| author | Brian Waldon <bcwaldon@gmail.com> | 2012-01-16 15:28:49 -0800 |
|---|---|---|
| committer | Brian Waldon <bcwaldon@gmail.com> | 2012-01-16 16:07:40 -0800 |
| commit | 85518a93ef01ae997ecfc0687d89ba87f7607f54 (patch) | |
| tree | 9d7928af887d05d8b1052ea5c9cabee82247f4bb /nova/common | |
| parent | 1fd26203b29d6432325ae1365e3dcbecc9d97864 (diff) | |
Add default policy rule
If a specific rule is not found, we will check the rule defined in FLAGS.policy_default_action.
Change-Id: Ib1b1aa4bbeec74bdb1562d0fc649d33838076f01
Diffstat (limited to 'nova/common')
| -rw-r--r-- | nova/common/policy.py | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/nova/common/policy.py b/nova/common/policy.py
index b7cd3cf41..d8d29d6b0 100644
--- a/nova/common/policy.py
+++ b/nova/common/policy.py
@@ -104,13 +104,14 @@ def enforce(match_list, target_dict, credentials_dict):
 class Brain(object):
     """Implements policy checking."""
     @classmethod
-    def load_json(cls, data):
+    def load_json(cls, data, default_rule=None):
         """Init a brain using json instead of a rules dictionary."""
         rules_dict = json.loads(data)
-        return cls(rules=rules_dict)
+        return cls(rules=rules_dict, default_rule=default_rule)
 
-    def __init__(self, rules=None):
+    def __init__(self, rules=None, default_rule=None):
         self.rules = rules or {}
+        self.default_rule = default_rule
 
     def add_rule(self, key, match):
         self.rules[key] = match
@@ -154,7 +155,11 @@ class Brain(object):
         try:
             new_match_list = self.rules[match]
         except KeyError:
-            return False
+            if self.default_rule and match != self.default_rule:
+                new_match_list = ('rule:%s' % self.default_rule,)
+            else:
+                return False
+
         return self.check(new_match_list, target_dict, cred_dict)
 
     def _check_role(self, match, target_dict, cred_dict):
 |
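Review bot: Neither `load_json` nor `__init__` documents the new `default_rule` argument, and the `load_json` docstring is unchanged even though its signature grew. The second hunk formats the value into `'rule:%s'`, so it has to be the name of a rule in `rules`, not a match list. A reader cannot tell that from this hunk alone. I would add to the `load_json` docstring and to a new `__init__` docstring: `default_rule: name of the rule checked when a requested rule is missing; None keeps the deny-on-missing behaviour.` The `Brain` class continues outside the hunk.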
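Review bot: In the `except KeyError` branch, every unresolved rule lookup now falls through to `default_rule`, which appears to include a misspelled name referenced from inside another rule, not only an action with no entry of its own. A lookup that used to deny now gets whatever the default grants, so a permissive default turns a typo in the policy file into an allow. I would log the missing rule name before substituting, so operators can spot gaps in the policy, and state in the docstring that the default should be the most restrictive rule the deployment accepts. Suggested comment above the `if`: `# Missing rule: defer to default_rule; if that is undefined too, the retry lands here with match == default_rule and denies.` The enclosing method's signature and docstring are outside the hunk.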
