Allow generic rules in context_is_admin rule in policy.

context_is_admin role is used by nova to check if the current user is the admin. But it can only check role rules. The fix allow generic rules in context_is_admin. DocImpact Fixes bug 1118142 Change-Id: Ib4823a67fe63d5356fc8c9280a2013b8855f5217
2013-02-07 17:18:12 +08:00
parent fe16fded3d
commit 1d07c12eca
2 changed files with 7 additions and 7 deletions
--- a/nova/context.py
+++ b/nova/context.py
@@ -65,9 +65,6 @@ class RequestContext(object):
        self.user_id = user_id
        self.project_id = project_id
        self.roles = roles or []
-        self.is_admin = is_admin
-        if self.is_admin is None:
-            self.is_admin = policy.check_is_admin(self.roles)
        self.read_deleted = read_deleted
        self.remote_address = remote_address
        if not timestamp:
@@ -90,7 +87,9 @@ class RequestContext(object):
        self.quota_class = quota_class
        self.user_name = user_name
        self.project_name = project_name
-
+        self.is_admin = is_admin
+        if self.is_admin is None:
+            self.is_admin = policy.check_is_admin(self)
        if overwrite or not hasattr(local.store, 'context'):
            self.update_store()

--- a/nova/policy.py
+++ b/nova/policy.py
@@ -101,14 +101,15 @@ def enforce(context, action, target, do_raise=True):
    return policy.check(action, target, credentials, **extra)


-def check_is_admin(roles):
+def check_is_admin(context):
    """Whether or not roles contains 'admin' role according to policy setting.

    """
    init()

-    target = {}
-    credentials = {'roles': roles}
+    #the target is user-self
+    credentials = context.to_dict()
+    target = credentials

    return policy.check('context_is_admin', target, credentials)