Use context instead of manually setting the credentials for policy

This migrates from our minimal credentials dict, towards using oslo.context directly (which is the recommended approach). In order to do this, we had to change some policies to point towards the correct attribute names. Change-Id: If382e0a45497ffcc1d5b194c4244a59d2911afe6
2018-10-11 10:47:54 +03:00 · 2018-10-11 10:47:54 +03:00 · daf8db11b4
parent 4d58ac8ddc
commit daf8db11b4
2 changed files with 5 additions and 12 deletions
--- a/barbican/api/controllers/init.py
+++ b/barbican/api/controllers/init.py
@ -49,13 +49,6 @@ def _do_enforce_rbac(inst, req, action_name, ctx, **kwargs):
    """Enforce RBAC based on 'request' information."""
    if action_name and ctx:

-        # Prepare credentials information.
-        credentials = {
-            'roles': ctx.roles,
-            'user': ctx.user,
-            'project': ctx.project_id
-        }
-
        # Enforce special case: secret GET decryption
        if 'secret:get' == action_name and not is_json_request_accept(req):
            action_name = 'secret:decrypt'  # Override to perform special rules
@ -69,7 +62,7 @@ def _do_enforce_rbac(inst, req, action_name, ctx, **kwargs):
        # Enforce access controls.
        if ctx.policy_enforcer:
            ctx.policy_enforcer.enforce(action_name, flatten(policy_dict),
-                                        credentials, do_raise=True)
+                                        ctx, do_raise=True)


 def enforce_rbac(action_name='default'):
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
@ -41,7 +41,7 @@ rules = [
                  'rule:audit or rule:service_admin'),
    policy.RuleDefault(
        name='secret_project_match',
-        check_str='project:%(target.secret.project_id)s'),
+        check_str='project_id:%(target.secret.project_id)s'),
    policy.RuleDefault(
        name='secret_acl_read',
        check_str="'read':%(target.secret.read)s"),
@ -50,10 +50,10 @@ rules = [
        check_str="'False':%(target.secret.read_project_access)s"),
    policy.RuleDefault(
        name='secret_creator_user',
-        check_str="user:%(target.secret.creator_id)s"),
+        check_str="user_id:%(target.secret.creator_id)s"),
    policy.RuleDefault(
        name='container_project_match',
-        check_str="project:%(target.container.project_id)s"),
+        check_str="project_id:%(target.container.project_id)s"),
    policy.RuleDefault(
        name='container_acl_read',
        check_str="'read':%(target.container.read)s"),
@ -62,7 +62,7 @@ rules = [
        check_str="'False':%(target.container.read_project_access)s"),
    policy.RuleDefault(
        name='container_creator_user',
-        check_str="user:%(target.container.creator_id)s"),
+        check_str="user_id:%(target.container.creator_id)s"),
    policy.RuleDefault(
        name='secret_non_private_read',
        check_str="rule:all_users and rule:secret_project_match and not " +