Merge "Add Oslo Policy options for policy file location"
commit
1fa5c547d1
|
@ -361,12 +361,17 @@ conf:
|
||||||
workflow_orchestrator:create_action: rule:admin_required
|
workflow_orchestrator:create_action: rule:admin_required
|
||||||
workflow_orchestrator:get_action: rule:admin_required
|
workflow_orchestrator:get_action: rule:admin_required
|
||||||
workflow_orchestrator:get_action_step: rule:admin_required
|
workflow_orchestrator:get_action_step: rule:admin_required
|
||||||
|
workflow_orchestrator:get_action_step_logs: rule:admin_required
|
||||||
workflow_orchestrator:get_action_validation: rule:admin_required
|
workflow_orchestrator:get_action_validation: rule:admin_required
|
||||||
workflow_orchestrator:invoke_action_control: rule:admin_required
|
workflow_orchestrator:invoke_action_control: rule:admin_required
|
||||||
|
workflow_orchestrator:get_configdocs_status: rule:admin_required
|
||||||
workflow_orchestrator:create_configdocs: rule:admin_required
|
workflow_orchestrator:create_configdocs: rule:admin_required
|
||||||
workflow_orchestrator:get_configdocs: rule:admin_required
|
workflow_orchestrator:get_configdocs: rule:admin_required
|
||||||
workflow_orchestrator:commit_configdocs: rule:admin_required
|
workflow_orchestrator:commit_configdocs: rule:admin_required
|
||||||
workflow_orchestrator:get_renderedconfigdocs: rule:admin_required
|
workflow_orchestrator:get_renderedconfigdocs: rule:admin_required
|
||||||
|
workflow_orchestrator:list_workflows: rule:admin_required
|
||||||
|
workflow_orchestrator:get_workflow: rule:admin_required
|
||||||
|
workflow_orchestrator:get_site_statuses: rule:admin_required
|
||||||
paste:
|
paste:
|
||||||
app:shipyard-api:
|
app:shipyard-api:
|
||||||
paste.app_factory: shipyard_airflow.shipyard_api:paste_start_shipyard
|
paste.app_factory: shipyard_airflow.shipyard_api:paste_start_shipyard
|
||||||
|
@ -385,17 +390,6 @@ conf:
|
||||||
service_type: armada
|
service_type: armada
|
||||||
drydock:
|
drydock:
|
||||||
service_type: physicalprovisioner
|
service_type: physicalprovisioner
|
||||||
verify_site_query_interval: 10
|
|
||||||
verify_site_task_timeout: 60
|
|
||||||
prepare_site_query_interval: 10
|
|
||||||
prepare_site_task_timeout: 300
|
|
||||||
prepare_node_query_interval: 30
|
|
||||||
prepare_node_task_timeout: 1800
|
|
||||||
deploy_node_query_interval: 30
|
|
||||||
deploy_node_task_timeout: 3600
|
|
||||||
destroy_node_query_interval: 30
|
|
||||||
destroy_node_task_timeout: 900
|
|
||||||
cluster_join_check_backoff_time: 120
|
|
||||||
promenade:
|
promenade:
|
||||||
service_type: kubernetesprovisioner
|
service_type: kubernetesprovisioner
|
||||||
keystone_authtoken:
|
keystone_authtoken:
|
||||||
|
@ -416,6 +410,11 @@ conf:
|
||||||
worker_port: 8793
|
worker_port: 8793
|
||||||
k8s_logs:
|
k8s_logs:
|
||||||
ucp_namespace: 'ucp'
|
ucp_namespace: 'ucp'
|
||||||
|
oslo_policy:
|
||||||
|
policy_file: /etc/shipyard/policy.yaml
|
||||||
|
# If non-existent rule is used, the request should be denied. The
|
||||||
|
# deny_all rule is hard coded in the policy.py code to allow no access.
|
||||||
|
policy_default_rule: deny_all
|
||||||
airflow_config_file:
|
airflow_config_file:
|
||||||
path: /usr/local/airflow/airflow.cfg
|
path: /usr/local/airflow/airflow.cfg
|
||||||
airflow:
|
airflow:
|
||||||
|
|
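Review bot: The comment above `policy_default_rule: deny_all` in the `oslo_policy` hunk says the rule is hard coded in policy.py, but rules loaded from `policy_file` generally take precedence over defaults registered in code, so a `deny_all` entry in /etc/shipyard/policy.yaml would silently change what the default rule resolves to. I would reword the comment to say so, e.g. `# deny_all is registered in policy.py as '!'; do not redefine it in the policy file, because a file entry overrides the in-code default.` It is also worth confirming that the chart renders the policy rules to /etc/shipyard/policy.yaml, since the mount is not visible in this section. The same `policy_file`/`policy_default_rule` pair is added in the two `[oslo_policy]` INI hunks later in the commit, and the caveat applies there as well.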
|
@ -49,13 +49,20 @@ class ShipyardPolicy(object):
|
||||||
"""
|
"""
|
||||||
|
|
||||||
RULE_ADMIN_REQUIRED = 'rule:admin_required'
|
RULE_ADMIN_REQUIRED = 'rule:admin_required'
|
||||||
|
RULE_DENY_ALL = 'rule:deny_all'
|
||||||
|
|
||||||
# Base Policy
|
# Base Policy
|
||||||
base_rules = [
|
base_rules = [
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
'admin_required',
|
'admin_required',
|
||||||
'role:admin',
|
'role:admin',
|
||||||
description='Actions requiring admin authority'),
|
description='Actions requiring admin authority'
|
||||||
|
),
|
||||||
|
policy.RuleDefault(
|
||||||
|
'deny_all',
|
||||||
|
'!',
|
||||||
|
description='Rule to deny all access. Used for default denial'
|
||||||
|
),
|
||||||
]
|
]
|
||||||
|
|
||||||
# Orchestrator Policy
|
# Orchestrator Policy
|
||||||
|
@ -251,7 +258,7 @@ class ApiEnforcer(object):
|
||||||
authorized = True
|
authorized = True
|
||||||
except:
|
except:
|
||||||
# couldn't service the auth request
|
# couldn't service the auth request
|
||||||
LOG.error(
|
LOG.exception(
|
||||||
"Error - Expectation Failed - action: %s", self.action)
|
"Error - Expectation Failed - action: %s", self.action)
|
||||||
raise ApiError(
|
raise ApiError(
|
||||||
title="Expectation Failed",
|
title="Expectation Failed",
|
||||||
|
|
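Review bot: The handler in the `ApiEnforcer` hunk is still a bare `except:`, so after the switch to `LOG.exception` it logs a traceback for, and converts into an `ApiError`, `KeyboardInterrupt` and `SystemExit` as well as genuine policy-engine failures. `except Exception:` would keep raising `ApiError` for enforcement errors without swallowing interpreter-level exits. In the `ShipyardPolicy` hunk, the new `deny_all` default is the rule that the `policy_default_rule` option names, so a short comment next to it such as `# '!' never matches; name must stay in sync with [oslo_policy] policy_default_rule` would help keep the two from drifting apart. Both the class body and the enforcing method start and end outside the visible hunks.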
|
@ -44,4 +44,6 @@ validation_read_timeout = 300
|
||||||
service_type = shipyard
|
service_type = shipyard
|
||||||
[logging]
|
[logging]
|
||||||
named_log_levels = keystoneauth:ERROR,cheese:WARN,pumpkins:INFO
|
named_log_levels = keystoneauth:ERROR,cheese:WARN,pumpkins:INFO
|
||||||
|
[oslo_policy]
|
||||||
|
policy_file = /etc/shipyard/policy.yaml
|
||||||
|
policy_default_rule = deny_all
|
||||||
|
|
|
@ -13,18 +13,7 @@ upgrade_db = false
|
||||||
[deckhand]
|
[deckhand]
|
||||||
service_type = deckhand
|
service_type = deckhand
|
||||||
[drydock]
|
[drydock]
|
||||||
cluster_join_check_backoff_time = 120
|
|
||||||
deploy_node_query_interval = 30
|
|
||||||
deploy_node_task_timeout = 3600
|
|
||||||
destroy_node_query_interval = 30
|
|
||||||
destroy_node_task_timeout = 900
|
|
||||||
prepare_node_query_interval = 30
|
|
||||||
prepare_node_task_timeout = 1800
|
|
||||||
prepare_site_query_interval = 10
|
|
||||||
prepare_site_task_timeout = 300
|
|
||||||
service_type = physicalprovisioner
|
service_type = physicalprovisioner
|
||||||
verify_site_query_interval = 10
|
|
||||||
verify_site_task_timeout = 60
|
|
||||||
[keystone_authtoken]
|
[keystone_authtoken]
|
||||||
auth_section = keystone_authtoken
|
auth_section = keystone_authtoken
|
||||||
auth_type = password
|
auth_type = password
|
||||||
|
@ -53,3 +42,6 @@ validation_connect_timeout = 5
|
||||||
validation_read_timeout = 300
|
validation_read_timeout = 300
|
||||||
[shipyard]
|
[shipyard]
|
||||||
service_type = shipyard
|
service_type = shipyard
|
||||||
|
[oslo_policy]
|
||||||
|
policy_file = /etc/shipyard/policy.yaml
|
||||||
|
policy_default_rule = deny_all
|
||||||
|
|