| author | termie <github@anarkystic.com> | 2011-11-17 11:58:43 -0800 |
|---|---|---|
| committer | termie <github@anarkystic.com> | 2011-11-17 11:58:43 -0800 |
| commit | 860aa86e0305c8cdc4cc509e971c39003ef0a5ea (patch) | |
| tree | 54fb8d5c82c9733977b6baf09360c414aa05c24c | |
| parent | 63943c98c6ed74d42398bda38b4ddfbc3ddd4283 (diff) | |
add the policy code
| -rw-r--r-- | keystonelight/backends/policy.py | 23 | ||||
| -rw-r--r-- | keystonelight/keystone_compat.py | 11 | ||||
| -rw-r--r-- | keystonelight/policy.py | 18 |
3 files changed, 50 insertions, 2 deletions
diff --git a/keystonelight/backends/policy.py b/keystonelight/backends/policy.py
new file mode 100644
index 00000000..780cf0aa
--- /dev/null
+++ b/keystonelight/backends/policy.py
@@ -0,0 +1,23 @@
+
+
+class TrivialTrue(object):
+ def __init__(self, options):
+ self.options = options
+
+ def can_haz(self, target, credentials):
+ return True
+
+
+class SimpleMatch(object):
+ def __init__(self, options):
+ self.options = options
+
+ def can_haz(self, target, credentials):
+ """Check whether key-values in target are present in credentials."""
+ # TODO(termie): handle ANDs, probably by providing a tuple instead of a
+ # string
+ for requirement in target:
+ key, match = requirement.split(':', 1)
+ check = credentials.get(key)
+ if check == match:
+ return True
diff --git a/keystonelight/keystone_compat.py b/keystonelight/keystone_compat.py
index 83fb5700..807a10bc 100644
--- a/keystonelight/keystone_compat.py
+++ b/keystonelight/keystone_compat.py
@@ -44,7 +44,6 @@ class KeystoneController(service.BaseApplication):
 self.identity_api = identity.Manager(options)
 self.token_api = token.Manager(options)
 self.policy_api = policy.Manager(options)
- pass
 
 def noop(self, context):
 return {}
@@ -155,7 +154,15 @@ class KeystoneController(service.BaseApplication):
 Optionally, also ensure that it is owned by a specific tenant.
 
 """
- assert context['is_admin']
+ # TODO(termie): this stuff should probably be moved to middleware
+ if not context['is_admin']:
+ user_token_ref = self.token_api.get_token(context['token_id'])
+ creds = user_token_ref['extras'].copy()
+ creds['user_id'] = user_token_ref['user'].get('id')
+ creds['tenant_id'] = user_token_ref['tenant'].get('id')
+ # Accept either is_admin or the admin role
+ assert self.policy_api.can_haz(('is_admin:1', 'roles:admin'),
+ creds)
 
 token_ref = self.token_api.get_token(context=context,
 token_id=token_id)
diff --git a/keystonelight/policy.py b/keystonelight/policy.py
new file mode 100644
index 00000000..147c6501
--- /dev/null
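Review bot: `SimpleMatch.can_haz` compares each credential value with the text after the colon, so a target such as `'is_admin:1'` only matches when `credentials['is_admin']` is the string `'1'`; if the token extras carry a boolean or integer there, or `roles` is a list rather than a single string, every caller fails closed without any signal. Whether those value shapes occur cannot be told from this hunk, so either the matcher should handle them or the docstring should state that credential values must be strings and `roles` a single string. The loop falls off the end with an implicit `None` when nothing matches; an explicit `return False` after the loop makes the contract plain. `requirement.split(':', 1)` raises `ValueError` on a target entry without a colon, which is probably acceptable for programmer-supplied targets but deserves a one-line comment saying so.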
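Review bot: The authorization decision in the non-admin branch is an `assert`, which is compiled out under `python -O`, so the admin check vanishes entirely in optimized mode; replace the two added `assert self.policy_api.can_haz(...)` lines with `if not self.policy_api.can_haz(('is_admin:1', 'roles:admin'), creds):` followed by raising whatever unauthorized/forbidden exception this application uses. The call also passes two positional arguments while `policy.Manager.can_haz` in this same commit is declared as `can_haz(self, context, target, credentials)`, so this branch would raise `TypeError` before the policy is consulted; either pass `context` or drop the unused parameter on the manager. `context['is_admin']` and `context['token_id']` are indexed directly, so a request lacking them surfaces as `KeyError`, and `user_token_ref['tenant'].get('id')` fails if `tenant` is `None` (whether that can happen is not visible here). The new `get_token(context['token_id'])` call is positional while the existing call just below uses `context=`/`token_id=` keywords, which is worth confirming against the token manager's signature. The enclosing method starts outside the hunk.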
+++ b/keystonelight/policy.py
@@ -0,0 +1,18 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# the catalog interfaces
+
+import uuid
+
+from keystonelight import utils
+
+
+class Manager(object):
+ def __init__(self, options):
+ self.options = options
+ self.driver = utils.import_object(options['policy_driver'],
+ options=options)
+
+ def can_haz(self, context, target, credentials):
+ """Check whether the given creds can perform action on target."""
+ return self.driver.can_haz(target, credentials) |
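Review bot: `import uuid` is never used in the new module, and the header comment `# the catalog interfaces` looks copied from another module; `# the policy interfaces` describes this file. `Manager.can_haz` accepts `context` but never forwards it to the driver, so the parameter is dead in this revision; if it is reserved for later use, a note such as `# context is currently unused; drivers receive only target and credentials` would stop callers from guessing at its role. The docstring could also state that `target` is an iterable of `'key:value'` strings and that the result is truthy on a match, since that is the contract the `SimpleMatch` backend added in this commit implements, and that the return value comes straight from the driver rather than being normalised to a bool.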
