openstack/cinder
Code Issues Proposed changes

Add policy documentation and sample file

Browse Source 
This patch adds documentation and sample
file for default policy in code feature.

Change-Id: I597971a29ec61a1bf8c991b2715ec7644b2e2692
Partial-Implements: blueprint policy-in-code
This commit is contained in:
TommyLike 2017-10-16 14:23:03 +08:00
parent 5581052415
commit 988f79479e
13 changed files with 58 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
cinder/policies/attachments.py
View File

@ -26,7 +26,7 @@ attachments_policies = [
policy.DocumentedRuleDefault(
name=CREATE_POLICY,
check_str="",
description="""Create attachment.""",
description="Create attachment.",
operations=[
{
'method': 'POST',
@ -36,7 +36,7 @@ attachments_policies = [
policy.DocumentedRuleDefault(
name=UPDATE_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""Update attachment.""",
description="Update attachment.",
operations=[
{
'method': 'PUT',
@ -46,7 +46,7 @@ attachments_policies = [
policy.DocumentedRuleDefault(
name=DELETE_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""Delete attachment.""",
description="Delete attachment.",
operations=[
{
'method': 'DELETE',

6
cinder/policies/clusters.py
View File

@ -27,7 +27,7 @@ clusters_policies = [
policy.DocumentedRuleDefault(
name=GET_ALL_POLICY,
check_str=base.RULE_ADMIN_API,
description="""List clusters.""",
description="List clusters.",
operations=[
{
'method': 'GET',
@ -41,7 +41,7 @@ clusters_policies = [
policy.DocumentedRuleDefault(
name=GET_POLICY,
check_str=base.RULE_ADMIN_API,
description="""Show cluster.""",
description="Show cluster.",
operations=[
{
'method': 'GET',
@ -51,7 +51,7 @@ clusters_policies = [
policy.DocumentedRuleDefault(
name=UPDATE_POLICY,
check_str=base.RULE_ADMIN_API,
description="""Update cluster.""",
description="Update cluster.",
operations=[
{
'method': 'PUT',

6
cinder/policies/manageable_volumes.py
View File

@ -28,7 +28,7 @@ manageable_volumes_policies = [
name=LIST_MANAGEABLE_POLICY,
check_str=base.RULE_ADMIN_API,
description=
"""List (in detail) of volumes which are available to manage.""",
"List (in detail) of volumes which are available to manage.",
operations=[
{
'method': 'GET',
@ -42,7 +42,7 @@ manageable_volumes_policies = [
policy.DocumentedRuleDefault(
name=MANAGE_POLICY,
check_str=base.RULE_ADMIN_API,
description="""Manage existing volumes.""",
description="Manage existing volumes.",
operations=[
{
'method': 'POST',
@ -52,7 +52,7 @@ manageable_volumes_policies = [
policy.DocumentedRuleDefault(
name=UNMANAGE_POLICY,
check_str=base.RULE_ADMIN_API,
description="""Stop managing a volume.""",
description="Stop managing a volume.",
operations=[
{
'method': 'POST',

6
cinder/policies/messages.py
View File

@ -27,7 +27,7 @@ messages_policies = [
policy.DocumentedRuleDefault(
name=GET_ALL_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""List messages.""",
description="List messages.",
operations=[
{
'method': 'GET',
@ -37,7 +37,7 @@ messages_policies = [
policy.DocumentedRuleDefault(
name=GET_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""Show message.""",
description="Show message.",
operations=[
{
'method': 'GET',
@ -47,7 +47,7 @@ messages_policies = [
policy.DocumentedRuleDefault(
name=DELETE_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="""Delete message.""",
description="Delete message.",
operations=[
{
'method': 'DELETE',

14
cinder/policies/volume_type.py
View File

@ -27,7 +27,7 @@ volume_type_policies = [
policy.DocumentedRuleDefault(
name=MANAGE_POLICY,
check_str=base.RULE_ADMIN_API,
description="""Create, update and delete volume type.""",
description="Create, update and delete volume type.",
operations=[
{
'method': 'POST',
@ -45,8 +45,8 @@ volume_type_policies = [
policy.DocumentedRuleDefault(
name=ENCRYPTION_POLICY,
check_str=base.RULE_ADMIN_API,
description="""List, show, create, update and delete volume
type encryption.""",
description="List, show, create, update and delete volume "
"type encryption.",
operations=[
{
'method': 'POST',
@ -72,8 +72,8 @@ type encryption.""",
policy.DocumentedRuleDefault(
name=EXTRA_SPEC_POLICY,
check_str=base.RULE_ADMIN_API,
description="""List or show volume type with access type extra
specs attribute.""",
description="List or show volume type with access type extra "
"specs attribute.",
operations=[
{
'method': 'GET',
@ -87,8 +87,8 @@ specs attribute.""",
policy.DocumentedRuleDefault(
name=QOS_POLICY,
check_str=base.RULE_ADMIN_API,
description="""List or show volume type with access type qos specs
id attribute.""",
description="List or show volume type with access type qos specs "
"id attribute.",
operations=[
{
'method': 'GET',

2
cinder/policies/workers.py
View File

@ -25,7 +25,7 @@ workers_policies = [
policy.DocumentedRuleDefault(
name=CLEAN_POLICY,
check_str=base.RULE_ADMIN_API,
description="""Clean up workers.""",
description="Clean up workers.",
operations=[
{
'method': 'POST',

6
doc/source/conf.py
View File

@ -60,12 +60,18 @@ extensions = ['sphinx.ext.autodoc',
'stevedore.sphinxext',
'oslo_config.sphinxconfiggen',
'ext.cinder_driverlist',
'oslo_policy.sphinxext',
'oslo_policy.sphinxpolicygen',
]
config_generator_config_file = (
'../../tools/config/cinder-config-generator.conf')
sample_config_basename = '_static/cinder'
policy_generator_config_file = (
'../../tools/config/cinder-policy-generator.conf')
sample_policy_basename = '_static/cinder'
# autodoc generation is a bit aggressive and a nuisance
# when doing heavy text edit cycles. Execute "export SPHINX_DEBUG=1"
# in your terminal to disable

11
doc/source/configuration/block-storage/policy.rst Normal file
View File

@ -0,0 +1,11 @@
====================
Policy configuration
====================
Configuration
~~~~~~~~~~~~~
The following is an overview of all available policies in Cinder.
.. show-policy::
:config-file: tools/config/cinder-policy-generator.conf

1
doc/source/configuration/index.rst
View File

@ -10,6 +10,7 @@ Cinder Service Configuration
block-storage/backup-drivers.rst
block-storage/schedulers.rst
block-storage/logs.rst
block-storage/policy.rst
block-storage/fc-zoning.rst
block-storage/nested-quota.rst
block-storage/volume-encryption.rst

2
doc/source/index.rst
View File

@ -63,6 +63,8 @@ Configuration Reference
Sample Configuration File <sample_config>
Sample Policy File <sample_policy>
drivers
CLI Reference

17
doc/source/sample_policy.rst Normal file
View File

@ -0,0 +1,17 @@
====================
Cinder Sample Policy
====================
The following is a sample Cinder policy file that has been auto-generated
from default policy values in code. If you're using the default policies, then
the maintenance of this file is not necessary.
It is here to help explain which policy operations protect specific Cinder API,
but it is not suggested to copy and paste into a deployment unless you're planning
on providing a different policy for an operation that is not the default. For
instance, if you want to change the default value of "volume:create", you only
need to keep this single rule in your policy config
file (**/etc/cinder/policy.json**).
The sample policy file can also be viewed in `file form <_static/cinder.policy.yaml.sample>`_.
.. literalinclude:: _static/cinder.policy.yaml.sample

0
etc/cinder/cinder-policy-generator.conf → tools/config/cinder-policy-generator.conf
View File

2
tox.ini
View File

@ -93,7 +93,7 @@ commands = oslo-config-generator --config-file=tools/config/cinder-config-genera
[testenv:genpolicy]
commands = oslopolicy-sample-generator --config-file=etc/cinder/cinder-policy-generator.conf
commands = oslopolicy-sample-generator --config-file=tools/config/cinder-policy-generator.conf
[testenv:genopts]
sitepackages = False