Fix is_admin check via policy

When we create an admin context internally, we need to make sure that all of the policy actions that are available to that context are still available. This wasn't working in some cases because we were looking for a hard-coded role called 'admin'. Fixes bug 1039093 Change-Id: I939f834a63c9e6e6e7c87b115bd469466da66a69
2012-08-20 10:11:34 -07:00 · 2012-08-20 10:11:34 -07:00 · 5b97dfc648
commit 5b97dfc648
parent fe9bf4a7b3
2 changed files with 8 additions and 3 deletions
--- a/nova/policy.py
+++ b/nova/policy.py
@ -90,17 +90,22 @@ def enforce(context, action, target):
    match_list = ('rule:%s' % action,)
    credentials = context.to_dict()

+    # NOTE(vish): This is to work around the following launchpad bug:
+    #             https://bugs.launchpad.net/openstack-common/+bug/1039132
+    #             It can be removed when that bug is fixed.
+    credentials['is_admin'] = unicode(credentials['is_admin'])
+
    policy.enforce(match_list, target, credentials,
                   exception.PolicyNotAuthorized, action=action)


-def check_admin_role(roles):
+def check_is_admin(roles):
    """Whether or not roles contains 'admin' role according to policy setting.

    """
    init()

-    action = 'admin'
+    action = 'context_is_admin'
    match_list = ('rule:%s' % action,)
    target = {}
    credentials = {'roles': roles}
--- a/nova/tests/policy.json
+++ b/nova/tests/policy.json
@ -1,5 +1,5 @@
 {
-    "admin": [["role:admin"], ["role:administrator"]],
+    "context_is_admin": [["role:admin"], ["role:administrator"]],
    "compute:create": [],
    "compute:create:attach_network": [],
    "compute:create:attach_volume": [],