Remove old style policy checks
Since the main policy engine moved to django_openstack_auth, the policy.py file handles the check for POLICY_CHECK_FUNCTION and just returns True if it is not defined. This eliminates the need for all the special casing that is being removed in this patch. One non-test special case was left in place, in admin/dashboard.py, which has more complex behavior when the operator is not using policy. Change-Id: I5523632d3459b68693fcc781bd024aea1180c110
This commit is contained in:
parent
c701552d6a
commit
6868cb70e1
@ -1287,8 +1287,7 @@ def get_feature_permission(request, feature, operation=None):
|
|||||||
|
|
||||||
# Check policy
|
# Check policy
|
||||||
feature_policies = feature_info.get('policies')
|
feature_policies = feature_info.get('policies')
|
||||||
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
|
if feature_policies:
|
||||||
if feature_policies and policy_check:
|
|
||||||
policy_name = feature_policies.get(operation)
|
policy_name = feature_policies.get(operation)
|
||||||
if not policy_name:
|
if not policy_name:
|
||||||
# Translators: Only used inside Horizon code and invisible to users
|
# Translators: Only used inside Horizon code and invisible to users
|
||||||
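Review bot: The `# Check policy` comment no longer says why the `POLICY_CHECK_FUNCTION` guard could go, so a reader who remembers the old gating may assume the check is now unconditional. I would extend it to `# Check policy; the policy module itself answers True when no POLICY_CHECK_FUNCTION is configured`, which is the behaviour the commit message relies on. The statement that actually evaluates `policy_name` is below the hunk, so I cannot confirm from this page that it goes through `policy.check`. get_feature_permission continues outside the hunk.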
|
@ -15,7 +15,6 @@
|
|||||||
|
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
from django.conf import settings
|
|
||||||
from django.core.urlresolvers import reverse
|
from django.core.urlresolvers import reverse
|
||||||
from django import shortcuts
|
from django import shortcuts
|
||||||
from django.utils.http import urlencode
|
from django.utils.http import urlencode
|
||||||
@ -29,14 +28,13 @@ from horizon import messages
|
|||||||
from horizon import tables
|
from horizon import tables
|
||||||
|
|
||||||
from openstack_dashboard import api
|
from openstack_dashboard import api
|
||||||
|
from openstack_dashboard import policy
|
||||||
from openstack_dashboard.usage import quotas
|
from openstack_dashboard.usage import quotas
|
||||||
from openstack_dashboard.utils import filters
|
from openstack_dashboard.utils import filters
|
||||||
|
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
|
|
||||||
POLICY_CHECK = getattr(settings, "POLICY_CHECK_FUNCTION", lambda p, r: True)
|
|
||||||
|
|
||||||
|
|
||||||
class AllocateIP(tables.LinkAction):
|
class AllocateIP(tables.LinkAction):
|
||||||
name = "allocate"
|
name = "allocate"
|
||||||
@ -61,12 +59,12 @@ class AllocateIP(tables.LinkAction):
|
|||||||
self.classes = classes
|
self.classes = classes
|
||||||
|
|
||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy = (("network", "create_floatingip"),)
|
policy_rules = (("network", "create_floatingip"),)
|
||||||
else:
|
else:
|
||||||
policy = (("compute", "compute_extension:floating_ips"),
|
policy_rules = (("compute", "compute_extension:floating_ips"),
|
||||||
("compute", "network:allocate_floating_ip"),)
|
("compute", "network:allocate_floating_ip"),)
|
||||||
|
|
||||||
return POLICY_CHECK(policy, request)
|
return policy.check(policy_rules, request)
|
||||||
|
|
||||||
|
|
||||||
class ReleaseIPs(tables.BatchAction):
|
class ReleaseIPs(tables.BatchAction):
|
||||||
@ -94,12 +92,12 @@ class ReleaseIPs(tables.BatchAction):
|
|||||||
|
|
||||||
def allowed(self, request, fip=None):
|
def allowed(self, request, fip=None):
|
||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy = (("network", "delete_floatingip"),)
|
policy_rules = (("network", "delete_floatingip"),)
|
||||||
else:
|
else:
|
||||||
policy = (("compute", "compute_extension:floating_ips"),
|
policy_rules = (("compute", "compute_extension:floating_ips"),
|
||||||
("compute", "network:release_floating_ip"),)
|
("compute", "network:release_floating_ip"),)
|
||||||
|
|
||||||
return POLICY_CHECK(policy, request)
|
return policy.check(policy_rules, request)
|
||||||
|
|
||||||
def action(self, request, obj_id):
|
def action(self, request, obj_id):
|
||||||
api.network.tenant_floating_ip_release(request, obj_id)
|
api.network.tenant_floating_ip_release(request, obj_id)
|
||||||
@ -114,12 +112,12 @@ class AssociateIP(tables.LinkAction):
|
|||||||
|
|
||||||
def allowed(self, request, fip):
|
def allowed(self, request, fip):
|
||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy = (("network", "update_floatingip"),)
|
policy_rules = (("network", "update_floatingip"),)
|
||||||
else:
|
else:
|
||||||
policy = (("compute", "compute_extension:floating_ips"),
|
policy_rules = (("compute", "compute_extension:floating_ips"),
|
||||||
("compute", "network:associate_floating_ip"),)
|
("compute", "network:associate_floating_ip"),)
|
||||||
|
|
||||||
return not fip.port_id and POLICY_CHECK(policy, request)
|
return not fip.port_id and policy.check(policy_rules, request)
|
||||||
|
|
||||||
def get_link_url(self, datum):
|
def get_link_url(self, datum):
|
||||||
base_url = reverse(self.url)
|
base_url = reverse(self.url)
|
||||||
@ -136,12 +134,12 @@ class DisassociateIP(tables.Action):
|
|||||||
|
|
||||||
def allowed(self, request, fip):
|
def allowed(self, request, fip):
|
||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy = (("network", "update_floatingip"),)
|
policy_rules = (("network", "update_floatingip"),)
|
||||||
else:
|
else:
|
||||||
policy = (("compute", "compute_extension:floating_ips"),
|
policy_rules = (("compute", "compute_extension:floating_ips"),
|
||||||
("compute", "network:disassociate_floating_ip"),)
|
("compute", "network:disassociate_floating_ip"),)
|
||||||
|
|
||||||
return fip.port_id and POLICY_CHECK(policy, request)
|
return fip.port_id and policy.check(policy_rules, request)
|
||||||
|
|
||||||
def single(self, table, request, obj_id):
|
def single(self, table, request, obj_id):
|
||||||
try:
|
try:
|
||||||
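Review bot: The four `allowed` methods in this file (AllocateIP, ReleaseIPs, AssociateIP, DisassociateIP) call `policy.check(policy_rules, request)` with no target, whereas the security-group and instance actions touched by the same commit pass `target={}` or a project id. The page does not show what `policy.check` does when the target is omitted, so I cannot say whether the rule is evaluated against the requesting user's project or against nothing; a one-line comment at the first call, `# no explicit target; relies on policy.check's default scope`, would record that this is deliberate, and for AssociateIP/DisassociateIP the `fip` datum is available if a tenant-scoped target is wanted. AllocateIP.allowed begins above its hunk (the `self.classes = classes` line is already inside it).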
|
@ -26,10 +26,6 @@ from openstack_dashboard.usage import quotas
|
|||||||
from openstack_dashboard.utils import filters
|
from openstack_dashboard.utils import filters
|
||||||
|
|
||||||
|
|
||||||
POLICY_CHECK = getattr(settings, "POLICY_CHECK_FUNCTION",
|
|
||||||
lambda policy, request, target: True)
|
|
||||||
|
|
||||||
|
|
||||||
class DeleteGroup(policy.PolicyTargetMixin, tables.DeleteAction):
|
class DeleteGroup(policy.PolicyTargetMixin, tables.DeleteAction):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
@ -51,11 +47,11 @@ class DeleteGroup(policy.PolicyTargetMixin, tables.DeleteAction):
|
|||||||
def allowed(self, request, security_group=None):
|
def allowed(self, request, security_group=None):
|
||||||
policy_target = self.get_policy_target(request, security_group)
|
policy_target = self.get_policy_target(request, security_group)
|
||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy = (("network", "delete_security_group"),)
|
policy_rules = (("network", "delete_security_group"),)
|
||||||
else:
|
else:
|
||||||
policy = (("compute", "compute_extension:security_groups"),)
|
policy_rules = (("compute", "compute_extension:security_groups"),)
|
||||||
|
|
||||||
if not POLICY_CHECK(policy, request, policy_target):
|
if not policy.check(policy_rules, request, policy_target):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
if not security_group:
|
if not security_group:
|
||||||
@ -75,9 +71,9 @@ class CreateGroup(tables.LinkAction):
|
|||||||
|
|
||||||
def allowed(self, request, security_group=None):
|
def allowed(self, request, security_group=None):
|
||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy = (("network", "create_security_group"),)
|
policy_rules = (("network", "create_security_group"),)
|
||||||
else:
|
else:
|
||||||
policy = (("compute", "compute_extension:security_groups"),)
|
policy_rules = (("compute", "compute_extension:security_groups"),)
|
||||||
|
|
||||||
usages = quotas.tenant_quota_usages(request)
|
usages = quotas.tenant_quota_usages(request)
|
||||||
if usages['security_groups'].get('available', 1) <= 0:
|
if usages['security_groups'].get('available', 1) <= 0:
|
||||||
@ -88,7 +84,7 @@ class CreateGroup(tables.LinkAction):
|
|||||||
self.verbose_name = _("Create Security Group")
|
self.verbose_name = _("Create Security Group")
|
||||||
self.classes = [c for c in self.classes if c != "disabled"]
|
self.classes = [c for c in self.classes if c != "disabled"]
|
||||||
|
|
||||||
return POLICY_CHECK(policy, request, target={})
|
return policy.check(policy_rules, request, target={})
|
||||||
|
|
||||||
|
|
||||||
class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):
|
class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):
|
||||||
@ -101,11 +97,11 @@ class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
def allowed(self, request, security_group=None):
|
def allowed(self, request, security_group=None):
|
||||||
policy_target = self.get_policy_target(request, security_group)
|
policy_target = self.get_policy_target(request, security_group)
|
||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy = (("network", "update_security_group"),)
|
policy_rules = (("network", "update_security_group"),)
|
||||||
else:
|
else:
|
||||||
policy = (("compute", "compute_extension:security_groups"),)
|
policy_rules = (("compute", "compute_extension:security_groups"),)
|
||||||
|
|
||||||
if not POLICY_CHECK(policy, request, policy_target):
|
if not policy.check(policy_rules, request, policy_target):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
if not security_group:
|
if not security_group:
|
||||||
@ -122,11 +118,11 @@ class ManageRules(policy.PolicyTargetMixin, tables.LinkAction):
|
|||||||
def allowed(self, request, security_group=None):
|
def allowed(self, request, security_group=None):
|
||||||
policy_target = self.get_policy_target(request, security_group)
|
policy_target = self.get_policy_target(request, security_group)
|
||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy = (("network", "get_security_group"),)
|
policy_rules = (("network", "get_security_group"),)
|
||||||
else:
|
else:
|
||||||
policy = (("compute", "compute_extension:security_groups"),)
|
policy_rules = (("compute", "compute_extension:security_groups"),)
|
||||||
|
|
||||||
return POLICY_CHECK(policy, request, policy_target)
|
return policy.check(policy_rules, request, policy_target)
|
||||||
|
|
||||||
|
|
||||||
class SecurityGroupsFilterAction(tables.FilterAction):
|
class SecurityGroupsFilterAction(tables.FilterAction):
|
||||||
@ -161,11 +157,11 @@ class CreateRule(tables.LinkAction):
|
|||||||
|
|
||||||
def allowed(self, request, security_group_rule=None):
|
def allowed(self, request, security_group_rule=None):
|
||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy = (("network", "create_security_group_rule"),)
|
policy_rules = (("network", "create_security_group_rule"),)
|
||||||
else:
|
else:
|
||||||
policy = (("compute", "compute_extension:security_groups"),)
|
policy_rules = (("compute", "compute_extension:security_groups"),)
|
||||||
|
|
||||||
return POLICY_CHECK(policy, request, target={})
|
return policy.check(policy_rules, request, target={})
|
||||||
|
|
||||||
def get_link_url(self):
|
def get_link_url(self):
|
||||||
return reverse(self.url, args=[self.table.kwargs['security_group_id']])
|
return reverse(self.url, args=[self.table.kwargs['security_group_id']])
|
||||||
@ -190,11 +186,11 @@ class DeleteRule(tables.DeleteAction):
|
|||||||
|
|
||||||
def allowed(self, request, security_group_rule=None):
|
def allowed(self, request, security_group_rule=None):
|
||||||
if api.base.is_service_enabled(request, "network"):
|
if api.base.is_service_enabled(request, "network"):
|
||||||
policy = (("network", "delete_security_group_rule"),)
|
policy_rules = (("network", "delete_security_group_rule"),)
|
||||||
else:
|
else:
|
||||||
policy = (("compute", "compute_extension:security_groups"),)
|
policy_rules = (("compute", "compute_extension:security_groups"),)
|
||||||
|
|
||||||
return POLICY_CHECK(policy, request, target={})
|
return policy.check(policy_rules, request, target={})
|
||||||
|
|
||||||
def delete(self, request, obj_id):
|
def delete(self, request, obj_id):
|
||||||
api.network.security_group_rule_delete(request, obj_id)
|
api.network.security_group_rule_delete(request, obj_id)
|
||||||
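Review bot: The target is passed positionally in DeleteGroup.allowed (`if not policy.check(policy_rules, request, policy_target):`) and likewise in EditGroup.allowed and ManageRules.allowed, while CreateGroup, CreateRule and DeleteRule in the same file spell it `target={}` and the instance actions elsewhere in this commit also use the keyword. Writing `if not policy.check(policy_rules, request, target=policy_target):` in the three PolicyTargetMixin classes keeps every call in the module the same shape and makes the scoping argument visible at a glance. Separately, the import hunk removes the only use of `settings` visible on this page; if nothing else in the module reads it, `from django.conf import settings` is now an unused import, but the hunk does not show the import block, so that needs checking against the full file.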
|
@ -216,16 +216,15 @@ class TogglePause(tables.BatchAction):
|
|||||||
self.paused = instance.status == "PAUSED"
|
self.paused = instance.status == "PAUSED"
|
||||||
if self.paused:
|
if self.paused:
|
||||||
self.current_present_action = UNPAUSE
|
self.current_present_action = UNPAUSE
|
||||||
policy = (("compute", "compute_extension:admin_actions:unpause"),)
|
policy_rules = (
|
||||||
|
("compute", "compute_extension:admin_actions:unpause"),)
|
||||||
else:
|
else:
|
||||||
self.current_present_action = PAUSE
|
self.current_present_action = PAUSE
|
||||||
policy = (("compute", "compute_extension:admin_actions:pause"),)
|
policy_rules = (
|
||||||
|
("compute", "compute_extension:admin_actions:pause"),)
|
||||||
|
|
||||||
has_permission = True
|
has_permission = policy.check(
|
||||||
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
|
policy_rules, request,
|
||||||
if policy_check:
|
|
||||||
has_permission = policy_check(
|
|
||||||
policy, request,
|
|
||||||
target={'project_id': getattr(instance, 'tenant_id', None)})
|
target={'project_id': getattr(instance, 'tenant_id', None)})
|
||||||
|
|
||||||
return (has_permission
|
return (has_permission
|
||||||
@ -284,16 +283,15 @@ class ToggleSuspend(tables.BatchAction):
|
|||||||
self.suspended = instance.status == "SUSPENDED"
|
self.suspended = instance.status == "SUSPENDED"
|
||||||
if self.suspended:
|
if self.suspended:
|
||||||
self.current_present_action = RESUME
|
self.current_present_action = RESUME
|
||||||
policy = (("compute", "compute_extension:admin_actions:resume"),)
|
policy_rules = (
|
||||||
|
("compute", "compute_extension:admin_actions:resume"),)
|
||||||
else:
|
else:
|
||||||
self.current_present_action = SUSPEND
|
self.current_present_action = SUSPEND
|
||||||
policy = (("compute", "compute_extension:admin_actions:suspend"),)
|
policy_rules = (
|
||||||
|
("compute", "compute_extension:admin_actions:suspend"),)
|
||||||
|
|
||||||
has_permission = True
|
has_permission = policy.check(
|
||||||
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
|
policy_rules, request,
|
||||||
if policy_check:
|
|
||||||
has_permission = policy_check(
|
|
||||||
policy, request,
|
|
||||||
target={'project_id': getattr(instance, 'tenant_id', None)})
|
target={'project_id': getattr(instance, 'tenant_id', None)})
|
||||||
|
|
||||||
return (has_permission
|
return (has_permission
|
||||||
@ -351,16 +349,13 @@ class ToggleShelve(tables.BatchAction):
|
|||||||
self.shelved = instance.status == "SHELVED_OFFLOADED"
|
self.shelved = instance.status == "SHELVED_OFFLOADED"
|
||||||
if self.shelved:
|
if self.shelved:
|
||||||
self.current_present_action = UNSHELVE
|
self.current_present_action = UNSHELVE
|
||||||
policy = (("compute", "compute_extension:unshelve"),)
|
policy_rules = (("compute", "compute_extension:unshelve"),)
|
||||||
else:
|
else:
|
||||||
self.current_present_action = SHELVE
|
self.current_present_action = SHELVE
|
||||||
policy = (("compute", "compute_extension:shelve"),)
|
policy_rules = (("compute", "compute_extension:shelve"),)
|
||||||
|
|
||||||
has_permission = True
|
has_permission = policy.check(
|
||||||
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
|
policy_rules, request,
|
||||||
if policy_check:
|
|
||||||
has_permission = policy_check(
|
|
||||||
policy, request,
|
|
||||||
target={'project_id': getattr(instance, 'tenant_id', None)})
|
target={'project_id': getattr(instance, 'tenant_id', None)})
|
||||||
|
|
||||||
return (has_permission
|
return (has_permission
|
||||||
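Review bot: TogglePause.allowed, ToggleSuspend.allowed and ToggleShelve.allowed now reference the `policy` module, but no import hunk for this file appears on the page; the name was previously shadowed by the local `policy` tuple, so if `from openstack_dashboard import policy` is not already at the top of the module these three calls raise NameError on first use. The three methods also build the identical target `{'project_id': getattr(instance, 'tenant_id', None)}`; a module-level helper such as `def _instance_target(instance): return {'project_id': getattr(instance, 'tenant_id', None)}` would keep the scope uniform across the actions and give one place to note that an instance without `tenant_id` yields a `None` project id in the target. Each of the three `allowed` methods starts and ends outside its hunk.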
|
@ -13,19 +13,10 @@
|
|||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
|
|
||||||
from openstack_dashboard.api import base
|
from openstack_dashboard.api import base
|
||||||
|
from openstack_dashboard import policy
|
||||||
from openstack_dashboard.usage import quotas
|
from openstack_dashboard.usage import quotas
|
||||||
|
|
||||||
|
|
||||||
def _has_permission(request, policy):
|
|
||||||
has_permission = True
|
|
||||||
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
|
|
||||||
|
|
||||||
if policy_check:
|
|
||||||
has_permission = policy_check(policy, request)
|
|
||||||
|
|
||||||
return has_permission
|
|
||||||
|
|
||||||
|
|
||||||
def _quota_exceeded(request, quota):
|
def _quota_exceeded(request, quota):
|
||||||
usages = quotas.tenant_quota_usages(request)
|
usages = quotas.tenant_quota_usages(request)
|
||||||
available = usages.get(quota, {}).get('available', 1)
|
available = usages.get(quota, {}).get('available', 1)
|
||||||
@ -39,15 +30,15 @@ def get_context(request, context=None):
|
|||||||
|
|
||||||
network_config = getattr(settings, 'OPENSTACK_NEUTRON_NETWORK', {})
|
network_config = getattr(settings, 'OPENSTACK_NEUTRON_NETWORK', {})
|
||||||
|
|
||||||
context['launch_instance_allowed'] = _has_permission(
|
context['launch_instance_allowed'] = policy.check(
|
||||||
request, (("compute", "compute:create"),))
|
(("compute", "compute:create"),), request)
|
||||||
context['instance_quota_exceeded'] = _quota_exceeded(request, 'instances')
|
context['instance_quota_exceeded'] = _quota_exceeded(request, 'instances')
|
||||||
context['create_network_allowed'] = _has_permission(
|
context['create_network_allowed'] = policy.check(
|
||||||
request, (("network", "create_network"),))
|
(("network", "create_network"),), request)
|
||||||
context['network_quota_exceeded'] = _quota_exceeded(request, 'networks')
|
context['network_quota_exceeded'] = _quota_exceeded(request, 'networks')
|
||||||
context['create_router_allowed'] = (
|
context['create_router_allowed'] = (
|
||||||
network_config.get('enable_router', True) and
|
network_config.get('enable_router', True) and
|
||||||
_has_permission(request, (("network", "create_router"),)))
|
policy.check((("network", "create_router"),), request))
|
||||||
context['router_quota_exceeded'] = _quota_exceeded(request, 'routers')
|
context['router_quota_exceeded'] = _quota_exceeded(request, 'routers')
|
||||||
context['console_type'] = getattr(settings, 'CONSOLE_TYPE', 'AUTO')
|
context['console_type'] = getattr(settings, 'CONSOLE_TYPE', 'AUTO')
|
||||||
context['show_ng_launch'] = (
|
context['show_ng_launch'] = (
|
||||||
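Review bot: With `_has_permission` gone, get_context now carries the nested tuple literals inline, e.g. `policy.check((("compute", "compute:create"),), request)`, and the doubled parentheses are easy to misread as a call-argument typo. Naming the rule sets at module level, `LAUNCH_INSTANCE_RULES = (("compute", "compute:create"),)` and the two network equivalents, would keep the three calls readable and match how the table modules in this commit hold rules in a `policy_rules` variable. The retained `from django.conf import settings` is still needed for `OPENSTACK_NEUTRON_NETWORK` in this hunk, so the first hunk's import changes look complete. get_context continues beyond the hunk.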
|