authorZhao Chao <zhaochao1984@gmail.com>2018-02-12 15:19:58 +0800
committerZhao Chao <zhaochao1984@gmail.com>2018-02-12 18:11:22 +0800
commit71ebd353ca79088dd737d5651829ef51829d67dc (patch)
treeeabf21c4f45593ecd9f593cc02fd2a69cfb401d7
parentf0c03c114e93cd580f74d4c31d51760b7a511d29 (diff)
downloadtrove-71ebd353ca79088dd737d5651829ef51829d67dc.tar.gz
Generate policy sample file automatically.
A new entrypoint in setup.cfg and a config file are added so that the oslo.policy helper script can generate the sample file. A new tox target is also added to simplify setting up the environment. Now that the policy sample file can be generated automatically, the in-repo sample file is no longer needed. Co-Authored-By: Andrew Laski <andrew@lascii.com> Partial-Implements: blueprint policy-in-code Change-Id: Ic336fa154ccc05b5e9db3a8e751a484b1cc5aa9c Signed-off-by: Zhao Chao <zhaochao1984@gmail.com>
-rw-r--r--.gitignore3
-rw-r--r--etc/trove/README-policy.generated.md19
-rw-r--r--etc/trove/policy.yaml.sample243
-rw-r--r--setup.cfg7
-rw-r--r--tools/trove-policy-generator.conf3
-rw-r--r--tox.ini3
6 files changed, 35 insertions, 243 deletions
diff --git a/.gitignore b/.gitignore
index 6da673b7..dcc39b31 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,3 +45,6 @@ publish-docs/
*~
.*.swp
.bak
+
+# Policy sample
+etc/trove/policy.yaml.sample
diff --git a/etc/trove/README-policy.generated.md b/etc/trove/README-policy.generated.md
new file mode 100644
index 00000000..96619907
--- /dev/null
+++ b/etc/trove/README-policy.generated.md
@@ -0,0 +1,19 @@
+Generate Trove policies sample
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Trove policies sample are no longer provided, instead it could be generated
+by running the following command from the top of the trove directory:
+
+ tox -egenpolicy
+
+
+Use customized policy file
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As Trove uses policy in code now, it's not necessary to add a policy file for
+Trove components to run. But when a customized policy is needed, Trove will
+take ``/etc/trove/policy.json`` by default. The location of the policy file
+can also be overriden by adding following lines in Trove config file:
+
+ [oslo_policy]
+ policy_file = /path/to/policy/file
diff --git a/etc/trove/policy.yaml.sample b/etc/trove/policy.yaml.sample
deleted file mode 100644
index 823144dc..00000000
--- a/etc/trove/policy.yaml.sample
+++ /dev/null
@@ -1,243 +0,0 @@
-# Must be an administrator.
-#"admin": "role:admin or is_admin:True"
-
-# Must be an administrator or owner of the object.
-#"admin_or_owner": "rule:admin or tenant:%(tenant)s"
-
-# Must be an administrator or owner of the object.
-#"default": "rule:admin_or_owner"
-
-#
-#"instance:create": "rule:admin_or_owner"
-
-#
-#"instance:delete": "rule:admin_or_owner"
-
-#
-#"instance:force_delete": "rule:admin_or_owner"
-
-#
-#"instance:index": "rule:admin_or_owner"
-
-#
-#"instance:show": "rule:admin_or_owner"
-
-#
-#"instance:update": "rule:admin_or_owner"
-
-#
-#"instance:edit": "rule:admin_or_owner"
-
-#
-#"instance:restart": "rule:admin_or_owner"
-
-#
-#"instance:resize_volume": "rule:admin_or_owner"
-
-#
-#"instance:resize_flavor": "rule:admin_or_owner"
-
-#
-#"instance:reset_status": "rule:admin"
-
-#
-#"instance:promote_to_replica_source": "rule:admin_or_owner"
-
-#
-#"instance:eject_replica_source": "rule:admin_or_owner"
-
-#
-#"instance:configuration": "rule:admin_or_owner"
-
-#
-#"instance:guest_log_list": "rule:admin_or_owner"
-
-#
-#"instance:backups": "rule:admin_or_owner"
-
-#
-#"instance:module_list": "rule:admin_or_owner"
-
-#
-#"instance:module_apply": "rule:admin_or_owner"
-
-#
-#"instance:module_remove": "rule:admin_or_owner"
-
-#
-#"instance:extension:root:create": "rule:admin_or_owner"
-
-#
-#"instance:extension:root:delete": "rule:admin_or_owner"
-
-#
-#"instance:extension:root:index": "rule:admin_or_owner"
-
-#
-#"instance:extension:user:create": "rule:admin_or_owner"
-
-#
-#"instance:extension:user:delete": "rule:admin_or_owner"
-
-#
-#"instance:extension:user:index": "rule:admin_or_owner"
-
-#
-#"instance:extension:user:show": "rule:admin_or_owner"
-
-#
-#"instance:extension:user:update": "rule:admin_or_owner"
-
-#
-#"instance:extension:user:update_all": "rule:admin_or_owner"
-
-#
-#"instance:extension:user_access:update": "rule:admin_or_owner"
-
-#
-#"instance:extension:user_access:delete": "rule:admin_or_owner"
-
-#
-#"instance:extension:user_access:index": "rule:admin_or_owner"
-
-#
-#"instance:extension:database:create": "rule:admin_or_owner"
-
-#
-#"instance:extension:database:delete": "rule:admin_or_owner"
-
-#
-#"instance:extension:database:index": "rule:admin_or_owner"
-
-#
-#"instance:extension:database:show": "rule:admin_or_owner"
-
-#
-#"cluster:create": "rule:admin_or_owner"
-
-#
-#"cluster:delete": "rule:admin_or_owner"
-
-#
-#"cluster:force_delete": "rule:admin_or_owner"
-
-#
-#"cluster:index": "rule:admin_or_owner"
-
-#
-#"cluster:show": "rule:admin_or_owner"
-
-#
-#"cluster:show_instance": "rule:admin_or_owner"
-
-#
-#"cluster:action": "rule:admin_or_owner"
-
-#
-#"cluster:reset-status": "rule:admin"
-
-#
-#"cluster:extension:root:create": "rule:admin_or_owner"
-
-#
-#"cluster:extension:root:delete": "rule:admin_or_owner"
-
-#
-#"cluster:extension:root:index": "rule:admin_or_owner"
-
-#
-#"backup:create": "rule:admin_or_owner"
-
-#
-#"backup:delete": "rule:admin_or_owner"
-
-#
-#"backup:index": "rule:admin_or_owner"
-
-#
-#"backup:show": "rule:admin_or_owner"
-
-#
-#"configuration:create": "rule:admin_or_owner"
-
-#
-#"configuration:delete": "rule:admin_or_owner"
-
-#
-#"configuration:index": "rule:admin_or_owner"
-
-#
-#"configuration:show": "rule:admin_or_owner"
-
-#
-#"configuration:instances": "rule:admin_or_owner"
-
-#
-#"configuration:update": "rule:admin_or_owner"
-
-#
-#"configuration:edit": "rule:admin_or_owner"
-
-#
-#"configuration-parameter:index": "rule:admin_or_owner"
-
-#
-#"configuration-parameter:show": "rule:admin_or_owner"
-
-#
-#"configuration-parameter:index_by_version": "rule:admin_or_owner"
-
-#
-#"configuration-parameter:show_by_version": "rule:admin_or_owner"
-
-#
-#"datastore:index": ""
-
-#
-#"datastore:show": ""
-
-#
-#"datastore:version_show": ""
-
-#
-#"datastore:version_show_by_uuid": ""
-
-#
-#"datastore:version_index": ""
-
-#
-#"datastore:list_associated_flavors": ""
-
-#
-#"datastore:list_associated_volume_types": ""
-
-#
-#"flavor:index": ""
-
-#
-#"flavor:show": ""
-
-#
-#"limits:index": "rule:admin_or_owner"
-
-#
-#"module:create": "rule:admin_or_owner"
-
-#
-#"module:delete": "rule:admin_or_owner"
-
-#
-#"module:index": "rule:admin_or_owner"
-
-#
-#"module:show": "rule:admin_or_owner"
-
-#
-#"module:instances": "rule:admin_or_owner"
-
-#
-#"module:update": "rule:admin_or_owner"
-
-#
-#"module:reapply": "rule:admin_or_owner"
-
diff --git a/setup.cfg b/setup.cfg
index 4e1bd15a..b2632dcb 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -50,6 +50,13 @@ oslo.messaging.notify.drivers =
trove.openstack.common.notifier.rpc_notifier = oslo_messaging.notify.messaging:MessagingDriver
trove.openstack.common.notifier.test_notifier = oslo_messaging.notify._impl_test:TestDriver
+oslo.policy.policies =
+ # The sample policies will be ordered by entry point and then by list
+ # returned from that entry point. If more control is desired split out each
+ # list_rules method into a separate entry point rather than using the
+ # aggregate method.
+ trove = trove.common.policies:list_rules
+
[global]
setup-hooks =
pbr.hooks.setup_hook
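Review bot: The entry point name on the last added line, `trove = trove.common.policies:list_rules`, has to stay equal to the `namespace = trove` value in tools/trove-policy-generator.conf, and the added comment does not mention that link. The comment also refers to "the aggregate method" without naming it; presumably that is `list_rules`. I would add a line such as `# The name on the left must match "namespace" in tools/trove-policy-generator.conf.` so that a rename does not leave the generator with nothing to load. The enclosing entry-points section begins outside this hunk.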
diff --git a/tools/trove-policy-generator.conf b/tools/trove-policy-generator.conf
new file mode 100644
index 00000000..c24d8c85
--- /dev/null
+++ b/tools/trove-policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/trove/policy.yaml.sample
+namespace = trove
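Review bot: `output_file = etc/trove/policy.yaml.sample` produces a YAML sample, while the README added in this same commit tells operators that Trove reads `/etc/trove/policy.json` by default, so nothing here says which file name and format a customized copy of the sample should take. Because this sample becomes the operator's starting point for access rules, a header comment would help, e.g. `# Sample is YAML; the service reads the file named by [oslo_policy] policy_file (see etc/trove/README-policy.generated.md).` The path is also relative, so it appears to resolve against the generator's working directory; the comment could state that the tool is meant to run from the top of the repository, as the README says.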
diff --git a/tox.ini b/tox.ini
index e224c6f8..41f2f97a 100644
--- a/tox.ini
+++ b/tox.ini
@@ -104,6 +104,9 @@ commands = bandit -r trove -n5 -x tests
envdir = {toxworkdir}/bandit
commands = bandit-baseline -r trove -n5 -x tests -ii -ll
+[testenv:genpolicy]
+commands = oslopolicy-sample-generator --config-file=tools/trove-policy-generator.conf
+
[testenv:install-guide]
commands = sphinx-build -a -E -W -d install-guide/build/doctrees -b html install-guide/source install-guide/build/html