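Primary maintainer
- Primary maintainer
Unknown
- Other contributors
None
Graduate the policy API into a standalone library.
Policy code is security-sensitive and needs to be managed as a library. If there is a CVE-level defect, deploying the fix should require deploying a new version of the library, not syncing each individual project.
The new library will be named oslo.policy.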
openstack/common/policy.py
tests/unit/test_policy.py
tests/var/policy.d
tests/var/policy.2.d
tests/var/policy.json
Keystone
from oslo_policy import policy
All existing public functions and classes will remain public.
class Rules(dict):
    """A store for rules. Handles the default_rule setting directly."""

class Enforcer(object):
    """Responsible for loading and enforcing rules.

    :param policy_file: Custom policy file to use, if none is
                        specified, `CONF.policy_file` will be
                        used.
    :param rules: Default dictionary / Rules to use. It will be
                  considered just in the first instantiation. If
                  `load_rules(True)`, `clear()` or `set_rules(True)`
                  is called this will be overwritten.
    :param default_rule: Default rule to use, CONF.default_rule will
                         be used if none is specified.
    :param use_conf: Whether to load rules from cache or config file.
    :param overwrite: Whether to overwrite existing rules when reload rules
                      from config file.
    """
The Rules class has a method for loading rules, currently only from JSON files.
def load_json(cls, data, default_rule=None):
    """Allow loading of JSON rule data."""
The Enforcer class handles rules and enforcement, which are performed through the following public methods:
def set_rules(self, rules, overwrite=True, use_conf=False):
    """Create a new Rules object based on the provided dict of rules.

    :param rules: New rules to use. It should be an instance of dict.
    :param overwrite: Whether to overwrite current rules or update them
                      with the new rules.
    :param use_conf: Whether to reload rules from cache or config file.
    """

def clear(self):
    """Clears Enforcer rules, policy's cache and policy's path."""

def load_rules(self, force_reload=False):
    """Loads policy_path's rules.

    Policy file is cached and will be reloaded if modified.

    :param force_reload: Whether to reload rules from config file.
    """

def enforce(self, rule, target, creds, do_raise=False,
            exc=None, *args, **kwargs):
    """Checks authorization of a rule against the target and credentials.

    :param rule: A string or BaseCheck instance specifying the rule
                 to evaluate.
    :param target: As much information about the object being operated
                   on as possible, as a dictionary.
    :param creds: As much information about the user performing the
                  action as possible, as a dictionary.
    :param do_raise: Whether to raise an exception or not if check
                     fails.
    :param exc: Class of the exception to raise if the check fails.
                Any remaining arguments passed to enforce() (both
                positional and keyword arguments) will be passed to
                the exception class. If not specified, PolicyNotAuthorized
                will be used.
    :return: Returns False if the policy does not allow the action and
             exc is not provided; otherwise, returns a value that
             evaluates to True. Note: for rules using the "case"
             expression, this True value will be the specified string
             from the expression.
    """
A base check class and some default extensions: FalseCheck, TrueCheck, Check, NotCheck, AndCheck, OrCheck, RoleCheck, HttpCheck and GenericCheck. These checks are used to validate rules.
class BaseCheck(object):
    """Abstract base class for Check classes."""
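An added example, not code from oslo.policy or from this spec: a simplified, standard-library-only model of the semantics documented above, showing how Rules resolves an undefined rule through default_rule, how enforce() fails closed when no rule applies, and how do_raise and exc select the exception. The helpers role, owner, any_of and deny and the SAMPLE_RULES policy are hypothetical stand-ins for the check classes and a policy file.

```python
# Simplified model for illustration; not oslo.policy source.
class PolicyNotAuthorized(Exception):
    """Default exception raised when do_raise=True and the check fails."""


class Rules(dict):
    """Rule store; unknown rule names resolve through default_rule."""

    def __init__(self, rules=None, default_rule=None):
        super().__init__(rules or {})
        self.default_rule = default_rule

    def __missing__(self, key):
        # No usable default: signal "no rule" so the caller can deny.
        if not self.default_rule or self.default_rule not in self:
            raise KeyError(key)
        return self[self.default_rule]

# Hypothetical stand-ins for RoleCheck, GenericCheck, OrCheck and FalseCheck.
def role(name):
    return lambda target, creds: name in creds.get("roles", [])

def owner(target, creds):
    project = target.get("project_id")
    return project is not None and project == creds.get("project_id")

def any_of(*checks):
    return lambda target, creds: any(c(target, creds) for c in checks)

def deny(target, creds):
    return False


class Enforcer:
    def __init__(self, rules=None, default_rule=None):
        self.rules = Rules(rules, default_rule)

    def enforce(self, rule, target, creds, do_raise=False, exc=None,
                *args, **kwargs):
        try:
            result = self.rules[rule](target, creds)
        except KeyError:
            result = False  # fail closed: undefined rule, no default
        if do_raise and not result:
            raise exc(*args, **kwargs) if exc else PolicyNotAuthorized(rule)
        return result

# Constructed sample policy: admins or the owning project may delete.
SAMPLE_RULES = {"volume:delete": any_of(role("admin"), owner), "default": deny}
```

A misspelled rule name such as "volume:delet" is evaluated against the "default" rule here, so it is denied rather than silently allowed.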
Adam Young ayoung ayoung@redhat.com
Rodrigo Duarte rodrigodsousa rodrigods@lsd.ufcg.edu.br
Unknown
None
ayoung
kilo-2
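After release, projects that use oslo.policy should change how they import policy.py so that they use the oslo_policy module instead of the current <project>.openstack.common. In addition, they need to add the library to their requirements (in the requirements.txt and/or test-requirements.txt files).
The library needs its own documentation, but this will be done after graduation.
None
Note
This work is licensed under a Creative Commons Attribution 3.0 Unported License. http://creativecommons.org/licenses/by/3.0/legalcode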