author | Petr Malik <pmalik@tesora.com> | 2016-06-27 16:01:42 -0400 |
---|---|---|
committer | Petr Malik <pmalik@tesora.com> | 2016-12-06 21:51:21 +0000 |
commit | 21250cf20c0efbe6d57c4a712c51b80667e53b44 (patch) | |
tree | d18e6ee84986b798e7654e254a2a6894dc8d54f4 /trove/backup | |
parent | 77fd7014c0007c83652dd4fb1f9d3316a97b1ed3 (diff) | |
Add support for Oslo Policies to Trove
The Oslo Policy library provides support for RBAC policy
enforcement across all OpenStack services.
Update the devstack plugin to copy the default policy file
over to /etc/trove in the gate environments.
Note: Not adding a rule for 'reset-password' instance
action as that API was discontinued years ago
and is now just waiting for removal (Bug: 1645866).
DocImpact
Co-Authored-By: Ali Adil <aadil@tesora.com>
Change-Id: Ic443a4c663301840406cad537159eab7b0b5ed1c
Implements: blueprint trove-policy
Diffstat (limited to 'trove/backup')
-rw-r--r-- | trove/backup/service.py | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/trove/backup/service.py b/trove/backup/service.py
index 4d505f54..bb14b6bb 100644
--- a/trove/backup/service.py
+++ b/trove/backup/service.py
@@ -22,6 +22,7 @@ from trove.common.i18n import _
 from trove.common import notification
 from trove.common.notification import StartNotification
 from trove.common import pagination
+from trove.common import policy
 from trove.common import wsgi
 LOG = logging.getLogger(__name__)
@@ -40,6 +41,7 @@ class BackupController(wsgi.Controller):
 LOG.debug("Listing backups for tenant %s" % tenant_id)
 datastore = req.GET.get('datastore')
 context = req.environ[wsgi.CONTEXT_KEY]
+policy.authorize_on_tenant(context, 'backup:index')
 backups, marker = Backup.list(context, datastore)
 view = views.BackupViews(backups)
 paged = pagination.SimplePaginatedDataView(req.url, 'backups', view,
@@ -52,11 +54,14 @@ class BackupController(wsgi.Controller):
 % (tenant_id, id))
 context = req.environ[wsgi.CONTEXT_KEY]
 backup = Backup.get_by_id(context, id)
+policy.authorize_on_target(context, 'backup:show',
+{'tenant': backup.tenant_id})
 return wsgi.Result(views.BackupView(backup).data(), 200)
 def create(self, req, body, tenant_id):
 LOG.info(_("Creating a backup for tenant %s"), tenant_id)
 context = req.environ[wsgi.CONTEXT_KEY]
+policy.authorize_on_tenant(context, 'backup:create')
 data = body['backup']
 instance = data['instance']
 name = data['name']
@@ -76,6 +81,9 @@ class BackupController(wsgi.Controller):
 'ID: %(backup_id)s') % {'tenant_id': tenant_id, 'backup_id': id})
 context = req.environ[wsgi.CONTEXT_KEY]
+backup = Backup.get_by_id(context, id)
+policy.authorize_on_target(context, 'backup:delete',
+{'tenant': backup.tenant_id})
 context.notification = notification.DBaaSBackupDelete(context, request=req)
 with StartNotification(context, backup_id=id): |
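Review bot: In `show`, `Backup.get_by_id(context, id)` runs before `policy.authorize_on_target`, so a caller the policy would reject may still be able to tell an existing backup id from a missing one, if the lookup and the policy check fail with different errors; `delete` in the next hunk has the same ordering. The lookup has to come first because the target needs `backup.tenant_id`, and whether `get_by_id` already restricts results to the caller's tenant cannot be seen from this hunk, so that should be confirmed. If it does not, returning the same not-found response for a denied foreign-tenant target would close the gap. A comment above the check such as `# Load first: the policy target is the tenant that owns the backup.` would record why the order is what it is. Both method bodies start outside the hunk.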
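Review bot: In `delete`, the policy check sits before `context.notification` is assigned and outside the `with StartNotification(...)` block, so a rejected delete attempt apparently produces no DBaaSBackupDelete notification. If those notifications serve as the audit trail for backup deletion, denied attempts are visible only if `policy.authorize_on_target` logs them itself, which this hunk does not show. Consider logging the denial with the backup id and requesting tenant, or add a comment such as `# Policy denials raise here, before any delete notification is emitted.` so the gap is deliberate and documented. The body of the `with` block continues outside the hunk.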