barbican/barbican/context.py
John Wood 8a15a923d6 Add role based access control (RBAC) to Barbican
Barbican must support RBAC on its various REST methods. This commit adds logic to enforce
RBAC rules defined in a policy.json on the REST resource API methods that need to be
protected from unauthorized access. The implementation uses the latest oslo policy
module updates to read, parse and enforce RBAC rules.

Change-Id: I94b1709532540947ab3f1c9878c883a1fd167183
Implements: blueprint rbac-add-support
2013-08-20 21:30:35 -05:00


# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright 2011-2012 OpenStack LLC.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from barbican.openstack.common import policy
from barbican.openstack.common import local
from barbican.openstack.common import uuidutils
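class RequestContext(object):
    """
    Stores information about the security context under which the user
    accesses the system, as well as additional request information.

    This object is what the policy enforcer evaluates RBAC rules against.
    Its ``user``, ``tenant``, ``roles`` and ``is_admin`` values are stored
    exactly as the caller supplies them -- nothing in this class verifies
    them -- so they must originate from a trusted source (presumably the
    authenticating middleware), never from request-controlled data.
    """

    # to_dict() emits the token under the key that openstack-common logging
    # expects; from_dict() maps that key back to the constructor argument.
    _DICT_ALIASES = {'auth_token': 'auth_tok'}
    # Copies of user/tenant that to_dict() adds for logging, paired with the
    # constructor argument each one was derived from.
    _DICT_DERIVED = (('user_id', 'user'),
                     ('tenant_id', 'tenant'),
                     ('project_id', 'tenant'))

    def __init__(self, auth_tok=None, user=None, tenant=None, roles=None,
                 is_admin=False, read_only=False, show_deleted=False,
                 owner_is_tenant=True, service_catalog=None,
                 policy_enforcer=None):
        """Create a context and, if none is stored yet, publish it.

        :param auth_tok: authentication token of the caller
        :param user: identifier of the calling user
        :param tenant: identifier of the calling tenant/project
        :param roles: role names granted to the caller; defaults to a
                      fresh empty list rather than a shared mutable default
        :param is_admin: admin flag, stored as given (see note below)
        :param read_only: whether the request is read-only
        :param show_deleted: currently unused (see TODO below)
        :param owner_is_tenant: when true, ``owner`` resolves to ``tenant``,
                                otherwise to ``user``
        :param service_catalog: service catalog handed in by the caller
        :param policy_enforcer: enforcer to evaluate policy rules with; a
                                new ``policy.Enforcer()`` is built when none
                                is supplied
        """
        self.auth_tok = auth_tok
        self.user = user
        self.tenant = tenant
        self.roles = roles or []
        self.read_only = read_only
        # TODO(jwood): self._show_deleted = show_deleted
        # (mkbhanda) possibly domain could be owner
        # brings us to the key scope question
        self.owner_is_tenant = owner_is_tenant
        # A fresh id per context; from_dict() can overwrite it to preserve
        # the id of a serialized context.
        self.request_id = uuidutils.generate_uuid()
        self.service_catalog = service_catalog
        # Injecting an enforcer lets the API layer (or tests) share a single
        # parsed policy instead of building one per request.
        self.policy_enforcer = policy_enforcer or policy.Enforcer()
        # NOTE(review): the flag is trusted as given.  The policy-based
        # check below is still a TODO, so no verification happens here.
        self.is_admin = is_admin
        # TODO(jwood): Is this needed?
        # if not self.is_admin:
        #     self.is_admin = \
        #         self.policy_enforcer.check_is_admin(self)

        # Only the first context created becomes the stored one; later
        # contexts have to call update_store() explicitly to replace it.
        if not hasattr(local.store, 'context'):
            self.update_store()

    def to_dict(self):
        """Return the context as a dict shaped for openstack-common logging.

        The dict includes the raw auth token under ``'auth_token'``; any
        code that logs or persists the result should redact that key.
        """
        # NOTE(ameade): These keys are named to correspond with the default
        # format string for logging the context in openstack common
        return {
            'request_id': self.request_id,
            # NOTE(bcwaldon): openstack-common logging expects 'user'
            'user': self.user,
            'user_id': self.user,
            # NOTE(bcwaldon): openstack-common logging expects 'tenant'
            'tenant': self.tenant,
            'tenant_id': self.tenant,
            'project_id': self.tenant,
            # TODO(jwood): 'is_admin': self.is_admin,
            # TODO(jwood): 'read_deleted': self.show_deleted,
            'roles': self.roles,
            'auth_token': self.auth_tok,
            'service_catalog': self.service_catalog,
        }

    @classmethod
    def from_dict(cls, values):
        """Build a context from constructor kwargs or a to_dict() result.

        Plain constructor keyword names are passed through unchanged, so
        existing callers are unaffected.  The logging-oriented keys that
        to_dict() adds are handled as well: ``'auth_token'`` is mapped to
        ``auth_tok``, the ``*_id`` duplicates fill in ``user``/``tenant``
        only when those are absent, and a serialized ``'request_id'`` is
        restored after construction so a round trip preserves it.

        :param values: mapping of keyword names to values
        :returns: a new instance of ``cls``
        :raises TypeError: if an unknown key reaches the constructor
        """
        kwargs = dict(values)
        request_id = kwargs.pop('request_id', None)
        for alias, argument in cls._DICT_ALIASES.items():
            if alias in kwargs:
                value = kwargs.pop(alias)
                if kwargs.get(argument) is None:
                    kwargs[argument] = value
        for derived, argument in cls._DICT_DERIVED:
            value = kwargs.pop(derived, None)
            if value is not None and kwargs.get(argument) is None:
                kwargs[argument] = value
        context = cls(**kwargs)
        if request_id is not None:
            context.request_id = request_id
        return context

    def update_store(self):
        """Publish this context as ``local.store.context``."""
        local.store.context = self

    @property
    def owner(self):
        """Return the owner to correlate with key."""
        return self.tenant if self.owner_is_tenant else self.user

    # TODO(jwood):
    # @property
    # def show_deleted(self):
    #     """Admins can see deleted by default"""
    #     if self._show_deleted or self.is_admin:
    #         return True
    #     return False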