1902e2adf6
The primary goal of the library policy module is to support the context module during the enforcement of service and admin rules, and as such an enforcer is needed. Incidentally the enforcer is stored in a global variable whose name is the same as the enforcer's used by neutron's policy engine. To avoid confusion, this patch revises some parts of the library's policy module to make sure the cut of responsibilities is better defined. It finally makes the policy module private to avoid any danger of mixing up the enforcer instances. Change-Id: Ie55d557aa3e24678aed2fb3b5c590485f54fe792
68 lines
2.2 KiB
Python
68 lines
2.2 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from oslo_config import cfg
|
|
from oslo_policy import policy
|
|
|
|
|
|
_ROLE_ENFORCER = None
|
|
_ADMIN_CTX_POLICY = 'context_is_admin'
|
|
_ADVSVC_CTX_POLICY = 'context_is_advsvc'
|
|
|
|
|
|
def init(conf=cfg.CONF, policy_file=None):
|
|
"""Initialize the global enforcer if not already initialized.
|
|
|
|
Initialize the global enforcer (and load its rules) if not already
|
|
initialized; otherwise this is a no-op.
|
|
|
|
:param conf: The configuration to initialize the global enforcer with.
|
|
Defaults to oslo_config.cfg.CONF.
|
|
:param policy_file: The policy file to initialize the global enforcer
|
|
with.
|
|
:returns: None.
|
|
"""
|
|
|
|
global _ROLE_ENFORCER
|
|
if not _ROLE_ENFORCER:
|
|
_ROLE_ENFORCER = policy.Enforcer(conf, policy_file=policy_file)
|
|
_ROLE_ENFORCER.load_rules(True)
|
|
|
|
|
|
def _check_rule(context, rule):
|
|
init()
|
|
# the target is user-self
|
|
credentials = context.to_policy_values()
|
|
if rule not in _ROLE_ENFORCER.rules:
|
|
return False
|
|
return _ROLE_ENFORCER.enforce(rule, credentials, credentials)
|
|
|
|
|
|
def check_is_admin(context):
|
|
"""Verify context has admin rights according to the global policy settings.
|
|
|
|
:param context: The context object.
|
|
:returns: True if the context has admin rights (as per the global
|
|
enforcer) and False otherwise.
|
|
"""
|
|
return _check_rule(context, _ADMIN_CTX_POLICY)
|
|
|
|
|
|
def check_is_advsvc(context):
|
|
"""Verify context has advsvc rights according to global policy settings.
|
|
|
|
:param context: The context object.
|
|
:returns: True if the context has advsvc rights (as per the global
|
|
enforcer) and False otherwise.
|
|
"""
|
|
return _check_rule(context, _ADVSVC_CTX_POLICY)
|