openstack/deb-murano
Code Issues Proposed changes

Update API policy

Browse Source 
* Set admin rule for a several API calls and remove direct check in code
* Now admin can configure policy.json and enable package management for regular users
* Update common policy module

Closes-Bug: #1412868

Change-Id: I8d0725b613564529d32a5acef289f4822f32915c
This commit is contained in:
Ekaterina Chernova 2015-02-27 11:05:07 +03:00
parent 67d980e5a8
commit d82b74b62f
5 changed files with 25 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
etc/murano/policy.json
View File

@ -1,6 +1,10 @@
{ {
"context_is_admin": "role:admin or is_admin:True", "context_is_admin": "role:admin",
"admin_api": "is_admin:True",
"default": "",
"default": "" "update_package": "rule:admin_api",
"upload_package": "rule:admin_api",
"delete_package": "rule:admin_api"
} }

10
murano/common/policy.py
View File

@ -85,3 +85,13 @@ def check(rule, ctxt, target={}, do_raise=True, exc=exceptions.HTTPForbidden):
LOG.audit(_("Policy check failed for rule " LOG.audit(_("Policy check failed for rule "
"'%(rule)s' on target: %(target)s"), "'%(rule)s' on target: %(target)s"),
{'rule': rule, 'target': repr(target)}, extra=extra) {'rule': rule, 'target': repr(target)}, extra=extra)
def check_is_admin(context):
"""Check if the given context is associated with an admin role.
:param context: Murano request context
:returns: A non-False value if context role is admin.
"""
return check('context_is_admin', context,
context.to_dict(), do_raise=False)

5
murano/context.py
View File

@ -12,6 +12,8 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from murano.common import policy
class RequestContext(object): class RequestContext(object):
"""Stores information about the security context under which the user """Stores information about the security context under which the user
@ -30,6 +32,9 @@ class RequestContext(object):
self.is_admin = is_admin self.is_admin = is_admin
self.roles = roles or [] self.roles = roles or []
if self.is_admin is None:
self.is_admin = policy.check_is_admin(self)
def to_dict(self): def to_dict(self):
return { return {
'user': self.user, 'user': self.user,

2
murano/db/catalog/api.py
View File

@ -60,8 +60,6 @@ def _package_get(package_id_or_name, session):
def _authorize_package(package, context, allow_public=False): def _authorize_package(package, context, allow_public=False):
if context.is_admin:
return
if package.owner_id != context.tenant: if package.owner_id != context.tenant:
if not allow_public: if not allow_public:

5
murano/tests/functional/api/base.py
View File

@ -19,6 +19,7 @@ import uuid
import requests import requests
from tempest import clients from tempest import clients
from tempest.common import cred_provider
from tempest.common import isolated_creds from tempest.common import isolated_creds
from tempest import config from tempest import config
from tempest import test from tempest import test
@ -230,7 +231,9 @@ class TestCase(test.BaseTestCase):
# If no credentials are provided, the Manager will use those # If no credentials are provided, the Manager will use those
# in CONF.identity and generate an auth_provider from them # in CONF.identity and generate an auth_provider from them
mgr = clients.Manager() cls.creds = cred_provider.get_configured_credentials(
credential_type='identity_admin')
mgr = clients.Manager(cls.creds)
cls.client = MuranoClient(mgr.auth_provider) cls.client = MuranoClient(mgr.auth_provider)
def setUp(self): def setUp(self):