
Add dedicated deployments oslo_policy definitions.

Signed-off-by: Nashwan Azhari <nazhari@cloudbasesolutions.com>
Nashwan Azhari 2 ani în urmă
comite
ce318a0e3f

+ 2 - 3
coriolis/api/v1/deployment_actions.py

@@ -4,7 +4,7 @@
 from coriolis.api import wsgi as api_wsgi
 from coriolis import exception
 from coriolis.deployments import api
-from coriolis.policies import migrations as migration_policies
+from coriolis.policies import deployments as deployment_policies
 
 from webob import exc
 
@@ -17,8 +17,7 @@ class DeploymentActionsController(api_wsgi.Controller):
     @api_wsgi.action('cancel')
     def _cancel(self, req, id, body):
         context = req.environ['coriolis.context']
-        # TODO(aznashwan): add policy definitions and checks for deployments:
-        context.can(migration_policies.get_migrations_policy_label("cancel"))
+        context.can(deployment_policies.get_deployments_policy_label("cancel"))
         try:
             force = (body["cancel"] or {}).get("force", False)
 
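Review bot: Switching `_cancel` to `deployment_policies.get_deployments_policy_label("cancel")` means an operator override of the `migration:migrations:*` rules no longer governs deployments, and the commit carries no upgrade note saying so. A site that had tightened `migration:migrations:cancel` would fall back to the `rule:admin_or_owner` default for deployments until it adds the new `migration:deployments:*` keys to its policy file. The same applies to the show, list, create and delete checks in coriolis/api/v1/deployments.py. I would add a release note along the lines of `Deployments are now authorized by their own migration:deployments:* rules; copy any customised migration:migrations:* overrides to the matching deployments keys.` The body of `_cancel` continues past the end of the hunk.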

+ 5 - 9
coriolis/api/v1/deployments.py

@@ -7,7 +7,7 @@ from coriolis.api import wsgi as api_wsgi
 from coriolis.endpoints import api as endpoints_api
 from coriolis import exception
 from coriolis.deployments import api
-from coriolis.policies import migrations as migration_policies
+from coriolis.policies import deployments as deployment_policies
 
 from oslo_config import cfg as conf
 from oslo_log import log as logging
@@ -34,8 +34,7 @@ class DeploymentsController(api_wsgi.Controller):
 
     def show(self, req, id):
         context = req.environ["coriolis.context"]
-        # TODO(aznashwan): add policy definitions and checks for deployments:
-        context.can(migration_policies.get_migrations_policy_label("show"))
+        context.can(deployment_policies.get_deployments_policy_label("show"))
         deployment = self._deployment_api.get_deployment(
             context, id,
             include_task_info=CONF.api.include_task_info_in_deployments_api)
@@ -49,8 +48,7 @@ class DeploymentsController(api_wsgi.Controller):
             req.GET.get("show_deleted", None))
         context = req.environ["coriolis.context"]
         context.show_deleted = show_deleted
-        # TODO(aznashwan): add policy definitions and checks for deployments:
-        context.can(migration_policies.get_migrations_policy_label("list"))
+        context.can(deployment_policies.get_deployments_policy_label("list"))
         return deployment_view.collection(
             self._deployment_api.get_deployments(
                 context,
@@ -95,8 +93,7 @@ class DeploymentsController(api_wsgi.Controller):
     def create(self, req, body):
         deployment_body = body.get("deployment", {})
         context = req.environ['coriolis.context']
-        # TODO(aznashwan): add policy definitions and checks for deployments:
-        context.can(migration_policies.get_migrations_policy_label("create"))
+        context.can(deployment_policies.get_deployments_policy_label("create"))
 
         (replica_id, force, clone_disks, skip_os_morphing,
          instance_osmorphing_minion_pool_mappings,
@@ -114,8 +111,7 @@ class DeploymentsController(api_wsgi.Controller):
 
     def delete(self, req, id):
         context = req.environ['coriolis.context']
-        # TODO(aznashwan): add policy definitions and checks for deployments:
-        context.can(migration_policies.get_migrations_policy_label("delete"))
+        context.can(deployment_policies.get_deployments_policy_label("delete"))
         try:
             self._deployment_api.delete(context, id)
             raise exc.HTTPNoContent()
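Review bot: In `show` and `delete` the policy check is called with the rule label alone, before the deployment named by `id` is loaded, so the rule is not evaluated against that deployment's own project or owner. `context.can` is not visible here; if it defaults the target to the caller's credentials, the owner half of `rule:admin_or_owner` passes for any authenticated caller and tenant isolation rests entirely on `get_deployment` and `delete` filtering by `context`. A comment above each check such as `# Ownership is enforced by the DB layer scoping on context, not by this rule.` would make that dependency explicit, and a test that a non-admin caller cannot show or delete another project's deployment would pin it. Both methods start or end outside their hunks.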

+ 80 - 0
coriolis/policies/deployments.py

@@ -0,0 +1,80 @@
+# Copyright 2018 Cloudbase Solutions Srl
+# All Rights Reserved.
+
+from oslo_policy import policy
+
+from coriolis.policies import base
+
+
+DEPLOYMENTS_POLICY_PREFIX = "%s:deployments" % base.CORIOLIS_POLICIES_PREFIX
+DEPLOYMENTS_POLICY_DEFAULT_RULE = "rule:admin_or_owner"
+
+
+def get_deployments_policy_label(rule_label):
+    return "%s:%s" % (
+        DEPLOYMENTS_POLICY_PREFIX, rule_label)
+
+
+DEPLOYMENTS_POLICY_DEFAULT_RULES = [
+    policy.DocumentedRuleDefault(
+        get_deployments_policy_label('create'),
+        DEPLOYMENTS_POLICY_DEFAULT_RULE,
+        "Create a deployment",
+        [
+            {
+                "path": "/deployments",
+                "method": "POST"
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        get_deployments_policy_label('list'),
+        DEPLOYMENTS_POLICY_DEFAULT_RULE,
+        "List deployments",
+        [
+            {
+                "path": "/deployments",
+                "method": "GET"
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        get_deployments_policy_label('show'),
+        DEPLOYMENTS_POLICY_DEFAULT_RULE,
+        "Show details for a deployment",
+        [
+            {
+                "path": "/deployment/{deployment_id}",
+                "method": "GET"
+            }
+        ]
+    ),
+    # TODO(aznashwan): deployment actions should ideally be
+    # declared in a separate module
+    policy.DocumentedRuleDefault(
+        get_deployments_policy_label('cancel'),
+        DEPLOYMENTS_POLICY_DEFAULT_RULE,
+        "Cancel a running Migration",
+        [
+            {
+                "path": "/deployments/{deployment_id}/actions/",
+                "method": "POST"
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        get_deployments_policy_label('delete'),
+        DEPLOYMENTS_POLICY_DEFAULT_RULE,
+        "Delete Migration",
+        [
+            {
+                "path": "/deployment/{deployment_id}",
+                "method": "DELETE"
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return DEPLOYMENTS_POLICY_DEFAULT_RULES
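Review bot: Three of the `DocumentedRuleDefault` entries carry text copied from the migrations module, and that text ends up in the generated policy documentation operators read when writing overrides. The `show` and `delete` entries document the path as `/deployment/{deployment_id}` while create, list and cancel all use the plural `/deployments`, and the `cancel` and `delete` descriptions still say "Migration". Assuming the route is plural throughout, I would use `"path": "/deployments/{deployment_id}"` for both entries, and `"Cancel a running deployment"` and `"Delete a deployment"` as the descriptions. `get_deployments_policy_label` and `list_rules` would also benefit from one-line docstrings stating that they build the full rule name and return the module's default rules.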

+ 4 - 2
coriolis/policy.py

@@ -9,6 +9,7 @@ from oslo_policy import policy
 
 from coriolis import exception
 from coriolis.policies import base
+from coriolis.policies import deployments
 from coriolis.policies import diagnostics
 from coriolis.policies import endpoints
 from coriolis.policies import general
@@ -28,8 +29,9 @@ CONF = conf.CONF
 _ENFORCER = None
 
 DEFAULT_POLICIES_MODULES = [
-    base, endpoints, general, migrations, replicas, replica_schedules,
-    replica_tasks_executions, diagnostics, regions, services, minion_pools]
+    base, deployments, endpoints, general, migrations, replicas,
+    replica_schedules, replica_tasks_executions, diagnostics, regions,
+    services, minion_pools]
 
 
 def reset():

+ 7 - 0
etc/coriolis/policy.yaml

@@ -22,6 +22,13 @@
 "migration:migrations:cancel": "rule:admin_or_owner"
 "migration:migrations:delete": "rule:admin_or_owner"
 
+"migration:deployments:create": "rule:admin_or_owner"
+"migration:deployments:list": "rule:admin_or_owner"
+"migration:deployments:show": "rule:admin_or_owner"
+"migration:deployments:show_execution": "rule:admin_or_owner"
+"migration:deployments:cancel": "rule:admin_or_owner"
+"migration:deployments:delete": "rule:admin_or_owner"
+
 "migration:replicas:create": "rule:admin_or_owner"
 "migration:replicas:list": "rule:admin_or_owner"
 "migration:replicas:show": "rule:admin_or_owner"
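Review bot: The sample file gains `"migration:deployments:show_execution"`, but coriolis/policies/deployments.py in this commit registers defaults only for create, list, show, cancel and delete, and none of the controller hunks checks a `show_execution` label. Unless it is registered elsewhere, this key is never consulted, so an operator who tightens it would believe an operation is restricted when nothing enforces it. Either drop the line from the sample or add a matching `policy.DocumentedRuleDefault` and a `context.can(...)` call at the endpoint it is meant to guard.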