deb-horizon/openstack_dashboard/policy.py
daniel-a-nguyen 2b846515f3 Retrieve domain scoped token
This patch supports using domain scoped tokens against keystone v3.

Use Cases:

Cloud Admin - view and manage identity resources across domains
Domain Admin - view and manage identity resources in the domain logged in
User - view identity project in the domain logged in

Regression:

Supports keystone v2 through local_settings.py configuration
Supports keystone v3 with multidomain = False
Supports keystone v3 with mulitdomain = True

Relates to https://review.openstack.org/#/c/141153/

Background on how to test is here
https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow

Co-Authored-By: Brad Pokorny <Brad_Pokorny@symantec.com>
Co-Authored-By: Brian Tully <brian.tully@hp.com>
Co-Authored-By: Michael Hagedorn <mike.hagedorn@hp.com>
Co-Authored-By: woomatt <matt.wood@hp.com>

Partially Implements: blueprint domain-scoped-tokens

Closes-Bug: #1413851
Change-Id: Iaa19bfef9b0c70304ff81d083c62b218b2d02479
2016-03-08 15:17:38 -08:00

56 lines
2.0 KiB
Python

#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from django.conf import settings
def check(actions, request, target=None):
"""Wrapper of the configurable policy method."""
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
if policy_check:
return policy_check(actions, request, target)
return True
class PolicyTargetMixin(object):
"""Mixin that adds the get_policy_target function
policy_target_attrs - a tuple of tuples which defines
the relationship between attributes in the policy
target dict and attributes in the passed datum object.
policy_target_attrs can be overwritten by sub-classes
which do not use the default, so they can neatly define
their policy target information, without overriding the
entire get_policy_target function.
"""
policy_target_attrs = (("project_id", "tenant_id"),
("user_id", "user_id"),
("domain_id", "domain_id"),
("target.project.domain_id", "domain_id"),
("target.user.domain_id", "domain_id"),
("target.group.domain_id", "domain_id"))
def get_policy_target(self, request, datum=None):
policy_target = {}
for policy_attr, datum_attr in self.policy_target_attrs:
if datum:
policy_target[policy_attr] = getattr(datum, datum_attr, None)
else:
policy_target[policy_attr] = None
return policy_target