
Implement system-scope

The context should carry some information that all services will need
in order to enforce scoping. System scope can be implemented here
and made available to projects when they start adding scope types to
policies.

bp system-scope

Change-Id: I02fdaccfdd002d60b0b51c5d3327c783009cf35e
Lance Bragstad 1 year ago
parent
commit
1a40b3d43b
2 changed files with 39 additions and 1 deletions
  1. 11
    1
      oslo_context/context.py
  2. 28
    0
      oslo_context/tests/test_context.py

+ 11
- 1
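--- a/oslo_context/context.py
+++ b/oslo_context/context.py
@@ -49,6 +49,7 @@ _ENVIRON_HEADERS = {
     'project_id': ['HTTP_X_PROJECT_ID',
                    'HTTP_X_TENANT_ID',
                    'HTTP_X_TENANT'],
+    'system_scope': ['HTTP_OPENSTACK_SYSTEM_SCOPE'],
     'user_domain_id': ['HTTP_X_USER_DOMAIN_ID'],
     'project_domain_id': ['HTTP_X_PROJECT_DOMAIN_ID'],
     'user_name': ['HTTP_X_USER_NAME'],
@@ -219,7 +220,8 @@ class RequestContext(object):
                  service_project_domain_id=None,
                  service_project_domain_name=None,
                  service_roles=None,
-                 global_request_id=None):
+                 global_request_id=None,
+                 system_scope=None):
         """Initialize the RequestContext
 
         :param overwrite: Set to False to ensure that the greenthread local
@@ -228,6 +230,11 @@ class RequestContext(object):
                                  the token as the admin project. Defaults to
                                  True for backwards compatibility.
         :type is_admin_project: bool
+        :param system_scope: The system scope of a token. The value ``all``
+                             represents the entire deployment system. A service
+                             ID represents a specific service within the
+                             deployment system.
+        :type system_scope: string
         """
         # setting to private variables to avoid triggering subclass properties
         self._user_id = user_id
@@ -240,6 +247,7 @@ class RequestContext(object):
         self.user_name = user_name
         self.project_name = project_name
         self.domain_name = domain_name
+        self.system_scope = system_scope
         self.user_domain_name = user_domain_name
         self.project_domain_name = project_domain_name
         self.is_admin = is_admin
@@ -309,6 +317,7 @@ class RequestContext(object):
         return _DeprecatedPolicyValues({
             'user_id': self.user_id,
             'user_domain_id': self.user_domain_id,
+            'system_scope': self.system_scope,
             'project_id': self.project_id,
             'project_domain_id': self.project_domain_id,
             'roles': self.roles,
@@ -330,6 +339,7 @@ class RequestContext(object):
 
         return {'user': self.user_id,
                 'tenant': self.project_id,
+                'system_scope': self.system_scope,
                 'project': self.project_id,
                 'domain': self.domain_id,
                 'user_domain': self.user_domain_id,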
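Review bot: `to_dict()` now emits `'system_scope'`, but none of the hunks in this section touches `from_dict()`, which lies outside the visible lines. If that method rebuilds the context from an explicit list of keys, a context serialized with `to_dict()` and restored on another service would carry `system_scope=None`, so scope checks there would not see the system scope the token had. I would add the matching line there, e.g. `kwargs.setdefault('system_scope', values.get('system_scope'))`, once the key mapping in that method is confirmed. The `_ENVIRON_HEADERS` entry also deserves a comment such as `# set by the auth middleware after token validation; never trust a client-supplied value`, since this value ends up in `to_policy_values()`.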

+ 28
- 0
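--- a/oslo_context/tests/test_context.py
+++ b/oslo_context/tests/test_context.py
@@ -554,6 +554,7 @@ class ContextTest(test_base.BaseTestCase):
 
         self.assertEqual({'user_id': user,
                           'user_domain_id': user_domain,
+                          'system_scope': None,
                           'project_id': tenant,
                           'project_domain_id': project_domain,
                           'roles': roles,
@@ -565,6 +566,32 @@ class ContextTest(test_base.BaseTestCase):
                           'service_roles': service_roles},
                          ctx.to_policy_values())
 
+        # NOTE(lbragstad): This string has special meaning in that the value
+        # ``all`` represents the entire deployment system.
+        system_all = 'all'
+
+        ctx = context.RequestContext(user=user,
+                                     user_domain=user_domain,
+                                     system_scope=system_all,
+                                     roles=roles,
+                                     service_user_id=service_user_id,
+                                     service_project_id=service_project_id,
+                                     service_roles=service_roles)
+
+        self.assertEqual({'user_id': user,
+                          'user_domain_id': user_domain,
+                          'system_scope': system_all,
+                          'project_id': None,
+                          'project_domain_id': None,
+                          'roles': roles,
+                          'is_admin_project': True,
+                          'service_user_id': service_user_id,
+                          'service_user_domain_id': None,
+                          'service_project_id': service_project_id,
+                          'service_project_domain_id': None,
+                          'service_roles': service_roles},
+                         ctx.to_policy_values())
+
         ctx = context.RequestContext(user=user,
                                      user_domain=user_domain,
                                      tenant=tenant,
@@ -577,6 +604,7 @@ class ContextTest(test_base.BaseTestCase):
 
         self.assertEqual({'user_id': user,
                           'user_domain_id': user_domain,
+                          'system_scope': None,
                           'project_id': tenant,
                           'project_domain_id': project_domain,
                           'roles': roles,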
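Review bot: The added assertions exercise `system_scope` only through `to_policy_values()`; nothing in these hunks covers the new `HTTP_OPENSTACK_SYSTEM_SCOPE` mapping or the `'system_scope'` key added to `to_dict()`. A test that builds the context from an environ containing that variable and asserts `ctx.system_scope`, plus a `to_dict()`/`from_dict()` round trip, would pin the paths through which the scope enters and leaves the context. The new case passes `system_scope` without `tenant`; a case that supplies both would document whether the two are expected to coexist in the policy values. The enclosing test method starts and ends outside the visible hunks.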
