Use to_policy_values for policy credentials

The base oslo.context defines to_policy_values with all the information that it expects a service to require to enforce policy. Use that instead of throwing everything in to_dict at policy enforcement. Change-Id: I0a42b4425e9dd1bd062c48792c4d116dd370afe3 Closes-Bug: #1602081
2016-09-12 21:39:45 -04:00 · 2016-09-12 21:39:45 -04:00 · 304bc201c0
commit 304bc201c0
parent ba718e35db
2 changed files with 7 additions and 2 deletions
--- a/nova/context.py
+++ b/nova/context.py
@ -277,6 +277,11 @@ class RequestContext(context.RequestContext):
                raise
            return False

+    def to_policy_values(self):
+        policy = super(RequestContext, self).to_policy_values()
+        policy['is_admin'] = self.is_admin
+        return policy
+
    def __str__(self):
        return "<Context %s>" % self.to_dict()

--- a/nova/policy.py
+++ b/nova/policy.py
@ -152,7 +152,7 @@ def authorize(context, action, target, do_raise=True, exc=None):
           do_raise is False.
    """
    init()
-    credentials = context.to_dict()
+    credentials = context.to_policy_values()
    if not exc:
        exc = exception.PolicyNotAuthorized
    try:
@ -177,7 +177,7 @@ def check_is_admin(context):

    init()
    # the target is user-self
-    credentials = context.to_dict()
+    credentials = context.to_policy_values()
    target = credentials
    return _ENFORCER.authorize('context_is_admin', target, credentials)