Merge "Remove the policy check with function's parameter"
commit
481a491592
mogan
@ -90,21 +90,9 @@ instance_policies = [
|
|||||||
policy.RuleDefault('mogan:instance:update',
|
policy.RuleDefault('mogan:instance:update',
|
||||||
'rule:default',
|
'rule:default',
|
||||||
description='Update Instance records'),
|
description='Update Instance records'),
|
||||||
policy.RuleDefault('mogan:instance:set_power_state:on',
|
policy.RuleDefault('mogan:instance:set_power_state',
|
||||||
'rule:default',
|
'rule:default',
|
||||||
description='Start an instance'),
|
description='Perform the power action on an instance'),
|
||||||
policy.RuleDefault('mogan:instance:set_power_state:off',
|
|
||||||
'rule:default',
|
|
||||||
description='Stop an instance'),
|
|
||||||
policy.RuleDefault('mogan:instance:set_power_state:soft_off',
|
|
||||||
'rule:default',
|
|
||||||
description='Soft stop an instance'),
|
|
||||||
policy.RuleDefault('mogan:instance:set_power_state:reboot',
|
|
||||||
'rule:default',
|
|
||||||
description='Reboot an instance'),
|
|
||||||
policy.RuleDefault('mogan:instance:set_power_state:soft_reboot',
|
|
||||||
'rule:default',
|
|
||||||
description='Soft reboot an instance'),
|
|
||||||
policy.RuleDefault('mogan:instance:get_networks',
|
policy.RuleDefault('mogan:instance:get_networks',
|
||||||
'rule:default',
|
'rule:default',
|
||||||
description='Get Instance network information'),
|
description='Get Instance network information'),
|
||||||
@ -117,16 +105,11 @@ instance_policies = [
|
|||||||
policy.RuleDefault('mogan:instance:set_lock_state',
|
policy.RuleDefault('mogan:instance:set_lock_state',
|
||||||
'rule:default',
|
'rule:default',
|
||||||
description='Lock/UnLock an instance'),
|
description='Lock/UnLock an instance'),
|
||||||
policy.RuleDefault('mogan:instance:set_provision_state:rebuild',
|
policy.RuleDefault('mogan:instance:set_provision_state',
|
||||||
'rule:default',
|
'rule:default',
|
||||||
description='Rebuild an instance'),
|
description='Set the provision state of an instance'),
|
||||||
]
|
]
|
||||||
|
|
||||||
FUNC_PARAMS_INTERESTED = {
|
|
||||||
'power': ['target'],
|
|
||||||
'provision': ['target']
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
def list_policies():
|
def list_policies():
|
||||||
policies = (default_policies
|
policies = (default_policies
|
||||||
@ -196,21 +179,6 @@ def authorize(rule, target, creds, *args, **kwargs):
|
|||||||
raise exception.HTTPForbidden(resource=rule)
|
raise exception.HTTPForbidden(resource=rule)
|
||||||
|
|
||||||
|
|
||||||
def _add_action_extra(action, fn, *args, **kwargs):
|
|
||||||
func_name = fn.__name__
|
|
||||||
if func_name in FUNC_PARAMS_INTERESTED:
|
|
||||||
fn_args = fn.__dict__['_pecan']['argspec'][0][1:]
|
|
||||||
for param in FUNC_PARAMS_INTERESTED[func_name]:
|
|
||||||
if param in kwargs:
|
|
||||||
if kwargs[param]:
|
|
||||||
action = '%s:%s' % (action, kwargs[param])
|
|
||||||
elif param in fn_args:
|
|
||||||
param_value = args[fn_args.index(param)]
|
|
||||||
if param_value:
|
|
||||||
action = '%s:%s' % (action, param_value)
|
|
||||||
return action
|
|
||||||
|
|
||||||
|
|
||||||
# NOTE(Shaohe Feng): This decorator MUST appear first (the outermost
|
# NOTE(Shaohe Feng): This decorator MUST appear first (the outermost
|
||||||
# decorator) on an API method for it to work correctly
|
# decorator) on an API method for it to work correctly
|
||||||
def authorize_wsgi(api_name, act=None, need_target=True):
|
def authorize_wsgi(api_name, act=None, need_target=True):
|
||||||
@ -221,7 +189,7 @@ def authorize_wsgi(api_name, act=None, need_target=True):
|
|||||||
:param need_target: Whether need target for authorization. Such as,
|
:param need_target: Whether need target for authorization. Such as,
|
||||||
when create some resource , maybe target is not needed.
|
when create some resource , maybe target is not needed.
|
||||||
example:
|
example:
|
||||||
from magnum.common import policy
|
from mogan.common import policy
|
||||||
class InstancesController(rest.RestController):
|
class InstancesController(rest.RestController):
|
||||||
....
|
....
|
||||||
@policy.authorize_wsgi("mogan:instance", "delete")
|
@policy.authorize_wsgi("mogan:instance", "delete")
|
||||||
@ -276,12 +244,10 @@ def authorize_wsgi(api_name, act=None, need_target=True):
|
|||||||
# the credentials with itself.
|
# the credentials with itself.
|
||||||
target = {'project_id': context.tenant,
|
target = {'project_id': context.tenant,
|
||||||
'user_id': context.user}
|
'user_id': context.user}
|
||||||
action_with_extra = _add_action_extra(action, fn, *args, **kwargs)
|
|
||||||
try:
|
try:
|
||||||
authorize(action_with_extra, target, credentials)
|
authorize(action, target, credentials)
|
||||||
except Exception:
|
except Exception:
|
||||||
return return_error(403)
|
return return_error(403)
|
||||||
|
|
||||||
return fn(self, *args, **kwargs)
|
return fn(self, *args, **kwargs)
|
||||||
return handle
|
return handle
|
||||||
|
|
||||||
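Review bot: Collapsing the `mogan:instance:set_power_state:on`/`off`/`soft_off`/`reboot`/`soft_reboot` rules and `mogan:instance:set_provision_state:rebuild` into two parent rules changes what existing operator policy files mean, and nothing in this change signals that to deployers. An override keyed on one of the removed names no longer matches the action passed to `authorize(action, target, credentials)`, so the request is presumably evaluated against the new rule's `'rule:default'` instead. A deployment that had restricted reboot or rebuild more tightly than the default would lose that restriction on upgrade without any error. I would add an upgrade release note listing the removed rule names and, where the oslo.policy version in use provides a deprecated-rule mechanism, register the old names there so stale overrides are reported rather than ignored. A comment above the new default, e.g. `# One rule now covers every power target; per-target rules (on/off/reboot/...) were removed`, would also record the loss of granularity; the body of `authorize_wsgi` extends outside the hunks shown.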
|
@ -31,15 +31,10 @@ class TestAuthorizeWsgi(base.TestCase):
|
|||||||
def power(self, instance_uuid, target):
|
def power(self, instance_uuid, target):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
power.__dict__['_pecan'] = {
|
|
||||||
'argspec': [['self', 'instance_uuid', 'target']]}
|
|
||||||
self.fake_power = power
|
|
||||||
|
|
||||||
def lock(self, instance_uuid, target):
|
def lock(self, instance_uuid, target):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
lock.__dict__['_pecan'] = {
|
self.fake_power = power
|
||||||
'argspec': [['self', 'instance_uuid', 'target']]}
|
|
||||||
self.fake_lock = lock
|
self.fake_lock = lock
|
||||||
|
|
||||||
@mock.patch('pecan.request')
|
@mock.patch('pecan.request')
|
||||||
@ -69,7 +64,7 @@ class TestAuthorizeWsgi(base.TestCase):
|
|||||||
'reboot')
|
'reboot')
|
||||||
self.assertEqual(403, mocked_pecan_response.status)
|
self.assertEqual(403, mocked_pecan_response.status)
|
||||||
self.assertEqual('Access was denied to the following resource: '
|
self.assertEqual('Access was denied to the following resource: '
|
||||||
'mogan:instance:set_power_state:reboot',
|
'mogan:instance:set_power_state',
|
||||||
data['faultstring'])
|
data['faultstring'])
|
||||||
|
|
||||||
@mock.patch('pecan.request')
|
@mock.patch('pecan.request')
|
||||||
|