add more credentials information to check_is_admin

Currently, It can specify only user_id when checking admin. Add more information for checking admin because it is not enough in multi-domain configuration. Change-Id: I5e3d6b88e8286b50bc0641163fadf27199fb4a55 closes-bug: 1619597
2016-09-02 19:09:51 +09:00 · 2016-09-02 19:09:51 +09:00 · eb6ed41a54
parent 29e00a3c63
commit eb6ed41a54
1 changed files with 2 additions and 7 deletions
--- a/cinder/policy.py
+++ b/cinder/policy.py
@ -73,21 +73,16 @@ def enforce(context, action, target):
 def check_is_admin(roles, context=None):
    """Whether or not user is admin according to policy setting.

-       Can use roles or user_id from context to determine if user is admin.
-       In a multi-domain configuration, roles alone may not be sufficient.
    """
    init()

    # include project_id on target to avoid KeyError if context_is_admin
    # policy definition is missing, and default admin_or_owner rule
-    # attempts to apply.  Since our credentials dict does not include a
-    # project_id, this target can never match as a generic rule.
+    # attempts to apply.
    target = {'project_id': ''}
    if context is None:
        credentials = {'roles': roles}
    else:
-        credentials = {'roles': context.roles,
-                       'user_id': context.user_id
-                       }
+        credentials = context.to_dict()

    return _ENFORCER.enforce('context_is_admin', target, credentials)