Refactor policies to use constant values

Changes repeated use of strings to a list of constant values for the
policies used to validate access to the APIs of Shipyard.

Change-Id: Ie1cac7b0587ddcf907e81ffee14fa43042b812b5
Bryan Strassner 2018-08-08 10:58:55 -05:00
parent 0341954f00
commit 3dffa4cc79
11 changed files with 47 additions and 30 deletions


@ -67,7 +67,7 @@ class ActionsResource(BaseResource):
The actions resource represent the asyncrhonous invocations of shipyard
"""
@policy.ApiEnforcer('workflow_orchestrator:list_actions')
@policy.ApiEnforcer(policy.LIST_ACTIONS)
def on_get(self, req, resp, **kwargs):
"""
Return actions that have been invoked through shipyard.
@ -76,7 +76,7 @@ class ActionsResource(BaseResource):
resp.body = self.to_json(self.get_all_actions())
resp.status = falcon.HTTP_200
@policy.ApiEnforcer('workflow_orchestrator:create_action')
@policy.ApiEnforcer(policy.CREATE_ACTION)
def on_post(self, req, resp, **kwargs):
"""
Accept an action into shipyard


@ -34,7 +34,7 @@ class ActionsControlResource(BaseResource):
'stop': self.stop_dag
}
@policy.ApiEnforcer('workflow_orchestrator:invoke_action_control')
@policy.ApiEnforcer(policy.INVOKE_ACTION_CONTROL)
def on_post(self, req, resp, **kwargs):
"""
Returns that a control was recevied (202 response)


@ -28,7 +28,7 @@ class ActionsIdResource(BaseResource):
"""
The actions resource represent the asyncrhonous invocations of shipyard
"""
@policy.ApiEnforcer('workflow_orchestrator:get_action')
@policy.ApiEnforcer(policy.GET_ACTION)
def on_get(self, req, resp, **kwargs):
"""
Return actions that have been invoked through shipyard.


@ -24,7 +24,7 @@ class ActionsStepsResource(BaseResource):
"""
The actions steps resource is the steps of an action
"""
@policy.ApiEnforcer('workflow_orchestrator:get_action_step')
@policy.ApiEnforcer(policy.GET_ACTION_STEP)
def on_get(self, req, resp, **kwargs):
"""
Return step details for an action step


@ -34,7 +34,7 @@ class ActionsStepsLogsResource(BaseResource):
the names of the logs as 1.log, 2.log, 3.log, etc.
"""
@policy.ApiEnforcer('workflow_orchestrator:get_action_step_logs')
@policy.ApiEnforcer(policy.GET_ACTION_STEP_LOGS)
def on_get(self, req, resp, **kwargs):
"""
Returns the logs of an action step


@ -25,7 +25,7 @@ class ActionsValidationsResource(BaseResource):
The actions validations resource is the validtions of an action
"""
@policy.ApiEnforcer('workflow_orchestrator:get_action_validation')
@policy.ApiEnforcer(policy.GET_ACTION_VALIDATION)
def on_get(self, req, resp, **kwargs):
"""
Return validation details for an action validation


@ -30,7 +30,7 @@ class WorkflowResource(BaseResource):
/api/v1.0/workflows
"""
@policy.ApiEnforcer('workflow_orchestrator:list_workflows')
@policy.ApiEnforcer(policy.LIST_WORKFLOWS)
def on_get(self, req, resp):
"""
Return actions that have been invoked through shipyard.
@ -60,7 +60,7 @@ class WorkflowIdResource(BaseResource):
/api/v1/workflows/{workflow_id}
"""
@policy.ApiEnforcer('workflow_orchestrator:get_workflow')
@policy.ApiEnforcer(policy.GET_WORKFLOW)
def on_get(self, req, resp, workflow_id):
"""
Retrieve the step details of workflows invoked in Airflow.


@ -38,7 +38,7 @@ class ConfigDocsStatusResource(BaseResource):
statuses
"""
@policy.ApiEnforcer('workflow_orchestrator:get_configdocs_status')
@policy.ApiEnforcer(policy.GET_CONFIGDOCS_STATUS)
def on_get(self, req, resp):
"""Returns a list of the configdocs and their statuses"""
versions = req.params.get('versions') or None
@ -53,7 +53,7 @@ class ConfigDocsResource(BaseResource):
documents into Shipyard.
"""
@policy.ApiEnforcer('workflow_orchestrator:create_configdocs')
@policy.ApiEnforcer(policy.CREATE_CONFIGDOCS)
@api_lock(ApiLockType.CONFIGDOCS_UPDATE)
def on_post(self, req, resp, collection_id):
"""
@ -92,7 +92,7 @@ class ConfigDocsResource(BaseResource):
resp.location = '/api/v1.0/configdocs/{}'.format(collection_id)
resp.body = self.to_json(validations)
@policy.ApiEnforcer('workflow_orchestrator:get_configdocs')
@policy.ApiEnforcer(policy.GET_CONFIGDOCS)
def on_get(self, req, resp, collection_id):
"""
Returns a collection of documents
@ -178,7 +178,7 @@ class CommitConfigDocsResource(BaseResource):
unable_to_commmit = 'Unable to commit configuration documents'
@policy.ApiEnforcer('workflow_orchestrator:commit_configdocs')
@policy.ApiEnforcer(policy.COMMIT_CONFIGDOCS)
@api_lock(ApiLockType.CONFIGDOCS_UPDATE)
def on_post(self, req, resp):
"""
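Review bot: The decorator order on both `on_post` handlers in this file (create and commit) carries a security meaning that nothing on the new lines records: `@policy.ApiEnforcer(...)` sits above `@api_lock(ApiLockType.CONFIGDOCS_UPDATE)`, so it is the outer wrapper and presumably rejects an unauthorized caller before the lock is taken. A later reorder would let unauthorized requests contend for the configdocs update lock. I would add a comment above each pair, `# Keep ApiEnforcer outermost: the policy check must run before api_lock is acquired`. Both handler bodies continue outside the hunks, so how api_lock behaves on contention is not visible here.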


@ -37,7 +37,7 @@ class RenderedConfigDocsResource(BaseResource):
in a complete or rendered state.
"""
@policy.ApiEnforcer('workflow_orchestrator:get_renderedconfigdocs')
@policy.ApiEnforcer(policy.GET_RENDEREDCONFIGDOCS)
def on_get(self, req, resp):
"""
Returns the whole set of rendered documents


@ -30,7 +30,7 @@ class StatusResource(BaseResource):
node status and power state
"""
@policy.ApiEnforcer('workflow_orchestrator:get_site_statuses')
@policy.ApiEnforcer(policy.GET_SITE_STATUSES)
def on_get(self, req, resp, **kwargs):
"""
Return site based statuses that has been invoked through shipyard.


@ -25,6 +25,23 @@ CONF = cfg.CONF
LOG = logging.getLogger(__name__)
policy_engine = None
# Policy name constants
LIST_ACTIONS = 'workflow_orchestrator:list_actions'
CREATE_ACTION = 'workflow_orchestrator:create_action'
GET_ACTION = 'workflow_orchestrator:get_action'
GET_ACTION_STEP = 'workflow_orchestrator:get_action_step'
GET_ACTION_STEP_LOGS = 'workflow_orchestrator:get_action_step_logs'
GET_ACTION_VALIDATION = 'workflow_orchestrator:get_action_validation'
INVOKE_ACTION_CONTROL = 'workflow_orchestrator:invoke_action_control'
GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status'
CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs'
GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs'
COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs'
GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs'
LIST_WORKFLOWS = 'workflow_orchestrator:list_workflows'
GET_WORKFLOW = 'workflow_orchestrator:get_workflow'
GET_SITE_STATUSES = 'workflow_orchestrator:get_site_statuses'
class ShipyardPolicy(object):
"""
@ -44,7 +61,7 @@ class ShipyardPolicy(object):
# Orchestrator Policy
task_rules = [
policy.DocumentedRuleDefault(
'workflow_orchestrator:list_actions',
LIST_ACTIONS,
RULE_ADMIN_REQUIRED,
'List workflow actions invoked by users',
[{
@ -53,7 +70,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:create_action',
CREATE_ACTION,
RULE_ADMIN_REQUIRED,
'Create a workflow action',
[{
@ -62,7 +79,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:get_action',
GET_ACTION,
RULE_ADMIN_REQUIRED,
'Retrieve an action by its id',
[{
@ -71,7 +88,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:get_action_step',
GET_ACTION_STEP,
RULE_ADMIN_REQUIRED,
'Retrieve an action step by its id',
[{
@ -80,7 +97,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:get_action_step_logs',
GET_ACTION_STEP_LOGS,
RULE_ADMIN_REQUIRED,
'Retrieve logs of an action step by its id',
[{
@ -89,7 +106,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:get_action_validation',
GET_ACTION_VALIDATION,
RULE_ADMIN_REQUIRED,
'Retrieve an action validation by its id',
[{
@ -99,7 +116,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:invoke_action_control',
INVOKE_ACTION_CONTROL,
RULE_ADMIN_REQUIRED,
'Send a control to an action',
[{
@ -108,7 +125,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:get_configdocs_status',
GET_CONFIGDOCS_STATUS,
RULE_ADMIN_REQUIRED,
'Retrieve the status of the configdocs',
[{
@ -117,7 +134,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:create_configdocs',
CREATE_CONFIGDOCS,
RULE_ADMIN_REQUIRED,
'Ingest configuration documents for the site design',
[{
@ -126,7 +143,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:get_configdocs',
GET_CONFIGDOCS,
RULE_ADMIN_REQUIRED,
'Retrieve a collection of configuration documents',
[{
@ -135,7 +152,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:commit_configdocs',
COMMIT_CONFIGDOCS,
RULE_ADMIN_REQUIRED,
('Move documents from the Shipyard buffer to the committed '
'documents'),
@ -145,7 +162,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:get_renderedconfigdocs',
GET_RENDEREDCONFIGDOCS,
RULE_ADMIN_REQUIRED,
('Retrieve the configuration documents rendered by Deckhand into '
'a complete design'),
@ -155,7 +172,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:list_workflows',
LIST_WORKFLOWS,
RULE_ADMIN_REQUIRED,
('Retrieve the list of workflows (DAGs) that have been invoked '
'in Airflow, whether via Shipyard or scheduled'),
@ -165,7 +182,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:get_workflow',
GET_WORKFLOW,
RULE_ADMIN_REQUIRED,
('Retrieve the detailed information for a workflow (DAG) from '
'Airflow'),
@ -175,7 +192,7 @@ class ShipyardPolicy(object):
}]
),
policy.DocumentedRuleDefault(
'workflow_orchestrator:get_site_statuses',
GET_SITE_STATUSES,
RULE_ADMIN_REQUIRED,
'Retrieve the statuses for the site',
[{
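Review bot: Nothing in this file ties the new module-level constants to the rules registered in `ShipyardPolicy.task_rules`, so a constant added later without a matching `DocumentedRuleDefault` would be accepted by `@policy.ApiEnforcer(...)` at import time and only surface when the endpoint is called; how the enforcer treats an unregistered name is not visible in this diff. A small unit test that collects the `workflow_orchestrator:` constants from this module and asserts each one equals the name of a registered rule would close that gap. The `# Policy name constants` comment could also say why the values must stay stable, for example `# Policy name constants. The values are the rule names that policy overrides refer to; renaming one silently detaches those overrides.` The `task_rules` list starts and ends outside the hunks shown.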