Use to_policy_values for policy enforcement
Use the common policy values for all services when enforcing policy decisions. We add every policy value that may still be in use, to maintain backwards compatibility. Change-Id: Ie1d0739ab4dfb0654d8767693dbdba5cd52a30b2 Closes-Bug: #1602081
parent
57cb661869
commit
2e621eeb1c
|
@ -91,6 +91,26 @@ class ContextBase(oslo_context.RequestContext):
|
||||||
})
|
})
|
||||||
return context
|
return context
|
||||||
|
|
||||||
|
def to_policy_values(self):
|
||||||
|
values = super(ContextBase, self).to_policy_values()
|
||||||
|
values['tenant_id'] = self.tenant_id
|
||||||
|
values['is_admin'] = self.is_admin
|
||||||
|
|
||||||
|
# NOTE(jamielennox): These are almost certainly unused and non-standard
|
||||||
|
# but kept for backwards compatibility. Remove them in Pike
|
||||||
|
# (oslo.context from Ocata release already issues deprecation warnings
|
||||||
|
# for non-standard keys).
|
||||||
|
values['user'] = self.user
|
||||||
|
values['tenant'] = self.tenant
|
||||||
|
values['domain'] = self.domain
|
||||||
|
values['user_domain'] = self.user_domain
|
||||||
|
values['project_domain'] = self.project_domain
|
||||||
|
values['tenant_name'] = self.tenant_name
|
||||||
|
values['project_name'] = self.tenant_name
|
||||||
|
values['user_name'] = self.user_name
|
||||||
|
|
||||||
|
return values
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def from_dict(cls, values):
|
def from_dict(cls, values):
|
||||||
return cls(user_id=values.get('user_id', values.get('user')),
|
return cls(user_id=values.get('user_id', values.get('user')),
|
||||||
|
|
|
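Review bot: `to_policy_values` at the top of the hunk becomes the credential set every policy rule is evaluated against, yet it has no docstring saying so, and nothing states which keys are the standard ones and which are the compatibility aliases the NOTE schedules for removal. I would add a docstring such as `"""Return the credentials handed to oslo.policy: the base-class values plus neutron's legacy keys (user, tenant, domain, ...) kept so existing policy files keep matching."""`. The base-class result is presumably not a plain dict on newer oslo.context (the test added in this commit wraps it in `dict()` for that reason), so the `values[...] = ...` assignments rely on that object supporting item assignment; a one-line comment or a test run against the newer release would pin that down. Dropping the aliases later will silently change rule outcomes for operators whose policy files still spell `tenant` or `user`, so the removal should be announced in a release note rather than only in this comment. `ContextBase` begins outside the hunk.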
@ -321,7 +321,7 @@ def _prepare_check(context, action, target, pluralized):
|
||||||
if target is None:
|
if target is None:
|
||||||
target = {}
|
target = {}
|
||||||
match_rule = _build_match_rule(action, target, pluralized)
|
match_rule = _build_match_rule(action, target, pluralized)
|
||||||
credentials = context.to_dict()
|
credentials = context.to_policy_values()
|
||||||
return match_rule, target, credentials
|
return match_rule, target, credentials
|
||||||
|
|
||||||
|
|
||||||
|
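Review bot: Replacing `context.to_dict()` with `context.to_policy_values()` on the `credentials =` line changes the key set that policy rules are matched against, and the same change is made in `check_is_admin` and `check_is_advsvc` in the next two hunks. A key that `to_dict()` exposed but `to_policy_values()` does not is not an error for oslo.policy: as far as I recall, a generic check against an absent credential key simply evaluates to false, so an affected rule would silently flip its result instead of failing loudly. I would add a test that loads the shipped policy file and asserts every credential key its rules reference is present in `to_policy_values()`, plus a comment on this line: `# policy rules match against these keys; keep to_policy_values in sync with the policy file`. `_prepare_check` starts outside the hunk.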
@ -410,7 +410,7 @@ def check_is_admin(context):
|
||||||
"""Verify context has admin rights according to policy settings."""
|
"""Verify context has admin rights according to policy settings."""
|
||||||
init()
|
init()
|
||||||
# the target is user-self
|
# the target is user-self
|
||||||
credentials = context.to_dict()
|
credentials = context.to_policy_values()
|
||||||
if ADMIN_CTX_POLICY not in _ENFORCER.rules:
|
if ADMIN_CTX_POLICY not in _ENFORCER.rules:
|
||||||
return False
|
return False
|
||||||
return _ENFORCER.enforce(ADMIN_CTX_POLICY, credentials, credentials)
|
return _ENFORCER.enforce(ADMIN_CTX_POLICY, credentials, credentials)
|
||||||
|
@ -420,7 +420,7 @@ def check_is_advsvc(context):
|
||||||
"""Verify context has advsvc rights according to policy settings."""
|
"""Verify context has advsvc rights according to policy settings."""
|
||||||
init()
|
init()
|
||||||
# the target is user-self
|
# the target is user-self
|
||||||
credentials = context.to_dict()
|
credentials = context.to_policy_values()
|
||||||
if ADVSVC_CTX_POLICY not in _ENFORCER.rules:
|
if ADVSVC_CTX_POLICY not in _ENFORCER.rules:
|
||||||
return False
|
return False
|
||||||
return _ENFORCER.enforce(ADVSVC_CTX_POLICY, credentials, credentials)
|
return _ENFORCER.enforce(ADVSVC_CTX_POLICY, credentials, credentials)
|
||||||
|
|
|
@ -142,3 +142,28 @@ class TestNeutronContext(base.BaseTestCase):
|
||||||
ctx_admin = context.get_admin_context()
|
ctx_admin = context.get_admin_context()
|
||||||
self.assertEqual(req_id_before, oslo_context.get_current().request_id)
|
self.assertEqual(req_id_before, oslo_context.get_current().request_id)
|
||||||
self.assertNotEqual(req_id_before, ctx_admin.request_id)
|
self.assertNotEqual(req_id_before, ctx_admin.request_id)
|
||||||
|
|
||||||
|
def test_to_policy_values(self):
|
||||||
|
values = {
|
||||||
|
'user_id': 'user_id',
|
||||||
|
'tenant_id': 'tenant_id',
|
||||||
|
'is_admin': 'is_admin',
|
||||||
|
'tenant_name': 'tenant_name',
|
||||||
|
'user_name': 'user_name',
|
||||||
|
'domain': 'domain',
|
||||||
|
'user_domain': 'user_domain',
|
||||||
|
'project_domain': 'project_domain',
|
||||||
|
'user_name': 'user_name',
|
||||||
|
}
|
||||||
|
additional_values = {
|
||||||
|
'user': 'user_id',
|
||||||
|
'tenant': 'tenant_id',
|
||||||
|
'project_id': 'tenant_id',
|
||||||
|
'project_name': 'tenant_name',
|
||||||
|
}
|
||||||
|
ctx = context.Context(**values)
|
||||||
|
# apply dict() to get a real dictionary, needed for newer oslo.context
|
||||||
|
# that returns _DeprecatedPolicyValues object instead
|
||||||
|
policy_values = dict(ctx.to_policy_values())
|
||||||
|
self.assertDictSupersetOf(values, policy_values)
|
||||||
|
self.assertDictSupersetOf(additional_values, policy_values)
|
||||||
|
|
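Review bot: The `values` literal in `test_to_policy_values` lists `'user_name': 'user_name'` twice, once after `'tenant_name'` and again after `'project_domain'`; the second entry silently replaces the first and linters flag duplicate dict keys, so drop the second one. The test also passes the string `'is_admin'` for a flag the context presumably treats as a boolean; the assertion holds only because the value is echoed back unchanged, so using `True` would make the `is_admin` check meaningful. Nothing here exercises the enforcement path that now consumes these values, so a small test that `check_is_admin` still succeeds for `get_admin_context()` after this change would guard the three call sites in the same commit. `TestNeutronContext` starts outside the hunk, but the new method is fully contained here.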