Diffstat (limited to 'designate/common/policies')
-rw-r--r--designate/common/policies/__init__.py2
-rw-r--r--designate/common/policies/base.py7
-rw-r--r--designate/common/policies/recordset.py45
-rw-r--r--designate/common/policies/shared_zones.py116
-rw-r--r--designate/common/policies/zone.py4
5 files changed, 163 insertions, 11 deletions
diff --git a/designate/common/policies/__init__.py b/designate/common/policies/__init__.py
index 67e842c1..4c4590f2 100644
--- a/designate/common/policies/__init__.py
+++ b/designate/common/policies/__init__.py
@@ -25,6 +25,7 @@ from designate.common.policies import quota
from designate.common.policies import record
from designate.common.policies import recordset
from designate.common.policies import service_status
+from designate.common.policies import shared_zones
from designate.common.policies import tenant
from designate.common.policies import tld
from designate.common.policies import tsigkey
@@ -45,6 +46,7 @@ def list_rules():
record.list_rules(),
recordset.list_rules(),
service_status.list_rules(),
+ shared_zones.list_rules(),
tenant.list_rules(),
tld.list_rules(),
tsigkey.list_rules(),
diff --git a/designate/common/policies/base.py b/designate/common/policies/base.py
index a0674674..ef2fdca7 100644
--- a/designate/common/policies/base.py
+++ b/designate/common/policies/base.py
@@ -66,6 +66,10 @@ SYSTEM_OR_PROJECT_READER_OR_ALL_TENANTS_READER = (
ALL_TENANTS_READER + ')'
)
+SYSTEM_OR_PROJECT_READER_OR_SHARED = (
+ SYSTEM_OR_PROJECT_READER + ' or ("True":%(zone_shared)s)'
+)
+
RULE_ZONE_TRANSFER = (
'(' + SYSTEM_ADMIN_OR_PROJECT_MEMBER + ') or '
'project_id:%(target_project_id)s or '
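Review bot: The shared-zone branch appended in `SYSTEM_OR_PROJECT_READER_OR_SHARED` carries no role constraint, so it is looser than the project-reader alternative it is OR'ed with: every project-scoped identity passes as soon as `%(zone_shared)s` renders as `True`, whereas the project branch requires a reader role. For parity consider `SYSTEM_OR_PROJECT_READER + ' or (role:reader and "True":%(zone_shared)s)'`. The rule is also only as narrow as the meaning of `zone_shared` in the target dict — if the enforcement sites populate it from the zone's own shared flag rather than from a check that the zone is shared with the requesting project, any project would match, so that is worth confirming at the callers (a missing key should fail closed under oslo.policy's generic check). A one-line comment on the constant stating what `zone_shared` is expected to hold and which layer sets it would help the next reader; the same applies to `RULE_ADMIN_OR_OWNER_OR_SHARED` in the next hunk.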
@@ -79,6 +83,9 @@ RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
LEGACY_RULE_ZONE_TRANSFER = "rule:admin_or_owner OR " \
"project_id:%(target_tenant_id)s " \
"OR None:%(target_tenant_id)s"
+RULE_ADMIN_OR_OWNER_OR_SHARED = (
+ RULE_ADMIN_OR_OWNER + ' or ("True":%(zone_shared)s)'
+)
deprecated_default = policy.DeprecatedRule(
name="default",
diff --git a/designate/common/policies/recordset.py b/designate/common/policies/recordset.py
index 6dad34fc..0b6f1614 100644
--- a/designate/common/policies/recordset.py
+++ b/designate/common/policies/recordset.py
@@ -28,9 +28,20 @@ RULE_ZONE_PRIMARY_OR_ADMIN = (
"('PRIMARY':%(zone_type)s and rule:admin_or_owner) "
"OR ('SECONDARY':%(zone_type)s AND is_admin:True)")
+RULE_ZONE_PRIMARY_OR_ADMIN_OR_SHARED = (
+ "('PRIMARY':%(zone_type)s AND (rule:admin_or_owner OR "
+ "'True':%(zone_shared)s)) "
+ "OR ('SECONDARY':%(zone_type)s AND is_admin:True)")
+
+RULE_ADMIN_OR_OWNER_PRIMARY = (
+ "rule:admin or (\'PRIMARY\':%(zone_type)s and "
+ "(rule:owner or project_id:%(recordset_project_id)s))"
+)
+
+
deprecated_create_recordset = policy.DeprecatedRule(
name="create_recordset",
- check_str=RULE_ZONE_PRIMARY_OR_ADMIN,
+ check_str=RULE_ZONE_PRIMARY_OR_ADMIN_OR_SHARED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
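Review bot: `RULE_ADMIN_OR_OWNER_PRIMARY` escapes the quotes around PRIMARY inside a double-quoted Python string, where `\'` is unnecessary; `"rule:admin or ('PRIMARY':%(zone_type)s and "` reads cleaner and matches the quoting used a few lines above in `RULE_ZONE_PRIMARY_OR_ADMIN_OR_SHARED`. The rule also references `rule:admin` and `rule:owner` directly instead of the `admin_or_owner` alias the rest of the file uses, presumably so the recordset's own project can be tested separately; a short comment saying so would spare the next reader the question, and note that oslo.policy denies silently rather than erroring if a referenced rule name is not registered. The mixed `"True"`/`'True'` quoting between this file and base.py is harmless but inconsistent.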
@@ -42,7 +53,7 @@ deprecated_get_recordsets = policy.DeprecatedRule(
)
deprecated_get_recordset = policy.DeprecatedRule(
name="get_recordset",
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.RULE_ADMIN_OR_OWNER_OR_SHARED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
@@ -60,13 +71,13 @@ deprecated_find_recordsets = policy.DeprecatedRule(
)
deprecated_update_recordset = policy.DeprecatedRule(
name="update_recordset",
- check_str=RULE_ZONE_PRIMARY_OR_ADMIN,
+ check_str=RULE_ADMIN_OR_OWNER_PRIMARY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_delete_recordset = policy.DeprecatedRule(
name="delete_recordset",
- check_str=RULE_ZONE_PRIMARY_OR_ADMIN,
+ check_str=RULE_ADMIN_OR_OWNER_PRIMARY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
@@ -86,11 +97,27 @@ SYSTEM_ADMIN_AND_PRIMARY_ZONE = (
SYSTEM_ADMIN_AND_SECONDARY_ZONE = (
'(' + base.SYSTEM_ADMIN + ') and (\'SECONDARY\':%(zone_type)s)'
)
+SHARED_AND_PRIMARY_ZONE = (
+ '("True":%(zone_shared)s) and (\'PRIMARY\':%(zone_type)s)'
+)
+RECORDSET_MEMBER_AND_PRIMARY_ZONE = (
+ 'role:member and (project_id:%(recordset_project_id)s) and '
+ '(\'PRIMARY\':%(zone_type)s)'
+)
+
SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE = ' or '.join(
[PROJECT_MEMBER_AND_PRIMARY_ZONE,
SYSTEM_ADMIN_AND_PRIMARY_ZONE,
- SYSTEM_ADMIN_AND_SECONDARY_ZONE]
+ SYSTEM_ADMIN_AND_SECONDARY_ZONE,
+ SHARED_AND_PRIMARY_ZONE]
+)
+
+SYSTEM_ADMIN_OR_PROJECT_MEMBER_RECORD_OWNER_ZONE_TYPE = ' or '.join(
+ [PROJECT_MEMBER_AND_PRIMARY_ZONE,
+ SYSTEM_ADMIN_AND_PRIMARY_ZONE,
+ SYSTEM_ADMIN_AND_SECONDARY_ZONE,
+ RECORDSET_MEMBER_AND_PRIMARY_ZONE]
)
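Review bot: `SHARED_AND_PRIMARY_ZONE` is the only alternative in `SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE` without a role check: `PROJECT_MEMBER_AND_PRIMARY_ZONE` and the new `RECORDSET_MEMBER_AND_PRIMARY_ZONE` both require `role:member`, while the shared branch passes for any identity whose target renders `zone_shared` as True, so a reader-only user in a project the zone is shared with would gain a write path that a reader in the owning project does not (this composite presumably still backs create_recordset; that rule is not in the hunk). Consider `'role:member and ("True":%(zone_shared)s) and (\'PRIMARY\':%(zone_type)s)'`. The two composites share three of four alternatives, and building the second from a common prefix list would keep them from drifting apart. A comment above each stating which API operation it guards would make the intent of the split easier to audit.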
@@ -116,7 +143,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name="get_recordset",
- check_str=base.SYSTEM_OR_PROJECT_READER,
+ check_str=base.SYSTEM_OR_PROJECT_READER_OR_SHARED,
scope_types=['system', 'project'],
description="Get recordset",
operations=[
@@ -149,7 +176,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name="update_recordset",
- check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE,
+ check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_RECORD_OWNER_ZONE_TYPE,
scope_types=['system', 'project'],
description="Update recordset",
operations=[
@@ -162,7 +189,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name="delete_recordset",
- check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE,
+ check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_RECORD_OWNER_ZONE_TYPE,
scope_types=['system', 'project'],
description="Delete RecordSet",
operations=[
@@ -178,7 +205,7 @@ rules = [
check_str=base.SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
description="Count recordsets",
- deprecated_rule=deprecated_count_recordset
+ deprecated_rule=deprecated_count_recordset,
)
]
diff --git a/designate/common/policies/shared_zones.py b/designate/common/policies/shared_zones.py
new file mode 100644
index 00000000..80e85dee
--- /dev/null
+++ b/designate/common/policies/shared_zones.py
@@ -0,0 +1,116 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_log import versionutils
+from oslo_policy import policy
+
+from designate.common.policies import base
+
+
+DEPRECATED_REASON = """
+The shared zones API now supports system scope and default roles.
+"""
+
+deprecated_get_shared_zone = policy.DeprecatedRule(
+ name="get_zone_share",
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+
+deprecated_share_zone = policy.DeprecatedRule(
+ name="share_zone",
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+
+deprecated_find_project_zone_share = policy.DeprecatedRule(
+ name="find_project_zone_share",
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+
+deprecated_unshare_zone = policy.DeprecatedRule(
+ name="unshare_zone",
+ check_str=base.RULE_ADMIN_OR_OWNER,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+)
+
+rules = [
+ policy.DocumentedRuleDefault(
+ name="get_zone_share",
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['system', 'project'],
+ description="Get a Zone Share",
+ operations=[
+ {
+ 'path': '/v2/zones/{zone_id}/shares/{zone_share_id}',
+ 'method': 'GET'
+ }
+ ],
+ deprecated_rule=deprecated_get_shared_zone
+ ),
+ policy.DocumentedRuleDefault(
+ name="share_zone",
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['system', 'project'],
+ description="Share a Zone",
+ operations=[
+ {
+ 'path': '/v2/zones/{zone_id}/shares',
+ 'method': 'POST'
+ }
+ ],
+ deprecated_rule=deprecated_share_zone
+ ),
+ policy.DocumentedRuleDefault(
+ name="find_zone_shares",
+ # Using rule ANY here because the search criteria will narrow the
+ # results appropriate for the API call.
+ check_str=base.RULE_ANY,
+ description="List Shared Zones",
+ operations=[
+ {
+ 'path': '/v2/zones/{zone_id}/shares',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.RuleDefault(
+ name="find_project_zone_share",
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['system', 'project'],
+ description="Check the can query for a specific projects shares.",
+ deprecated_rule=deprecated_find_project_zone_share
+ ),
+ policy.DocumentedRuleDefault(
+ name="unshare_zone",
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['system', 'project'],
+ description="Unshare Zone",
+ operations=[
+ {
+ 'path': '/v2/zones/{zone_id}/shares/{shared_zone_id}',
+ 'method': 'DELETE'
+ }
+ ],
+ deprecated_rule=deprecated_unshare_zone
+ )
+]
+
+
+def list_rules():
+ return rules
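Review bot: `find_zone_shares` is the only rule in the new module without `scope_types=['system', 'project']`, and it is also the one with the widest check (`base.RULE_ANY`), so scope enforcement would not apply to the list endpoint even though it applies to every sibling; add `scope_types=['system', 'project'],` unless the omission is deliberate, and extend the existing comment to name the narrowing check it relies on (`find_project_zone_share` appears to be it). The documented paths disagree on the parameter name — `{zone_share_id}` for GET and `{shared_zone_id}` for DELETE — which will surface in the generated policy documentation. The `find_project_zone_share` description has a grammar slip; `"Check that the caller can query a specific project's shares."` reads correctly. The variable `deprecated_get_shared_zone` is also named differently from its rule (`get_zone_share`) and from its siblings (`deprecated_share_zone`, `deprecated_unshare_zone`).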
diff --git a/designate/common/policies/zone.py b/designate/common/policies/zone.py
index eec02720..a5ad5687 100644
--- a/designate/common/policies/zone.py
+++ b/designate/common/policies/zone.py
@@ -36,7 +36,7 @@ deprecated_get_zones = policy.DeprecatedRule(
)
deprecated_get_zone = policy.DeprecatedRule(
name="get_zone",
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.RULE_ADMIN_OR_OWNER_OR_SHARED,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
)
@@ -124,7 +124,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name="get_zone",
- check_str=base.SYSTEM_OR_PROJECT_READER,
+ check_str=base.SYSTEM_OR_PROJECT_READER_OR_SHARED,
scope_types=['system', 'project'],
description="Get Zone",
operations=[