[Policy] Set scope_types for BaseCheck rules
To be able to do policy checks for e.g. subattriutes, Neutron is creating rule objects which are subclasses of the oslo_policy.BaseCheck objects but we didn't set scope_types in that newly created rules. As we are now moving to the new secure RBAC rules, which allows us to enforce scope checks, we need to set those scope types for such objects to let oslo.policy to enforce it when needed. Related-Bug: #1923503 Change-Id: Ie9b4b908621a0e2ca7c9f7d8a3057c95e28f0dbd
This commit is contained in:
parent
1d2a4cb35a
commit
48f4e05b6e
|
@ -206,6 +206,10 @@ def _build_match_rule(action, target, pluralized):
|
|||
(e.g.: create_router:external_gateway_info:network_id)
|
||||
"""
|
||||
match_rule = policy.RuleCheck('rule', action)
|
||||
registered_rule = _ENFORCER.registered_rules.get(action)
|
||||
if registered_rule and registered_rule.scope_types:
|
||||
match_rule.scope_types = registered_rule.scope_types
|
||||
|
||||
resource, enforce_attr_based_check = get_resource_and_action(
|
||||
action, pluralized)
|
||||
if enforce_attr_based_check:
|
||||
|
|
Loading…
Reference in New Issue