Add project_id based target policy check

Generate project_id target before doing policy check, then the rules like the following can really take effect: - "owner": "project_id:%(project_id)s"
2015-03-13 00:02:08 -04:00 · 2015-03-13 00:02:08 -04:00 · 1cccb953a5
parent 3425f7b16b
commit 1cccb953a5
1 changed files with 7 additions and 1 deletions
--- a/senlin/api/openstack/v1/util.py
+++ b/senlin/api/openstack/v1/util.py
@ -29,9 +29,15 @@ def policy_enforce(handler):
    def handle_cluster_method(controller, req, tenant_id, **kwargs):
        if req.context.tenant_id != tenant_id:
            raise exc.HTTPForbidden()
+
+        # Enable project_id based target check
+        target = {
+            'project_id': tenant_id,
+        }
        allowed = req.context.policy.enforce(context=req.context,
                                             action=handler.__name__,
-                                             scope=controller.REQUEST_SCOPE)
+                                             scope=controller.REQUEST_SCOPE,
+                                             target=target)
        if not allowed:
            raise exc.HTTPForbidden()
        return handler(controller, req, **kwargs)