Allow generic rules in context_is_admin rule in policy.

context_is_admin role is used by nova to check if the current user is the admin. But it can only check role rules. The fix allow generic rules in context_is_admin. DocImpact Fixes bug 1118142 Change-Id: Ib4823a67fe63d5356fc8c9280a2013b8855f5217
author: Wenhao Xu <xuwenhao2008@gmail.com> 2013-02-07 17:18:12 +0800
committer: Wenhao Xu <xuwenhao2008@gmail.com> 2013-02-12 10:16:00 +0800
commit: 1d07c12ecad0ace2caae7baecd9f0f669b62cc35 (patch)
tree: ba1402953c7e1dccb2f8a8f53e153a79fa373a2d /nova/policy.py
parent: fe16fded3d4ecfe71d7d0d0d4adbbb8d3cc0da48 (diff)
download: nova-1d07c12ecad0ace2caae7baecd9f0f669b62cc35.tar.gz
nova-1d07c12ecad0ace2caae7baecd9f0f669b62cc35.tar.xz
nova-1d07c12ecad0ace2caae7baecd9f0f669b62cc35.zip
1 files changed, 4 insertions, 3 deletions
diff --git a/nova/policy.py b/nova/policy.py
index 27e261eac..ac2f2e730 100644
--- a/nova/policy.py
+++ b/nova/policy.py
@@ -101,14 +101,15 @@ def enforce(context, action, target, do_raise=True):
     return policy.check(action, target, credentials, **extra)
 
 
-def check_is_admin(roles):
+def check_is_admin(context):
     """Whether or not roles contains 'admin' role according to policy setting.
 
     """
     init()
 
-    target = {}
-    credentials = {'roles': roles}
+    #the target is user-self
+    credentials = context.to_dict()
+    target = credentials
 
     return policy.check('context_is_admin', target, credentials)
author	Wenhao Xu <xuwenhao2008@gmail.com>	2013-02-07 17:18:12 +0800
committer	Wenhao Xu <xuwenhao2008@gmail.com>	2013-02-12 10:16:00 +0800
commit	1d07c12ecad0ace2caae7baecd9f0f669b62cc35 (patch)
tree	ba1402953c7e1dccb2f8a8f53e153a79fa373a2d /nova/policy.py
parent	fe16fded3d4ecfe71d7d0d0d4adbbb8d3cc0da48 (diff)
download	nova-1d07c12ecad0ace2caae7baecd9f0f669b62cc35.tar.gz nova-1d07c12ecad0ace2caae7baecd9f0f669b62cc35.tar.xz nova-1d07c12ecad0ace2caae7baecd9f0f669b62cc35.zip