Merge "Add a permissive mode for access rules config"
This commit is contained in:
commit
30e6a7f1f1
|
@ -94,6 +94,8 @@ class AccessRulesConfig(base.AccessRulesConfigDriverBase):
|
|||
|
||||
def __init__(self):
|
||||
super(AccessRulesConfig, self).__init__()
|
||||
if CONF.access_rules_config.permissive:
|
||||
return
|
||||
access_rules_file = CONF.access_rules_config.rules_file
|
||||
self.access_rules = dict()
|
||||
self.access_rules_json = dict()
|
||||
|
|
|
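Review bot: The early `return` under `if CONF.access_rules_config.permissive:` leaves the driver without `self.access_rules` and `self.access_rules_json`, so any driver method that reads them raises AttributeError if it is ever reached in permissive mode (for example if the manager's short-circuit is bypassed or the option is changed after the driver is constructed). Initializing both dicts before the check keeps the object consistent either way: move `self.access_rules = dict()` and `self.access_rules_json = dict()` above the `if`, then return. The rest of `__init__` (the rules-file load) is outside the hunk.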
@ -12,15 +12,18 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
"""List access rules."""
|
||||
"""List access rules config."""
|
||||
|
||||
from keystone.common import cache
|
||||
from keystone.common import driver_hints
|
||||
from keystone.common import manager
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
MEMOIZE = cache.get_memoization_decorator(group='access_rules_config')
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class Manager(manager.Manager):
|
||||
|
@ -41,6 +44,22 @@ class Manager(manager.Manager):
|
|||
HTTP method.
|
||||
|
||||
"""
|
||||
if CONF.access_rules_config.permissive:
|
||||
hints = driver_hints.Hints()
|
||||
if service:
|
||||
hints.add_filter('service', service)
|
||||
rules = {}
|
||||
services = PROVIDERS.catalog_api.list_services(hints=hints)
|
||||
if service:
|
||||
services = [svc for svc in services if svc['type'] == service]
|
||||
for svc in services:
|
||||
rules[svc['type']] = []
|
||||
for method in ['HEAD', 'GET', 'POST', 'PUT', 'PATCH', 'DELETE']:
|
||||
rules[svc['type']].append({
|
||||
"path": "**",
|
||||
"method": method
|
||||
})
|
||||
return rules
|
||||
return self.driver.list_access_rules_config(service)
|
||||
|
||||
@MEMOIZE
|
||||
|
@ -55,5 +74,7 @@ class Manager(manager.Manager):
|
|||
configured access rules
|
||||
|
||||
"""
|
||||
if CONF.access_rules_config.permissive:
|
||||
return True
|
||||
return self.driver.check_access_rule(service, request_path,
|
||||
request_method)
|
||||
|
|
|
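Review bot: In the permissive branch of `list_access_rules_config`, the hint filter key `'service'` does not look like a catalog service attribute — the Python re-filter on `svc['type']` two lines later does the actual narrowing, which suggests the hint is a no-op; if the catalog filters by type, use `hints.add_filter('type', service)` and drop the list comprehension, otherwise drop the hint so there is one source of truth. The nested loop that builds six identical dicts per service reads more directly as `rules[svc['type']] = [{"path": "**", "method": m} for m in methods]` with the method list hoisted to a module constant. The method's docstring begins outside the hunk and should say that in permissive mode the result is synthesized from the service catalog (every method, path `**`) rather than read from the rules file, since callers will otherwise take it for operator configuration. The `check_access_rule` hunk in the same file short-circuits to `True` the same way and has the same documentation gap.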
@ -51,12 +51,22 @@ configuration will be loaded and application credential access rules will be
|
|||
unavailable.
|
||||
"""))
|
||||
|
||||
permissive = cfg.BoolOpt(
|
||||
'permissive',
|
||||
default=False,
|
||||
help=utils.fmt("""
|
||||
Toggles permissive mode for access rules. When enabled, application
|
||||
credentials can be created with any access rules regardless of operator's
|
||||
configuration.
|
||||
"""))
|
||||
|
||||
GROUP_NAME = __name__.split('.')[-1]
|
||||
ALL_OPTS = [
|
||||
driver,
|
||||
caching,
|
||||
cache_time,
|
||||
rules_file,
|
||||
permissive,
|
||||
]
|
||||
|
||||
|
||||
|
|
|
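Review bot: The help text for `permissive` describes only the creation side ("application credentials can be created with any access rules"), but the same option also makes `check_access_rule` accept every request and leaves `rules_file` unloaded, which is the effect an operator needs to see before enabling it. Suggest extending the help to read: `Toggles permissive mode for access rules. When enabled, access rules are not validated against the operator's configuration: application credentials can be created with any access rules, any request path and method passes the access-rule check, and rules_file is not loaded.` This is documentation only; the option definition and its registration in `ALL_OPTS` are fine.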
@ -12,9 +12,12 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import uuid
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit.ksfixtures import access_rules_config
|
||||
from keystone.tests.unit.ksfixtures import database
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
@ -43,3 +46,24 @@ class AccessRulesConfigTest(unit.TestCase):
|
|||
result = PROVIDERS.access_rules_config_api.check_access_rule(
|
||||
'identity', '/v3/users', 'GET')
|
||||
self.assertTrue(result)
|
||||
|
||||
|
||||
class AccessRulesConfigPermissiveTest(AccessRulesConfigTest):
|
||||
|
||||
def setUp(self):
|
||||
super(AccessRulesConfigPermissiveTest, self).setUp()
|
||||
self.config_fixture.config(group='access_rules_config',
|
||||
permissive=True)
|
||||
self.useFixture(database.Database())
|
||||
services = [
|
||||
'identity',
|
||||
'image',
|
||||
'block-storage',
|
||||
'network',
|
||||
'compute',
|
||||
'object'
|
||||
]
|
||||
for service in services:
|
||||
ref = unit.new_service_ref(type=service)
|
||||
PROVIDERS.catalog_api.create_service(
|
||||
uuid.uuid4().hex, ref)
|
||||
|
|
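Review bot: `AccessRulesConfigPermissiveTest` only re-runs the inherited positive cases with `permissive=True`, which cannot distinguish permissive mode from the rules-file driver because those assertions already pass without the flag. Add a case only permissive mode satisfies, e.g. asserting `check_access_rule` returns True for a service/path/method combination the fixture's rules file does not list, and one asserting `list_access_rules_config()` returns a `"path": "**"` entry for every method for each of the six service types created in `setUp`. Setting `permissive=True` after `super(...).setUp()` also presumably means the parent's fixtures were set up with the default value; if the driver is instantiated there, the early return in its `__init__` is never exercised — confirm the driver is loaded lazily or set the option before calling the parent `setUp`.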