Policy bug fixes.
Change-Id: I2fab74a7bf1b7d9f36b1c3b8e555902b94c2a89b
parent
f7c77bb200
commit
8c5d8610aa
|
@ -91,7 +91,7 @@ def check_drivers_alive():
|
|||
if not driver_thread.is_alive():
|
||||
LOG.warning('%s(probe_ids=%s, kwargs=%s) is crashed'
|
||||
% (driver_thread.__class__.__name__,
|
||||
driver_thread.probe_ids, driver_thread.kwargs))
|
||||
driver_thread.probe_ids, driver_thread.kwargs))
|
||||
new_thread = load_driver(driver_thread.__class__.__name__,
|
||||
driver_thread.probe_ids,
|
||||
driver_thread.kwargs
|
||||
|
|
|
@ -20,8 +20,9 @@ import flask
|
|||
import keystoneclient.middleware.auth_token as auth_token
|
||||
from oslo.config import cfg
|
||||
|
||||
from kwapi import policy
|
||||
from kwapi.openstack.common import policy
|
||||
|
||||
_ENFORCER = None
|
||||
OPT_GROUP_NAME = 'keystone_authtoken'
|
||||
|
||||
|
||||
|
@ -46,5 +47,10 @@ def install(app, conf):
|
|||
def check():
|
||||
"""Checks application access."""
|
||||
headers = flask.request.headers
|
||||
if not policy.check_is_admin(headers.get('X-Roles', "").split(",")):
|
||||
global _ENFORCER
|
||||
if not _ENFORCER:
|
||||
_ENFORCER = policy.Enforcer()
|
||||
if not _ENFORCER.enforce('context_is_admin',
|
||||
{},
|
||||
{'roles': headers.get('X-Roles', "").split(",")}):
|
||||
return "Access denied", 401
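Review bot: The admin decision in check() rests entirely on the `X-Roles` request header passed to `_ENFORCER.enforce('context_is_admin', ...)`, and nothing in this hunk shows that the header comes from the keystone auth_token middleware rather than from the client. The body of install() is outside the hunk, so I cannot confirm that check() is only registered behind that middleware; I would state the dependency next to the call, e.g. `# X-Roles is only trustworthy after auth_token has validated the token and set this header`. It is also worth normalising the list before enforcement, `roles = [r.strip() for r in headers.get('X-Roles', '').split(',') if r.strip()]`, since an absent header currently yields `['']` and how padded role names are matched depends on the Enforcer (not visible here). The lazy `global _ENFORCER` initialisation has no comment on when the policy file is loaded or what happens if it is missing, which the deleted init() made explicit by raising `cfg.ConfigFilesNotFoundError`.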
|
||||
|
|
|
@ -158,8 +158,8 @@ def create_rrd_file(filename):
|
|||
for scale in scales.keys():
|
||||
args.append('RRA:AVERAGE:0.5:%s:%s'
|
||||
% (scales[scale][0]['resolution'],
|
||||
scales[scale][0]['interval'] /
|
||||
scales[scale][0]['resolution']))
|
||||
scales[scale][0]['interval'] /
|
||||
scales[scale][0]['resolution']))
|
||||
rrdtool.create(args)
|
||||
|
||||
|
||||
|
|
|
@ -1,55 +0,0 @@
|
|||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||
|
||||
# Copyright (c) 2011 OpenStack, LLC.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
"""Policy Engine For Kwapi"""
|
||||
|
||||
import os
|
||||
|
||||
from oslo.config import cfg
|
||||
|
||||
from kwapi.openstack.common import policy
|
||||
from kwapi import utils
|
||||
|
||||
_POLICY_PATH = None
|
||||
_POLICY_CACHE = {}
|
||||
|
||||
|
||||
def init():
|
||||
global _POLICY_PATH
|
||||
global _POLICY_CACHE
|
||||
if not _POLICY_PATH:
|
||||
_POLICY_PATH = cfg.CONF.policy_file
|
||||
if not os.path.exists(_POLICY_PATH):
|
||||
_POLICY_PATH = cfg.CONF.find_file(_POLICY_PATH)
|
||||
if not _POLICY_PATH:
|
||||
raise cfg.ConfigFilesNotFoundError([cfg.CONF.policy_file])
|
||||
utils.read_cached_file(_POLICY_PATH, _POLICY_CACHE,
|
||||
reload_func=_set_rules)
|
||||
|
||||
|
||||
def _set_rules(data):
|
||||
default_rule = cfg.CONF.policy_default_rule
|
||||
policy.set_rules(policy.Rules.load_json(data, default_rule))
|
||||
|
||||
|
||||
def check_is_admin(roles):
|
||||
"""Whether or not roles contains 'admin' role according to policy setting.
|
||||
|
||||
"""
|
||||
init()
|
||||
|
||||
return policy.check('context_is_admin', {}, {'roles': roles})
|