From 560de6a37f7bb9511be11b00c2adb2a03435360f Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Fri, 11 Dec 2020 19:58:34 +0000 Subject: [PATCH] Pass context objects to oslo.policy directly This oslo.policy Enforcer() object understands oslo.context RequestContext objects and will translate the appropriate policy values for you if it's passed into enforcement. This lowers the bar for people interacting with oslo.policy because they don't have to translate important authorization inforamtion from RequestContext into a dictionary, specifically for policy enforcement. Instead, they can just pass in the context object and oslo.policy will know what to do. This commit updates the policy module to do just that and moves the credential tranlations to where it's needed, for logging. Change-Id: I942da4b1880cf2312af2f8e15aef9f33be991f87 --- placement/policy.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/placement/policy.py b/placement/policy.py index 1710f29e2..cbed50f9b 100644 --- a/placement/policy.py +++ b/placement/policy.py @@ -77,17 +77,17 @@ def authorize(context, action, target, do_raise=True): :returns: non-False value (not necessarily "True") if authorized, and the exact value False if not authorized and do_raise is False. """ - credentials = context.to_policy_values() try: # NOTE(mriedem): The "action" kwarg is for the PolicyNotAuthorized exc. return _ENFORCER.authorize( - action, target, credentials, do_raise=do_raise, + action, target, context, do_raise=do_raise, exc=exception.PolicyNotAuthorized, action=action) except policy.PolicyNotRegistered: with excutils.save_and_reraise_exception(): LOG.exception('Policy not registered') except Exception: with excutils.save_and_reraise_exception(): + credentials = context.to_policy_values() LOG.debug('Policy check for %(action)s failed with credentials ' '%(credentials)s', {'action': action, 'credentials': credentials})
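Review bot: In the `except Exception` handler, `context.to_policy_values()` now runs inside `save_and_reraise_exception()`, so if that call raises, its exception propagates in place of the original enforcement error such as `PolicyNotAuthorized`. The request is still rejected, but a caller that catches the authorization exception to return a clean denial would presumably see an unrelated failure instead. The debug logging should be best-effort, with the credential translation guarded separately as sketched below. The debug line also writes the full credential dict to the log; its fields are not visible in this hunk, so confirm it carries no token material. The start of `authorize` and its docstring lie outside the hunk.

```python
    except Exception:
        with excutils.save_and_reraise_exception():
            # Logging is best-effort; it must not replace the enforcement error.
            try:
                credentials = context.to_policy_values()
            except Exception:
                credentials = '<unavailable>'
            # ... unchanged: LOG.debug call ...
```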