author | Henry Nash <henryn@linux.vnet.ibm.com> | 2013-02-16 03:44:34 +0000 |
---|---|---|
committer | Henry Nash <henryn@linux.vnet.ibm.com> | 2013-02-19 08:52:26 +0000 |
commit | a7149c0133a0c62c86a6321e6b793cf91e951ca4 (patch) | |
tree | 023ea3731dda4bee8b52995b4ba3e1de99d9f9e1 /keystone/policy | |
parent | b9d8a20fff3518d3027cb95d37c1b9a13a6dea32 (diff) | |
Update the Keystone policy engine to the latest openstack common
Fixes Bug #1126037
Change-Id: I246bc9c0c2eb0f4af97c11588c80e4bcea06e747
Diffstat (limited to 'keystone/policy')
-rw-r--r-- | keystone/policy/backends/rules.py | 30 |
1 files changed, 14 insertions, 16 deletions
diff --git a/keystone/policy/backends/rules.py b/keystone/policy/backends/rules.py
index 3441ebea..aa0228cc 100644
--- a/keystone/policy/backends/rules.py
+++ b/keystone/policy/backends/rules.py
@@ -15,12 +15,12 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-"""Rules-based Policy Engine."""
+"""Policy engine for keystone"""
 import os.path
 from keystone.common import logging
-from keystone.common import policy as common_policy
+from keystone.openstack.common import policy as common_policy
 from keystone.common import utils
 from keystone import config
 from keystone import exception
@@ -52,16 +52,16 @@ def init():
 _POLICY_PATH = CONF.find_file(_POLICY_PATH)
 utils.read_cached_file(_POLICY_PATH, _POLICY_CACHE,
- reload_func=_set_brain)
+ reload_func=_set_rules)
-def _set_brain(data):
+def _set_rules(data):
 default_rule = CONF.policy_default_rule
- common_policy.set_brain(common_policy.HttpBrain.load_json(data,
- default_rule))
+ common_policy.set_rules(common_policy.Rules.load_json(
+ data, default_rule))
-def enforce(credentials, action, target):
+def enforce(credentials, action, target, do_raise=True):
 """Verifies that the action is valid on the target in this context.
 :param credentials: user credentials
@@ -70,24 +70,22 @@ def enforce(credentials, action, target):
 :param target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g.
- {'tenant_id': object.tenant_id}
+ {'project_id': object.project_id}
 :raises: `exception.Forbidden` if verification fails. Actions should be colon separated for clarity. For example:
- * compute:create_instance
- * compute:attach_volume
- * volume:attach_volume
+ * identity:list_users
 """
 init()
- match_list = ('rule:%s' % action,)
+ # Add the exception arguments if asked to do a raise
+ extra = {}
+ if do_raise:
+ extra.update(exc=exception.ForbiddenAction, action=action)
- try:
- common_policy.enforce(match_list, target, credentials)
- except common_policy.NotAuthorized:
- raise exception.ForbiddenAction(action=action)
+ return common_policy.check(action, target, credentials, **extra)
 class Policy(policy.Driver): |
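Review bot: The new `do_raise` parameter and the return value of `enforce` are not documented, although they change the contract in a way that matters for authorization: with `do_raise=False` the check no longer raises, so a caller that ignores the returned value of `common_policy.check` silently fails open. The docstring edited in this hunk should gain `:param do_raise: raise on failure when True (the default); when False, return the check result instead, which the caller must test` and `:returns: the result of the policy check; only meaningful when do_raise is False`. The `:raises:` context line still names `exception.Forbidden`, while the exception passed through `extra` is `exception.ForbiddenAction`; it should read `:raises: exception.ForbiddenAction if verification fails and do_raise is True`. That `common_policy.check` raises the `exc` it is handed with the remaining keyword arguments is inferred from the call site, not shown in this diff, so it is worth confirming against the copied `keystone.openstack.common.policy` module.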