Pass context objects to oslo.policy directly
The oslo.policy Enforcer() object understands oslo.context RequestContext objects and will translate the appropriate policy values for you if it's passed into enforcement. This lowers the bar for people interacting with oslo.policy because they don't have to translate important authorization information from RequestContext into a dictionary, specifically for policy enforcement. Instead, they can just pass in the context object and oslo.policy will know what to do. This commit updates the policy module to do just that and moves the credential translation to where it's needed, for logging. Change-Id: I942da4b1880cf2312af2f8e15aef9f33be991f87
parent
fa95ef8772
commit
560de6a37f
|
@ -77,17 +77,17 @@ def authorize(context, action, target, do_raise=True):
|
|||
:returns: non-False value (not necessarily "True") if authorized, and the
|
||||
exact value False if not authorized and do_raise is False.
|
||||
"""
|
||||
credentials = context.to_policy_values()
|
||||
try:
|
||||
# NOTE(mriedem): The "action" kwarg is for the PolicyNotAuthorized exc.
|
||||
return _ENFORCER.authorize(
|
||||
action, target, credentials, do_raise=do_raise,
|
||||
action, target, context, do_raise=do_raise,
|
||||
exc=exception.PolicyNotAuthorized, action=action)
|
||||
except policy.PolicyNotRegistered:
|
||||
with excutils.save_and_reraise_exception():
|
||||
LOG.exception('Policy not registered')
|
||||
except Exception:
|
||||
with excutils.save_and_reraise_exception():
|
||||
credentials = context.to_policy_values()
|
||||
LOG.debug('Policy check for %(action)s failed with credentials '
|
||||
'%(credentials)s',
|
||||
{'action': action, 'credentials': credentials})
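Review bot: The `credentials = context.to_policy_values()` call now runs inside the `save_and_reraise_exception()` block of the `except Exception` handler, so an error raised while building the log payload would propagate in place of the original authorization failure. The request would still fail closed, but callers that catch `exception.PolicyNotAuthorized` would presumably see an unrelated exception instead of a clean denial. This is unlikely when the enforcer has already accepted the context, yet the logging path should not be able to change the outcome. Consider guarding the conversion so a failure there is swallowed and only the debug line is lost, and add a comment such as `# NOTE: only used for the debug log; must never mask the original policy failure.` The function signature and the start of the docstring are outside this hunk, so whether the `context` parameter is documented as an oslo.context RequestContext cannot be checked from here.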
|
||||
|
|