From c07dc2887f0ccab9372014790cda130781f28a09 Mon Sep 17 00:00:00 2001
From: WuKong <rebirthmonkey@gmail.com>
Date: Wed, 22 Jul 2015 15:36:11 +0200
Subject: finish review code
Change-Id: Ic5c9dcff1efe48f39cdb3f614675c0f945fe9a27
Signed-off-by: WuKong <rebirthmonkey@gmail.com>
---
.../keystone/contrib/moon/backends/__init__.py | 1 +
.../keystone/contrib/moon/backends/memory.py | 19 +-
.../keystone/contrib/moon/backends/sql.py | 8 +-
keystone-moon/keystone/contrib/moon/controllers.py | 46 ++--
keystone-moon/keystone/contrib/moon/core.py | 255 +++++++++++----------
keystone-moon/keystone/contrib/moon/exception.py | 20 ++
.../contrib/moon/migrate_repo/versions/001_moon.py | 208 +++++++++--------
7 files changed, 297 insertions(+), 260 deletions(-)
(limited to 'keystone-moon/keystone/contrib')
diff --git a/keystone-moon/keystone/contrib/moon/backends/__init__.py b/keystone-moon/keystone/contrib/moon/backends/__init__.py
index 28b42dd4..237bdc3e 100644
--- a/keystone-moon/keystone/contrib/moon/backends/__init__.py
+++ b/keystone-moon/keystone/contrib/moon/backends/__init__.py
@@ -90,6 +90,7 @@ rules = {
sub_meta_rule_id1: {
rule_id1: [subject_scope1, subject_scope2, ..., action_scope1, ..., object_scope1, ... ],
rule_id2: [subject_scope3, subject_scope4, ..., action_scope3, ..., object_scope3, ... ],
+ rule_id3: [thomas, write, admin.subjects]
...},
sub_meta_rule_id2: { },
...}
diff --git a/keystone-moon/keystone/contrib/moon/backends/memory.py b/keystone-moon/keystone/contrib/moon/backends/memory.py
index ddc06831..b2efb723 100644
--- a/keystone-moon/keystone/contrib/moon/backends/memory.py
+++ b/keystone-moon/keystone/contrib/moon/backends/memory.py
@@ -36,21 +36,4 @@ class ConfigurationConnector(ConfigurationDriver):
return self.aggregation_algorithm_dict
def get_sub_meta_rule_algorithm_dict(self):
- return self.sub_meta_rule_algorithm_dict
-
-# class SuperExtensionConnector(SuperExtensionDriver):
-#
-# def __init__(self):
-# super(SuperExtensionConnector, self).__init__()
-# # Super_Extension is loaded every time the server is started
-# self.__uuid = uuid4().hex
-# # self.__super_extension = Extension()
-# _policy_abs_dir = os.path.join(CONF.moon.super_extension_directory, 'policy')
-# # self.__super_extension.load_from_json(_policy_abs_dir)
-#
-# def get_super_extensions(self):
-# return None
-#
-# def admin(self, sub, obj, act):
-# # return self.__super_extension.authz(sub, obj, act)
-# return True
+ return self.sub_meta_rule_algorithm_dict
\ No newline at end of file
diff --git a/keystone-moon/keystone/contrib/moon/backends/sql.py b/keystone-moon/keystone/contrib/moon/backends/sql.py
index 3b331dda..b2e91db0 100644
--- a/keystone-moon/keystone/contrib/moon/backends/sql.py
+++ b/keystone-moon/keystone/contrib/moon/backends/sql.py
@@ -310,7 +310,6 @@ class Rule(sql.ModelBase, sql.DictBase):
__all_objects__ = (
- IntraExtensionUnknown,
Tenant,
Subject,
Object,
@@ -362,10 +361,7 @@ class TenantConnector(TenantDriver):
ref = query.first()
tenant_ref = ref.to_dict()
tenant_ref.update(tenant_dict)
- new_tenant = Tenant(
- id=tenant_id,
- tenant=tenant_ref
- )
+ new_tenant = Tenant(id=tenant_id, tenant=tenant_ref)
for attr in Tenant.attributes:
if attr != 'id':
setattr(ref, attr, getattr(new_tenant, attr))
@@ -382,8 +378,6 @@ class IntraExtensionConnector(IntraExtensionDriver):
ref_list = query.all()
return {_ref.id: _ref.intraextension for _ref in ref_list}
- # TODO (dthom): load_intra_extension(self):
-
def del_intra_extension(self, intra_extension_id):
with sql.transaction() as session:
ref = session.query(IntraExtension).get(intra_extension_id)
diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py
index d8737dd9..fadc2731 100644
--- a/keystone-moon/keystone/contrib/moon/controllers.py
+++ b/keystone-moon/keystone/contrib/moon/controllers.py
@@ -94,6 +94,7 @@ class Tenants(controller.V3Controller):
tenant_id = kw.get("tenant_id", None)
return self.tenant_api.del_tenant(user_id, tenant_id)
+ @controller.protected()
def set_tenant(self, context, **kw):
user_id = self._get_user_id_from_token(context.get('token_id'))
tenant_id = kw.get('id', None)
@@ -142,22 +143,25 @@ class IntraExtensions(controller.V3Controller):
def add_intra_extension(self, context, **kw):
user_id = self._get_user_id_from_token(context.get('token_id'))
intra_extension_dict = dict()
- intra_extension_dict["intra_extension_name"] = kw.get("intra_extension_name", dict())
- intra_extension_dict["subject_categories"] = kw.get("subject_categories", dict())
- intra_extension_dict["object_categories"] = kw.get("object_categories", dict())
- intra_extension_dict["action_categories"] = kw.get("action_categories", dict())
- intra_extension_dict["subjects"] = kw.get("subjects", dict())
- intra_extension_dict["objects"] = kw.get("objects", dict())
- intra_extension_dict["actions"] = kw.get("actions", dict())
- intra_extension_dict["subject_category_scopes"] = kw.get("subject_category_scopes", dict())
- intra_extension_dict["object_category_scopes"] = kw.get("object_category_scopes", dict())
- intra_extension_dict["action_category_scopes"] = kw.get("action_category_scopes", dict())
- intra_extension_dict["subject_assignments"] = kw.get("subject_assignments", dict())
- intra_extension_dict["object_assignments"] = kw.get("object_assignments", dict())
- intra_extension_dict["action_assignments"] = kw.get("action_assignments", dict())
- intra_extension_dict["aggregation_algorithm"] = kw.get("aggregation_algorithm", dict())
- intra_extension_dict["sub_meta_rules"] = kw.get("sub_meta_rules", dict())
- intra_extension_dict["rules"] = kw.get("rules", dict())
+ intra_extension_dict["name"] = kw.get("intra_extension_name", None)
+ intra_extension_dict["model"] = kw.get("intra_extension_model", None)
+ intra_extension_dict["genre"] = kw.get("intra_extension_genre", None)
+ intra_extension_dict["description"] = kw.get("intra_extension_description", None)
+ intra_extension_dict["subject_categories"] = kw.get("intra_extension_subject_categories", dict())
+ intra_extension_dict["object_categories"] = kw.get("intra_extension_object_categories", dict())
+ intra_extension_dict["action_categories"] = kw.get("intra_extension_action_categories", dict())
+ intra_extension_dict["subjects"] = kw.get("intra_extension_subjects", dict())
+ intra_extension_dict["objects"] = kw.get("intra_extension_objects", dict())
+ intra_extension_dict["actions"] = kw.get("intra_extension_actions", dict())
+ intra_extension_dict["subject_category_scopes"] = kw.get("intra_extension_subject_category_scopes", dict())
+ intra_extension_dict["object_category_scopes"] = kw.get("intra_extension_object_category_scopes", dict())
+ intra_extension_dict["action_category_scopes"] = kw.get("intra_extension_action_category_scopes", dict())
+ intra_extension_dict["subject_assignments"] = kw.get("intra_extension_subject_assignments", dict())
+ intra_extension_dict["object_assignments"] = kw.get("intra_extension_object_assignments", dict())
+ intra_extension_dict["action_assignments"] = kw.get("intra_extension_action_assignments", dict())
+ intra_extension_dict["aggregation_algorithm"] = kw.get("intra_extension_aggregation_algorithm", dict())
+ intra_extension_dict["sub_meta_rules"] = kw.get("intra_extension_sub_meta_rules", dict())
+ intra_extension_dict["rules"] = kw.get("intra_extension_rules", dict())
return self.admin_api.load_intra_extension_dict(user_id, intra_extension_dict)
@controller.protected()
@@ -179,6 +183,7 @@ class IntraExtensions(controller.V3Controller):
intra_extension_dict = dict()
intra_extension_dict["name"] = kw.get("intra_extension_name", None)
intra_extension_dict["model"] = kw.get("intra_extension_model", None)
+ intra_extension_dict["genre"] = kw.get("intra_extension_genre", None)
intra_extension_dict["description"] = kw.get("intra_extension_description", None)
return self.admin_api.set_intra_extension_dict(user_id, ie_id, intra_extension_dict)
@@ -781,13 +786,6 @@ class InterExtensions(controller.V3Controller):
# return self.interextension_api.delete_inter_extension(kw["inter_extension_id"])
-@dependency.requires('authz_api')
-class SuperExtensions(controller.V3Controller):
-
- def __init__(self):
- super(SuperExtensions, self).__init__()
-
-
@dependency.requires('moonlog_api', 'authz_api')
class Logs(controller.V3Controller):
@@ -803,7 +801,5 @@ class Logs(controller.V3Controller):
def get_logs(self, context, **kw):
user_id = self._get_user_id_from_token(context.get('token_id'))
options = kw.get("options", "")
- # FIXME (dthom): the authorization for get_logs must be done with an intra_extension
- #if self.authz_api.admin(user["name"], "logs", "read"):
return self.moonlog_api.get_logs(user_id, options)
diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py
index fcb8ebfa..7761130e 100644
--- a/keystone-moon/keystone/contrib/moon/core.py
+++ b/keystone-moon/keystone/contrib/moon/core.py
@@ -25,9 +25,9 @@ from keystone.contrib.moon.algorithms import *
CONF = config.CONF
LOG = log.getLogger(__name__)
-DEFAULT_USER_ID = uuid4().hex # default user_id for internal invocation
-SUPER_TENANT_ID = uuid4().hex
-SUPER_EXTENSION_ID = uuid4().hex
+# TODO: call functions to get these 2 variables
+ADMIN_ID = uuid4().hex # default user_id for internal invocation
+ROOT_EXTENSION_ID = uuid4().hex
_OPTS = [
@@ -104,35 +104,54 @@ def filter_input(func_or_str):
def enforce(action_names, object_name, **extra):
_action_name_list = action_names
+ _object_name = object_name
def wrap(func):
def wrapped(*args):
# global actions
self = args[0]
- user_name = args[1]
- intra_extension_id = args[2]
- if intra_extension_id not in self.admin_api.get_intra_extensions(DEFAULT_USER_ID):
- raise IntraExtensionUnknown()
-
- tenants_dict = self.tenant_api.get_tenants_dict(DEFAULT_USER_ID)
+ user_id = args[1]
intra_admin_extension_id = None
- tenant_name = None
- for tenant_id in tenants_dict:
- if tenants_dict[tenant_id]['intra_authz_extension_id'] is intra_extension_id:
- intra_admin_extension_id = tenants_dict[tenant_id]['intra_admin_extension_id']
- tenant_name = tenants_dict[tenant_id]['name']
+ try:
+ intra_extension_id = args[2]
+ except:
+ intra_admin_extension_id = ROOT_EXTENSION_ID
+
+ intra_extensions_dict = self.admin_api.get_intra_extensions(ADMIN_ID)
+ if intra_extension_id not in intra_extensions_dict:
+ raise IntraExtensionUnknown()
+ tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
+ for _tenant_id in tenants_dict:
+ if tenants_dict[_tenant_id]['intra_authz_extension_id'] is intra_extension_id or \
+ tenants_dict[_tenant_id]['intra_admin_extension_id'] is intra_extension_id:
+ intra_admin_extension_id = tenants_dict[_tenant_id]['intra_admin_extension_id']
if not intra_admin_extension_id:
- args[0].moonlog_api.warning("No admin IntraExtension found, authorization granted by default.")
+ args[0].moonlog_api.warning("No Intra_Admin_Extension found, authorization granted by default.")
return func(*args)
else:
- authz_result = False
+ objects_dict = self.admin_api.get_objects_dict(ADMIN_ID, intra_admin_extension_id)
+ object_name = intra_extensions_dict[intra_extension_id]['genre'] + '.' + _object_name
+ object_id = None
+ for _object_id in objects_dict:
+ if objects_dict[_object_id]['name'] is object_name:
+ object_id = _object_id
+ break
if type(_action_name_list) in (str, unicode):
action_name_list = (_action_name_list, )
else:
action_name_list = _action_name_list
- for action_name in action_name_list:
- if self.authz_api.authz(tenant_name, user_name, object_name, action_name, 'admin'):
+ actions_dict = self.admin_api.get_actions_dict(ADMIN_ID, intra_admin_extension_id)
+ action_id_list = list()
+ for _action_name in action_name_list:
+ for _action_id in actions_dict:
+ if actions_dict[_action_id]['name'] is _action_name:
+ action_id_list.append(_action_id)
+ break
+
+ authz_result = False
+ for action_id in action_id_list:
+ if self.driver.authz(intra_admin_extension_id, user_id, object_id, action_id):
authz_result = True
else:
authz_result = False
@@ -143,42 +162,6 @@ def enforce(action_names, object_name, **extra):
return wrap
-def super_enforce(action_names, object_name, **extra):
- _action_name_list = action_names
-
- def wrap(func):
- def wrapped(*args):
- # global actions
- return func(*args)
- # self = args[0]
- # user_name = args[1]
- # intra_extension_id = SUPER_EXTENSION_ID
- # if intra_extension_id not in self.admin_api.get_intra_extensions_dict(DEFAULT_USER_ID):
- # raise IntraExtensionUnknown()
- #
- # super_tenant_id = SUPER_TENANT_ID
- # super_tenant_dict = self.tenant_api.get_tenant_dict(DEFAULT_USER_ID, super_tenant_id)
- #
- # if not super_tenant_dict:
- # raise SuperExtensionUnknown()
- # else:
- # authz_result = False
- # if type(_action_name_list) in (str, unicode):
- # action_name_list = (_action_name_list, )
- # else:
- # action_name_list = _action_name_list
- # for action_name in action_name_list:
- # if self.authz_api.authz(super_tenant_dict['name'], user_name, object_name, action_name, 'authz'):
- # authz_result = True
- # else:
- # authz_result = False
- # break
- # if authz_result:
- # return func(*args)
- return wrapped
- return wrap
-
-
@dependency.provider('configuration_api')
@dependency.requires('moonlog_api')
class ConfigurationManager(manager.Manager):
@@ -186,7 +169,7 @@ class ConfigurationManager(manager.Manager):
def __init__(self):
super(ConfigurationManager, self).__init__(CONF.moon.configuration_driver)
- @super_enforce("read", "templates")
+ @enforce("read", "templates")
def get_policy_templates_dict(self, user_id):
"""
Return a dictionary of all policy templates
@@ -194,7 +177,7 @@ class ConfigurationManager(manager.Manager):
"""
return self.driver.get_policy_templates_dict()
- @super_enforce("read", "templates")
+ @enforce("read", "templates")
def get_policy_template_id_from_name(self, user_id, policy_template_name):
policy_template_dict = self.driver.get_policy_templates_dict()
for policy_template_id in policy_template_dict:
@@ -202,7 +185,7 @@ class ConfigurationManager(manager.Manager):
return policy_template_id
return None
- @super_enforce("read", "aggregation_algorithms")
+ @enforce("read", "aggregation_algorithms")
def get_aggregation_algorithms_dict(self, user_id):
"""
Return a dictionary of all aggregation algorithm
@@ -210,7 +193,7 @@ class ConfigurationManager(manager.Manager):
"""
return self.driver.get_aggregation_algorithms_dict()
- @super_enforce("read", "aggregation_algorithms")
+ @enforce("read", "aggregation_algorithms")
def get_aggregation_algorithm_id_from_name(self, user_id, aggregation_algorithm_name):
aggregation_algorithm_dict = self.driver.get_aggregation_algorithms_dict()
for aggregation_algorithm_id in aggregation_algorithm_dict:
@@ -218,7 +201,7 @@ class ConfigurationManager(manager.Manager):
return aggregation_algorithm_id
return None
- @super_enforce("read", "sub_meta_rule_algorithms")
+ @enforce("read", "sub_meta_rule_algorithms")
def get_sub_meta_rule_algorithms_dict(self, user_id):
"""
Return a dictionary of sub_meta_rule algorithm
@@ -226,7 +209,7 @@ class ConfigurationManager(manager.Manager):
"""
return self.driver.get_sub_meta_rule_algorithms_dict()
- @super_enforce("read", "sub_meta_rule_algorithms")
+ @enforce("read", "sub_meta_rule_algorithms")
def get_sub_meta_rule_algorithm_id_from_name(self, sub_meta_rule_algorithm_name):
sub_meta_rule_algorithm_dict = self.driver.get_sub_meta_rule_algorithms_dict()
for sub_meta_rule_algorithm_id in sub_meta_rule_algorithm_dict:
@@ -242,7 +225,7 @@ class TenantManager(manager.Manager):
def __init__(self):
super(TenantManager, self).__init__(CONF.moon.tenant_driver)
- @super_enforce("read", "tenants")
+ @enforce("read", "tenants")
def get_tenants_dict(self, user_id):
"""
Return a dictionary with all tenants
@@ -259,31 +242,60 @@ class TenantManager(manager.Manager):
"""
return self.driver.get_tenants_dict()
- @super_enforce(("read", "write"), "tenants")
+ @enforce(("read", "write"), "tenants")
def add_tenant_dict(self, user_id, tenant_dict):
tenants_dict = self.driver.get_tenants_dict()
for tenant_id in tenants_dict:
if tenants_dict[tenant_id]['name'] is tenant_dict['name']:
raise TenantAddedNameExisting()
+
+ # Sync users between intra_authz_extension and intra_admin_extension
+ if tenant_dict['intra_admin_extension']:
+ if not tenant_dict['intra_authz_extension']:
+ raise TenantNoIntraAuthzExtension
+ else:
+ authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension'])
+ admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension'])
+ for _subject_id in authz_subjects_dict:
+ if _subject_id not in admin_subjects_dict:
+ self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension'], authz_subjects_dict[_subject_id])
+ for _subject_id in admin_subjects_dict:
+ if _subject_id not in authz_subjects_dict:
+ self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id])
return self.driver.add_tenant_dict(uuid4().hex, tenant_dict)
- @super_enforce("read", "tenants")
+ @enforce("read", "tenants")
def get_tenant_dict(self, user_id, tenant_id):
tenants_dict = self.driver.get_tenants_dict()
if tenant_id not in tenants_dict:
raise TenantUnknown()
return tenants_dict[tenant_id]
- @super_enforce(("read", "write"), "tenants")
+ @enforce(("read", "write"), "tenants")
def del_tenant(self, user_id, tenant_id):
if tenant_id not in self.driver.get_tenants_dict():
raise TenantUnknown()
self.driver.del_tenant(tenant_id)
- @super_enforce(("read", "write"), "tenants")
+ @enforce(("read", "write"), "tenants")
def set_tenant_dict(self, user_id, tenant_id, tenant_dict):
- if tenant_id not in self.driver.get_tenants_dict():
+ tenants_dict = self.driver.get_tenants_dict()
+ if tenant_id not in tenants_dict:
raise TenantUnknown()
+
+ # Sync users between intra_authz_extension and intra_admin_extension
+ if tenant_dict['intra_admin_extension']:
+ if not tenant_dict['intra_authz_extension']:
+ raise TenantNoIntraAuthzExtension
+ else:
+ authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension'])
+ admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension'])
+ for _subject_id in authz_subjects_dict:
+ if _subject_id not in admin_subjects_dict:
+ self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension'], authz_subjects_dict[_subject_id])
+ for _subject_id in admin_subjects_dict:
+ if _subject_id not in authz_subjects_dict:
+ self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id])
return self.driver.set_tenant_dict(tenant_id, tenant_dict)
@@ -291,7 +303,6 @@ class TenantManager(manager.Manager):
class IntraExtensionManager(manager.Manager):
def __init__(self):
- self.__genre__ = None
driver = CONF.moon.intraextension_driver
super(IntraExtensionManager, self).__init__(driver)
@@ -335,9 +346,9 @@ class IntraExtensionManager(manager.Manager):
for category in meta_data_dict["action_categories"]:
action_assignment_dict[category] = self.driver.get_action_assignment_list(
intra_extension_id, action_id)[category]
- authz_buffer['subject_attributes'] = dict()
- authz_buffer['object_attributes'] = dict()
- authz_buffer['action_attributes'] = dict()
+ authz_buffer['subject_assignments'] = dict()
+ authz_buffer['object_assignments'] = dict()
+ authz_buffer['action_assignments'] = dict()
for _subject_category in meta_data_dict['subject_categories']:
authz_buffer['subject_assignments'][_subject_category] = subject_assignment_dict[_subject_category]
for _object_category in meta_data_dict['object_categories']:
@@ -385,7 +396,7 @@ class IntraExtensionManager(manager.Manager):
return False
- @super_enforce("read", "intra_extensions")
+ @enforce("read", "intra_extensions")
def get_intra_extensions_dict(self, user_id):
"""
:param user_id:
@@ -647,13 +658,13 @@ class IntraExtensionManager(manager.Manager):
rules[sub_rule_id].append(subrule)
self.driver.set_rule_dict(intra_extension_dict["id"], sub_rule_id, uuid4().hex, rules)
- @super_enforce(("read", "write"), "intra_extensions")
+ @enforce(("read", "write"), "intra_extensions")
def load_intra_extension_dict(self, user_id, intra_extension_dict):
ie_dict = dict()
- # TODO: clean some values
ie_dict['id'] = uuid4().hex
ie_dict["name"] = filter_input(intra_extension_dict["name"])
- ie_dict["model"] = filter_input(intra_extension_dict["policymodel"])
+ ie_dict["model"] = filter_input(intra_extension_dict["model"])
+ ie_dict["genre"] = filter_input(intra_extension_dict["genre"])
ie_dict["description"] = filter_input(intra_extension_dict["description"])
ref = self.driver.set_intra_extension_dict(ie_dict['id'], ie_dict)
self.moonlog_api.debug("Creation of IE: {}".format(ref))
@@ -667,7 +678,7 @@ class IntraExtensionManager(manager.Manager):
self.__load_rule_file(ie_dict, policy_dir)
return ref
- @super_enforce("read", "intra_extensions")
+ @enforce("read", "intra_extensions")
def get_intra_extension_dict(self, user_id, intra_extension_id):
"""
:param user_id:
@@ -677,13 +688,13 @@ class IntraExtensionManager(manager.Manager):
raise IntraExtensionUnknown()
return self.driver.get_intra_extensions_dict()[intra_extension_id]
- @super_enforce(("read", "write"), "intra_extensions")
+ @enforce(("read", "write"), "intra_extensions")
def del_intra_extension(self, user_id, intra_extension_id):
if intra_extension_id not in self.driver.get_intra_extensions_dict():
raise IntraExtensionUnknown()
return self.driver.del_intra_extension(intra_extension_id)
- @super_enforce(("read", "write"), "intra_extensions")
+ @enforce(("read", "write"), "intra_extensions")
def set_intra_extension_dict(self, user_id, intra_extension_id, intra_extension_dict):
if intra_extension_id not in self.driver.get_intra_extensions_dict():
raise IntraExtensionUnknown()
@@ -1306,7 +1317,7 @@ class IntraExtensionManager(manager.Manager):
@enforce(("read", "write"), "aggregation_algorithm")
def set_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict):
if aggregation_algorithm_id:
- if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms(DEFAULT_USER_ID):
+ if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms(ROOT_ID):
raise AggregationAlgorithmUnknown()
else:
aggregation_algorithm_id = uuid4().hex
@@ -1455,11 +1466,9 @@ class IntraExtensionManager(manager.Manager):
@dependency.provider('authz_api')
-@dependency.requires('identity_api', 'tenant_api', 'moonlog_api')
class IntraExtensionAuthzManager(IntraExtensionManager):
def __init__(self):
- self.__genre__ = "authz"
super(IntraExtensionAuthzManager, self).__init__()
def authz(self, tenant_name, subject_name, object_name, action_name, genre="authz"):
@@ -1467,14 +1476,14 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
"""Check authorization for a particular action.
:return: True or False or raise an exception
"""
- tenants_dict = self.tenant_api.get_tenants_dict(DEFAULT_USER_ID)
+ tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
tenant_id = None
for _tenant_id in tenants_dict:
if tenants_dict[_tenant_id] is tenant_name:
tenant_id = _tenant_id
break
- intra_extension_id = self.tenant_api.get_tenant_dict(DEFAULT_USER_ID, tenant_id)[genre]
+ intra_extension_id = self.tenant_api.get_tenant_dict(ADMIN_ID, tenant_id)[genre]
if not intra_extension_id:
raise TenantNoIntraExtension()
@@ -1501,15 +1510,57 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
raise ActionUnknown()
return super(IntraExtensionAuthzManager, self).authz(intra_extension_id, subject_id, object_id, action_id)
+ def add_subject_dict(self, user_id, intra_extension_id, subject_dict):
+ # TODO: sync with intra_admin_extension subjects table, need double check in both authz and admin
+ return
+
+ def del_subject(self, user_id, intra_extension_id, subject_id):
+ # TODO: sync with intra_admin_extension subjects table, need double check in both authz and admin
+ pass
+
+ def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict):
+ # TODO: sync with intra_admin_extension subjects table, need double check in both authz and admin
+ return
+
+ # TODO: for other no heritaged functions, add raise AuthzException()
+
@dependency.provider('admin_api')
-@dependency.requires('identity_api', 'tenant_api', 'moonlog_api')
class IntraExtensionAdminManager(IntraExtensionManager):
def __init__(self):
- self.__genre__ = "admin"
super(IntraExtensionAdminManager, self).__init__()
+ def add_subject_dict(self, user_id, intra_extension_id, subject_dict):
+ # TODO: sync with intra_authz_extension subjects table, need double check in both authz and admin
+ return
+
+ def del_subject(self, user_id, intra_extension_id, subject_id):
+ # TODO: sync with intra_authz_extension subjects table, need double check in both authz and admin
+ pass
+
+ def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict):
+ # TODO: sync with intra_authz_extension subjects table, need double check in both authz and admin
+ return
+
+ def add_object_dict(self, user_id, intra_extension_id, object_name):
+ raise ObjectsWriteNoAuthorized()
+
+ def set_object_dict(self, user_id, intra_extension_id, object_id, object_dict):
+ raise ObjectsWriteNoAuthorized()
+
+ def del_object(self, user_id, intra_extension_id, object_id):
+ raise ObjectsWriteNoAuthorized()
+
+ def add_action_dict(self, user_id, intra_extension_id, action_name):
+ raise ActionsWriteNoAuthorized()
+
+ def set_action_dict(self, user_id, intra_extension_id, action_id, action_dict):
+ raise ActionsWriteNoAuthorized()
+
+ def del_action(self, user_id, intra_extension_id, action_id):
+ raise ActionsWriteNoAuthorized()
+
@dependency.provider('moonlog_api')
class LogManager(manager.Manager):
@@ -1741,10 +1792,6 @@ class IntraExtensionDriver(object):
def get_intra_extensions_dict(self):
raise exception.NotImplemented() # pragma: no cover
- # TODO: check with load
- # def add_intra_extensions_dict(self):
- # raise exception.NotImplemented() # pragma: no cover
-
def del_intra_extension(self, intra_extension_id):
raise exception.NotImplemented() # pragma: no cover
@@ -1979,18 +2026,6 @@ class LogDriver(object):
raise exception.NotImplemented() # pragma: no cover
-# @dependency.provider('superextension_api')
-# class SuperExtensionManager(manager.Manager):
-#
-# def __init__(self):
-# driver = CONF.moon.superextension_driver
-# super(SuperExtensionManager, self).__init__(driver)
-#
-# def authz(self, sub, obj, act):
-# #return self.driver.admin(sub, obj, act)
-# return True
-
-
# @dependency.provider('interextension_api')
# @dependency.requires('identity_api')
# class InterExtensionManager(manager.Manager):
@@ -2028,26 +2063,6 @@ class LogDriver(object):
# return ref
#
#
-# class SuperExtensionDriver(object):
-#
-# def __init__(self):
-# self.__super_extension = None
-#
-# def admin(self, sub, obj, act):
-# return self.__super_extension.authz(sub, obj, act)
-#
-# def delegate(self, delegating_uuid, delegated_uuid, privilege): # TODO later
-# pass
-#
-# # Getter and Setter for SuperExtensions
-#
-# def get_super_extensions(self):
-# raise exception.NotImplemented() # pragma: no cover
-#
-# def create_super_extensions(self, super_id, super_extension):
-# raise exception.NotImplemented() # pragma: no cover
-#
-#
# class InterExtensionDriver(object):
#
# # Getter and Setter for InterExtensions
diff --git a/keystone-moon/keystone/contrib/moon/exception.py b/keystone-moon/keystone/contrib/moon/exception.py
index 37116d68..d2e67030 100644
--- a/keystone-moon/keystone/contrib/moon/exception.py
+++ b/keystone-moon/keystone/contrib/moon/exception.py
@@ -69,6 +69,12 @@ class TenantNoIntraExtension(TenantException):
logger = "ERROR"
+class TenantNoIntraAuthzExtension(TenantNoIntraExtension):
+ message_format = _("The tenant has not intra_admin_extension.")
+ code = 400
+ title = 'Tenant No Intra_Admin_Extension'
+ logger = "ERROR"
+
# Exceptions for IntraExtension
@@ -230,6 +236,20 @@ class ActionNameExisting(AdminPerimeter):
logger = "ERROR"
+class ObjectsWriteNoAuthorized(AdminPerimeter):
+ message_format = _("The modification on Objects is not authorized.")
+ code = 400
+ title = 'Objects Write No Authorized'
+ logger = "AUTHZ"
+
+
+class ActionsWriteNoAuthorized(AdminPerimeter):
+ message_format = _("The modification on Actions is not authorized.")
+ code = 400
+ title = 'Actions Write No Authorized'
+ logger = "AUTHZ"
+
+
class SubjectScopeUnknown(AdminScope):
message_format = _("The given subject scope is unknown.")
code = 400
diff --git a/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py b/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py
index a49ca206..352b69ac 100644
--- a/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py
+++ b/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py
@@ -12,156 +12,183 @@ def upgrade(migrate_engine):
meta.bind = migrate_engine
intra_extension_table = sql.Table(
- 'intra_extension',
+ 'intra_extensions',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('name', sql.String(64), nullable=False),
- sql.Column('model', sql.String(64), nullable=True),
- sql.Column('description', sql.Text(), nullable=True),
+ sql.Column('intra_extension', k_sql.JsonBlob(), nullable=True),
mysql_engine='InnoDB',
mysql_charset='utf8')
intra_extension_table.create(migrate_engine, checkfirst=True)
- subjects_table = sql.Table(
- 'subject',
+ tenant_table = sql.Table(
+ 'tenants',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('subjects', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('tenant', k_sql.JsonBlob(), nullable=True),
mysql_engine='InnoDB',
mysql_charset='utf8')
- subjects_table.create(migrate_engine, checkfirst=True)
+ tenant_table.create(migrate_engine, checkfirst=True)
- objects_table = sql.Table(
- 'object',
+ subject_categories_table = sql.Table(
+ 'subject_categories',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('objects', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('subject_category', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- objects_table.create(migrate_engine, checkfirst=True)
+ subject_categories_table.create(migrate_engine, checkfirst=True)
- actions_table = sql.Table(
- 'action',
+ object_categories_table = sql.Table(
+ 'object_categories',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('actions', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('object_category', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- actions_table.create(migrate_engine, checkfirst=True)
+ object_categories_table.create(migrate_engine, checkfirst=True)
- subject_categories_table = sql.Table(
- 'subject_category',
+ action_categories_table = sql.Table(
+ 'action_categories',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('subject_categories', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('action_category', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- subject_categories_table.create(migrate_engine, checkfirst=True)
+ action_categories_table.create(migrate_engine, checkfirst=True)
- object_categories_table = sql.Table(
- 'object_category',
+ subjects_table = sql.Table(
+ 'subjects',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('object_categories', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('subject', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- object_categories_table.create(migrate_engine, checkfirst=True)
+ subjects_table.create(migrate_engine, checkfirst=True)
- action_categories_table = sql.Table(
- 'action_category',
+ objects_table = sql.Table(
+ 'objects',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('action_categories', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('object', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- action_categories_table.create(migrate_engine, checkfirst=True)
+ objects_table.create(migrate_engine, checkfirst=True)
- subject_category_values_table = sql.Table(
- 'subject_category_scope',
+ actions_table = sql.Table(
+ 'actions',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('subject_category_scope', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('action', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- subject_category_values_table.create(migrate_engine, checkfirst=True)
+ actions_table.create(migrate_engine, checkfirst=True)
- object_category_values_table = sql.Table(
- 'object_category_scope',
+ subject_scopes_table = sql.Table(
+ 'subject_scopes',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('object_category_scope', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('subject_scope', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('subject_category_id', sql.ForeignKey("subject_categories.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- object_category_values_table.create(migrate_engine, checkfirst=True)
+ subject_scopes_table.create(migrate_engine, checkfirst=True)
- action_category_values_table = sql.Table(
- 'action_category_scope',
+ object_scopes_table = sql.Table(
+ 'object_scopes',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('action_category_scope', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('object_scope', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('object_category_id', sql.ForeignKey("object_categories.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- action_category_values_table.create(migrate_engine, checkfirst=True)
+ object_scopes_table.create(migrate_engine, checkfirst=True)
- subject_category_assignments_table = sql.Table(
- 'subject_category_assignment',
+ action_scopes_table = sql.Table(
+ 'action_category_scopes',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('subject_category_assignments', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('action_scope', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('action_category_id', sql.ForeignKey("action_categories.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- subject_category_assignments_table.create(migrate_engine, checkfirst=True)
+ action_scopes_table.create(migrate_engine, checkfirst=True)
- object_category_assignments_table = sql.Table(
- 'object_category_assignment',
+ subject_assignments_table = sql.Table(
+ 'subject_assignments',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('object_category_assignments', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('subject_category_assignment', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('subject_id', sql.ForeignKey("subjects.id"), nullable=False),
+ sql.Column('subject_category_id', sql.ForeignKey("subject_categories.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- object_category_assignments_table.create(migrate_engine, checkfirst=True)
+ subject_assignments_table.create(migrate_engine, checkfirst=True)
- action_category_assignments_table = sql.Table(
- 'action_category_assignment',
+ object_assignments_table = sql.Table(
+ 'object_assignments',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('action_category_assignments', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('object_assignments', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('object_id', sql.ForeignKey("objects.id"), nullable=False),
+ sql.Column('object_category_id', sql.ForeignKey("object_categories.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- action_category_assignments_table.create(migrate_engine, checkfirst=True)
+ object_assignments_table.create(migrate_engine, checkfirst=True)
- meta_rule_table = sql.Table(
- 'metarule',
+ action_assignments_table = sql.Table(
+ 'action_assignments',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('sub_meta_rules', k_sql.JsonBlob(), nullable=True),
- sql.Column('aggregation', sql.Text(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('action_assignment', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('action_id', sql.ForeignKey("actions.id"), nullable=False),
+ sql.Column('action_category_id', sql.ForeignKey("action_categories.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- meta_rule_table.create(migrate_engine, checkfirst=True)
+ action_assignments_table.create(migrate_engine, checkfirst=True)
- rule_table = sql.Table(
- 'rule',
+ aggregation_algorithm_table = sql.Table(
+ 'aggregation_algorithm',
meta,
sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('rules', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('aggregation_algorithm', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
mysql_engine='InnoDB',
mysql_charset='utf8')
- rule_table.create(migrate_engine, checkfirst=True)
+ aggregation_algorithm_table.create(migrate_engine, checkfirst=True)
+
+ sub_meta_rules_table = sql.Table(
+ 'sub_meta_rules',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('sub_meta_rule', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ sub_meta_rules_table.create(migrate_engine, checkfirst=True)
+
+ rules_table = sql.Table(
+ 'rules',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('rule', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ rules_table.create(migrate_engine, checkfirst=True)
+
+ # TODO: load root_extension
def downgrade(migrate_engine):
@@ -169,21 +196,22 @@ def downgrade(migrate_engine):
meta.bind = migrate_engine
for _table in (
- 'subject',
- 'object',
- 'action',
- 'subject_category',
- 'object_category',
- 'action_category',
- 'subject_category_scope',
- 'object_category_scope',
- 'action_category_scope',
- 'subject_category_assignment',
- 'object_category_assignment',
- 'action_category_assignment',
- 'metarule',
- 'rule',
- 'intra_extension',
+ 'rules',
+ 'sub_meta_rules',
+ 'action_category_assignments',
+ 'object_category_assignments',
+ 'subject_category_assignments',
+ 'action_category_scopes',
+ 'object_category_scopes',
+ 'subject_category_scopes',
+ 'actions',
+ 'objects',
+ 'subjects',
+ 'action_categories',
+ 'object_categories',
+ 'subject_categories',
+ 'tenants',
+ 'intra_extensions'
):
try:
table = sql.Table(_table, meta, autoload=True)
--
cgit