H404 - multi line docstring should start with a summary.
Change-Id: I2099e1ee81ff9657f7a07401b8e8f3327d03bdbd
H306 - imports not in alphabetical order.
Change-Id: Iaa93bcafed562833318ac86241ad36662c2d8ca6
This patch adds some logic that is currently duplicated throughout
OpenStack. As part of this de-duplication, the patch also modifies
the current implementation.

Major Changes:
* check, set_rules, reset, init are now part of the Enforcer class
* check was renamed into enforce
* init was renamed into load_rules
* It is now possible to load multiple files and have per instance
  rules instead of global rules.
* There's a global instance of the Enforcer class that can be used as
  main enforcer.

    from openstack.common import policy
    ENFORCER = policy.ENFORCER
    ENFORCER.enforce(rule, target, creds)

Minor Changes:
* Added do_raise to the enforce method
* Enforcer instance is now passed to the Check call.

NOTE: If / once this patch gets in, I'll update other projects and port
them to the latest version.

Change-Id: Ife909bdf3277ef33c2fb1eae16ae261fa6374c63
PEP8 suggests, "For sequences, use the fact that empty sequences are false."
Change-Id: I4c600a7a6230a55328ee46f7c59f340f37abc18f
From http://docs.python.org/3.1/whatsnew/3.0.html:
"Python 3.0 uses the concepts of text and (binary) data instead of
Unicode strings and 8-bit strings."
Use six.text_type, the type for representing (Unicode) textual data. This
is unicode() in Python 2 and str in Python 3.
Change-Id: I3da268a714a34a8e626a2590f01b86e414dc3411
Signed-off-by: Chuck Short <chuck.short@canonical.com>
Common modules can now safely import other common modules
since update.py will automatically install dependencies.
Change-Id: I0ad12d7e6e623657c40659aca4148439cd03d3fa
fixes bug 1154745
The previous update (https://review.openstack.org/#/c/24103/) missed
header files that contained "OpenStack, LLC". This change corrects the
missed files to reflect the OpenStack Foundation.
Change-Id: I9c6de265267485ef2c82ea7e6d8643e82134d102
Caesar's wife must be above reproach.
Change-Id: Iac85a57e71d403360f1567c07c8699057f0772fb
This reverts commit 3fc46892
After a productive discussion here:
http://lists.openstack.org/pipermail/openstack-dev/2012-October/thread.html#1566
It appears that we don't yet have a really compelling use
case for this and folks are worried about the extra
complexity it brings. I think it's safe to say there's a
consensus that we shouldn't proceed with this idea yet. We
can always revisit this again later if needs be.
If we're not changing the value of a global variable, there's no need
to use the 'global' statement. This removes an unnecessary 'global'
statement from the register() function/decorator.
Change-Id: I0d4388f28acf3c9dc5969d86d74f384f1f3d0474
Implements blueprint fine-grained-policy
Add support to the new policy language for finer-grained policy
decisions: policy checks can, using the "case" construct, return
values other than simply "True".
This means that a policy rule can be written that allows for fine
shades of permissions; for instance, a rule could return the values,
"fulladmin", "projectadmin", or False, and the caller can use these
values to decide whether to allow all modifications, only some
modifications, or no modifications at all.
Change-Id: Id2bbee5c34052692af12e4a028256131ed2747fc
Implements blueprint fine-grained-policy
Inverting the sense of a check was not possible with the list-of-lists
syntax, but it clearly makes sense to support it.
Change-Id: Ibd92cd75a279efdafec16a26f9aec33f39614b5c
Implements blueprint fine-grained-policy
Add a new policy language with "and" and "or" operators to replace
the old list-of-lists syntax. New '@' and '!' operators are also added.
This new language will enable us to add more advanced features than the
old syntax would have allowed.
Backwards compat support for the old list-of-list syntax is retained.
Change-Id: I872cb6abf6f8051c3ff502a0fc7590cff4f63a25
Implements blueprint fine-grained-policy
Remove the deprecated Brain/enforce API and support for using functions
as check types.
Change-Id: Idf79999ad402b2c79072d0547d60c7b0bfa20d5a
Implements blueprint fine-grained-policy

Complete rewrite of the policy engine, with careful thought given to
backwards-compatibility.

Policy rules are now represented internally by a tree of Check
objects.

A new API is added for parsing and enforcing rules:

    set_rules(Rules.load_json(data, default_rule=...))
    result = check(rule, target, credentials)
    reset()

The old Brain/enforce API is deprecated and will be removed soon.

A new API is also added for registering new check types:

    @register("key")
    class KeyCheck(Check):
        def __call__(self, target, creds):
            return self.match in creds

Support for using functions as check types is deprecated and will
also be removed soon.

Change-Id: I2951a0de3751bd2ec868e7a661070fed624e4af2
Fixed indents which violate pep8 1.3.3
Also added .mailmap file to coalesce commits
Change-Id: Ia7a788a28e6c0fd9cb52fb7ea477cddd7d589e58
The generic checking in policy allows us to match against data from the
creds_dict using a very simple syntax. For example, in policy.json if
you had something like:

    "some_action": [["project_id:foo"]]

it would only allow project foo to perform that action, but something
like:

    "some_action": [["is_admin:True"]]

where is_admin is a boolean fails.

This modifies the check to convert the value to unicode before
attempting to compare it. It includes a test.

Fixes bug 1039132

Change-Id: I0e53a6ea2709212d4a1536f901bcf1e717a232ca
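
Added example (not part of the commit or the project's code): the boolean comparison failure described above next to the text-conversion fix. The helper names and credentials are hypothetical and constructed for illustration; `str` stands in for Python 2's `unicode`, and the list-of-lists rule is assumed to be evaluated as an OR of AND-lists.

```python
# Added illustration; function names are hypothetical, not the policy module's API.

def parse_check(check):
    """Split a "key:value" check string into (key, value)."""
    key, _, value = check.partition(":")
    return key, value


def generic_match_strict(check, creds):
    """Pre-fix behaviour: compare the policy string to the raw creds value."""
    key, value = parse_check(check)
    return key in creds and creds[key] == value


def generic_match_text(check, creds):
    """Post-fix behaviour: convert the creds value to text before comparing."""
    key, value = parse_check(check)
    return key in creds and str(creds[key]) == value


def enforce(rule, creds, match):
    """Assumed list-of-lists semantics: one inner list must pass in full."""
    return any(all(match(c, creds) for c in and_list) for and_list in rule)


# Constructed sample policy and credentials.
POLICY = {
    "some_action": [["project_id:foo"]],
    "admin_action": [["is_admin:True"]],
}
ADMIN = {"project_id": "foo", "is_admin": True}
USER = {"project_id": "bar", "is_admin": False}

if __name__ == "__main__":
    for name, match in (("strict", generic_match_strict),
                        ("text", generic_match_text)):
        for who, creds in (("admin", ADMIN), ("user", USER)):
            allowed = enforce(POLICY["admin_action"], creds, match)
            print(name, who, "admin_action ->", allowed)
```

The text comparison is exact, so a policy written as `is_admin:true` still does not match a boolean `True`; policy files need the capitalised form.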
The original policy framework allowed new policy checks to be created
through inheritance. This is somewhat clunky and unnecessary in
Python. This change refactors policy.py to allow new policy checks
to be registered using an @register() decorator. One consequence is
that HttpBrain is deprecated.
Care has been taken to ensure backwards compatibility; deprecation
warnings will be emitted for uses of HttpBrain or the inheritance-
based checks.
Change-Id: I3ccef5868906ef64a3c24d6c92533471e89682ba
Fixes bug 1021453.
Change-Id: I05771a588746a0e43fec0078c5c7152dd9d33b9f
For blueprint use-common-jsonutils
Pretty much just a search and replace.
Change-Id: I66f63e7b0ff82a37d8a6b9acef94f4e10a45bf90
Both Glance and Nova make use of (almost) the same policy system,
defined in glance/common/policy.py and nova/common/policy.py,
respectively. They also have independent glue code
(glance/api/policy.py and nova/policy.py), so that the common
policy system is substantially similar. This makes policies a
perfect candidate for incorporation into openstack-common,
particularly given that this same code will soon be used by
Quantum.
This change adds the common policy module (along with some minor
interface changes and bug fixes) to openstack-common, along with
a test suite.
Change-Id: I0022a91f16ded28f9dc6b4975ef1b6e4cc8460ac