From 8c5d8610aa341cdd0927d87a80f31b46a252b5cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Rossigneux?= Date: Fri, 20 Sep 2013 11:30:21 +0200 Subject: [PATCH] Policy bug fixes. Change-Id: I2fab74a7bf1b7d9f36b1c3b8e555902b94c2a89b --- kwapi/drivers/driver_manager.py | 2 +- kwapi/plugins/api/acl.py | 10 ++++-- kwapi/plugins/rrd/rrd.py | 4 +-- kwapi/policy.py | 55 --------------------------------- 4 files changed, 11 insertions(+), 60 deletions(-) delete mode 100644 kwapi/policy.py diff --git a/kwapi/drivers/driver_manager.py b/kwapi/drivers/driver_manager.py index 2b263cd..7dc9846 100644 --- a/kwapi/drivers/driver_manager.py +++ b/kwapi/drivers/driver_manager.py @@ -91,7 +91,7 @@ def check_drivers_alive(): if not driver_thread.is_alive(): LOG.warning('%s(probe_ids=%s, kwargs=%s) is crashed' % (driver_thread.__class__.__name__, - driver_thread.probe_ids, driver_thread.kwargs)) + driver_thread.probe_ids, driver_thread.kwargs)) new_thread = load_driver(driver_thread.__class__.__name__, driver_thread.probe_ids, driver_thread.kwargs diff --git a/kwapi/plugins/api/acl.py b/kwapi/plugins/api/acl.py index 7b36a8d..83e2f2e 100644 --- a/kwapi/plugins/api/acl.py +++ b/kwapi/plugins/api/acl.py @@ -20,8 +20,9 @@ import flask import keystoneclient.middleware.auth_token as auth_token from oslo.config import cfg -from kwapi import policy +from kwapi.openstack.common import policy +_ENFORCER = None OPT_GROUP_NAME = 'keystone_authtoken' @@ -46,5 +47,10 @@ def install(app, conf): def check(): """Checks application access.""" headers = flask.request.headers - if not policy.check_is_admin(headers.get('X-Roles', "").split(",")): + global _ENFORCER + if not _ENFORCER: + _ENFORCER = policy.Enforcer() + if not _ENFORCER.enforce('context_is_admin', + {}, + {'roles': headers.get('X-Roles', "").split(",")}): return "Access denied", 401 diff --git a/kwapi/plugins/rrd/rrd.py b/kwapi/plugins/rrd/rrd.py index d411deb..fbca801 100644 --- a/kwapi/plugins/rrd/rrd.py 
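Review bot: In `check()` in kwapi/plugins/api/acl.py the admin decision rests entirely on the `X-Roles` request header, and nothing in the hunk shows that a client-supplied value is discarded before it gets here. That presumably depends on the keystone auth_token middleware set up in `install()`, whose body lies outside the hunk, so a comment should say so, e.g. `# X-Roles is only trustworthy behind auth_token, which must overwrite any client-sent value`. The parsing is also loose: `"".split(",")` yields `['']` when the header is missing and padded entries such as `' admin'` are passed through unstripped, so I would build the list as `roles = [r.strip() for r in headers.get('X-Roles', '').split(',') if r.strip()]` and pass `{'roles': roles}`. The lazy `if not _ENFORCER:` would read better as `if _ENFORCER is None:`. Separately, the unchanged deny path answers 401 to a caller who may be authenticated but not admin, where 403 would describe the outcome more accurately.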
+++ b/kwapi/plugins/rrd/rrd.py @@ -158,8 +158,8 @@ def create_rrd_file(filename): for scale in scales.keys(): args.append('RRA:AVERAGE:0.5:%s:%s' % (scales[scale][0]['resolution'], - scales[scale][0]['interval'] / - scales[scale][0]['resolution'])) + scales[scale][0]['interval'] / + scales[scale][0]['resolution'])) rrdtool.create(args) diff --git a/kwapi/policy.py b/kwapi/policy.py deleted file mode 100644 index 79a113f..0000000 --- a/kwapi/policy.py +++ /dev/null 
@@ -1,55 +0,0 @@
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
-
-# Copyright (c) 2011 OpenStack, LLC.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""Policy Engine For Kwapi"""
-
-import os
-
-from oslo.config import cfg
-
-from kwapi.openstack.common import policy
-from kwapi import utils
-
-_POLICY_PATH = None
-_POLICY_CACHE = {}
-
-
-def init():
- global _POLICY_PATH
- global _POLICY_CACHE
- if not _POLICY_PATH:
- _POLICY_PATH = cfg.CONF.policy_file
- if not os.path.exists(_POLICY_PATH):
- _POLICY_PATH = cfg.CONF.find_file(_POLICY_PATH)
- if not _POLICY_PATH:
- raise cfg.ConfigFilesNotFoundError([cfg.CONF.policy_file])
- utils.read_cached_file(_POLICY_PATH, _POLICY_CACHE,
- reload_func=_set_rules)
-
-
-def _set_rules(data):
- default_rule = cfg.CONF.policy_default_rule
- policy.set_rules(policy.Rules.load_json(data, default_rule))
-
-
-def check_is_admin(roles):
- """Whether or not roles contains 'admin' role according to policy setting.
-
- """
- init()
-
- return policy.check('context_is_admin', {}, {'roles': roles})