Implement system-scope
The context should carry some information that all services will need in order to enforce scoping. System scope can be implemented here and made available to projects when they start adding scope types to policies. bp system-scope Change-Id: I02fdaccfdd002d60b0b51c5d3327c783009cf35e
parent
92b96644eb
commit
1a40b3d43b
|
@ -49,6 +49,7 @@ _ENVIRON_HEADERS = {
|
|||
'project_id': ['HTTP_X_PROJECT_ID',
|
||||
'HTTP_X_TENANT_ID',
|
||||
'HTTP_X_TENANT'],
|
||||
'system_scope': ['HTTP_OPENSTACK_SYSTEM_SCOPE'],
|
||||
'user_domain_id': ['HTTP_X_USER_DOMAIN_ID'],
|
||||
'project_domain_id': ['HTTP_X_PROJECT_DOMAIN_ID'],
|
||||
'user_name': ['HTTP_X_USER_NAME'],
|
||||
|
@ -219,7 +220,8 @@ class RequestContext(object):
|
|||
service_project_domain_id=None,
|
||||
service_project_domain_name=None,
|
||||
service_roles=None,
|
||||
global_request_id=None):
|
||||
global_request_id=None,
|
||||
system_scope=None):
|
||||
"""Initialize the RequestContext
|
||||
|
||||
:param overwrite: Set to False to ensure that the greenthread local
|
||||
|
@ -228,6 +230,11 @@ class RequestContext(object):
|
|||
the token as the admin project. Defaults to
|
||||
True for backwards compatibility.
|
||||
:type is_admin_project: bool
|
||||
:param system_scope: The system scope of a token. The value ``all``
|
||||
represents the entire deployment system. A service
|
||||
ID represents a specific service within the
|
||||
deployment system.
|
||||
:type system_scope: string
|
||||
"""
|
||||
# setting to private variables to avoid triggering subclass properties
|
||||
self._user_id = user_id
|
||||
|
@ -240,6 +247,7 @@ class RequestContext(object):
|
|||
self.user_name = user_name
|
||||
self.project_name = project_name
|
||||
self.domain_name = domain_name
|
||||
self.system_scope = system_scope
|
||||
self.user_domain_name = user_domain_name
|
||||
self.project_domain_name = project_domain_name
|
||||
self.is_admin = is_admin
|
||||
|
@ -309,6 +317,7 @@ class RequestContext(object):
|
|||
return _DeprecatedPolicyValues({
|
||||
'user_id': self.user_id,
|
||||
'user_domain_id': self.user_domain_id,
|
||||
'system_scope': self.system_scope,
|
||||
'project_id': self.project_id,
|
||||
'project_domain_id': self.project_domain_id,
|
||||
'roles': self.roles,
|
||||
|
@ -330,6 +339,7 @@ class RequestContext(object):
|
|||
|
||||
return {'user': self.user_id,
|
||||
'tenant': self.project_id,
|
||||
'system_scope': self.system_scope,
|
||||
'project': self.project_id,
|
||||
'domain': self.domain_id,
|
||||
'user_domain': self.user_domain_id,
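Review bot: The new `'system_scope': ['HTTP_OPENSTACK_SYSTEM_SCOPE']` entry in `_ENVIRON_HEADERS` does not say who is trusted to set that header. The code that consumes the mapping lies outside the visible hunks, so this is inferred, but a context built from the WSGI environ is only as trustworthy as the auth middleware in front of the service (typically keystonemiddleware's auth_token), which must drop any client-supplied copy of the header before writing its own. A comment on the entry would make that dependency explicit, for example `# populated by the auth middleware from the validated token; a client-supplied value must never reach here`. Separately, `__init__` assigns `self.system_scope = system_scope` without comparing it to the project arguments, so one context can carry both a system scope and a `project_id`, and `to_policy_values()` will emit both. The `:param system_scope:` docstring should state whether the two are mutually exclusive, or the constructor should reject the combination.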
|
||||
|
|
|
@ -554,6 +554,7 @@ class ContextTest(test_base.BaseTestCase):
|
|||
|
||||
self.assertEqual({'user_id': user,
|
||||
'user_domain_id': user_domain,
|
||||
'system_scope': None,
|
||||
'project_id': tenant,
|
||||
'project_domain_id': project_domain,
|
||||
'roles': roles,
|
||||
|
@ -565,6 +566,32 @@ class ContextTest(test_base.BaseTestCase):
|
|||
'service_roles': service_roles},
|
||||
ctx.to_policy_values())
|
||||
|
||||
# NOTE(lbragstad): This string has special meaning in that the value
|
||||
# ``all`` represents the entire deployment system.
|
||||
system_all = 'all'
|
||||
|
||||
ctx = context.RequestContext(user=user,
|
||||
user_domain=user_domain,
|
||||
system_scope=system_all,
|
||||
roles=roles,
|
||||
service_user_id=service_user_id,
|
||||
service_project_id=service_project_id,
|
||||
service_roles=service_roles)
|
||||
|
||||
self.assertEqual({'user_id': user,
|
||||
'user_domain_id': user_domain,
|
||||
'system_scope': system_all,
|
||||
'project_id': None,
|
||||
'project_domain_id': None,
|
||||
'roles': roles,
|
||||
'is_admin_project': True,
|
||||
'service_user_id': service_user_id,
|
||||
'service_user_domain_id': None,
|
||||
'service_project_id': service_project_id,
|
||||
'service_project_domain_id': None,
|
||||
'service_roles': service_roles},
|
||||
ctx.to_policy_values())
|
||||
|
||||
ctx = context.RequestContext(user=user,
|
||||
user_domain=user_domain,
|
||||
tenant=tenant,
|
||||
|
@ -577,6 +604,7 @@ class ContextTest(test_base.BaseTestCase):
|
|||
|
||||
self.assertEqual({'user_id': user,
|
||||
'user_domain_id': user_domain,
|
||||
'system_scope': None,
|
||||
'project_id': tenant,
|
||||
'project_domain_id': project_domain,
|
||||
'roles': roles,
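Review bot: The test hunks shown here exercise `system_scope` only through the `RequestContext(...)` constructor and `to_policy_values()`, with the values `None` and `'all'`. No visible hunk covers the `HTTP_OPENSTACK_SYSTEM_SCOPE` environ mapping, although existing tests outside these hunks may already exercise that path generically. The same gap applies to the dict that now carries `'system_scope'` next to `'tenant'` and `'project'`, and to a context given both `tenant` and `system_scope`. Since policy enforcement will key off this value, a test that builds the context from an environ containing the header and asserts `ctx.system_scope` would pin the trust-relevant path. A second test could fix the expected behaviour when both scopes are supplied.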
|
||||
|
|