Pass context objects to oslo.policy directly

This oslo.policy Enforcer() object understands oslo.context
RequestContext objects and will translate the appropriate policy values
for you if it's passed into enforcement.

This lowers the bar for people interacting with oslo.policy because they
don't have to translate important authorization information from
RequestContext into a dictionary, specifically for policy enforcement.
Instead, they can just pass in the context object and oslo.policy will
know what to do.

This commit updates the policy module to do just that and moves the
credential translations to where it's needed, for logging.

Change-Id: I942da4b1880cf2312af2f8e15aef9f33be991f87
Lance Bragstad 2020-12-11 19:58:34 +00:00
parent fa95ef8772
commit 560de6a37f
1 changed files with 2 additions and 2 deletions

@ -77,17 +77,17 @@ def authorize(context, action, target, do_raise=True):
:returns: non-False value (not necessarily "True") if authorized, and the
exact value False if not authorized and do_raise is False.
"""
credentials = context.to_policy_values()
try:
# NOTE(mriedem): The "action" kwarg is for the PolicyNotAuthorized exc.
return _ENFORCER.authorize(
action, target, credentials, do_raise=do_raise,
action, target, context, do_raise=do_raise,
exc=exception.PolicyNotAuthorized, action=action)
except policy.PolicyNotRegistered:
with excutils.save_and_reraise_exception():
LOG.exception('Policy not registered')
except Exception:
with excutils.save_and_reraise_exception():
credentials = context.to_policy_values()
LOG.debug('Policy check for %(action)s failed with credentials '
'%(credentials)s',
{'action': action, 'credentials': credentials})
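
Review bot: in the `except Exception:` handler, `context.to_policy_values()` now runs inside the `save_and_reraise_exception()` block on every failed check, whether or not debug logging is enabled. If that call raises there, the new exception would propagate in place of the authorization failure the block is meant to re-raise. Consider guarding the translation and the `LOG.debug` call with `LOG.isEnabledFor(logging.DEBUG)`, or otherwise making sure a logging-only failure cannot change which exception the caller sees. The commit shows one changed file, so a test that passes a RequestContext through `authorize()` and asserts that `PolicyNotAuthorized` is still raised would be worth adding alongside it.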