822e568921
This patch just adjust import order to follow PEP8 imports rule. See http://www.python.org/dev/peps/pep-0008/#imports Imports should be grouped in the following order: 1) Standard library imports 2) Related third party imports 3) Local application/library specific imports Change-Id: Ifb56bbe6ba1ed7682c3326d6429fb34d268e7ea4
113 lines
3.4 KiB
Python
113 lines
3.4 KiB
Python
# Copyright (c) 2013 Bull.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
# implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
"""Policy Engine For Climate."""
|
|
|
|
import functools
|
|
|
|
from oslo.config import cfg
|
|
|
|
from climate import context
|
|
from climate import exceptions
|
|
from climate.openstack.common import log as logging
|
|
from climate.openstack.common import policy
|
|
|
|
CONF = cfg.CONF
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
_ENFORCER = None
|
|
|
|
|
|
def reset():
|
|
global _ENFORCER
|
|
|
|
if _ENFORCER:
|
|
_ENFORCER.clear()
|
|
_ENFORCER = None
|
|
|
|
|
|
def init():
|
|
global _ENFORCER
|
|
if not _ENFORCER:
|
|
LOG.debug("Enforcer not present, recreating at init stage.")
|
|
_ENFORCER = policy.Enforcer()
|
|
|
|
|
|
def set_rules(data, default_rule=None):
|
|
default_rule = default_rule or CONF.policy_default_rule
|
|
if not _ENFORCER:
|
|
LOG.debug("Enforcer not present, recreating at rules stage.")
|
|
init()
|
|
if default_rule:
|
|
_ENFORCER.default_rule = default_rule
|
|
_ENFORCER.set_rules(policy.Rules.load_json(data, default_rule))
|
|
|
|
|
|
def enforce(context, action, target, do_raise=True):
|
|
"""Verifies that the action is valid on the target in this context.
|
|
|
|
:param context: climate context
|
|
:param action: string representing the action to be checked
|
|
this should be colon separated for clarity.
|
|
i.e. ``compute:create_instance``,
|
|
``compute:attach_volume``,
|
|
``volume:attach_volume``
|
|
:param target: dictionary representing the object of the action
|
|
for object creation this should be a dictionary representing the
|
|
location of the object e.g. ``{'project_id': context.project_id}``
|
|
:param do_raise: if True (the default), raises PolicyNotAuthorized;
|
|
if False, returns False
|
|
|
|
:raises climate.exceptions.PolicyNotAuthorized: if verification fails
|
|
and do_raise is True.
|
|
|
|
:return: returns a non-False value (not necessarily "True") if
|
|
authorized, and the exact value False if not authorized and
|
|
do_raise is False.
|
|
"""
|
|
|
|
init()
|
|
|
|
credentials = context.to_dict()
|
|
|
|
# Add the exceptions arguments if asked to do a raise
|
|
extra = {}
|
|
if do_raise:
|
|
extra.update(exc=exceptions.PolicyNotAuthorized, action=action)
|
|
|
|
return _ENFORCER.enforce(action, target, credentials, do_raise=do_raise,
|
|
**extra)
|
|
|
|
|
|
def authorize(extension, action=None, api='climate', ctx=None,
|
|
target=None):
|
|
def decorator(func):
|
|
|
|
@functools.wraps(func)
|
|
def wrapped(self, *args, **kwargs):
|
|
cur_ctx = ctx or context.current()
|
|
tgt = target or {'project_id': cur_ctx.project_id,
|
|
'user_id': cur_ctx.user_id}
|
|
if action is None:
|
|
act = '%s:%s' % (api, extension)
|
|
else:
|
|
act = '%s:%s:%s' % (api, extension, action)
|
|
enforce(cur_ctx, act, tgt)
|
|
return func(self, *args, **kwargs)
|
|
|
|
return wrapped
|
|
return decorator
|