Add convenient method to get admin roles and permissions
admin roles and admin permissions (like 'openstack.roles.xxxx') depends on OPENSTACK_KEYSTONE_ADMIN_ROLES. These information is needed with openstack_auth and Horizon at least as common information. So, this patch provide these methods as a convenient method at openstack_auth. Change-Id: Idad1860684b1e772fc31f16fc8c0263e49fc3919 Closes-Bug: #1536896
This commit is contained in:
parent
7f26e7d2d0
commit
d779eb6fe3
|
@ -294,7 +294,7 @@ class KeystoneBackend(object):
|
|||
return set()
|
||||
# TODO(gabrielhurley): Integrate policy-driven RBAC
|
||||
# when supported by Keystone.
|
||||
role_perms = {"openstack.roles.%s" % role['name'].lower()
|
||||
role_perms = {utils.get_role_permission(role['name'])
|
||||
for role in user.roles}
|
||||
|
||||
services = []
|
||||
|
|
|
@ -19,6 +19,7 @@ from django.contrib import auth
|
|||
from django.core.urlresolvers import reverse
|
||||
from django import http
|
||||
from django import test
|
||||
from django.test.utils import override_settings
|
||||
from keystoneauth1 import exceptions as keystone_exceptions
|
||||
from keystoneauth1.identity import v2 as v2_auth
|
||||
from keystoneauth1.identity import v3 as v3_auth
|
||||
|
@ -1107,3 +1108,22 @@ class PolicyTestCaseV3Admin(PolicyTestCase):
|
|||
value = policy.check((("identity", "admin_or_cloud_admin"),),
|
||||
request=self.request)
|
||||
self.assertTrue(value)
|
||||
|
||||
|
||||
class RoleTestCaseAdmin(test.TestCase):
|
||||
|
||||
def test_get_admin_roles_with_default_value(self):
|
||||
admin_roles = utils.get_admin_roles()
|
||||
self.assertSetEqual({'admin'}, admin_roles)
|
||||
|
||||
@override_settings(OPENSTACK_KEYSTONE_ADMIN_ROLES=['foO', 'BAR', 'admin'])
|
||||
def test_get_admin_roles(self):
|
||||
admin_roles = utils.get_admin_roles()
|
||||
self.assertSetEqual({'foo', 'bar', 'admin'}, admin_roles)
|
||||
|
||||
@override_settings(OPENSTACK_KEYSTONE_ADMIN_ROLES=['foO', 'BAR', 'admin'])
|
||||
def test_get_admin_permissions(self):
|
||||
admin_permissions = utils.get_admin_permissions()
|
||||
self.assertSetEqual({'openstack.roles.foo',
|
||||
'openstack.roles.bar',
|
||||
'openstack.roles.admin'}, admin_permissions)
|
||||
|
|
|
@ -297,10 +297,7 @@ class User(models.AbstractBaseUser, models.AnonymousUser):
|
|||
|
||||
Returns ``True`` or ``False``.
|
||||
"""
|
||||
admin_roles = {role.lower() for role in getattr(
|
||||
settings,
|
||||
'OPENSTACK_KEYSTONE_ADMIN_ROLES',
|
||||
['admin'])}
|
||||
admin_roles = utils.get_admin_roles()
|
||||
user_roles = {role['name'].lower() for role in self.roles}
|
||||
return not admin_roles.isdisjoint(user_roles)
|
||||
|
||||
|
|
|
@ -390,3 +390,48 @@ def get_endpoint_region(endpoint):
|
|||
def using_cookie_backed_sessions():
|
||||
engine = getattr(settings, 'SESSION_ENGINE', '')
|
||||
return "signed_cookies" in engine
|
||||
|
||||
|
||||
def get_admin_roles():
|
||||
"""Common function for getting the admin roles from settings
|
||||
|
||||
Returns:
|
||||
Set object including all admin roles.
|
||||
If there is no role, this will return empty.
|
||||
{
|
||||
"foo", "bar", "admin"
|
||||
}
|
||||
"""
|
||||
admin_roles = {role.lower() for role
|
||||
in getattr(settings, 'OPENSTACK_KEYSTONE_ADMIN_ROLES',
|
||||
['admin'])}
|
||||
return admin_roles
|
||||
|
||||
|
||||
def get_role_permission(role):
|
||||
"""Common function for getting the permission froms arg
|
||||
|
||||
This format is 'openstack.roles.xxx' and 'xxx' is a real role name.
|
||||
|
||||
Returns:
|
||||
String like "openstack.roles.admin"
|
||||
If role is None, this will return None.
|
||||
"""
|
||||
return "openstack.roles.%s" % role.lower()
|
||||
|
||||
|
||||
def get_admin_permissions():
|
||||
"""Common function for getting the admin permissions from settings
|
||||
|
||||
This format is 'openstack.roles.xxx' and 'xxx' is a real role name.
|
||||
|
||||
Returns:
|
||||
Set object including all admin permission.
|
||||
If there is no permission, this will return empty.
|
||||
{
|
||||
"openstack.roles.foo",
|
||||
"openstack.roles.bar",
|
||||
"openstack.roles.admin"
|
||||
}
|
||||
"""
|
||||
return {get_role_permission(role) for role in get_admin_roles()}
|
||||
|
|
Loading…
Reference in New Issue