Merge "[policy in code] Add support for attachment resource"

Author: Jenkins

Diff for: cinder/context.py

@@ -25,7 +25,9 @@
 from oslo_utils import timeutils
 import six
 
+from cinder import exception
 from cinder.i18n import _
+from cinder.objects import base as objects_base
 from cinder import policy
 
 context_opts = [
@@ -94,7 +96,7 @@ def __init__(self, user_id=None, project_id=None, is_admin=None,
         # when policy.check_is_admin invokes request logging
         # to make it loggable.
         if self.is_admin is None:
-            self.is_admin = policy.check_is_admin(self.roles, self)
+            self.is_admin = policy.check_is_admin(self)
         elif self.is_admin and 'admin' not in self.roles:
             self.roles.append('admin')
 
@@ -145,6 +147,42 @@ def from_dict(cls, values):
                    user_domain=values.get('user_domain'),
                    project_domain=values.get('project_domain'))
 
+    def authorize(self, action, target=None, target_obj=None, fatal=True):
+        """Verifies that the given action is valid on the target in this context.
+
+        :param action: string representing the action to be checked.
+        :param target: dictionary representing the object of the action
+            for object creation this should be a dictionary representing the
+            location of the object e.g. ``{'project_id': context.project_id}``.
+            If None, then this default target will be considered:
+            {'project_id': self.project_id, 'user_id': self.user_id}
+        :param: target_obj: dictionary representing the object which will be
+            used to update target.
+        :param fatal: if False, will return False when an
+            exception.NotAuthorized occurs.
+
+        :raises cinder.exception.NotAuthorized: if verification fails and fatal
+            is True.
+
+        :return: returns a non-False value (not necessarily "True") if
+            authorized and False if not authorized and fatal is False.
+        """
+        if target is None:
+            target = {'project_id': self.project_id,
+                      'user_id': self.user_id}
+        if isinstance(target_obj, objects_base.CinderObject):
+            # Turn object into dict so target.update can work
+            target.update(
+                target_obj.obj_to_primitive()['versioned_object.data'] or {})
+        else:
+            target.update(target_obj or {})
+        try:
+            return policy.authorize(self, action, target)
+        except exception.NotAuthorized:
+            if fatal:
+                raise
+            return False
+
     def to_policy_values(self):
         policy = super(RequestContext, self).to_policy_values()
 

Diff for: cinder/policies/__init__.py

@@ -0,0 +1,26 @@
+# Copyright (c) 2017 Huawei Technologies Co., Ltd.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import itertools
+
+from cinder.policies import attachments
+from cinder.policies import base
+
+
+def list_rules():
+    return itertools.chain(
+        base.list_rules(),
+        attachments.list_rules()
+    )

Diff for: cinder/policies/attachments.py

@@ -0,0 +1,60 @@
+# Copyright (c) 2017 Huawei Technologies Co., Ltd.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+from cinder.policies import base
+
+
+CREATE_POLICY = 'volume:attachment_create'
+UPDATE_POLICY = 'volume:attachment_update'
+DELETE_POLICY = 'volume:attachment_delete'
+
+attachments_policies = [
+    policy.DocumentedRuleDefault(
+        name=CREATE_POLICY,
+        check_str="",
+        description="""Create attachment.""",
+        operations=[
+            {
+                'method': 'POST',
+                'path': '/attachments'
+            }
+        ]),
+    policy.DocumentedRuleDefault(
+        name=UPDATE_POLICY,
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="""Update attachment.""",
+        operations=[
+            {
+                'method': 'PUT',
+                'path': '/attachments/{attachment_id}'
+            }
+        ]),
+    policy.DocumentedRuleDefault(
+        name=DELETE_POLICY,
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="""Delete attachment.""",
+        operations=[
+            {
+                'method': 'DELETE',
+                'path': '/attachments/{attachment_id}'
+            }
+        ]),
+]
+
+
+def list_rules():
+    return attachments_policies

Diff for: cinder/policies/base.py

@@ -0,0 +1,35 @@
+# Copyright (c) 2017 Huawei Technologies Co., Ltd.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_policy import policy
+
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_API = 'rule:admin_api'
+
+rules = [
+    policy.RuleDefault('context_is_admin', 'role:admin'),
+    policy.RuleDefault('admin_or_owner',
+                       'is_admin:True or (role:admin and '
+                       'is_admin_project:True) or  project_id:%(project_id)s'),
+    policy.RuleDefault('default',
+                       'rule:admin_or_owner'),
+    policy.RuleDefault('admin_api',
+                       'is_admin:True or (role:admin and '
+                       'is_admin_project:True)'),
+]
+
+
+def list_rules():
+    return rules

Diff for: cinder/policy.py

@@ -15,23 +15,52 @@
 
 """Policy Engine For Cinder"""
 
+import sys
 
 from oslo_config import cfg
+from oslo_log import log as logging
 from oslo_policy import opts as policy_opts
 from oslo_policy import policy
+from oslo_utils import excutils
 
 from cinder import exception
+from cinder import policies
 
 CONF = cfg.CONF
+LOG = logging.getLogger(__name__)
 policy_opts.set_defaults(cfg.CONF, 'policy.json')
 
 _ENFORCER = None
 
 
-def init():
+def reset():
+    global _ENFORCER
+    if _ENFORCER:
+        _ENFORCER.clear()
+        _ENFORCER = None
+
+
+def init(policy_file=None, rules=None, default_rule=None, use_conf=True):
+    """Init an Enforcer class.
+
+        :param policy_file: Custom policy file to use, if none is specified,
+                          `CONF.policy_file` will be used.
+        :param rules: Default dictionary / Rules to use. It will be
+                    considered just in the first instantiation.
+        :param default_rule: Default rule to use, CONF.default_rule will
+                           be used if none is specified.
+        :param use_conf: Whether to load rules from config file.
+    """
+
     global _ENFORCER
     if not _ENFORCER:
-        _ENFORCER = policy.Enforcer(CONF)
+        _ENFORCER = policy.Enforcer(CONF,
+                                    policy_file=policy_file,
+                                    rules=rules,
+                                    default_rule=default_rule,
+                                    use_conf=use_conf)
+        register_rules(_ENFORCER)
+        _ENFORCER.load_rules()
 
 
 def enforce_action(context, action):
@@ -72,19 +101,100 @@ def enforce(context, action, target):
                              action=action)
 
 
-def check_is_admin(roles, context=None):
-    """Whether or not user is admin according to policy setting.
+def set_rules(rules, overwrite=True, use_conf=False):
+    """Set rules based on the provided dict of rules.
 
+       :param rules: New rules to use. It should be an instance of dict.
+       :param overwrite: Whether to overwrite current rules or update them
+                         with the new rules.
+       :param use_conf: Whether to reload rules from config file.
     """
+
+    init(use_conf=False)
+    _ENFORCER.set_rules(rules, overwrite, use_conf)
+
+
+def get_rules():
+    if _ENFORCER:
+        return _ENFORCER.rules
+
+
+def register_rules(enforcer):
+    enforcer.register_defaults(policies.list_rules())
+
+
+def get_enforcer():
+    # This method is for use by oslopolicy CLI scripts. Those scripts need the
+    # 'output-file' and 'namespace' options, but having those in sys.argv means
+    # loading the Cinder config options will fail as those are not expected to
+    # be present. So we pass in an arg list with those stripped out.
+    conf_args = []
+    # Start at 1 because cfg.CONF expects the equivalent of sys.argv[1:]
+    i = 1
+    while i < len(sys.argv):
+        if sys.argv[i].strip('-') in ['namespace', 'output-file']:
+            i += 2
+            continue
+        conf_args.append(sys.argv[i])
+        i += 1
+
+    cfg.CONF(conf_args, project='cinder')
     init()
+    return _ENFORCER
 
-    # include project_id on target to avoid KeyError if context_is_admin
-    # policy definition is missing, and default admin_or_owner rule
-    # attempts to apply.
-    target = {'project_id': ''}
-    if context is None:
-        credentials = {'roles': roles}
-    else:
-        credentials = context.to_dict()
 
-    return _ENFORCER.enforce('context_is_admin', target, credentials)
+def authorize(context, action, target, do_raise=True, exc=None):
+    """Verifies that the action is valid on the target in this context.
+
+       :param context: cinder context
+       :param action: string representing the action to be checked
+           this should be colon separated for clarity.
+           i.e. ``compute:create_instance``,
+           ``compute:attach_volume``,
+           ``volume:attach_volume``
+       :param target: dictionary representing the object of the action
+           for object creation this should be a dictionary representing the
+           location of the object e.g. ``{'project_id': context.project_id}``
+       :param do_raise: if True (the default), raises PolicyNotAuthorized;
+           if False, returns False
+       :param exc: Class of the exception to raise if the check fails.
+                   Any remaining arguments passed to :meth:`authorize` (both
+                   positional and keyword arguments) will be passed to
+                   the exception class. If not specified,
+                   :class:`PolicyNotAuthorized` will be used.
+
+       :raises cinder.exception.PolicyNotAuthorized: if verification fails
+           and do_raise is True. Or if 'exc' is specified it will raise an
+           exception of that type.
+
+       :return: returns a non-False value (not necessarily "True") if
+           authorized, and the exact value False if not authorized and
+           do_raise is False.
+    """
+    init()
+    credentials = context.to_policy_values()
+    if not exc:
+        exc = exception.PolicyNotAuthorized
+    try:
+        result = _ENFORCER.authorize(action, target, credentials,
+                                     do_raise=do_raise, exc=exc, action=action)
+    except policy.PolicyNotRegistered:
+        with excutils.save_and_reraise_exception():
+            LOG.exception('Policy not registered')
+    except Exception:
+        with excutils.save_and_reraise_exception():
+            LOG.error('Policy check for %(action)s failed with credentials '
+                      '%(credentials)s',
+                      {'action': action, 'credentials': credentials})
+    return result
+
+
+def check_is_admin(context):
+    """Whether or not user is admin according to policy setting.
+
+    """
+    init()
+    # the target is user-self
+    credentials = context.to_policy_values()
+    target = credentials
+    return _ENFORCER.authorize('context_is_admin', target, credentials)

Diff for: cinder/test.py

@@ -313,8 +313,9 @@ def override_config(self, name, override, group=None):
 
     def flags(self, **kw):
         """Override CONF variables for a test."""
+        group = kw.pop('group', None)
         for k, v in kw.items():
-            self.override_config(k, v)
+            CONF.set_override(k, v, group)
 
     def start_service(self, name, host=None, **kwargs):
         host = host if host else uuid.uuid4().hex

Diff for: cinder/tests/unit/policy.json

@@ -1,5 +1,4 @@
 {
-    "context_is_admin": "role:admin",
     "admin_api": "is_admin:True",
     "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
 
@@ -113,9 +112,6 @@
     "backup:update": "rule:admin_or_owner",
     "backup:backup_project_attribute": "rule:admin_api",
 
-    "volume:attachment_create": "",
-    "volume:attachment_update": "rule:admin_or_owner",
-    "volume:attachment_delete": "rule:admin_or_owner",
 
     "consistencygroup:create" : "",
     "consistencygroup:delete": "",