Add more credentials information to check_is_admin

Currently, It can specify only user_id when checking admin. Add more information for checking admin because it is not enough in multi-domain configuration. Change-Id: I31913b393cb0f763d00e71e27aa96551bf04ce5d closes-bug:1688021
2017-05-04 00:09:48 +08:00 · 2017-05-04 00:09:48 +08:00 · a2e0810482
commit a2e0810482
parent 5fc0254f79
1 changed files with 2 additions and 7 deletions
--- a/karbor/policy.py
+++ b/karbor/policy.py
@ -75,21 +75,16 @@ def enforce(context, action, target):
 def check_is_admin(roles, context=None):
    """Whether or not user is admin according to policy setting.

-       Can use roles or user_id from context to determine if user is admin.
-       In a multi-domain configuration, roles alone may not be sufficient.
    """
    init()

    # include project_id on target to avoid KeyError if context_is_admin
    # policy definition is missing, and default admin_or_owner rule
-    # attempts to apply.  Since our credentials dict does not include a
-    # project_id, this target can never match as a generic rule.
+    # attempts to apply.
    target = {'project_id': ''}
    if context is None:
        credentials = {'roles': roles}
    else:
-        credentials = {'roles': context.roles,
-                       'user_id': context.user_id
-                       }
+        credentials = context.to_dict()

    return _ENFORCER.enforce('context_is_admin', target, credentials)