Shifting Role Mapping to conf

* Moved to conf, and added to test settings. * Also added same rank management to each role list based on what we want the current permission model to be. Change-Id: I7f8c2f8e7b4898d8a62776629eb6c437d7c9a155
2015-12-03 10:37:00 +13:00 · 2015-12-03 10:37:00 +13:00 · 64642435f4
parent 1526427f20
commit 64642435f4
4 changed files with 36 additions and 15 deletions
--- a/conf/conf.yaml
+++ b/conf/conf.yaml
@ -155,3 +155,20 @@ ACTION_SETTINGS:
                - 193.168.1.2
                - 193.168.1.3
            SUBNET_CIDR: 192.168.1.0/24
+
+# mapping between roles and managable roles
+ROLES_MAPPING:
+    admin:
+        - project_owner
+        - project_mod
+        - heat_stack_owner
+        - _member_
+    project_owner:
+        - project_owner
+        - project_mod
+        - heat_stack_owner
+        - _member_
+    project_mod:
+        - project_mod
+        - heat_stack_owner
+        - _member_
--- a/stacktask/actions/user_store.py
+++ b/stacktask/actions/user_store.py
@ -16,6 +16,7 @@ from openstack_clients import get_keystoneclient
 from keystoneclient.openstack.common.apiclient import (
    exceptions as ks_exceptions
 )
+from django.conf import settings


 def get_managable_roles(user_roles):
@ -23,20 +24,7 @@ def get_managable_roles(user_roles):
    Given a list of user role names, returns a list of names
    that the user is allowed to manage.
    """
-    # hardcoded mapping between roles and managable roles
-    # Todo: relocate to settings file.
-    manage_mapping = {
-        'admin': [
-            'project_owner', 'project_mod', 'Member', 'heat_stack_owner',
-            '_member_'
-        ],
-        'project_owner': [
-            'project_mod', 'Member', 'heat_stack_owner', '_member_'
-        ],
-        'project_mod': [
-            'Member', 'heat_stack_owner', '_member_'
-        ],
-    }
+    manage_mapping = settings.ROLES_MAPPING
    # merge mapping lists to form a flat permitted roles list
    managable_role_names = [mrole for role_name in user_roles
                            if role_name in manage_mapping
--- a/stacktask/settings.py
+++ b/stacktask/settings.py
@ -152,6 +152,8 @@ TASK_SETTINGS = CONFIG['TASK_SETTINGS']

 ACTION_SETTINGS = CONFIG['ACTION_SETTINGS']

+ROLES_MAPPING = CONFIG['ROLES_MAPPING']
+
 # Dict of actions and their serializers.
 # - This is populated from the various model modules at startup:
 ACTION_CLASSES = {}
--- a/stacktask/test_settings.py
+++ b/stacktask/test_settings.py
@ -154,6 +154,19 @@ ACTION_SETTINGS = {
    }
 }

+ROLES_MAPPING = {
+    'admin': [
+        'project_owner', 'project_mod', 'Member', 'heat_stack_owner',
+        '_member_'
+    ],
+    'project_owner': [
+        'project_mod', 'Member', 'heat_stack_owner', '_member_'
+    ],
+    'project_mod': [
+        'Member', 'heat_stack_owner', '_member_'
+    ],
+}
+
 conf_dict = {
    "SECRET_KEY": SECRET_KEY,
    "ADDITIONAL_APPS": ADDITIONAL_APPS,
@ -166,5 +179,6 @@ conf_dict = {
    "TASK_SETTINGS": TASK_SETTINGS,
    "ACTION_SETTINGS": ACTION_SETTINGS,
    "TOKEN_SUBMISSION_URL": TOKEN_SUBMISSION_URL,
-    "TOKEN_EXPIRE_TIME": TOKEN_EXPIRE_TIME
+    "TOKEN_EXPIRE_TIME": TOKEN_EXPIRE_TIME,
+    "ROLES_MAPPING": ROLES_MAPPING
 }