From d82b74b62f08fe226c17f2415fe1367e4a0d3a4f Mon Sep 17 00:00:00 2001 From: Ekaterina Chernova Date: Fri, 27 Feb 2015 11:05:07 +0300 Subject: [PATCH] Update API policy * Set admin rule for a several API calls and remove direct check in code * Now admin can configure policy.json and enable package management for regular users * Update common policy module Closes-Bug: #1412868 Change-Id: I8d0725b613564529d32a5acef289f4822f32915c --- etc/murano/policy.json | 8 ++++++-- murano/common/policy.py | 10 ++++++++++ murano/context.py | 5 +++++ murano/db/catalog/api.py | 2 -- murano/tests/functional/api/base.py | 5 ++++- 5 files changed, 25 insertions(+), 5 deletions(-) diff --git a/etc/murano/policy.json b/etc/murano/policy.json index feb8cb62..6eaa70bd 100644 --- a/etc/murano/policy.json +++ b/etc/murano/policy.json @@ -1,6 +1,10 @@ { - "context_is_admin": "role:admin or is_admin:True", + "context_is_admin": "role:admin", + "admin_api": "is_admin:True", + "default": "", - "default": "" + "update_package": "rule:admin_api", + "upload_package": "rule:admin_api", + "delete_package": "rule:admin_api" } diff --git a/murano/common/policy.py b/murano/common/policy.py index fd447bb0..e246da45 100644 --- a/murano/common/policy.py +++ b/murano/common/policy.py @@ -85,3 +85,13 @@ def check(rule, ctxt, target={}, do_raise=True, exc=exceptions.HTTPForbidden): LOG.audit(_("Policy check failed for rule " "'%(rule)s' on target: %(target)s"), {'rule': rule, 'target': repr(target)}, extra=extra) + + +def check_is_admin(context): + """Check if the given context is associated with an admin role. + + :param context: Murano request context + :returns: A non-False value if context role is admin. + """ + return check('context_is_admin', context, + context.to_dict(), do_raise=False) diff --git a/murano/context.py b/murano/context.py index 44cb8889..99a83ed2 100644 --- a/murano/context.py +++ b/murano/context.py 
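Review bot: The new `update_package`, `upload_package` and `delete_package` keys only take effect if the API controllers call `policy.check()` with exactly those names, and no hunk in this patch adds such a call; a name that does not match falls through to `"default": ""`, which the policy engine treats as matching every caller, so a misspelling fails open rather than closed. Confirm that controller-side checks with these spellings already exist outside this diff. Note also that `rule:admin_api` resolves to `is_admin:True`, i.e. the value computed when the request context is built from the separate `context_is_admin` rule, so the two rules have to be kept consistent with each other when operators edit this file. Finally, this rule only decides who may call the endpoints; with the in-code admin bypass dropped elsewhere in this patch, an admin acting on another tenant's package still has to pass the ownership check, so the callers should be verified to handle admins.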
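Review bot: `check_is_admin` passes the full `context.to_dict()` to `check()` as the target, and the context lines above show `check()` writing `repr(target)` into an audit log when a rule fails; since the context.py hunk of this patch calls this helper from `RequestContext.__init__` with `do_raise=False`, every non-admin request would log the whole context dict, including any auth token `to_dict()` carries (not visible here). Consider passing a reduced target, e.g. `target = context.to_dict()` followed by `target.pop('auth_token', None)`, or limiting what the audit message prints for this informational check. The docstring should also name the rule it consults and the loose return type, e.g. `Evaluate the configurable 'context_is_admin' policy rule against the context; returns whatever check() returns, not a guaranteed bool.` `check()` itself starts above this hunk.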
@@ -12,6 +12,8 @@ # License for the specific language governing permissions and limitations # under the License. +from murano.common import policy + class RequestContext(object): """Stores information about the security context under which the user @@ -30,6 +32,9 @@ class RequestContext(object): self.is_admin = is_admin self.roles = roles or [] + if self.is_admin is None: + self.is_admin = policy.check_is_admin(self) + def to_dict(self): return { 'user': self.user, diff --git a/murano/db/catalog/api.py b/murano/db/catalog/api.py index a2b869de..65f1be72 100644 --- a/murano/db/catalog/api.py +++ b/murano/db/catalog/api.py @@ -60,8 +60,6 @@ def _package_get(package_id_or_name, session): def _authorize_package(package, context, allow_public=False): - if context.is_admin: - return if package.owner_id != context.tenant: if not allow_public: diff --git a/murano/tests/functional/api/base.py b/murano/tests/functional/api/base.py index ed287adb..2eeae484 100644 --- a/murano/tests/functional/api/base.py +++ b/murano/tests/functional/api/base.py @@ -19,6 +19,7 @@ import uuid import requests from tempest import clients +from tempest.common import cred_provider from tempest.common import isolated_creds from tempest import config from tempest import test @@ -230,7 +231,9 @@ class TestCase(test.BaseTestCase): # If no credentials are provided, the Manager will use those # in CONF.identity and generate an auth_provider from them - mgr = clients.Manager() + cls.creds = cred_provider.get_configured_credentials( + credential_type='identity_admin') + mgr = clients.Manager(cls.creds) cls.client = MuranoClient(mgr.auth_provider) def setUp(self):
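Review bot: `self.is_admin = policy.check_is_admin(self)` stores whatever `check()` returns, while the `admin_api` rule in this patch's policy.json (`is_admin:True`) is a generic key:value check that typically compares the string form of the value, so a truthy non-bool result would read as not-admin; coerce it with `self.is_admin = bool(policy.check_is_admin(self))`. The `is None` guard means an explicit `is_admin=False` is honoured and only an unspecified value is derived from policy, which deserves a comment on that line, e.g. `# Unspecified -> derive from the configurable 'context_is_admin' rule; explicit True/False is kept as given.` This also runs a policy evaluation (and `self.to_dict()`) inside the constructor, so any attribute assigned after this point would be invisible to the rule; from the hunk this looks like the end of `__init__`, but the method's start is outside the hunk.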
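Review bot: The comment kept just above the change (`# If no credentials are provided, the Manager will use those in CONF.identity ...`) is now stale, because the Manager is explicitly handed `identity_admin` credentials; reword it to say that admin credentials are required because the package API is admin-only under the new policy. Running the whole functional suite as admin also means the new `rule:admin_api` denial path is never exercised, so add a case that obtains non-admin credentials via the same `cred_provider` helper and asserts that upload/update/delete return 403. `setUp` and the enclosing class continue outside the hunk.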