rename policy to permission and create IAM Policy api

deli/counter/auth/policy.py → deli/counter/auth/permission.py

@@ -1,4 +1,4 @@
-SYSTEM_POLICIES = [
+SYSTEM_PERMISSIONS = [
     # Roles
     {
         "name": "roles:system:create",
@@ -20,6 +20,15 @@
         "name": "roles:system:delete",
         "description": "Ability to delete a system role"
     },
+    # Policy
+    {
+        "name": "policy:system:get",
+        "description": "Ability to get system policies"
+    },
+    {
+        "name": "policy:system:set",
+        "description": "Ability to set system policies"
+    },
     # Flavors
     {
         "name": "flavors:create",
@@ -105,7 +114,7 @@
     },
 ]
 
-PROJECT_POLICIES = [
+PROJECT_PERMISSIONS = [
     # Project
     {
         "name": "projects:get",
@@ -165,6 +174,15 @@
             'editor'
         ]
     },
+    # Policy
+    {
+        "name": "policy:project:get",
+        "description": "Ability to get project policies"
+    },
+    {
+        "name": "policy:project:set",
+        "description": "Ability to set project policies"
+    },
     # Volumes
     {
         "name": "volumes:create",

deli/counter/auth/token.py

@@ -10,7 +10,7 @@
 from jose import jwt
 from simple_settings import settings
 
-from deli.counter.auth.policy import SYSTEM_POLICIES
+from deli.counter.auth.permission import SYSTEM_PERMISSIONS
 from deli.kubernetes.resources.project import Project
 from deli.kubernetes.resources.v1alpha1.iam_group.model import IAMSystemGroup
 from deli.kubernetes.resources.v1alpha1.iam_policy.model import IAMPolicy
@@ -196,14 +196,15 @@ def get_projects(self) -> List[Project]:
 
         return projects
 
-    def enforce_policy(self, policy, project=None):
+    def enforce_permission(self, permission, project=None):
         if len(self.system_roles) > 0:
-            if policy in [p['name'] for p in SYSTEM_POLICIES]:
+            if permission in [p['name'] for p in SYSTEM_PERMISSIONS]:
                 for role_name in self.system_roles:
                     role = IAMSystemRole.get(role_name)
-                    if role is not None and policy in role.policies:
+                    if role is not None and permission in role.permissions:
                         return
-                raise cherrypy.HTTPError(403, "Insufficient permissions (%s) to perform the requested action." % policy)
+                raise cherrypy.HTTPError(403,
+                                         "Insufficient permissions (%s) to perform the requested action." % permission)
 
         if project is not None:
             project_policy = IAMPolicy.get(project.name)
@@ -212,10 +213,10 @@ def enforce_policy(self, policy, project=None):
             project_roles = self.find_roles(project_policy)
             for role_name in project_roles:
                 role = IAMProjectRole.get(project, role_name)
-                if role is not None and policy in role.policies:
+                if role is not None and permission in role.permissions:
                     return
 
             raise cherrypy.HTTPError(403, "Insufficient permissions (%s) to perform the "
-                                          "requested action in the project %s." % (policy, project.name))
+                                          "requested action in the project %s." % (permission, project.name))
 
-        raise cherrypy.HTTPError(403, "Insufficient permissions (%s) to perform the requested action." % policy)
+        raise cherrypy.HTTPError(403, "Insufficient permissions (%s) to perform the requested action." % permission)

deli/counter/http/mounts/root/mount.py

@@ -46,11 +46,11 @@ def validate_token(self):
             # The email will contain the project
             cherrypy.request.login = token.email + '/' + token.metadata['instance']
 
-    def enforce_policy(self, policy_name):
+    def enforce_permission(self, permission_name):
         project = None
         if hasattr(cherrypy.request, 'project'):
             project = cherrypy.request.project
-        cherrypy.request.token.enforce_policy(policy_name, project=project)
+        cherrypy.request.token.enforce_permission(permission_name, project=project)
 
     def validate_project_scope(self, delete_param=False):
         if 'project_name' in cherrypy.request.params:
@@ -82,7 +82,7 @@ def __setup_tools(self):
         cherrypy.tools.project_scope = cherrypy.Tool('on_start_resource', self.validate_project_scope, priority=30)
 
         cherrypy.tools.resource_object = cherrypy.Tool('before_request_body', self.resource_object, priority=40)
-        cherrypy.tools.enforce_policy = cherrypy.Tool('before_request_body', self.enforce_policy, priority=50)
+        cherrypy.tools.enforce_permission = cherrypy.Tool('before_request_body', self.enforce_permission, priority=50)
 
     def __setup_kubernetes(self):
         if settings.KUBE_CONFIG is not None or settings.KUBE_MASTER is not None:

deli/counter/http/mounts/root/routes/compute/v1/flavor.py

@@ -17,7 +17,7 @@ def __init__(self):
     @Route(methods=[RequestMethods.POST])
     @cherrypy.tools.model_in(cls=RequestCreateFlavor)
     @cherrypy.tools.model_out(cls=ResponseFlavor)
-    @cherrypy.tools.enforce_policy(policy_name="flavors:create")
+    @cherrypy.tools.enforce_permission(permission_name="flavors:create")
     def create(self):
         """Create a flavor
         ---
@@ -85,7 +85,7 @@ def list(self, limit, marker):
     @Route(route='{flavor_name}', methods=[RequestMethods.DELETE])
     @cherrypy.tools.model_params(cls=ParamsFlavor)
     @cherrypy.tools.resource_object(id_param="flavor_name", cls=Flavor)
-    @cherrypy.tools.enforce_policy(policy_name="flavors:delete")
+    @cherrypy.tools.enforce_permission(permission_name="flavors:delete")
     def delete(self, **_):
         """Delete a Flavor
         ---

deli/counter/http/mounts/root/routes/compute/v1/images.py

@@ -21,7 +21,7 @@ def __init__(self):
     @Route(methods=[RequestMethods.POST])
     @cherrypy.tools.model_in(cls=RequestCreateImage)
     @cherrypy.tools.model_out(cls=ResponseImage)
-    @cherrypy.tools.enforce_policy(policy_name="images:create")
+    @cherrypy.tools.enforce_permission(permission_name="images:create")
     def create(self):
         """Create an image
         ---
@@ -66,7 +66,7 @@ def create(self):
     @cherrypy.tools.model_params(cls=ParamsImage)
     @cherrypy.tools.model_out(cls=ResponseImage)
     @cherrypy.tools.resource_object(id_param="image_name", cls=Image)
-    @cherrypy.tools.enforce_policy(policy_name="images:get")
+    @cherrypy.tools.enforce_permission(permission_name="images:get")
     def get(self, **_):
         """Get an image
         ---
@@ -86,7 +86,7 @@ def get(self, **_):
     @Route()
     @cherrypy.tools.model_params(cls=ParamsListImage)
     @cherrypy.tools.model_out_pagination(cls=ResponseImage)
-    @cherrypy.tools.enforce_policy(policy_name="images:list")
+    @cherrypy.tools.enforce_permission(permission_name="images:list")
     def list(self, region_name, visibility: ImageVisibility, limit: int, marker: uuid.UUID):
         """List images
         ---
@@ -118,7 +118,7 @@ def list(self, region_name, visibility: ImageVisibility, limit: int, marker: uui
     @Route(route='{image_name}', methods=[RequestMethods.DELETE])
     @cherrypy.tools.model_params(cls=ParamsImage)
     @cherrypy.tools.resource_object(id_param="image_name", cls=Image)
-    @cherrypy.tools.enforce_policy(policy_name="images:delete")
+    @cherrypy.tools.enforce_permission(permission_name="images:delete")
     def delete(self, **_):
         """Delete an image
         ---

deli/counter/http/mounts/root/routes/compute/v1/instance.py

@@ -31,7 +31,7 @@ def __init__(self):
     @Route(methods=[RequestMethods.POST])
     @cherrypy.tools.model_in(cls=RequestCreateInstance)
     @cherrypy.tools.model_out(cls=ResponseInstance)
-    @cherrypy.tools.enforce_policy(policy_name="instances:create")
+    @cherrypy.tools.enforce_permission(permission_name="instances:create")
     def create(self):
         """Create an instance
         ---
@@ -180,7 +180,7 @@ def create(self):
     @cherrypy.tools.model_params(cls=ParamsInstance)
     @cherrypy.tools.model_out(cls=ResponseInstance)
     @cherrypy.tools.resource_object(id_param="instance_name", cls=Instance)
-    @cherrypy.tools.enforce_policy(policy_name="instances:get")
+    @cherrypy.tools.enforce_permission(permission_name="instances:get")
     def get(self, **_):
         """Get an instance
         ---
@@ -198,7 +198,7 @@ def get(self, **_):
     @Route()
     @cherrypy.tools.model_params(cls=ParamsListInstance)
     @cherrypy.tools.model_out_pagination(cls=ResponseInstance)
-    @cherrypy.tools.enforce_policy(policy_name="instances:list")
+    @cherrypy.tools.enforce_permission(permission_name="instances:list")
     def list(self, image_name, region_name, zone_name, limit: int, marker: uuid.UUID):
         """List instances
         ---
@@ -244,7 +244,7 @@ def list(self, image_name, region_name, zone_name, limit: int, marker: uuid.UUID
     @Route(route='{instance_name}', methods=[RequestMethods.DELETE])
     @cherrypy.tools.model_params(cls=ParamsInstance)
     @cherrypy.tools.resource_object(id_param="instance_name", cls=Instance)
-    @cherrypy.tools.enforce_policy(policy_name="instances:delete")
+    @cherrypy.tools.enforce_permission(permission_name="instances:delete")
     def delete(self, **_):
         """Delete an instance
         ---
@@ -272,7 +272,7 @@ def delete(self, **_):
     @Route(route='{instance_name}/action/start', methods=[RequestMethods.PUT])
     @cherrypy.tools.model_params(cls=ParamsInstance)
     @cherrypy.tools.resource_object(id_param="instance_name", cls=Instance)
-    @cherrypy.tools.enforce_policy(policy_name="instances:action:stop")
+    @cherrypy.tools.enforce_permission(permission_name="instances:action:stop")
     def action_start(self, **_):
         """Start an instance
         ---
@@ -302,7 +302,7 @@ def action_start(self, **_):
     @cherrypy.tools.model_params(cls=ParamsInstance)
     @cherrypy.tools.model_in(cls=RequestInstancePowerOffRestart)
     @cherrypy.tools.resource_object(id_param="instance_name", cls=Instance)
-    @cherrypy.tools.enforce_policy(policy_name="instances:action:start")
+    @cherrypy.tools.enforce_permission(permission_name="instances:action:start")
     def action_stop(self, **_):
         """Stop an instance
         ---
@@ -335,7 +335,7 @@ def action_stop(self, **_):
     @cherrypy.tools.model_params(cls=ParamsInstance)
     @cherrypy.tools.model_in(cls=RequestInstancePowerOffRestart)
     @cherrypy.tools.resource_object(id_param="instance_name", cls=Instance)
-    @cherrypy.tools.enforce_policy(policy_name="instances:action:restart")
+    @cherrypy.tools.enforce_permission(permission_name="instances:action:restart")
     def action_restart(self, **_):
         """Restart an instance
         ---
@@ -369,7 +369,7 @@ def action_restart(self, **_):
     @cherrypy.tools.model_in(cls=RequestInstanceImage)
     @cherrypy.tools.model_out(cls=ResponseImage)
     @cherrypy.tools.resource_object(id_param="instance_name", cls=Instance)
-    @cherrypy.tools.enforce_policy(policy_name="instances:action:image")
+    @cherrypy.tools.enforce_permission(permission_name="instances:action:image")
     def action_image(self, **_):
         """Image an instance
         ---

deli/counter/http/mounts/root/routes/compute/v1/keypairs.py

@@ -19,7 +19,7 @@ def __init__(self):
     @Route(methods=[RequestMethods.POST])
     @cherrypy.tools.model_in(cls=RequestCreateKeypair)
     @cherrypy.tools.model_out(cls=ResponseKeypair)
-    @cherrypy.tools.enforce_policy(policy_name="keypairs:create")
+    @cherrypy.tools.enforce_permission(permission_name="keypairs:create")
     def create(self):
         """Create a keypair
         ---
@@ -52,7 +52,7 @@ def create(self):
     @cherrypy.tools.model_params(cls=ParamsKeypair)
     @cherrypy.tools.model_out(cls=ResponseKeypair)
     @cherrypy.tools.resource_object(id_param="keypair_name", cls=Keypair)
-    @cherrypy.tools.enforce_policy(policy_name="keypairs:get")
+    @cherrypy.tools.enforce_permission(permission_name="keypairs:get")
     def get(self, **_):
         """Get a keypair
         ---
@@ -70,7 +70,7 @@ def get(self, **_):
     @Route()
     @cherrypy.tools.model_params(cls=ParamsListKeypair)
     @cherrypy.tools.model_out_pagination(cls=ResponseKeypair)
-    @cherrypy.tools.enforce_policy(policy_name="keypairs:list")
+    @cherrypy.tools.enforce_permission(permission_name="keypairs:list")
     def list(self, limit: int, marker: uuid.UUID):
         """List keypairs
         ---
@@ -91,7 +91,7 @@ def list(self, limit: int, marker: uuid.UUID):
     @Route(route='{keypair_name}', methods=[RequestMethods.DELETE])
     @cherrypy.tools.model_params(cls=ParamsKeypair)
     @cherrypy.tools.resource_object(id_param="keypair_name", cls=Keypair)
-    @cherrypy.tools.enforce_policy(policy_name="keypairs:delete")
+    @cherrypy.tools.enforce_permission(permission_name="keypairs:delete")
     def delete(self, **_):
         """Delete a keypair
         ---

deli/counter/http/mounts/root/routes/compute/v1/network_ports.py

@@ -19,7 +19,7 @@ def __init__(self):
     @cherrypy.tools.model_params(cls=ParamsNetworkPort)
     @cherrypy.tools.model_out(cls=ResponseNetworkPort)
     @cherrypy.tools.resource_object(id_param="network_port_id", cls=NetworkPort)
-    @cherrypy.tools.enforce_policy(policy_name="network_ports:get")
+    @cherrypy.tools.enforce_permission(permission_name="network_ports:get")
     def get(self, **_):
         """Get a network port
         ---
@@ -37,7 +37,7 @@ def get(self, **_):
     @Route()
     @cherrypy.tools.model_params(cls=ParamsListNetworkPort)
     @cherrypy.tools.model_out_pagination(cls=ResponseNetworkPort)
-    @cherrypy.tools.enforce_policy(policy_name="network_ports:list")
+    @cherrypy.tools.enforce_permission(permission_name="network_ports:list")
     def list(self, limit, marker):
         """List network ports
         ---
@@ -58,7 +58,7 @@ def list(self, limit, marker):
     @Route(route='{network_port_id}', methods=[RequestMethods.DELETE])
     @cherrypy.tools.model_params(cls=ParamsNetworkPort)
     @cherrypy.tools.resource_object(id_param="network_port_id", cls=NetworkPort)
-    @cherrypy.tools.enforce_policy(policy_name="network_ports:delete")
+    @cherrypy.tools.enforce_permission(permission_name="network_ports:delete")
     def delete(self, **_):
         """Delete a network port
         ---

deli/counter/http/mounts/root/routes/compute/v1/networks.py

@@ -21,7 +21,7 @@ def __init__(self):
     @Route(methods=[RequestMethods.POST])
     @cherrypy.tools.model_in(cls=RequestCreateNetwork)
     @cherrypy.tools.model_out(cls=ResponseNetwork)
-    @cherrypy.tools.enforce_policy(policy_name="networks:create")
+    @cherrypy.tools.enforce_permission(permission_name="networks:create")
     def create(self):
         """Create a network
         ---
@@ -50,8 +50,6 @@ def create(self):
             raise cherrypy.HTTPError(409, 'Can only create a network with a region in the following state: %s'.format(
                 ResourceState.Created))
 
-        # TODO: check duplicate (or overlapping) cidr
-
         network = Network()
         network.name = request.name
         network.port_group = request.port_group
@@ -118,7 +116,7 @@ def list(self, region, limit: int, marker: uuid.UUID):
     @Route(route='{network_name}', methods=[RequestMethods.DELETE])
     @cherrypy.tools.model_params(cls=ParamsNetwork)
     @cherrypy.tools.resource_object(id_param="network_name", cls=Network)
-    @cherrypy.tools.enforce_policy(policy_name="networks:delete")
+    @cherrypy.tools.enforce_permission(permission_name="networks:delete")
     def delete(self, **_):
         """Delete a network
         ---