Add default policy rule

If a specific rule is not found, we will check the rule defined in FLAGS.policy_default_action. Change-Id: Ib1b1aa4bbeec74bdb1562d0fc649d33838076f01
2012-01-16 15:28:49 -08:00
parent baa5476901
commit 4b8356ac85
2 changed files with 17 additions and 8 deletions
--- a/nova/common/policy.py
+++ b/nova/common/policy.py
@@ -104,13 +104,14 @@ def enforce(match_list, target_dict, credentials_dict):
 class Brain(object):
    """Implements policy checking."""
    @classmethod
-    def load_json(cls, data):
+    def load_json(cls, data, default_rule=None):
        """Init a brain using json instead of a rules dictionary."""
        rules_dict = json.loads(data)
-        return cls(rules=rules_dict)
+        return cls(rules=rules_dict, default_rule=default_rule)

-    def __init__(self, rules=None):
+    def __init__(self, rules=None, default_rule=None):
        self.rules = rules or {}
+        self.default_rule = default_rule

    def add_rule(self, key, match):
        self.rules[key] = match
@@ -154,7 +155,11 @@ class Brain(object):
        try:
            new_match_list = self.rules[match]
        except KeyError:
-            return False
+            if self.default_rule and match != self.default_rule:
+                new_match_list = ('rule:%s' % self.default_rule,)
+            else:
+                return False
+
        return self.check(new_match_list, target_dict, cred_dict)

    def _check_role(self, match, target_dict, cred_dict):
--- a/nova/policy.py
+++ b/nova/policy.py
@@ -25,6 +25,8 @@ from nova import utils
 FLAGS = flags.FLAGS
 flags.DEFINE_string('policy_file', 'policy.json',
                    _('JSON file representing policy'))
+flags.DEFINE_string('policy_default_rule', 'default',
+                    _('Rule checked when requested rule is not found'))

 _POLICY_PATH = None
 _POLICY_CACHE = {}
@@ -48,7 +50,8 @@ def init():


 def _set_brain(data):
-    policy.set_brain(policy.HttpBrain.load_json(data))
+    default_rule = FLAGS.policy_default_rule
+    policy.set_brain(policy.HttpBrain.load_json(data, default_rule))


 def enforce(context, action, target):
@@ -69,10 +72,11 @@ def enforce(context, action, target):

    """
    init()
+
    match_list = ('rule:%s' % action,)
-    target_dict = target
-    credentials_dict = context.to_dict()
+    credentials = context.to_dict()
+
    try:
-        policy.enforce(match_list, target_dict, credentials_dict)
+        policy.enforce(match_list, target, credentials)
    except policy.NotAuthorized:
        raise exception.PolicyNotAuthorized(action=action)