Use to_policy_values from context for policy
The oslo.context to_policy_values provides the standard arguments that should be passed to oslo.policy for enforcement. By using these values, heat will automatically gain support for new things like is_admin_project as they are supported by oslo_context. Because the whole to_dict was previously passed to policy enforcement, we are actually removing a whole bunch of options that could be used in policy enforcement; however, from a practical perspective I'm not sure anyone would have used them. Closes-Bug: #1602081 Change-Id: I244ed767e2077cf43d55104779484b64bd28c85f
parent
dd093f1891
commit
528945425e
|
@ -194,6 +194,20 @@ class RequestContext(context.RequestContext):
|
||||||
project_domain_id=values.get('project_domain')
|
project_domain_id=values.get('project_domain')
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def to_policy_values(self):
|
||||||
|
policy = super(RequestContext, self).to_policy_values()
|
||||||
|
|
||||||
|
# NOTE(jamielennox): These are deprecated values passed to oslo.policy
|
||||||
|
# for enforcement. They shouldn't be needed as the base class defines
|
||||||
|
# what should be used when writing policy but are maintained for
|
||||||
|
# compatibility.
|
||||||
|
policy['user'] = self.user_id
|
||||||
|
policy['tenant'] = self.tenant_id
|
||||||
|
policy['is_admin'] = self.is_admin
|
||||||
|
policy['auth_token_info'] = self.auth_token_info
|
||||||
|
|
||||||
|
return policy
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def keystone_v3_endpoint(self):
|
def keystone_v3_endpoint(self):
|
||||||
if self.auth_url:
|
if self.auth_url:
|
||||||
|
|
|
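Review bot: `policy['auth_token_info'] = self.auth_token_info` in the added to_policy_values() puts the whole token-info structure into the credentials dict handed to oslo.policy, which is far more than a rule needs to match on. oslo.policy's `http:` check forwards the credentials to a remote endpoint, so with such a rule configured this data would leave the process; what auth_token_info actually holds is not visible in this hunk, so that is something to confirm. Unless an existing rule depends on the key, I would drop that line, or at least extend the NOTE with `# auth_token_info is kept only for old policy files; do not reference it in new rules.` The method also has no docstring naming which keys form the compatibility set.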
@ -62,7 +62,7 @@ class Enforcer(object):
|
||||||
:returns: A non-False value if access is allowed.
|
:returns: A non-False value if access is allowed.
|
||||||
"""
|
"""
|
||||||
do_raise = False if not exc else True
|
do_raise = False if not exc else True
|
||||||
credentials = context.to_dict()
|
credentials = context.to_policy_values()
|
||||||
return self.enforcer.enforce(rule, target, credentials,
|
return self.enforcer.enforce(rule, target, credentials,
|
||||||
do_raise, exc=exc, *args, **kwargs)
|
do_raise, exc=exc, *args, **kwargs)
|
||||||
|
|
||||||
|
|
|
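Review bot: Switching `credentials` to `context.to_policy_values()` narrows the keys that rules can see, and nothing visible in this commit tells operators which keys disappeared. A custom policy file that still references a dropped key stops matching; that fails closed for a plain check, but a rule that negates such a check would presumably start evaluating to allow, so the change deserves an upgrade note. I would add a release note listing the keys still supported (the oslo.context standard set plus `user`, `tenant`, `is_admin`, `auth_token_info`) and a comment above the assignment such as `# Only to_policy_values() keys are visible to policy rules.` The enforce method starts outside the hunk.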
@ -175,7 +175,8 @@ class TestPolicyEnforcer(common.HeatTestCase):
|
||||||
enforcer = policy.Enforcer()
|
enforcer = policy.Enforcer()
|
||||||
ctx = utils.dummy_context(roles=['admin'])
|
ctx = utils.dummy_context(roles=['admin'])
|
||||||
self.m.StubOutWithMock(base_policy.Enforcer, 'enforce')
|
self.m.StubOutWithMock(base_policy.Enforcer, 'enforce')
|
||||||
base_policy.Enforcer.enforce('context_is_admin', {}, ctx.to_dict(),
|
base_policy.Enforcer.enforce('context_is_admin', {},
|
||||||
|
ctx.to_policy_values(),
|
||||||
False, exc=None).AndReturn(True)
|
False, exc=None).AndReturn(True)
|
||||||
self.m.ReplayAll()
|
self.m.ReplayAll()
|
||||||
self.assertTrue(enforcer.check_is_admin(ctx))
|
self.assertTrue(enforcer.check_is_admin(ctx))
|
||||||
|
|
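Review bot: The updated expectation passes `ctx.to_policy_values()` as the recorded argument, so it only proves that enforce() receives whatever that method returns; nothing here pins the compatibility keys added in the context hunk. A typo in, or later removal of, `user`, `tenant` or `is_admin` would leave this test green while existing rules change behaviour. I would add a small context test along the lines of `self.assertEqual(ctx.user_id, ctx.to_policy_values()['user'])` for each compatibility key. The test method starts outside the hunk.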