Implement system-scope

The context should carry some information that all services will need
in order to enforce scoping. System scope can be implemented here
and available for projects when they start adding scope types to
policies.

bp system-scope

Change-Id: I02fdaccfdd002d60b0b51c5d3327c783009cf35e
This commit is contained in:
Lance Bragstad 2017-12-29 21:28:17 +00:00
parent 92b96644eb
commit 1a40b3d43b
2 changed files with 39 additions and 1 deletions

View File

@ -49,6 +49,7 @@ _ENVIRON_HEADERS = {
'project_id': ['HTTP_X_PROJECT_ID',
'HTTP_X_TENANT_ID',
'HTTP_X_TENANT'],
'system_scope': ['HTTP_OPENSTACK_SYSTEM_SCOPE'],
'user_domain_id': ['HTTP_X_USER_DOMAIN_ID'],
'project_domain_id': ['HTTP_X_PROJECT_DOMAIN_ID'],
'user_name': ['HTTP_X_USER_NAME'],
@ -219,7 +220,8 @@ class RequestContext(object):
service_project_domain_id=None,
service_project_domain_name=None,
service_roles=None,
global_request_id=None):
global_request_id=None,
system_scope=None):
"""Initialize the RequestContext
:param overwrite: Set to False to ensure that the greenthread local
@ -228,6 +230,11 @@ class RequestContext(object):
the token as the admin project. Defaults to
True for backwards compatibility.
:type is_admin_project: bool
:param system_scope: The system scope of a token. The value ``all``
represents the entire deployment system. A service
ID represents a specific service within the
deployment system.
:type system_scope: string
"""
# setting to private variables to avoid triggering subclass properties
self._user_id = user_id
@ -240,6 +247,7 @@ class RequestContext(object):
self.user_name = user_name
self.project_name = project_name
self.domain_name = domain_name
self.system_scope = system_scope
self.user_domain_name = user_domain_name
self.project_domain_name = project_domain_name
self.is_admin = is_admin
@ -309,6 +317,7 @@ class RequestContext(object):
return _DeprecatedPolicyValues({
'user_id': self.user_id,
'user_domain_id': self.user_domain_id,
'system_scope': self.system_scope,
'project_id': self.project_id,
'project_domain_id': self.project_domain_id,
'roles': self.roles,
@ -330,6 +339,7 @@ class RequestContext(object):
return {'user': self.user_id,
'tenant': self.project_id,
'system_scope': self.system_scope,
'project': self.project_id,
'domain': self.domain_id,
'user_domain': self.user_domain_id,

View File

@ -554,6 +554,7 @@ class ContextTest(test_base.BaseTestCase):
self.assertEqual({'user_id': user,
'user_domain_id': user_domain,
'system_scope': None,
'project_id': tenant,
'project_domain_id': project_domain,
'roles': roles,
@ -565,6 +566,32 @@ class ContextTest(test_base.BaseTestCase):
'service_roles': service_roles},
ctx.to_policy_values())
# NOTE(lbragstad): This string has special meaning in that the value
# ``all`` represents the entire deployment system.
system_all = 'all'
ctx = context.RequestContext(user=user,
user_domain=user_domain,
system_scope=system_all,
roles=roles,
service_user_id=service_user_id,
service_project_id=service_project_id,
service_roles=service_roles)
self.assertEqual({'user_id': user,
'user_domain_id': user_domain,
'system_scope': system_all,
'project_id': None,
'project_domain_id': None,
'roles': roles,
'is_admin_project': True,
'service_user_id': service_user_id,
'service_user_domain_id': None,
'service_project_id': service_project_id,
'service_project_domain_id': None,
'service_roles': service_roles},
ctx.to_policy_values())
ctx = context.RequestContext(user=user,
user_domain=user_domain,
tenant=tenant,
@ -577,6 +604,7 @@ class ContextTest(test_base.BaseTestCase):
self.assertEqual({'user_id': user,
'user_domain_id': user_domain,
'system_scope': None,
'project_id': tenant,
'project_domain_id': project_domain,
'roles': roles,