8ccdecc7d1
As we are moving to the new S-RBAC policies, we want to use the "service" role for all service-to-service communication. See [1] for details.

This requires the Context class to have a property similar to the old "is_advsvc" but with the new naming convention and using the new policy rule. This patch adds this new property together with all required policies and rules.

For now the "ContextBase.is_advsvc" property will return True if one of the advsvc OR service_role is True, to make it work in the same way with both old and new policies, but once we get rid of the old policies we should also remove the is_advsvc property from the ContextBase class.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2

Change-Id: Ic401db8b4e2745234e61fe2c05afd5b4ab719a03
29 lines
989 B
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.


def policy_and(*args):
    # Join check strings with ' and '; no parentheses are added.
    return ' and '.join(args)


def policy_or(*args):
    # Join check strings with ' or '; no parentheses are added.
    return ' or '.join(args)


# Check strings that reference named policy rules.
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_ONLY = 'rule:admin_only'
RULE_ANY = 'rule:regular_user'
RULE_ADVSVC = 'rule:context_is_advsvc'
RULE_SERVICE_ROLE = 'rule:service_api'
RULE_ADMIN_OR_NET_OWNER = 'rule:admin_or_network_owner'
RULE_ADMIN_OR_PARENT_OWNER = 'rule:admin_or_ext_parent_owner'
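The following is an added example, not part of the project's code: it combines the old and new service rules with policy_or, as the commit message describes for the transition period, and shows that nesting the result inside policy_and needs explicit parentheses because the helpers add none. The rule bodies in RULES and the small `allowed` evaluator are assumptions made for illustration; the evaluator is a simplified stand-in that only models "and" binding tighter than "or", as in oslo.policy's rule language.

```python
# Added example: helpers and rule names copied from the file above.
def policy_and(*args):
    return ' and '.join(args)


def policy_or(*args):
    return ' or '.join(args)


RULE_ADMIN_ONLY = 'rule:admin_only'
RULE_ADVSVC = 'rule:context_is_advsvc'
RULE_SERVICE_ROLE = 'rule:service_api'
# Constructed rule bodies (assumption, not taken from the page).
RULES = {'admin_only': 'role:admin', 'context_is_advsvc': 'role:advsvc',
         'service_api': 'role:service'}


def _split(text, sep):
    """Split text on sep, ignoring separators inside parentheses."""
    parts, depth, start, i = [], 0, 0, 0
    while i < len(text):
        depth += (text[i] == '(') - (text[i] == ')')
        if depth == 0 and text.startswith(sep, i):
            parts.append(text[start:i])
            start = i = i + len(sep)
        else:
            i += 1
    parts.append(text[start:])
    return parts


def allowed(check_str, roles):
    """Evaluate a check string against a set of role names."""
    def leaf(token):
        token = token.strip()
        if token.startswith('(') and token.endswith(')'):
            return allowed(token[1:-1], roles)
        kind, _, value = token.partition(':')
        if kind == 'rule':
            return allowed(RULES[value], roles)
        return kind == 'role' and value in roles
    # 'or' is split first, so each 'and' group is evaluated as a unit.
    return any(all(leaf(t) for t in _split(term, ' and '))
               for term in _split(check_str, ' or '))


# Transition rule: accept the old advsvc role or the new service role.
TRANSITIONAL = policy_or(RULE_ADVSVC, RULE_SERVICE_ROLE)
# Nested without grouping: reads as (admin and advsvc) or service.
UNGROUPED = policy_and(RULE_ADMIN_ONLY, TRANSITIONAL)
# Grouped by hand: admin and (advsvc or service).
GROUPED = policy_and(RULE_ADMIN_ONLY, '(' + TRANSITIONAL + ')')
```

With these constructed rules, a caller holding only the service role passes UNGROUPED but not GROUPED, so a composite built by nesting the helpers should be reviewed as the flat string it actually produces.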