Policy bug fixes.

Change-Id: I2fab74a7bf1b7d9f36b1c3b8e555902b94c2a89b
This commit is contained in:
François Rossigneux 2013-09-20 11:30:21 +02:00
parent f7c77bb200
commit 8c5d8610aa
4 changed files with 11 additions and 60 deletions

View File

@ -91,7 +91,7 @@ def check_drivers_alive():
if not driver_thread.is_alive():
LOG.warning('%s(probe_ids=%s, kwargs=%s) is crashed'
% (driver_thread.__class__.__name__,
driver_thread.probe_ids, driver_thread.kwargs))
driver_thread.probe_ids, driver_thread.kwargs))
new_thread = load_driver(driver_thread.__class__.__name__,
driver_thread.probe_ids,
driver_thread.kwargs

View File

@ -20,8 +20,9 @@ import flask
import keystoneclient.middleware.auth_token as auth_token
from oslo.config import cfg
from kwapi import policy
from kwapi.openstack.common import policy
_ENFORCER = None
OPT_GROUP_NAME = 'keystone_authtoken'
@ -46,5 +47,10 @@ def install(app, conf):
def check():
"""Checks application access."""
headers = flask.request.headers
if not policy.check_is_admin(headers.get('X-Roles', "").split(",")):
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer()
if not _ENFORCER.enforce('context_is_admin',
{},
{'roles': headers.get('X-Roles', "").split(",")}):
return "Access denied", 401

View File

@ -158,8 +158,8 @@ def create_rrd_file(filename):
for scale in scales.keys():
args.append('RRA:AVERAGE:0.5:%s:%s'
% (scales[scale][0]['resolution'],
scales[scale][0]['interval'] /
scales[scale][0]['resolution']))
scales[scale][0]['interval'] /
scales[scale][0]['resolution']))
rrdtool.create(args)

View File

@ -1,55 +0,0 @@
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright (c) 2011 OpenStack, LLC.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""Policy Engine For Kwapi"""
import os
from oslo.config import cfg
from kwapi.openstack.common import policy
from kwapi import utils
_POLICY_PATH = None
_POLICY_CACHE = {}
def init():
global _POLICY_PATH
global _POLICY_CACHE
if not _POLICY_PATH:
_POLICY_PATH = cfg.CONF.policy_file
if not os.path.exists(_POLICY_PATH):
_POLICY_PATH = cfg.CONF.find_file(_POLICY_PATH)
if not _POLICY_PATH:
raise cfg.ConfigFilesNotFoundError([cfg.CONF.policy_file])
utils.read_cached_file(_POLICY_PATH, _POLICY_CACHE,
reload_func=_set_rules)
def _set_rules(data):
default_rule = cfg.CONF.policy_default_rule
policy.set_rules(policy.Rules.load_json(data, default_rule))
def check_is_admin(roles):
"""Whether or not roles contains 'admin' role according to policy setting.
"""
init()
return policy.check('context_is_admin', {}, {'roles': roles})