This adds the basic framework for registering and using default policy rules. Rules should be defined and returned from a module in nova/policies/, and then added to the list in nova/policies/__init__.py. A new context.can() method has been added for policy enforcement of registered rules. It has the same parameters as the enforce() method currently being used. To establish the full pattern for usage the policy checks in the servers API module have been registered and converted to the new usage. Now that some policy checks are registered, the tests exercise them properly. Some tests have been updated so that the instance project_id matches the context project_id in order to pass the 'admin_or_owner' check. Change-Id: I71b3d1233255125cb280a000b990329f5b03fdfd Partially-Implements: bp policy-in-code
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
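# Base rules that every other module in nova/policies/ builds on.  Other
# check strings refer to these by name (e.g. 'rule:admin_or_owner'), so a
# rename here silently changes the meaning of every policy that uses them.
rules = [
    # 'role:admin' is matched against the roles in the caller's credentials.
    # NOTE(review): presumably nova derives context.is_admin (which the
    # 'is_admin:True' checks below consult) from this rule -- confirm in
    # nova/policy.py before tightening or loosening it.
    policy.RuleDefault(
        'context_is_admin',
        'role:admin',
        description='Which callers count as administrators.'),
    # '%(project_id)s' is substituted from the *target* dict handed to
    # enforce()/can(); the bare 'project_id' on the left is read from the
    # caller's credentials.  The target must therefore carry the project_id of
    # the resource being acted on (the instance, per the change description),
    # never a value taken from the request, or the owner half of this check
    # is vacuous.  What happens when the target has no project_id at all
    # depends on the oslo.policy version in use -- do not rely on it.
    policy.RuleDefault(
        'admin_or_owner',
        'is_admin:True or project_id:%(project_id)s',
        description='Default rule for most non-admin APIs: the caller is an '
                    'admin or owns the target resource.'),
    policy.RuleDefault(
        'admin_api',
        'is_admin:True',
        description='Default rule for most admin-only APIs.'),
]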
def list_rules():
    """Return the base policy rule defaults defined by this module.

    The returned list is the module-level ``rules`` object itself, not a
    copy.  Per the change description, nova/policies/__init__.py is expected
    to collect it together with the other policy modules' rules and register
    the result with the policy enforcer; that registration code is not in
    this file.
    """
    return rules