Implement system-scope

The context should carry some information that all services will need
in order to enforce scoping. System scope can be implemented here
and available for projects when they start adding scope types to
policies.

bp system-scope

Change-Id: I02fdaccfdd002d60b0b51c5d3327c783009cf35e
Lance Bragstad 2017-12-29 21:28:17 +00:00
parent 92b96644eb
commit 1a40b3d43b
2 changed files with 39 additions and 1 deletions


@ -49,6 +49,7 @@ _ENVIRON_HEADERS = {
'project_id': ['HTTP_X_PROJECT_ID', 'project_id': ['HTTP_X_PROJECT_ID',
'HTTP_X_TENANT_ID', 'HTTP_X_TENANT_ID',
'HTTP_X_TENANT'], 'HTTP_X_TENANT'],
'system_scope': ['HTTP_OPENSTACK_SYSTEM_SCOPE'],
'user_domain_id': ['HTTP_X_USER_DOMAIN_ID'], 'user_domain_id': ['HTTP_X_USER_DOMAIN_ID'],
'project_domain_id': ['HTTP_X_PROJECT_DOMAIN_ID'], 'project_domain_id': ['HTTP_X_PROJECT_DOMAIN_ID'],
'user_name': ['HTTP_X_USER_NAME'], 'user_name': ['HTTP_X_USER_NAME'],
@ -219,7 +220,8 @@ class RequestContext(object):
service_project_domain_id=None, service_project_domain_id=None,
service_project_domain_name=None, service_project_domain_name=None,
service_roles=None, service_roles=None,
global_request_id=None): global_request_id=None,
system_scope=None):
"""Initialize the RequestContext """Initialize the RequestContext
:param overwrite: Set to False to ensure that the greenthread local :param overwrite: Set to False to ensure that the greenthread local
@ -228,6 +230,11 @@ class RequestContext(object):
the token as the admin project. Defaults to the token as the admin project. Defaults to
True for backwards compatibility. True for backwards compatibility.
:type is_admin_project: bool :type is_admin_project: bool
:param system_scope: The system scope of a token. The value ``all``
represents the entire deployment system. A service
ID represents a specific service within the
deployment system.
:type system_scope: string
""" """
# setting to private variables to avoid triggering subclass properties # setting to private variables to avoid triggering subclass properties
self._user_id = user_id self._user_id = user_id
@ -240,6 +247,7 @@ class RequestContext(object):
self.user_name = user_name self.user_name = user_name
self.project_name = project_name self.project_name = project_name
self.domain_name = domain_name self.domain_name = domain_name
self.system_scope = system_scope
self.user_domain_name = user_domain_name self.user_domain_name = user_domain_name
self.project_domain_name = project_domain_name self.project_domain_name = project_domain_name
self.is_admin = is_admin self.is_admin = is_admin
@ -309,6 +317,7 @@ class RequestContext(object):
return _DeprecatedPolicyValues({ return _DeprecatedPolicyValues({
'user_id': self.user_id, 'user_id': self.user_id,
'user_domain_id': self.user_domain_id, 'user_domain_id': self.user_domain_id,
'system_scope': self.system_scope,
'project_id': self.project_id, 'project_id': self.project_id,
'project_domain_id': self.project_domain_id, 'project_domain_id': self.project_domain_id,
'roles': self.roles, 'roles': self.roles,
@ -330,6 +339,7 @@ class RequestContext(object):
return {'user': self.user_id, return {'user': self.user_id,
'tenant': self.project_id, 'tenant': self.project_id,
'system_scope': self.system_scope,
'project': self.project_id, 'project': self.project_id,
'domain': self.domain_id, 'domain': self.domain_id,
'user_domain': self.user_domain_id, 'user_domain': self.user_domain_id,
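Review bot: `to_dict` now emits `system_scope` (the line added after `'tenant'`), but nothing in these hunks restores it on the way back in; if `from_dict`, which is outside the visible hunks, builds the context from an explicit list of keys rather than forwarding every value, a context round-tripped through `to_dict`/`from_dict` silently loses its system scope and any policy check on the rebuilt context sees `system_scope` as `None`. A matching `kwargs.setdefault('system_scope', values.get('system_scope'))` in `from_dict`, or a test that round-trips a system-scoped context, would close that gap. The `_ENVIRON_HEADERS` entry in the first hunk deserves a one-line comment as well, since `HTTP_OPENSTACK_SYSTEM_SCOPE` is trusted exactly like the other identity headers and is only as reliable as the auth middleware that populates it, e.g. `# set by the auth middleware from the validated token; confirm the middleware strips any inbound copy`. Both `to_policy_values` and `to_dict` start outside the hunk.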


@ -554,6 +554,7 @@ class ContextTest(test_base.BaseTestCase):
self.assertEqual({'user_id': user, self.assertEqual({'user_id': user,
'user_domain_id': user_domain, 'user_domain_id': user_domain,
'system_scope': None,
'project_id': tenant, 'project_id': tenant,
'project_domain_id': project_domain, 'project_domain_id': project_domain,
'roles': roles, 'roles': roles,
@ -565,6 +566,32 @@ class ContextTest(test_base.BaseTestCase):
'service_roles': service_roles}, 'service_roles': service_roles},
ctx.to_policy_values()) ctx.to_policy_values())
# NOTE(lbragstad): This string has special meaning in that the value
# ``all`` represents the entire deployment system.
system_all = 'all'
ctx = context.RequestContext(user=user,
user_domain=user_domain,
system_scope=system_all,
roles=roles,
service_user_id=service_user_id,
service_project_id=service_project_id,
service_roles=service_roles)
self.assertEqual({'user_id': user,
'user_domain_id': user_domain,
'system_scope': system_all,
'project_id': None,
'project_domain_id': None,
'roles': roles,
'is_admin_project': True,
'service_user_id': service_user_id,
'service_user_domain_id': None,
'service_project_id': service_project_id,
'service_project_domain_id': None,
'service_roles': service_roles},
ctx.to_policy_values())
ctx = context.RequestContext(user=user, ctx = context.RequestContext(user=user,
user_domain=user_domain, user_domain=user_domain,
tenant=tenant, tenant=tenant,
@ -577,6 +604,7 @@ class ContextTest(test_base.BaseTestCase):
self.assertEqual({'user_id': user, self.assertEqual({'user_id': user,
'user_domain_id': user_domain, 'user_domain_id': user_domain,
'system_scope': None,
'project_id': tenant, 'project_id': tenant,
'project_domain_id': project_domain, 'project_domain_id': project_domain,
'roles': roles, 'roles': roles,
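Review bot: The new test only exercises `to_policy_values` with `system_scope='all'` (the block beginning at `system_all = 'all'`); nothing in the visible hunks covers the other two surfaces this commit adds, the `HTTP_OPENSTACK_SYSTEM_SCOPE` entry in `_ENVIRON_HEADERS` and the `system_scope` key in `to_dict`. A `from_environ` case that sets `'HTTP_OPENSTACK_SYSTEM_SCOPE': 'all'` in the environ and asserts `ctx.system_scope == 'all'`, plus an assertion on `ctx.to_dict()['system_scope']`, would pin both paths and catch a future drift between the header table and the serialized form. The enclosing test method starts and ends outside the hunk.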