Add convenient method to get admin roles and permissions
Admin roles and admin permissions (like 'openstack.roles.xxxx') depend on OPENSTACK_KEYSTONE_ADMIN_ROLES. This information is needed by at least openstack_auth and Horizon as common information, so this patch provides convenience methods for it in openstack_auth. Change-Id: Idad1860684b1e772fc31f16fc8c0263e49fc3919 Closes-Bug: #1536896
parent
7f26e7d2d0
commit
d779eb6fe3
@ -294,7 +294,7 @@ class KeystoneBackend(object):
|
|||||||
return set()
|
return set()
|
||||||
# TODO(gabrielhurley): Integrate policy-driven RBAC
|
# TODO(gabrielhurley): Integrate policy-driven RBAC
|
||||||
# when supported by Keystone.
|
# when supported by Keystone.
|
||||||
role_perms = {"openstack.roles.%s" % role['name'].lower()
|
role_perms = {utils.get_role_permission(role['name'])
|
||||||
for role in user.roles}
|
for role in user.roles}
|
||||||
|
|
||||||
services = []
|
services = []
|
||||||
|
@ -19,6 +19,7 @@ from django.contrib import auth
|
|||||||
from django.core.urlresolvers import reverse
|
from django.core.urlresolvers import reverse
|
||||||
from django import http
|
from django import http
|
||||||
from django import test
|
from django import test
|
||||||
|
from django.test.utils import override_settings
|
||||||
from keystoneauth1 import exceptions as keystone_exceptions
|
from keystoneauth1 import exceptions as keystone_exceptions
|
||||||
from keystoneauth1.identity import v2 as v2_auth
|
from keystoneauth1.identity import v2 as v2_auth
|
||||||
from keystoneauth1.identity import v3 as v3_auth
|
from keystoneauth1.identity import v3 as v3_auth
|
||||||
@ -1107,3 +1108,22 @@ class PolicyTestCaseV3Admin(PolicyTestCase):
|
|||||||
value = policy.check((("identity", "admin_or_cloud_admin"),),
|
value = policy.check((("identity", "admin_or_cloud_admin"),),
|
||||||
request=self.request)
|
request=self.request)
|
||||||
self.assertTrue(value)
|
self.assertTrue(value)
|
||||||
|
|
||||||
|
|
||||||
|
class RoleTestCaseAdmin(test.TestCase):
|
||||||
|
|
||||||
|
def test_get_admin_roles_with_default_value(self):
|
||||||
|
admin_roles = utils.get_admin_roles()
|
||||||
|
self.assertSetEqual({'admin'}, admin_roles)
|
||||||
|
|
||||||
|
@override_settings(OPENSTACK_KEYSTONE_ADMIN_ROLES=['foO', 'BAR', 'admin'])
|
||||||
|
def test_get_admin_roles(self):
|
||||||
|
admin_roles = utils.get_admin_roles()
|
||||||
|
self.assertSetEqual({'foo', 'bar', 'admin'}, admin_roles)
|
||||||
|
|
||||||
|
@override_settings(OPENSTACK_KEYSTONE_ADMIN_ROLES=['foO', 'BAR', 'admin'])
|
||||||
|
def test_get_admin_permissions(self):
|
||||||
|
admin_permissions = utils.get_admin_permissions()
|
||||||
|
self.assertSetEqual({'openstack.roles.foo',
|
||||||
|
'openstack.roles.bar',
|
||||||
|
'openstack.roles.admin'}, admin_permissions)
|
||||||
|
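Review bot: The new `RoleTestCaseAdmin` cases do not cover the empty-setting path that the `get_admin_roles` docstring promises ("If there is no role, this will return empty"), and `get_role_permission` is only exercised indirectly through `get_admin_permissions`. Add a case under `@override_settings(OPENSTACK_KEYSTONE_ADMIN_ROLES=[])` asserting `self.assertSetEqual(set(), utils.get_admin_roles())`, plus a direct `self.assertEqual('openstack.roles.foo', utils.get_role_permission('foO'))`. These helpers feed the superuser decision, so pinning the case-folding and the empty behaviour in tests guards against a later refactor changing who counts as admin.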
@ -297,10 +297,7 @@ class User(models.AbstractBaseUser, models.AnonymousUser):
|
|||||||
|
|
||||||
Returns ``True`` or ``False``.
|
Returns ``True`` or ``False``.
|
||||||
"""
|
"""
|
||||||
admin_roles = {role.lower() for role in getattr(
|
admin_roles = utils.get_admin_roles()
|
||||||
settings,
|
|
||||||
'OPENSTACK_KEYSTONE_ADMIN_ROLES',
|
|
||||||
['admin'])}
|
|
||||||
user_roles = {role['name'].lower() for role in self.roles}
|
user_roles = {role['name'].lower() for role in self.roles}
|
||||||
return not admin_roles.isdisjoint(user_roles)
|
return not admin_roles.isdisjoint(user_roles)
|
||||||
|
|
||||||
|
@ -390,3 +390,48 @@ def get_endpoint_region(endpoint):
|
|||||||
def using_cookie_backed_sessions():
|
def using_cookie_backed_sessions():
|
||||||
engine = getattr(settings, 'SESSION_ENGINE', '')
|
engine = getattr(settings, 'SESSION_ENGINE', '')
|
||||||
return "signed_cookies" in engine
|
return "signed_cookies" in engine
|
||||||
|
|
||||||
|
|
||||||
|
def get_admin_roles():
|
||||||
|
"""Common function for getting the admin roles from settings
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
Set object including all admin roles.
|
||||||
|
If there is no role, this will return empty.
|
||||||
|
{
|
||||||
|
"foo", "bar", "admin"
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
admin_roles = {role.lower() for role
|
||||||
|
in getattr(settings, 'OPENSTACK_KEYSTONE_ADMIN_ROLES',
|
||||||
|
['admin'])}
|
||||||
|
return admin_roles
|
||||||
|
|
||||||
|
|
||||||
|
def get_role_permission(role):
|
||||||
|
"""Common function for getting the permission froms arg
|
||||||
|
|
||||||
|
This format is 'openstack.roles.xxx' and 'xxx' is a real role name.
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
String like "openstack.roles.admin"
|
||||||
|
If role is None, this will return None.
|
||||||
|
"""
|
||||||
|
return "openstack.roles.%s" % role.lower()
|
||||||
|
|
||||||
|
|
||||||
|
def get_admin_permissions():
|
||||||
|
"""Common function for getting the admin permissions from settings
|
||||||
|
|
||||||
|
This format is 'openstack.roles.xxx' and 'xxx' is a real role name.
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
Set object including all admin permission.
|
||||||
|
If there is no permission, this will return empty.
|
||||||
|
{
|
||||||
|
"openstack.roles.foo",
|
||||||
|
"openstack.roles.bar",
|
||||||
|
"openstack.roles.admin"
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
return {get_role_permission(role) for role in get_admin_roles()}
|
||||||
|
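Review bot: `get_admin_roles()` iterates whatever `OPENSTACK_KEYSTONE_ADMIN_ROLES` holds, so a deployment that sets it to a bare string such as `'admin'` gets a set of single characters, and the `admin_roles.isdisjoint(user_roles)` check in `User` then compares against the wrong role names. This helper is now the single source for that decision, so it should wrap or reject a string value before the set comprehension, for example `if isinstance(roles, str): roles = [roles]` (using whichever string base type the project targets). Separately, the `get_role_permission` docstring says a `None` role returns `None`, but `role.lower()` raises `AttributeError` on `None`; either drop that sentence or add `if role is None: return None`. The same docstring's summary line has a typo, `froms arg`.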