'subject_categories',
+ 'tenants',
+ 'intra_extensions'
):
try:
table = sql.Table(_table, meta, autoload=True)