author | termie <github@anarkystic.com> | 2012-02-28 16:50:48 -0800 |
---|---|---|
committer | termie <github@anarkystic.com> | 2012-03-08 14:06:32 -0800 |
commit | a2f2274c69df2ca5b040a69173f3eb7eb030c561 (patch) | |
tree | c57294737b6fe1bda4706d95e08863d4f81c958e /keystone/policy | |
parent | e5254d48b133f3ec9798cc8eb48a03cb69ff2d97 (diff) | |
port common policy code to keystone
keystone.common.policy is copied from nova
leave simple backend in as a shim until devstack stops referencing it
Change-Id: Ibd579cfeb99465706d525b6565818a2d8f5f3b7c
Diffstat (limited to 'keystone/policy')
-rw-r--r-- | keystone/policy/backends/rules.py | 104 | ||||
-rw-r--r-- | keystone/policy/backends/simple.py | 22 | ||||
-rw-r--r-- | keystone/policy/core.py | 10 |
3 files changed, 118 insertions, 18 deletions
diff --git a/keystone/policy/backends/rules.py b/keystone/policy/backends/rules.py
new file mode 100644
index 00000000..1d12a999
--- /dev/null
+++ b/keystone/policy/backends/rules.py
@@ -0,0 +1,104 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright (c) 2011 OpenStack, LLC.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""Rules-based Policy Engine."""
+
+from keystone import config
+from keystone import exception
+from keystone import policy
+from keystone.common import logging
+from keystone.common import policy as common_policy
+from keystone.common import utils
+from keystone.openstack.common import cfg
+
+
+policy_opts = [
+ cfg.StrOpt('policy_file',
+ default='policy.json',
+ help=_('JSON file representing policy')),
+ cfg.StrOpt('policy_default_rule',
+ default='default',
+ help=_('Rule checked when requested rule is not found')),
+ ]
+
+
+CONF = config.CONF
+CONF.register_opts(policy_opts)
+
+
+LOG = logging.getLogger('keystone.policy.backends.rules')
+
+
+_POLICY_PATH = None
+_POLICY_CACHE = {}
+
+
+def reset():
+ global _POLICY_PATH
+ global _POLICY_CACHE
+ _POLICY_PATH = None
+ _POLICY_CACHE = {}
+ common_policy.reset()
+
+
+def init():
+ global _POLICY_PATH
+ global _POLICY_CACHE
+ if not _POLICY_PATH:
+ _POLICY_PATH = utils.find_config(CONF.policy_file)
+ utils.read_cached_file(_POLICY_PATH,
+ _POLICY_CACHE,
+ reload_func=_set_brain)
+
+
+def _set_brain(data):
+ default_rule = CONF.policy_default_rule
+ common_policy.set_brain(
+ common_policy.HttpBrain.load_json(data, default_rule))
+
+
+def enforce(credentials, action, target):
+ """Verifies that the action is valid on the target in this
context.
+
+ :param credentials: user credentials
+ :param action: string representing the action to be checked
+ this should be colon separated for clarity.
+ i.e. compute:create_instance
+ compute:attach_volume
+ volume:attach_volume
+
+ :param object: dictionary representing the object of the action
+ for object creation this should be a dictionary representing the
+ location of the object e.g. {'tenant_id': object.tenant_id}
+
+ :raises: `exception.Forbidden` if verification fails.
+
+ """
+ init()
+
+ match_list = ('rule:%s' % action,)
+
+ try:
+ common_policy.enforce(match_list, target, credentials)
+ except common_policy.NotAuthorized:
+ raise exception.Forbidden(action=action)
+
+
+class Policy(policy.Driver):
+ def enforce(self, credentials, action, target):
+ LOG.debug('enforce %s: %s', action, credentials)
+ enforce(credentials, action, target)
diff --git a/keystone/policy/backends/simple.py b/keystone/policy/backends/simple.py
index ed357425..9d490f6c 100644
--- a/keystone/policy/backends/simple.py
+++ b/keystone/policy/backends/simple.py
@@ -14,24 +14,10 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+# This file exists as a shim to get devstack testing to pass.
+# It will be removed once devstack has been updated.
-from keystone.common import logging
+from keystone.policy.backends import rules
-class TrivialTrue(object):
- def can_haz(self, target, credentials):
- return True
-
-
-class SimpleMatch(object):
- def can_haz(self, target, credentials):
- """Check whether key-values in target are present in credentials."""
- # TODO(termie): handle ANDs, probably by providing a tuple instead of a
- # string
- for requirement in target:
- key, match = requirement.split(':', 1)
- check = credentials.get(key)
- if check is None or isinstance(check, basestring):
- check = [check]
- if match in check:
- return True
+SimpleMatch = rules.Policy 
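Review bot: `Policy.enforce` writes the entire `credentials` dict to the log at debug level (`LOG.debug('enforce %s: %s', action, credentials)`), and on this path that dict presumably carries the caller's token and identity data, so any deployment running at debug copies it verbatim into the log file. Log only what is needed to trace the decision — e.g. `LOG.debug('enforce %s', action)` — or an explicit subset of keys known to be non-sensitive. Separately, the `policy_default_rule` help text says a rule that is absent from the policy file is answered by the `default` rule instead of being denied, so a mistyped action string silently inherits whatever `default` says; the option's help should state that the policy file's `default` rule is expected to deny. The `enforce` docstring also documents the last parameter as `:param object:` while the signature names it `target`; align the name so readers know which argument the rule is matched against.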
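Review bot: `SimpleMatch = rules.Policy` keeps the old class name but not the old interface — the removed `SimpleMatch` exposed `can_haz(self, target, credentials)`, whereas `rules.Policy` exposes `enforce(self, credentials, action, target)`, so a caller still using the `can_haz` form gets an AttributeError rather than a policy decision, and `TrivialTrue` has no replacement at all. If the shim exists only so a configured driver path (presumably `CONF.policy.driver`) still resolves, say so explicitly: `# Only the class name is kept so existing config still resolves; the can_haz() interface is gone.`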
diff --git a/keystone/policy/core.py b/keystone/policy/core.py
index fea1ef81..a89c6083 100644
--- a/keystone/policy/core.py
+++ b/keystone/policy/core.py
@@ -33,3 +33,13 @@ class Manager(manager.Manager):
 def __init__(self):
 super(Manager, self).__init__(CONF.policy.driver)
+
+
+class Driver(object):
+ def enforce(context, credentials, action, target):
+ """Verify that a user is authorized to perform action.
+
+ For more information on a full implementation of this see:
+ `keystone.common.policy.enforce`.
+ """
+ raise NotImplementedError() |
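Review bot: `Driver.enforce` is declared as `def enforce(context, credentials, action, target)` with no `self`, so when it is called as a bound method the first positional parameter — named `context` — is actually the instance, and the abstract signature disagrees with the concrete `rules.Policy.enforce(self, credentials, action, target)` added in this same commit. Change it to `def enforce(self, credentials, action, target):` so the base class and its implementation agree, and extend the docstring to name each parameter (the caller's credentials, the `rule:`-prefixed action string, and the target dict the rule is matched against) and to state that the method raises rather than returns on denial.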