From 4713149b6324173624c12469f32dac33f559b124 Mon Sep 17 00:00:00 2001
From: Bryan Strassner
Date: Tue, 7 Aug 2018 16:24:34 -0500
Subject: [PATCH] Add Oslo Policy options for policy file location

Adds options to the configuration of Shipyard to direct oslo_policy to the location of the /etc/shipyard/policy.yaml file (default location) allowing for override of default policies via chart or chart override.

Change-Id: I5cf68994c40aa835a631f5b6f67363a2b8a8af0a
---
charts/shipyard/values.yaml | 21 +++++++++----------
.../_static/shipyard.policy.yaml.sample | 4 ++++
.../etc/shipyard/policy.yaml.sample | 3 ++-
.../shipyard_airflow/policy.py | 11 ++++++++--
.../tests/unit/control/test.conf | 4 +++-
tools/resources/shipyard.conf | 14 +++---------
6 files changed, 31 insertions(+), 26 deletions(-)
diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml
index 0ed5b875..0607b547 100644
--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -361,12 +361,17 @@ conf:
 workflow_orchestrator:create_action: rule:admin_required
 workflow_orchestrator:get_action: rule:admin_required
 workflow_orchestrator:get_action_step: rule:admin_required
+ workflow_orchestrator:get_action_step_logs: rule:admin_required
 workflow_orchestrator:get_action_validation: rule:admin_required
 workflow_orchestrator:invoke_action_control: rule:admin_required
+ workflow_orchestrator:get_configdocs_status: rule:admin_required
 workflow_orchestrator:create_configdocs: rule:admin_required
 workflow_orchestrator:get_configdocs: rule:admin_required
 workflow_orchestrator:commit_configdocs: rule:admin_required
 workflow_orchestrator:get_renderedconfigdocs: rule:admin_required
+ workflow_orchestrator:list_workflows: rule:admin_required
+ workflow_orchestrator:get_workflow: rule:admin_required
+ workflow_orchestrator:get_site_statuses: rule:admin_required
 paste:
 app:shipyard-api:
 paste.app_factory: shipyard_airflow.shipyard_api:paste_start_shipyard
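Review bot: The five rules added to the chart's policy list here (`workflow_orchestrator:get_action_step_logs`, `get_configdocs_status`, `list_workflows`, `get_workflow`, `get_site_statuses`) are a hand-maintained copy of rules that policy.py presumably registers as defaults, and nothing in the chart states that dependency. An operator overriding this list through chart values can only change rules that appear in it; any rule left out keeps whatever default is registered in policy.py, which is easy to miss when the two lists drift. A comment at the head of the list, e.g. `# Keep in sync with the RuleDefaults in shipyard_airflow/policy.py; rules omitted here keep their in-code default`, would make that visible. The regenerated `policy.yaml.sample` files in this commit look like the authoritative list to compare against before merging.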
@@ -385,17 +390,6 @@ conf:
 service_type: armada
 drydock:
 service_type: physicalprovisioner
- verify_site_query_interval: 10
- verify_site_task_timeout: 60
- prepare_site_query_interval: 10
- prepare_site_task_timeout: 300
- prepare_node_query_interval: 30
- prepare_node_task_timeout: 1800
- deploy_node_query_interval: 30
- deploy_node_task_timeout: 3600
- destroy_node_query_interval: 30
- destroy_node_task_timeout: 900
- cluster_join_check_backoff_time: 120
 promenade:
 service_type: kubernetesprovisioner
 keystone_authtoken:
@@ -416,6 +410,11 @@ conf:
 worker_port: 8793
 k8s_logs:
 ucp_namespace: 'ucp'
+ oslo_policy:
+ policy_file: /etc/shipyard/policy.yaml
+ # If non-existent rule is used, the request should be denied. The
+ # deny_all rule is hard coded in the policy.py code to allow no access.
+ policy_default_rule: deny_all
 airflow_config_file:
 path: /usr/local/airflow/airflow.cfg
 airflow:
diff --git a/docs/source/_static/shipyard.policy.yaml.sample b/docs/source/_static/shipyard.policy.yaml.sample
index a03094df..b0744edc 100644
--- a/docs/source/_static/shipyard.policy.yaml.sample
+++ b/docs/source/_static/shipyard.policy.yaml.sample
@@ -59,3 +59,7 @@
 # GET /api/v1.0/workflows/{id}
 #"workflow_orchestrator:get_workflow": "rule:admin_required"
+# Retrieve the statuses for the site
+# GET /api/v1.0/site_statuses
+#"workflow_orchestrator:get_site_statuses": "rule:admin_required"
+
diff --git a/src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample b/src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample
index ffbdc7ef..b0744edc 100644
--- a/src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample
+++ b/src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample
@@ -59,6 +59,7 @@
 # GET /api/v1.0/workflows/{id}
 #"workflow_orchestrator:get_workflow": "rule:admin_required"
-# Retrieve the status for node provision status
+# Retrieve the statuses for the site
 # GET /api/v1.0/site_statuses
 #"workflow_orchestrator:get_site_statuses": "rule:admin_required"
+
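Review bot: The comment above `policy_default_rule: deny_all` overstates what is "hard coded": oslo.policy consults `policy_default_rule` only for a rule name that is neither registered in code nor present in the policy file, and an entry named `deny_all` in the rendered policy.yaml overrides the `'!'` default registered in policy.py, so a chart override of the policy list can redefine the fallback. Suggest rewording the comment to state both facts, e.g. `# Rule applied when a requested rule is neither registered in policy.py nor present in policy.yaml. deny_all is registered in policy.py as '!' (never passes); do not redefine it in the policy list above.` The same `[oslo_policy]` section is added to the unit-test `test.conf` and to `tools/resources/shipyard.conf` without any explanation of the fallback.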
diff --git a/src/bin/shipyard_airflow/shipyard_airflow/policy.py b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
index e68ba1ca..cf7410be 100644
--- a/src/bin/shipyard_airflow/shipyard_airflow/policy.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
@@ -32,13 +32,20 @@ class ShipyardPolicy(object):
 """
 RULE_ADMIN_REQUIRED = 'rule:admin_required'
+ RULE_DENY_ALL = 'rule:deny_all'
 # Base Policy
 base_rules = [
 policy.RuleDefault(
 'admin_required',
 'role:admin',
- description='Actions requiring admin authority'),
+ description='Actions requiring admin authority'
+ ),
+ policy.RuleDefault(
+ 'deny_all',
+ '!',
+ description='Rule to deny all access. Used for default denial'
+ ),
 ]
 # Orchestrator Policy
@@ -234,7 +241,7 @@ class ApiEnforcer(object):
 authorized = True
 except:
 # couldn't service the auth request
- LOG.error(
+ LOG.exception(
 "Error - Expectation Failed - action: %s", self.action)
 raise ApiError(
 title="Expectation Failed",
diff --git a/src/bin/shipyard_airflow/tests/unit/control/test.conf b/src/bin/shipyard_airflow/tests/unit/control/test.conf
index 584b92ad..9c906740 100644
--- a/src/bin/shipyard_airflow/tests/unit/control/test.conf
+++ b/src/bin/shipyard_airflow/tests/unit/control/test.conf
@@ -44,4 +44,6 @@ validation_read_timeout = 300
 service_type = shipyard
 [logging]
 named_log_levels = keystoneauth:ERROR,cheese:WARN,pumpkins:INFO
-
+[oslo_policy]
+policy_file = /etc/shipyard/policy.yaml
+policy_default_rule = deny_all
diff --git a/tools/resources/shipyard.conf b/tools/resources/shipyard.conf
index 7665e3a8..fcd4d813 100644
--- a/tools/resources/shipyard.conf
+++ b/tools/resources/shipyard.conf
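Review bot: `RULE_DENY_ALL = 'rule:deny_all'` is introduced but not referenced anywhere in the visible hunk, and the config files in this commit name the fallback as the bare rule name `deny_all` rather than through this constant, so its purpose is unclear; a one-line comment stating what it is for (or dropping it until it has a caller) would avoid a dangling name. The `'!'` check string is the oslo.policy check that never passes, which is what the description promises, but a reader unfamiliar with oslo.policy will not know that; `# '!' is the oslo.policy check that always evaluates false` next to it would help. The `ShipyardPolicy` class body continues beyond the hunk, so uses of the constant may exist outside this view.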
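Review bot: `LOG.exception(` now records a traceback for everything the bare `except:` two lines above it catches, which includes `SystemExit` and `KeyboardInterrupt`; those would be logged as an "Expectation Failed" enforcement error and turned into an `ApiError` instead of propagating. Narrowing the handler to `except Exception:` keeps the new traceback logging for genuine enforcement failures while letting interpreter-level exceptions through. The enclosing method of `ApiEnforcer` starts and ends outside the hunk.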
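Review bot: The unit-test configuration now sets `policy_file = /etc/shipyard/policy.yaml`, an absolute path that will not exist on most developer machines or CI runners; whether the enforcer then falls back to the rules registered in policy.py or fails to load depends on the oslo.policy version in use, so the tests' behaviour without that file should be confirmed, or the option pointed at a fixture inside the tests tree, e.g. `policy_file = <PATH_TO_TEST_POLICY_FIXTURE>`. Removing the blank line also leaves `[oslo_policy]` glued to `named_log_levels`, which is valid ini but harder to read than the other sections in this file.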
@@ -13,18 +13,7 @@ upgrade_db = false
 [deckhand]
 service_type = deckhand
 [drydock]
-cluster_join_check_backoff_time = 120
-deploy_node_query_interval = 30
-deploy_node_task_timeout = 3600
-destroy_node_query_interval = 30
-destroy_node_task_timeout = 900
-prepare_node_query_interval = 30
-prepare_node_task_timeout = 1800
-prepare_site_query_interval = 10
-prepare_site_task_timeout = 300
 service_type = physicalprovisioner
-verify_site_query_interval = 10
-verify_site_task_timeout = 60
 [keystone_authtoken]
 auth_section = keystone_authtoken
 auth_type = password
@@ -53,3 +42,6 @@ validation_connect_timeout = 5
 validation_read_timeout = 300
 [shipyard]
 service_type = shipyard
+[oslo_policy]
+policy_file = /etc/shipyard/policy.yaml
+policy_default_rule = deny_all