d08f4913ca
This commit adds support for RBAC using oslo.policy. This allows Zaqar for having a fine-grained access control to the resources it exposes. As of this patch, the implementation allows to have access control in a per-operation basis rather than specific resources. Co-Authored-by: Thomas Herve <therve@redhat.com> Co-Authored-by: Flavio Percoco <flaper87@gmail.com> blueprint: fine-grained-permissions Change-Id: I90374a11815ac2bd9d31768588719d2d4c4e7f5d
45 lines
1.2 KiB
Python
45 lines
1.2 KiB
Python
# Copyright (c) 2015 Catalyst IT Ltd.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
"""Policy enforcer of Zaqar"""
|
|
|
|
import functools
|
|
|
|
from oslo_policy import policy
|
|
|
|
ENFORCER = None
|
|
|
|
|
|
def setup_policy(conf):
|
|
global ENFORCER
|
|
|
|
ENFORCER = policy.Enforcer(conf)
|
|
|
|
|
|
def enforce(rule):
|
|
# Late import to prevent cycles
|
|
from zaqar.transport.wsgi import errors
|
|
|
|
def decorator(func):
|
|
@functools.wraps(func)
|
|
def handler(*args, **kwargs):
|
|
ctx = args[1].env['zaqar.context']
|
|
ENFORCER.enforce(rule, {}, ctx.to_dict(), do_raise=True,
|
|
exc=errors.HTTPForbidden)
|
|
|
|
return func(*args, **kwargs)
|
|
return handler
|
|
|
|
return decorator
|