Set system scope in oslo policy creds object

In tacker.policy.authorize() method, it convert the context object to policy value by context.to_policy_values() and then pass that into oslo.policy enforcer authorize() method. This is fine till now and does not cause any issue but as per SRABC, we need to set if token is system scope (for project scope it is all fine) in oslo policy creds via key 'system'. But context.to_policy_values() method does not set the 'system' key in creds because there it is named as `system_scope`. To fix that we need to explicitly set the 'system' key in creds. Partial implement blueprint implement-project-personas Change-Id: I65d28749a4584661f7f4f596c4d2c39a84730963
2024-01-28 12:01:04 -08:00
parent 71970bc665
commit bd2ff5e817
1 changed files with 20 additions and 0 deletions
--- a/tacker/policy.py
+++ b/tacker/policy.py
@@ -188,6 +188,20 @@ def authorize(context, action, target, do_raise=True, exc=None):

    init()
    credentials = context.to_policy_values()
+    # NOTE(gmann): For system, scope token, oslo.policy check
+    # for a key 'system' in creds. The oslo.context library uses
+    # `system_scope` instead. Because we are converting the context
+    # attribute to creds via context.to_policy_values which does not
+    # convert 'system_scope' key. There are two ways to solve this:
+    # 1. Pass full context to oslo.policy and their it convert this key
+    # but Tacker has special case of enhanced policy conversion
+    # (via _pre_enhanced_policy_check(), method which sets its own
+    # key in creds. So passing full context to oslo.policy make enhance
+    # policy conversion more complex.
+    # 2. Set 'system' key in creds explicitly. This is easy and more
+    # readable way.
+    if context.system_scope:
+        credentials['system'] = context.system_scope
    target, credentials = _pre_enhanced_policy_check(target, credentials)
    if not exc:
        exc = exceptions.PolicyNotAuthorized
@@ -197,6 +211,12 @@ def authorize(context, action, target, do_raise=True, exc=None):
    except policy.PolicyNotRegistered:
        with excutils.save_and_reraise_exception():
            LOG.error('Policy not registered')
+    except policy.InvalidScope:
+        LOG.debug('Policy check for %(action)s failed with scope check '
+                  '%(credentials)s',
+                  {'action': action,
+                   'credentials': credentials})
+        raise exc(action=action)
    except Exception:
        with excutils.save_and_reraise_exception():
            LOG.error('Policy check for %(action)s failed with credentials '