Use to_policy_values from context for policy
The oslo.context to_policy_values provides the standard arguments that should be passed to oslo.policy for enforcement. By using these values heat will automatically gain support for new things like is_admin_project as they are supported by oslo_context. Because previously the whole to_dict was passed to policy enforcement we are actually removing a whole bunch of options that could be used in policy enforcement - however from a practical perspective I'm not sure anyone would have used them. Closes-Bug: #1602081 Change-Id: I244ed767e2077cf43d55104779484b64bd28c85f
parent
dd093f1891
commit
528945425e
|
@ -194,6 +194,20 @@ class RequestContext(context.RequestContext):
|
|||
project_domain_id=values.get('project_domain')
|
||||
)
|
||||
|
||||
def to_policy_values(self):
|
||||
policy = super(RequestContext, self).to_policy_values()
|
||||
|
||||
# NOTE(jamielennox): These are deprecated values passed to oslo.policy
|
||||
# for enforcement. They shouldn't be needed as the base class defines
|
||||
# what should be used when writing policy but are maintained for
|
||||
# compatibility.
|
||||
policy['user'] = self.user_id
|
||||
policy['tenant'] = self.tenant_id
|
||||
policy['is_admin'] = self.is_admin
|
||||
policy['auth_token_info'] = self.auth_token_info
|
||||
|
||||
return policy
|
||||
|
||||
@property
|
||||
def keystone_v3_endpoint(self):
|
||||
if self.auth_url:
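Review bot: `policy['auth_token_info'] = self.auth_token_info` puts what is presumably the whole token validation body into the credentials dict handed to oslo.policy, which is more than a rule needs and, as far as I recall, is also what oslo.policy's HTTP check forwards to a remote endpoint. If no shipped rule reads it, drop that line; otherwise extend the NOTE with `# auth_token_info is sensitive; do not log or forward the credentials dict`. The new method also lacks a docstring; `"""Return the credentials dict passed to oslo.policy, plus deprecated Heat-specific keys."""` would cover it.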
|
||||
|
|
|
@ -62,7 +62,7 @@ class Enforcer(object):
|
|||
:returns: A non-False value if access is allowed.
|
||||
"""
|
||||
do_raise = False if not exc else True
|
||||
credentials = context.to_dict()
|
||||
credentials = context.to_policy_values()
|
||||
return self.enforcer.enforce(rule, target, credentials,
|
||||
do_raise, exc=exc, *args, **kwargs)
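Review bot: Switching `credentials` to `context.to_policy_values()` narrows the keys available to rules, and nothing in the change tells operators which ones went away. A deployer rule that still references a key only `to_dict()` supplied will, as far as I can tell from oslo.policy's behaviour, evaluate to false without an error, so the failure is closed but silent. I would add a release note listing the keys that remain (the base-class values plus `user`, `tenant`, `is_admin`, `auth_token_info`) and a comment above the line such as `# Only to_policy_values() keys are visible to policy rules.` The enclosing method starts above the hunk.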
|
||||
|
||||
|
|
|
@ -175,7 +175,8 @@ class TestPolicyEnforcer(common.HeatTestCase):
|
|||
enforcer = policy.Enforcer()
|
||||
ctx = utils.dummy_context(roles=['admin'])
|
||||
self.m.StubOutWithMock(base_policy.Enforcer, 'enforce')
|
||||
base_policy.Enforcer.enforce('context_is_admin', {}, ctx.to_dict(),
|
||||
base_policy.Enforcer.enforce('context_is_admin', {},
|
||||
ctx.to_policy_values(),
|
||||
False, exc=None).AndReturn(True)
|
||||
self.m.ReplayAll()
|
||||
self.assertTrue(enforcer.check_is_admin(ctx))
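Review bot: The expectation is built from `ctx.to_policy_values()`, the same call the code under test makes, so this test only proves pass-through and cannot catch a change in the dict's contents. A direct assertion on the compatibility keys is missing, e.g. `self.assertEqual(ctx.user_id, ctx.to_policy_values()['user'])`. If the intent is that the raw token no longer reaches policy, `self.assertNotIn('auth_token', ctx.to_policy_values())` would pin that as well. The test method's signature is outside the hunk.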
|
||||
|
|