# Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from neutron.conf.policies import base rules = [ policy.RuleDefault('get_auto_allocated_topology', base.RULE_ADMIN_OR_OWNER, description=("Access rule for getting a project's " "auto-allocated topology")), policy.RuleDefault('delete_auto_allocated_topology', base.RULE_ADMIN_OR_OWNER, description=("Access rule for deleting a project's " "auto-allocated topology")), ] def list_rules(): return rules
# # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from nova.policies import base BASE_POLICY_NAME = 'os_compute_api:os-flavor-access' POLICY_ROOT = 'os_compute_api:os-flavor-access:%s' flavor_access_policies = [ policy.RuleDefault(name=POLICY_ROOT % 'add_tenant_access', check_str=base.RULE_ADMIN_API), policy.RuleDefault(name=POLICY_ROOT % 'discoverable', check_str=base.RULE_ANY), policy.RuleDefault(name=POLICY_ROOT % 'remove_tenant_access', check_str=base.RULE_ADMIN_API), policy.RuleDefault(name=BASE_POLICY_NAME, check_str=base.RULE_ADMIN_OR_OWNER), ] def list_rules(): return flavor_access_policies
# # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from nova.policies import base BASE_POLICY_NAME = 'os_compute_api:os-extended-server-attributes' POLICY_ROOT = 'os_compute_api:os-extended-server-attributes:%s' extended_server_attributes_policies = [ policy.RuleDefault( name=BASE_POLICY_NAME, check_str=base.RULE_ADMIN_API), policy.RuleDefault( name=POLICY_ROOT % 'discoverable', check_str=base.RULE_ANY), ] def list_rules(): return extended_server_attributes_policies
from oslo_versionedobjects import base as object_base import pecan import wsme from cyborg.common import exception _ENFORCER = None CONF = cfg.CONF LOG = log.getLogger(__name__) default_policies = [ # Legacy setting, don't remove. Likely to be overridden by operators who # forget to update their policy.json configuration file. # This gets rolled into the new "is_admin" rule below. policy.RuleDefault('admin_api', 'role:admin or role:administrator', description='Legacy rule for cloud admin access'), # is_public_api is set in the environment from AuthTokenMiddleware policy.RuleDefault('public_api', 'is_public_api:True', description='Internal flag for public API routes'), # The policy check "@" will always accept an access. The empty list # (``[]``) or the empty string (``""``) is equivalent to the "@" policy.RuleDefault('allow', '@', description='any access will be passed'), # the policy check "!" will always reject an access. policy.RuleDefault('deny', '!', description='all access will be forbidden'), policy.RuleDefault('is_admin', 'rule:admin_api', description='Full read/write API access'), policy.RuleDefault('admin_or_owner',
# http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from neutron.conf.policies import base rules = [ policy.RuleDefault( 'external', 'field:networks:router:external=True', description='Rule of external network'), policy.RuleDefault( 'create_network', base.RULE_ANY, description='Access rule for creating network'), policy.RuleDefault( 'create_network:shared', base.RULE_ADMIN_ONLY, description='Access rule for creating shared network'), policy.RuleDefault( 'create_network:router:external', base.RULE_ADMIN_ONLY, description='Access rule for creating external network'), policy.RuleDefault(
def test_str(self): opt = policy.RuleDefault(name='foo', check_str='rule:foo') self.assertEqual('"foo": "rule:foo"', str(opt))
def test_not_equal_name(self): opt1 = policy.RuleDefault(name='foo', check_str='rule:foo', description='foo') opt2 = policy.RuleDefault(name='bar', check_str='rule:foo', description='bar') self.assertNotEqual(opt1, opt2)
# # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from designate.common.policies import base rules = [ policy.DocumentedRuleDefault( name="find_records", check_str=base.RULE_ADMIN_OR_OWNER, description='Find records.', operations=[{ 'path': '/v2/reverse/floatingips/{region}:{floatingip_id}', 'method': 'GET' }, { 'path': '/v2/reverse/floatingips', 'method': 'GET' }]), policy.RuleDefault(name="count_records", check_str=base.RULE_ADMIN_OR_OWNER) ] def list_rules(): return rules
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy COMPUTE_API = 'os_compute_api' NETWORK_ATTACH_EXTERNAL = 'network:attach_external_network' RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' RULE_ADMIN_API = 'rule:admin_api' RULE_ANY = '@' rules = [ policy.RuleDefault('context_is_admin', 'role:admin'), policy.RuleDefault('admin_or_owner', 'is_admin:True or project_id:%(project_id)s'), policy.RuleDefault('admin_api', 'is_admin:True'), policy.RuleDefault(NETWORK_ATTACH_EXTERNAL, 'is_admin:True'), ] def create_rule_default(name, check_str, description, operations): # TODO(sneti): use DocumentedRuleDefault instead of RuleDefault # when oslo.policy library with DocumentedRuleDefault change is released. # formatted_description hack can be removed then. ops = "" for operation in operations: ops += ('%(method)s %(path)s\n' % { 'method': operation['method'],
# http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy RULE_CONTEXT_IS_ADMIN = 'rule:context_is_admin' RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s' UNPROTECTED = '' rules = [ policy.RuleDefault(name="context_is_admin", check_str="role:admin"), policy.RuleDefault(name="segregation", check_str=RULE_CONTEXT_IS_ADMIN), policy.RuleDefault(name="admin_or_owner", check_str=RULE_ADMIN_OR_OWNER), policy.RuleDefault(name="default", check_str=RULE_ADMIN_OR_OWNER), policy.DocumentedRuleDefault(name="telemetry:get_alarm", check_str=RULE_ADMIN_OR_OWNER, description='Get an alarm.', operations=[{ 'path': '/v2/alarms/{alarm_id}', 'method': 'GET' }]), policy.DocumentedRuleDefault( name="telemetry:get_alarms", check_str=RULE_ADMIN_OR_OWNER, description='Get all alarms, based on the query provided.', operations=[{
from oslo_config import cfg from oslo_log import log from oslo_policy import policy from ironic.common import exception _ENFORCER = None CONF = cfg.CONF LOG = log.getLogger(__name__) default_policies = [ # Legacy setting, don't remove. Likely to be overridden by operators who # forget to update their policy.json configuration file. # This gets rolled into the new "is_admin" rule below. policy.RuleDefault('admin_api', 'role:admin or role:administrator', description='Legacy rule for cloud admin access'), # is_public_api is set in the environment from AuthTokenMiddleware policy.RuleDefault('public_api', 'is_public_api:True', description='Internal flag for public API routes'), # Generic default to hide passwords in node driver_info # NOTE(deva): the 'show_password' policy setting hides secrets in # driver_info. However, the name exists for legacy # purposes and can not be changed. Changing it will cause # upgrade problems for any operators who have customized # the value of this field policy.RuleDefault('show_password', '!', description='Show or mask secrets within node driver information in API responses'), # noqa # Generic default to hide instance secrets
from oslo_utils import excutils from oslo_utils import importutils import six from tacker._i18n import _ from tacker.api.v1 import attributes from tacker.common import exceptions LOG = logging.getLogger(__name__) _ENFORCER = None ADMIN_CTX_POLICY = 'context_is_admin' _BASE_RULES = [ policy.RuleDefault(ADMIN_CTX_POLICY, 'role:admin', description='Rule for cloud admin access'), # policy.RuleDefault( # _ADVSVC_CTX_POLICY, # 'role:advsvc', # description='Rule for advanced service role access'), ] def reset(): global _ENFORCER if _ENFORCER: _ENFORCER.clear() _ENFORCER = None
# Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy rules = [ policy.RuleDefault( 'get_floatingip_pool', 'rule:regular_user', description='Access rule for getting floating IP pools'), ] def list_rules(): return rules
# Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy rules = [policy.RuleDefault('version:get', '@')] def list_rules(): return rules
def test_authorize_opt_registered(self): self.enforcer.register_default(policy.RuleDefault(name='test', check_str='role:test')) self.assertTrue(self.enforcer.authorize('test', {}, {'roles': ['test']}))
# NOTE(johngarbutt) The base rules here affect so many APIs the list # of related API operations has not been populated. It would be # crazy hard to manually maintain such a list. # NOTE(gmann): Keystone already support implied roles means assignment # of one role implies the assignment of another. New defaults roles # `reader`, `member` also has been added in bootstrap. If the bootstrap # process is re-run, and a `reader`, `member`, or `admin` role already # exists, a role implication chain will be created: `admin` implies # `member` implies `reader`. # For example: If we give access to 'reader' it means the 'admin' and # 'member' also get access. rules = [ policy.RuleDefault( "context_is_admin", "role:admin", "Decides what is required for the 'is_admin:True' check to succeed."), policy.RuleDefault( "admin_or_owner", "is_admin:True or project_id:%(project_id)s", "Default rule for most non-Admin APIs.", deprecated_for_removal=True, deprecated_reason=DEPRECATED_REASON, deprecated_since='21.0.0'), policy.RuleDefault( "admin_api", "is_admin:True", "Default rule for most Admin APIs.", deprecated_for_removal=True, deprecated_reason=DEPRECATED_REASON, deprecated_since='21.0.0'),
def test_rule_is_parsed(self): opt = policy.RuleDefault(name='foo', check_str='rule:foo') self.assertIsInstance(opt.check, _checks.BaseCheck) self.assertEqual('rule:foo', str(opt.check))
# a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy rules = [ policy.RuleDefault('create_metering_label', 'rule:admin_only', description='Access rule for creating metering label'), policy.RuleDefault('get_metering_label', 'rule:admin_only', description='Access rule for getting metering label'), policy.RuleDefault('delete_metering_label', 'rule:admin_only', description='Access rule for deleting metering label'), policy.RuleDefault('create_metering_label_rule', 'rule:admin_only', description=('Access rule for creating ' 'metering label rule')), policy.RuleDefault('get_metering_label_rule', 'rule:admin_only', description=('Access rule for getting ' 'metering label rule')),
def test_equality_less_obvious(self): opt1 = policy.RuleDefault(name='foo', check_str='', description='foo') opt2 = policy.RuleDefault(name='foo', check_str='@', description='bar') self.assertEqual(opt1, opt2)
deprecated_find_pool = policy.DeprecatedRule(name="find_pools", check_str=base.RULE_ADMIN) deprecated_get_pool = policy.DeprecatedRule(name="get_pool", check_str=base.RULE_ADMIN) deprecated_update_pool = policy.DeprecatedRule(name="update_pool", check_str=base.RULE_ADMIN) deprecated_delete_pool = policy.DeprecatedRule(name="delete_pool", check_str=base.RULE_ADMIN) deprecated_zone_created_forced_pool = policy.DeprecatedRule( name="zone_create_forced_pool", check_str=base.RULE_ADMIN) rules = [ policy.RuleDefault(name="create_pool", check_str=base.SYSTEM_ADMIN, scope_types=['system'], description='Create pool.', deprecated_rule=deprecated_create_pool, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY), policy.DocumentedRuleDefault( name="find_pools", check_str=base.SYSTEM_READER, scope_types=['system'], description='Find pool.', operations=[{ 'path': '/v2/pools', 'method': 'GET' }], deprecated_rule=deprecated_find_pools, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY),
import fixtures import mock from oslo_config import cfg from six import moves import stevedore import testtools from oslo_policy import generator from oslo_policy import policy from oslo_policy.tests import base OPTS = { 'base_rules': [ policy.RuleDefault('admin', 'is_admin:True', description='Basic admin check'), policy.DocumentedRuleDefault( 'owner', ('project_id:%' '(project_id)s'), 'This is a long ' 'description to check ' 'that line wrapping ' 'functions properly', [{ 'path': '/foo/', 'method': 'GET' }, { 'path': '/test/', 'method': 'POST' }]) ], 'custom_field':
# Copyright 2016 Cloudbase Solutions Srl # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from nova.policies import base BASE_POLICY_NAME = 'os_compute_api:os-flavor-manage' flavor_manage_policies = [ policy.RuleDefault(name=BASE_POLICY_NAME, check_str=base.RULE_ADMIN_API), ] def list_rules(): return flavor_manage_policies
# a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy rules = [ policy.RuleDefault('secret_acls:put_patch', 'rule:secret_project_admin or ' 'rule:secret_project_creator'), policy.RuleDefault('secret_acls:delete', 'rule:secret_project_admin or ' 'rule:secret_project_creator'), policy.RuleDefault('secret_acls:get', 'rule:all_but_audit and ' 'rule:secret_project_match'), policy.RuleDefault('container_acls:put_patch', 'rule:container_project_admin or ' 'rule:container_project_creator'), policy.RuleDefault('container_acls:delete', 'rule:container_project_admin or ' 'rule:container_project_creator'), policy.RuleDefault('container_acls:get', 'rule:all_but_audit and rule:container_project_match'),
# # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy from nova.policies import base BASE_POLICY_NAME = 'os_compute_api:os-cells' POLICY_ROOT = 'os_compute_api:os-cells:%s' cells_policies = [ policy.RuleDefault(name=POLICY_ROOT % 'discoverable', check_str=base.RULE_ANY), base.create_rule_default(POLICY_ROOT % 'update', base.RULE_ADMIN_API, 'Update an existing cell', [{ 'method': 'PUT', 'path': '/os-cells/{cell_id}' }]), base.create_rule_default(POLICY_ROOT % 'create', base.RULE_ADMIN_API, 'Create a new cell', [{ 'method': 'POST', 'path': '/os-cells' }]), base.create_rule_default( BASE_POLICY_NAME, base.RULE_ADMIN_API, 'List and get detailed info of a given cell or all cells', [{
def setUp(self): super(PolicyTestCase, self).setUp() rules = [ oslo_policy.RuleDefault("true", '@'), oslo_policy.RuleDefault("example:allowed", '@'), oslo_policy.RuleDefault("example:denied", "!"), oslo_policy.RuleDefault("old_action_not_default", "@"), oslo_policy.RuleDefault("new_action", "@"), oslo_policy.RuleDefault("old_action_default", "rule:admin_api"), oslo_policy.RuleDefault("example:get_http", "http://www.example.com"), oslo_policy.RuleDefault( "example:my_file", "role:compute_admin or " "project_id:%(project_id)s"), oslo_policy.RuleDefault("example:early_and_fail", "! and @"), oslo_policy.RuleDefault("example:early_or_success", "@ or !"), oslo_policy.RuleDefault("example:lowercase_admin", "role:admin or role:sysadmin"), oslo_policy.RuleDefault("example:uppercase_admin", "role:ADMIN or role:sysadmin"), ] policy.reset() policy.init() # before a policy rule can be used, its default has to be registered. policy._ENFORCER.register_defaults(rules) self.context = context.RequestContext('fake', 'fake', roles=['member']) self.target = {}
def setUp(self): super(PolicyTestCase, self).setUp() rule = oslo_policy.RuleDefault('has_foo_role', "role:foo") enforcer = policy.get_enforcer() enforcer.register_default(rule)
# All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' ROLE_ADMIN = 'role:admin' UNPROTECTED = '' rules = [ policy.RuleDefault(name='context_is_admin', check_str='role:admin'), policy.RuleDefault(name='admin_or_owner', check_str='is_admin:True or project_id:%(project_id)s'), policy.RuleDefault(name='default', check_str=UNPROTECTED) ] def list_rules(): return rules
DEPRECATED_REASON = ( "The security group API now supports system scope and default roles.") SG_COLLECTION_PATH = '/security-groups' SG_RESOURCE_PATH = '/security-groups/{id}' RULE_COLLECTION_PATH = '/security-group-rules' RULE_RESOURCE_PATH = '/security-group-rules/{id}' RULE_ADMIN_OR_SG_OWNER = 'rule:admin_or_sg_owner' RULE_ADMIN_OWNER_OR_SG_OWNER = 'rule:admin_owner_or_sg_owner' rules = [ policy.RuleDefault( name='admin_or_sg_owner', check_str=base.policy_or('rule:context_is_admin', 'tenant_id:%(security_group:tenant_id)s'), description='Rule for admin or security group owner access'), policy.RuleDefault(name='admin_owner_or_sg_owner', check_str=base.policy_or('rule:owner', RULE_ADMIN_OR_SG_OWNER), description=('Rule for resource owner, ' 'admin or security group owner access')), # TODO(amotoki): admin_or_owner is the right rule? # Does an empty string make more sense for create_security_group? policy.DocumentedRuleDefault( name='create_security_group', check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, scope_types=['system', 'project'], description='Create a security group', operations=[
from oslo_policy import policy from neutron.conf.policies import base DEPRECATED_REASON = ( "The subnet pool API now supports system scope and default roles.") COLLECTION_PATH = '/subnetpools' RESOURCE_PATH = '/subnetpools/{id}' ONBOARD_PATH = '/subnetpools/{id}/onboard_network_subnets' ADD_PREFIXES_PATH = '/subnetpools/{id}/add_prefixes' REMOVE_PREFIXES_PATH = '/subnetpools/{id}/remove_prefixes' rules = [ policy.RuleDefault(name='shared_subnetpools', check_str='field:subnetpools:shared=True', description='Definition of a shared subnetpool'), policy.DocumentedRuleDefault( name='create_subnetpool', check_str=base.PROJECT_MEMBER, scope_types=['project'], description='Create a subnetpool', operations=[ { 'method': 'POST', 'path': COLLECTION_PATH, }, ], deprecated_rule=policy.DeprecatedRule( name='create_subnetpool', check_str=base.RULE_ANY,
# Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_policy import policy rules = [ policy.RuleDefault('admin', 'role:admin'), policy.RuleDefault('observer', 'role:observer'), policy.RuleDefault('creator', 'role:creator'), policy.RuleDefault('audit', 'role:audit'), policy.RuleDefault('service_admin', 'role:key-manager:service-admin'), policy.RuleDefault('admin_or_creator', 'rule:admin or rule:creator'), policy.RuleDefault('all_but_audit', 'rule:admin or rule:observer or rule:creator'), policy.RuleDefault( 'all_users', 'rule:admin or rule:observer or rule:creator or ' 'rule:audit or rule:service_admin'), policy.RuleDefault('secret_project_match', 'project:%(target.secret.project_id)s'), policy.RuleDefault('secret_acl_read', "'read':%(target.secret.read)s"), policy.RuleDefault('secret_private_read', "'False':%(target.secret.read_project_access)s"),