Update API policy

* Set an admin rule for several API calls and remove the direct check in code
* Now an admin can configure policy.json and enable package management for regular users
* Update common policy module

Closes-Bug: #1412868

Change-Id: I8d0725b613564529d32a5acef289f4822f32915c
Ekaterina Chernova 2015-02-27 11:05:07 +03:00
parent 67d980e5a8
commit d82b74b62f
5 changed files with 25 additions and 5 deletions


@ -1,6 +1,10 @@
{
"context_is_admin": "role:admin or is_admin:True",
"context_is_admin": "role:admin",
"admin_api": "is_admin:True",
"default": "",
"default": ""
"update_package": "rule:admin_api",
"upload_package": "rule:admin_api",
"delete_package": "rule:admin_api"
}
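Review bot: The three new package rules delegate to `rule:admin_api` (`is_admin:True`), but every rule name not listed in this file still falls to `"default": ""`, and in the oslo-style policy language an empty rule always passes — so any other package action that is guarded by `policy.check` is open to every authenticated user unless it gets its own entry here. If deny-by-default is the intent, `"default": "rule:admin_api"` is the safer shape; otherwise each checked action should be listed explicitly. The `context_is_admin` rule is now `role:admin` alone; as the context.py hunk shows, `is_admin` is derived from this rule while it is still unset, so an operator who re-adds `is_admin:True` here would get a rule that can never match — that constraint belongs in the project documentation for policy.json, since JSON cannot carry a comment.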


@ -85,3 +85,13 @@ def check(rule, ctxt, target={}, do_raise=True, exc=exceptions.HTTPForbidden):
LOG.audit(_("Policy check failed for rule "
"'%(rule)s' on target: %(target)s"),
{'rule': rule, 'target': repr(target)}, extra=extra)
def check_is_admin(context):
"""Check if the given context is associated with an admin role.
:param context: Murano request context
:returns: A non-False value if context role is admin.
"""
return check('context_is_admin', context,
context.to_dict(), do_raise=False)
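Review bot: `check_is_admin` uses `check(..., do_raise=False)` as a plain query, but the audit line at the top of the hunk logs `Policy check failed` whenever the rule does not match; if that log is not itself conditioned on `do_raise` (the body of `check` begins outside the hunk), every non-admin request that builds a RequestContext will write an audit entry for a normal outcome and bury the events that log is meant to carry. Either gate the audit on `do_raise` in `check` or state the expected noise in this docstring. The docstring should also record that the target is `context.to_dict()`, so `context_is_admin` may only reference keys that dict exposes, and that `is_admin` is still None when RequestContext calls this, so the rule must not depend on `is_admin:True`.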


@ -12,6 +12,8 @@
# License for the specific language governing permissions and limitations
# under the License.
from murano.common import policy
class RequestContext(object):
"""Stores information about the security context under which the user
@ -30,6 +32,9 @@ class RequestContext(object):
self.is_admin = is_admin
self.roles = roles or []
if self.is_admin is None:
self.is_admin = policy.check_is_admin(self)
def to_dict(self):
return {
'user': self.user,
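Review bot: `policy.check_is_admin(self)` runs inside `__init__` while the object is only partly built, and `check_is_admin` passes `self.to_dict()` as the policy target; any attribute that `to_dict` reads but that `__init__` assigns after this line would raise AttributeError on every request, so please confirm that every key `to_dict` returns is set above this point — the rest of `__init__` is outside the hunk. A why-comment would help the next reader, e.g. `# Derive admin-ness from policy only when the caller did not state it; self.is_admin is still None here, so the context_is_admin rule must not rely on is_admin:True.` Note that an explicit `is_admin=False` or `True` from a caller bypasses the policy entirely, which looks intentional but is worth saying in the class docstring.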


@ -60,8 +60,6 @@ def _package_get(package_id_or_name, session):
def _authorize_package(package, context, allow_public=False):
if context.is_admin:
return
if package.owner_id != context.tenant:
if not allow_public:


@ -19,6 +19,7 @@ import uuid
import requests
from tempest import clients
from tempest.common import cred_provider
from tempest.common import isolated_creds
from tempest import config
from tempest import test
@ -230,7 +231,9 @@ class TestCase(test.BaseTestCase):
# If no credentials are provided, the Manager will use those
# in CONF.identity and generate an auth_provider from them
mgr = clients.Manager()
cls.creds = cred_provider.get_configured_credentials(
credential_type='identity_admin')
mgr = clients.Manager(cls.creds)
cls.client = MuranoClient(mgr.auth_provider)
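Review bot: The comment at the top of the hunk (`# If no credentials are provided, the Manager will use those in CONF.identity ...`) is now stale, because `clients.Manager` receives `cls.creds` explicitly; replace it with something like `# Package upload/update/delete are admin-only under the default policy, so run the suite as the configured identity_admin user`. Running every test as admin also leaves the new deny path for regular users (the three `rule:admin_api` entries) without coverage; a second client built from non-admin credentials asserting that an upload is rejected with the HTTPForbidden that `check` raises by default would pin the policy, though that may belong in a follow-up change. The enclosing setup method starts outside the hunk.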
def setUp(self):