Add check_is_admin to common.policy.Enforcer
Currently we have no concept of admin-ness inside Heat, so it's not possible for deployers to specify a hierarchy within a project such that some users have more privileged access than others. The first step is to provide a means to specify in the policy a rule which describes who is admin, then we can correctly set is_admin in the context based on that rule. blueprint: request-scoping-policy Change-Id: Idd1fb5f4e52bda87c70830d66e0c931bfe879347
parent
01fb048330
commit
d414b46c59
@ -95,5 +95,13 @@ class Enforcer(object):
|
||||
"""
|
||||
return self._check(context, action, target)
|
||||
|
||||
def check_is_admin(self, context):
|
||||
"""Whether or not roles contains 'admin' role according to policy.json
|
||||
|
||||
:param context: Heat request context
|
||||
:returns: A non-False value if the user is admin according to policy
|
||||
"""
|
||||
return self._check(context, 'context_is_admin', target={}, exc=None)
|
||||
|
||||
def clear(self):
|
||||
self.enforcer.clear()
|
||||
|
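Review bot: The added `check_is_admin` returns whatever `self._check(context, 'context_is_admin', target={}, exc=None)` yields, and nothing in this hunk says what happens when the deployed policy file has no `context_is_admin` rule. `_check` is defined outside the hunk, so this is inferred: if an unknown rule falls through to the enforcer's default rule, a permissive default would report every caller as admin once `is_admin` is set from this value. The docstring should state the intended fail-closed behaviour, for example `Returns False when the policy defines no context_is_admin rule.`, and its first line should say the result comes from the `context_is_admin` rule rather than from the roles containing 'admin', since the rule can be any policy expression. The `TestPolicyEnforcer` hunk has no case for a policy file without the rule.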
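--- a/heat/tests/policy/check_admin.json
+++ b/heat/tests/policy/check_admin.json
@@ -0,0 +1,3 @@
+{
+"context_is_admin": "role:admin"
+}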
@ -173,3 +173,17 @@ class TestPolicyEnforcer(HeatTestCase):
|
||||
exc=None, default_rule=default_rule)
|
||||
action = 'no_such_action'
|
||||
self.assertFalse(enforcer.enforce(ctx, action))
|
||||
|
||||
def test_check_admin(self):
|
||||
self.stub_policyfile('check_admin.json')
|
||||
|
||||
enforcer = policy.Enforcer()
|
||||
|
||||
ctx = utils.dummy_context(roles=[])
|
||||
self.assertFalse(enforcer.check_is_admin(ctx))
|
||||
|
||||
ctx = utils.dummy_context(roles=['not_admin'])
|
||||
self.assertFalse(enforcer.check_is_admin(ctx))
|
||||
|
||||
ctx = utils.dummy_context(roles=['admin'])
|
||||
self.assertTrue(enforcer.check_is_admin(ctx))
|
||||
|
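Review bot: Every context in `test_check_admin` carries zero or one role, so the test does not show that the admin role is recognised when it appears alongside other roles. A mixed case would pin that down: `ctx = utils.dummy_context(roles=['not_admin', 'admin'])` followed by `self.assertTrue(enforcer.check_is_admin(ctx))`. The enclosing class `TestPolicyEnforcer` starts outside the hunk.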