Use context instead of manually setting the credentials for policy
This migrates from our minimal credentials dict, towards using oslo.context directly (which is the recommended approach). In order to do this, we had to change some policies to point towards the correct attribute names. Change-Id: If382e0a45497ffcc1d5b194c4244a59d2911afe6
This commit is contained in:
parent
4d58ac8ddc
commit
daf8db11b4
@ -49,13 +49,6 @@ def _do_enforce_rbac(inst, req, action_name, ctx, **kwargs):
"""Enforce RBAC based on 'request' information."""
if action_name and ctx:
# Prepare credentials information.
credentials = {
'roles': ctx.roles,
'user': ctx.user,
'project': ctx.project_id
}
# Enforce special case: secret GET decryption
if 'secret:get' == action_name and not is_json_request_accept(req):
action_name = 'secret:decrypt' # Override to perform special rules
@ -69,7 +62,7 @@ def _do_enforce_rbac(inst, req, action_name, ctx, **kwargs):
# Enforce access controls.
if ctx.policy_enforcer:
ctx.policy_enforcer.enforce(action_name, flatten(policy_dict),
credentials, do_raise=True)
ctx, do_raise=True)
def enforce_rbac(action_name='default'):
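Review bot: The enforce() call at the end of the second hunk now passes the whole `ctx` where the three-key credentials dict used to go, so the names a policy rule can reference are whatever oslo.context's `to_policy_values()` yields (`user_id`, `project_id`, `roles`, …), not the old `user`/`project` keys; the shipped defaults were updated, but an operator-customized policy file still written against `project:`/`user:` will stop matching unless the installed oslo.context still publishes those as deprecated aliases, which I cannot confirm from this page. Since oslo.policy's generic check evaluates to False when the key is absent, the failure mode is a denial rather than a grant, but it is still an upgrade-impacting change that deserves a release note and a comment at the call site. Suggested comment above `ctx.policy_enforcer.enforce(...)`: `# Pass the request context; oslo.policy derives the credential keys (user_id, project_id, roles, ...) from ctx.to_policy_values(), so rules must use those names.` Note that `_do_enforce_rbac` starts before the first hunk and continues between and after both hunks, so the remaining uses of `ctx` there are not visible here.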
@ -41,7 +41,7 @@ rules = [
'rule:audit or rule:service_admin'),
policy.RuleDefault(
name='secret_project_match',
check_str='project:%(target.secret.project_id)s'),
check_str='project_id:%(target.secret.project_id)s'),
policy.RuleDefault(
name='secret_acl_read',
check_str="'read':%(target.secret.read)s"),
@ -50,10 +50,10 @@ rules = [
check_str="'False':%(target.secret.read_project_access)s"),
policy.RuleDefault(
name='secret_creator_user',
check_str="user:%(target.secret.creator_id)s"),
check_str="user_id:%(target.secret.creator_id)s"),
policy.RuleDefault(
name='container_project_match',
check_str="project:%(target.container.project_id)s"),
check_str="project_id:%(target.container.project_id)s"),
policy.RuleDefault(
name='container_acl_read',
check_str="'read':%(target.container.read)s"),
@ -62,7 +62,7 @@ rules = [
check_str="'False':%(target.container.read_project_access)s"),
policy.RuleDefault(
name='container_creator_user',
check_str="user:%(target.container.creator_id)s"),
check_str="user_id:%(target.container.creator_id)s"),
policy.RuleDefault(
name='secret_non_private_read',
check_str="rule:all_users and rule:secret_project_match and not " +
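Review bot: The four rule rewrites across this file's three hunks (`project:` → `project_id:` for secret_project_match and container_project_match, `user:` → `user_id:` for secret_creator_user and container_creator_user) only hold up if every other rule that names a credential key follows the same vocabulary; the `rules` list starts before the first hunk and continues after this one, so any remaining `project:`/`user:` reference elsewhere in the list, or in a deployed policy file that overrides these defaults, would silently stop matching rather than be flagged. A one-line comment above the `rules` list would pin the contract for future edits, e.g. `# Credential keys are those of oslo.context RequestContext.to_policy_values() (user_id, project_id, roles, ...); the legacy 'user'/'project' names are not guaranteed to resolve.` Whether the legacy names still resolve through deprecated aliases depends on the installed oslo.context version and should be confirmed before the release note is written.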