| author | Jenkins <jenkins@review.openstack.org> | 2012-03-19 18:01:19 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2012-03-19 18:01:19 +0000 |
| commit | 5027c9d7150815abe1dde7e4d85d41eb2d0fad4d (patch) | |
| tree | 42d2b9f0974975d76467e625f4c95b1000b2d40b | |
| parent | 7c1e32bba6837eb0937e6e7567aa5e7981db7fec (diff) | |
| parent | 56e41037ba41b2507722dcbc54157cfe4cf4535f (diff) | |
Merge "docstring cleanup to remove sphinx warnings"
| -rw-r--r-- | keystone/common/policy.py | 17 | ||||
| -rw-r--r-- | keystone/policy/backends/rules.py | 6 |
2 files changed, 14 insertions, 9 deletions
diff --git a/keystone/common/policy.py b/keystone/common/policy.py
index 34492f73..b90f98cb 100644
--- a/keystone/common/policy.py
+++ b/keystone/common/policy.py
@@ -49,6 +49,7 @@ def enforce(match_list, target_dict, credentials_dict): """Enforces authorization of some rules against credentials. :param match_list: nested tuples of data to match against + The basic brain supports three types of match lists: 1) rules looks like: ('rule:compute:get_instance',)
@@ -68,14 +69,14 @@ def enforce(match_list, target_dict, credentials_dict): perform simple boolean logic. For example, the following rule would return True if the creds contain the role 'admin' OR the if the tenant_id matches the target dict AND the the creds contains the - role 'compute_sysadmin': + role 'compute_sysadmin':: - { - "rule:combined": ( - 'role:admin', - ('tenant_id:%(tenant_id)s', 'role:compute_sysadmin') - ) - } + { + "rule:combined": ( + 'role:admin', + ('tenant_id:%(tenant_id)s', 'role:compute_sysadmin') + ) + } Note that rule and role are reserved words in the credentials match, so
@@ -84,10 +85,12 @@ def enforce(match_list, target_dict, credentials_dict): reserved word. :param target_dict: dict of object properties + Target dicts contain as much information as we can about the object being operated on. :param credentials_dict: dict of actor properties + Credentials dicts contain as much information as we can about the user performing the action.
diff --git a/keystone/policy/backends/rules.py b/keystone/policy/backends/rules.py
index 1d12a999..56c01bd3 100644
--- a/keystone/policy/backends/rules.py
+++ b/keystone/policy/backends/rules.py
@@ -76,14 +76,16 @@ def enforce(credentials, action, target): :param credentials: user credentials :param action: string representing the action to be checked + this should be colon separated for clarity. i.e. compute:create_instance compute:attach_volume volume:attach_volume :param object: dictionary representing the object of the action - for object creation this should be a dictionary representing the - location of the object e.g. {'tenant_id': object.tenant_id} + for object creation this should be a dictionary + representing the location of the object e.g. + {'tenant_id': object.tenant_id} :raises: `exception.Forbidden` if verification fails. |
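Review bot: The docstring still describes the third argument as `:param object:`, but the signature shown in the hunk header is `enforce(credentials, action, target)`, so the rendered docs name a parameter that does not exist and leave `target` undocumented. Because this is the policy enforcement entry point, callers need to know which argument carries the `tenant_id` used in the authorization check; the field should read `:param target: dictionary representing the object of the action`. The last field would also render more reliably in the typed form `:raises exception.Forbidden: if verification fails`. The function body starts and ends outside the hunk, so how `target` is actually used cannot be confirmed from here.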
