openstack/blazar
Code Issues Proposed changes
c2bada17ce
blazar/climate/policy.py
Cristian A Sanchez 6b26ecaf75 Change references of tenant to project 
Refernces from tenant to project were made in several
places, including DB, HTTP Headers, configuration items,
json in responses and devstack integration. Additionally,
a migration script using Alembic was included.

Implements: blueprint tenant-to-project-ref
Change-Id: I4b21182f555ccd412a4ca4e0ce753f07edcd07f8
2014-04-17 11:16:09 -03:00

112 lines
3.4 KiB
Python
Raw Blame History

# Copyright (c) 2013 Bull.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Policy Engine For Climate."""
import functools
from oslo.config import cfg
from climate import context
from climate import exceptions
from climate.openstack.common import log as logging
from climate.openstack.common import policy
CONF = cfg.CONF
LOG = logging.getLogger(__name__)
_ENFORCER = None
def reset():
global _ENFORCER
if _ENFORCER:
_ENFORCER.clear()
_ENFORCER = None
def init():
global _ENFORCER
if not _ENFORCER:
LOG.debug("Enforcer not present, recreating at init stage.")
_ENFORCER = policy.Enforcer()
def set_rules(data, default_rule=None):
default_rule = default_rule or CONF.policy_default_rule
if not _ENFORCER:
LOG.debug("Enforcer not present, recreating at rules stage.")
init()
if default_rule:
_ENFORCER.default_rule = default_rule
_ENFORCER.set_rules(policy.Rules.load_json(data, default_rule))
def enforce(context, action, target, do_raise=True):
"""Verifies that the action is valid on the target in this context.
:param context: climate context
:param action: string representing the action to be checked
this should be colon separated for clarity.
i.e. ``compute:create_instance``,
``compute:attach_volume``,
``volume:attach_volume``
:param target: dictionary representing the object of the action
for object creation this should be a dictionary representing the
location of the object e.g. ``{'project_id': context.project_id}``
:param do_raise: if True (the default), raises PolicyNotAuthorized;
if False, returns False
:raises climate.exceptions.PolicyNotAuthorized: if verification fails
and do_raise is True.
:return: returns a non-False value (not necessarily "True") if
authorized, and the exact value False if not authorized and
do_raise is False.
"""
init()
credentials = context.to_dict()
# Add the exceptions arguments if asked to do a raise
extra = {}
if do_raise:
extra.update(exc=exceptions.PolicyNotAuthorized, action=action)
return _ENFORCER.enforce(action, target, credentials, do_raise=do_raise,
**extra)
def authorize(extension, action=None, api='climate', ctx=None,
target=None):
def decorator(func):
@functools.wraps(func)
def wrapped(self, *args, **kwargs):
cur_ctx = ctx or context.current()
tgt = target or {'project_id': cur_ctx.project_id,
'user_id': cur_ctx.user_id}
if action is None:
act = '%s:%s' % (api, extension)
else:
act = '%s:%s:%s' % (api, extension, action)
enforce(cur_ctx, act, tgt)
return func(self, *args, **kwargs)
return wrapped
return decorator
View Git Blame Copy Permalink