Diffstat (limited to 'designate/common/policies')
-rw-r--r-- | designate/common/policies/__init__.py | 2 | ||||
-rw-r--r-- | designate/common/policies/base.py | 7 | ||||
-rw-r--r-- | designate/common/policies/recordset.py | 45 | ||||
-rw-r--r-- | designate/common/policies/shared_zones.py | 116 | ||||
-rw-r--r-- | designate/common/policies/zone.py | 4 |
5 files changed, 163 insertions, 11 deletions
diff --git a/designate/common/policies/__init__.py b/designate/common/policies/__init__.py
index 67e842c1..4c4590f2 100644
--- a/designate/common/policies/__init__.py
+++ b/designate/common/policies/__init__.py
@@ -25,6 +25,7 @@ from designate.common.policies import quota
from designate.common.policies import record
from designate.common.policies import recordset
from designate.common.policies import service_status
+from designate.common.policies import shared_zones
from designate.common.policies import tenant
from designate.common.policies import tld
from designate.common.policies import tsigkey
@@ -45,6 +46,7 @@ def list_rules():
record.list_rules(),
recordset.list_rules(),
service_status.list_rules(),
+ shared_zones.list_rules(),
tenant.list_rules(),
tld.list_rules(),
tsigkey.list_rules(),
diff --git a/designate/common/policies/base.py b/designate/common/policies/base.py
index a0674674..ef2fdca7 100644
--- a/designate/common/policies/base.py
+++ b/designate/common/policies/base.py
@@ -66,6 +66,10 @@ SYSTEM_OR_PROJECT_READER_OR_ALL_TENANTS_READER = (
ALL_TENANTS_READER + ')'
)
+SYSTEM_OR_PROJECT_READER_OR_SHARED = (
+ SYSTEM_OR_PROJECT_READER + ' or ("True":%(zone_shared)s)'
+)
+
RULE_ZONE_TRANSFER = (
'(' + SYSTEM_ADMIN_OR_PROJECT_MEMBER + ') or '
'project_id:%(target_project_id)s or '
@@ -79,6 +83,9 @@ RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
LEGACY_RULE_ZONE_TRANSFER = "rule:admin_or_owner OR " \
"project_id:%(target_tenant_id)s " \
"OR None:%(target_tenant_id)s"
+RULE_ADMIN_OR_OWNER_OR_SHARED = (
+ RULE_ADMIN_OR_OWNER + ' or ("True":%(zone_shared)s)'
+)
deprecated_default = policy.DeprecatedRule(
name="default",
diff --git a/designate/common/policies/recordset.py b/designate/common/policies/recordset.py
index 6dad34fc..0b6f1614 100644
--- a/designate/common/policies/recordset.py
+++ b/designate/common/policies/recordset.py
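Review bot: `SYSTEM_OR_PROJECT_READER_OR_SHARED` (and `RULE_ADMIN_OR_OWNER_OR_SHARED` in the second base.py hunk) grants access on nothing but the target flag `zone_shared`; the rule never ties the share to the caller's project, so it is only safe if every enforcement site computes `zone_shared` as "this zone is shared with the requesting project", not as "this zone has any shares at all". That contract is invisible from these constants, and the same flag is consumed by the `get_recordset` change in recordset.py and the `get_zone` changes in zone.py. Suggest a comment above the first constant: `# 'zone_shared' must be set by the caller relative to the requesting project (shared *with* that project, not merely shared); a missing target key makes the GenericCheck evaluate to False.` The string form also matters, since `"True":%(zone_shared)s` compares against the str() of the value: a bool True matches, a lowercase 'true' would not.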
@@ -28,9 +28,20 @@ RULE_ZONE_PRIMARY_OR_ADMIN = (
"('PRIMARY':%(zone_type)s and rule:admin_or_owner) "
"OR ('SECONDARY':%(zone_type)s AND is_admin:True)")
+RULE_ZONE_PRIMARY_OR_ADMIN_OR_SHARED = (
+ "('PRIMARY':%(zone_type)s AND (rule:admin_or_owner OR "
+ "'True':%(zone_shared)s)) "
+ "OR ('SECONDARY':%(zone_type)s AND is_admin:True)")
+
+RULE_ADMIN_OR_OWNER_PRIMARY = (
+ "rule:admin or (\'PRIMARY\':%(zone_type)s and "
+ "(rule:owner or project_id:%(recordset_project_id)s))"
+)
+
+
deprecated_create_recordset = policy.DeprecatedRule(
name="create_recordset",
- check_str=RULE_ZONE_PRIMARY_OR_ADMIN,
+ check_str=RULE_ZONE_PRIMARY_OR_ADMIN_OR_SHARED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
@@ -42,7 +53,7 @@ deprecated_get_recordsets = policy.DeprecatedRule(
)
deprecated_get_recordset = policy.DeprecatedRule(
name="get_recordset",
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.RULE_ADMIN_OR_OWNER_OR_SHARED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
@@ -60,13 +71,13 @@ deprecated_find_recordsets = policy.DeprecatedRule(
)
deprecated_update_recordset = policy.DeprecatedRule(
name="update_recordset",
- check_str=RULE_ZONE_PRIMARY_OR_ADMIN,
+ check_str=RULE_ADMIN_OR_OWNER_PRIMARY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_delete_recordset = policy.DeprecatedRule(
name="delete_recordset",
- check_str=RULE_ZONE_PRIMARY_OR_ADMIN,
+ check_str=RULE_ADMIN_OR_OWNER_PRIMARY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
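Review bot: `RULE_ADMIN_OR_OWNER_PRIMARY`, now the legacy check for `update_recordset` and `delete_recordset` (third hunk), drops the `('SECONDARY':%(zone_type)s AND is_admin:True)` branch of the `RULE_ZONE_PRIMARY_OR_ADMIN` it replaces and lets `rule:admin` decide everything outside PRIMARY zones; if a deployment's `admin` rule is wider than `is_admin:True` (it is defined outside this hunk), this quietly widens who may edit records in SECONDARY zones under the legacy policy. The two new constants also introduce the target keys `zone_shared` and `recordset_project_id` without saying who must populate them; a GenericCheck on a missing key is False, which fails closed, but a reader cannot tell from here that every enforcement path sets both. Suggest a comment above `RULE_ZONE_PRIMARY_OR_ADMIN_OR_SHARED` naming both keys and stating that `zone_shared` must reflect sharing with the requesting project and `recordset_project_id` the recordset's owning project.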
@@ -86,11 +97,27 @@ SYSTEM_ADMIN_AND_PRIMARY_ZONE = (
SYSTEM_ADMIN_AND_SECONDARY_ZONE = (
'(' + base.SYSTEM_ADMIN + ') and (\'SECONDARY\':%(zone_type)s)'
)
+SHARED_AND_PRIMARY_ZONE = (
+ '("True":%(zone_shared)s) and (\'PRIMARY\':%(zone_type)s)'
+)
+RECORDSET_MEMBER_AND_PRIMARY_ZONE = (
+ 'role:member and (project_id:%(recordset_project_id)s) and '
+ '(\'PRIMARY\':%(zone_type)s)'
+)
+
SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE = ' or '.join(
[PROJECT_MEMBER_AND_PRIMARY_ZONE,
SYSTEM_ADMIN_AND_PRIMARY_ZONE,
- SYSTEM_ADMIN_AND_SECONDARY_ZONE]
+ SYSTEM_ADMIN_AND_SECONDARY_ZONE,
+ SHARED_AND_PRIMARY_ZONE]
+)
+
+SYSTEM_ADMIN_OR_PROJECT_MEMBER_RECORD_OWNER_ZONE_TYPE = ' or '.join(
+ [PROJECT_MEMBER_AND_PRIMARY_ZONE,
+ SYSTEM_ADMIN_AND_PRIMARY_ZONE,
+ SYSTEM_ADMIN_AND_SECONDARY_ZONE,
+ RECORDSET_MEMBER_AND_PRIMARY_ZONE]
)
@@ -116,7 +143,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name="get_recordset",
- check_str=base.SYSTEM_OR_PROJECT_READER,
+ check_str=base.SYSTEM_OR_PROJECT_READER_OR_SHARED,
scope_types=['system', 'project'],
description="Get recordset",
operations=[
@@ -149,7 +176,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name="update_recordset",
- check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE,
+ check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_RECORD_OWNER_ZONE_TYPE,
scope_types=['system', 'project'],
description="Update recordset",
operations=[
@@ -162,7 +189,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name="delete_recordset",
- check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE,
+ check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_RECORD_OWNER_ZONE_TYPE,
scope_types=['system', 'project'],
description="Delete RecordSet",
operations=[
@@ -178,7 +205,7 @@ rules = [
check_str=base.SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
description="Count recordsets",
- deprecated_rule=deprecated_count_recordset
+ deprecated_rule=deprecated_count_recordset,
)
]
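Review bot: `SHARED_AND_PRIMARY_ZONE` carries no role check, while the new `RECORDSET_MEMBER_AND_PRIMARY_ZONE` in the same hunk requires `role:member` (and `PROJECT_MEMBER_AND_PRIMARY_ZONE`, defined above the hunk, presumably does too by its name); because it is OR-ed into `SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE`, which appears to remain the check for `create_recordset` after update/delete were moved off it, any principal in the project the zone is shared with — including one holding only the `reader` role — can create recordsets in that zone once `zone_shared` is True. Least privilege and consistency with the rest of the module suggest `'role:member and ("True":%(zone_shared)s) and (\'PRIMARY\':%(zone_type)s)'`. If readers are meant to write into shared zones, that deserves a comment on the constant, since it would be the only write path here without a role requirement.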
diff --git a/designate/common/policies/shared_zones.py b/designate/common/policies/shared_zones.py
new file mode 100644
index 00000000..80e85dee
--- /dev/null
+++ b/designate/common/policies/shared_zones.py
@@ -0,0 +1,116 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_log import versionutils
+from oslo_policy import policy
+
+from designate.common.policies import base
+
+
+DEPRECATED_REASON = """
+The shared zones API now supports system scope and default roles.
+"""
+
+deprecated_get_shared_zone = policy.DeprecatedRule(
+ name="get_zone_share",
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+
+deprecated_share_zone = policy.DeprecatedRule(
+ name="share_zone",
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+
+deprecated_find_project_zone_share = policy.DeprecatedRule(
+ name="find_project_zone_share",
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+
+deprecated_unshare_zone = policy.DeprecatedRule(
+ name="unshare_zone",
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+
+rules = [
+ policy.DocumentedRuleDefault(
+ name="get_zone_share",
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['system', 'project'],
+ description="Get a Zone Share",
+ operations=[
+ {
+ 'path': '/v2/zones/{zone_id}/shares/{zone_share_id}',
+ 'method': 'GET'
+ }
+ ],
+ deprecated_rule=deprecated_get_shared_zone
+ ),
+ policy.DocumentedRuleDefault(
+ name="share_zone",
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['system', 'project'],
+ description="Share a Zone",
+ operations=[
+ {
+ 'path': '/v2/zones/{zone_id}/shares',
+ 'method': 'POST'
+ }
+ ],
+ deprecated_rule=deprecated_share_zone
+ ),
+ policy.DocumentedRuleDefault(
+ name="find_zone_shares",
+ # Using rule ANY here because the search criteria will narrow the
+ # results appropriate for the API call.
+ check_str=base.RULE_ANY,
+ description="List Shared Zones",
+ operations=[
+ {
+ 'path': '/v2/zones/{zone_id}/shares',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.RuleDefault(
+ name="find_project_zone_share",
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['system', 'project'],
+ description="Check the can query for a specific projects shares.",
+ deprecated_rule=deprecated_find_project_zone_share
+ ),
+ policy.DocumentedRuleDefault(
+ name="unshare_zone",
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['system', 'project'],
+ description="Unshare Zone",
+ operations=[
+ {
+ 'path': '/v2/zones/{zone_id}/shares/{shared_zone_id}',
+ 'method': 'DELETE'
+ }
+ ],
+ deprecated_rule=deprecated_unshare_zone
+ )
+]
+
+
+def list_rules():
+ return rules
diff --git a/designate/common/policies/zone.py b/designate/common/policies/zone.py
index eec02720..a5ad5687 100644
--- a/designate/common/policies/zone.py
+++ b/designate/common/policies/zone.py
@@ -36,7 +36,7 @@ deprecated_get_zones = policy.DeprecatedRule(
)
deprecated_get_zone = policy.DeprecatedRule(
name="get_zone",
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.RULE_ADMIN_OR_OWNER_OR_SHARED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
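Review bot: `find_zone_shares` is the only rule in the new shared_zones.py with `base.RULE_ANY` and no `scope_types`, so oslo.policy performs no authorization at all for `GET /v2/zones/{zone_id}/shares`; the inline comment defers to "search criteria", but nothing in this module states what the API handler must filter on, and the first part of this hunk (the file header and the `get_zone_share` rule) sits on the previous line. Suggest at least `scope_types=['system', 'project'],` for parity with the other rules, and widening the comment to name the invariant the handler owns: `# The API handler must limit results to shares of zones owned by, or shared with, the caller's project; this rule deliberately does not check that.` The `find_project_zone_share` description, `Check the can query for a specific projects shares.`, reads as a typo for `Check that the caller can query a specific project's shares.`. Finally, `deprecated_since=versionutils.deprecated.WALLABY` on rules for an API this commit introduces suggests the four `DeprecatedRule`s exist only so that legacy `rule:admin_or_owner` overrides keep applying; a one-line comment above `DEPRECATED_REASON` saying so would save a later reader from hunting for pre-Wallaby rules that never existed.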
@@ -124,7 +124,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name="get_zone",
- check_str=base.SYSTEM_OR_PROJECT_READER,
+ check_str=base.SYSTEM_OR_PROJECT_READER_OR_SHARED,
scope_types=['system', 'project'],
description="Get Zone",
operations=[ |