Update API policy

* Set admin rule for a several API calls and remove direct check in code * Now admin can configure policy.json and enable package management for regular users * Update common policy module Closes-Bug: #1412868 Change-Id: I8d0725b613564529d32a5acef289f4822f32915c
2015-02-27 11:05:07 +03:00 · 2015-02-27 11:05:07 +03:00 · d82b74b62f
parent 67d980e5a8
commit d82b74b62f
5 changed files with 25 additions and 5 deletions
--- a/etc/murano/policy.json
+++ b/etc/murano/policy.json
@ -1,6 +1,10 @@
 {
-    "context_is_admin": "role:admin or is_admin:True",
+    "context_is_admin": "role:admin",
+    "admin_api": "is_admin:True",
+    "default": "",

-    "default": ""
+    "update_package": "rule:admin_api",
+    "upload_package": "rule:admin_api",
+    "delete_package": "rule:admin_api"
 }

--- a/murano/common/policy.py
+++ b/murano/common/policy.py
@ -85,3 +85,13 @@ def check(rule, ctxt, target={}, do_raise=True, exc=exceptions.HTTPForbidden):
            LOG.audit(_("Policy check failed for rule "
                        "'%(rule)s' on target: %(target)s"),
                      {'rule': rule, 'target': repr(target)}, extra=extra)
+
+
+def check_is_admin(context):
+    """Check if the given context is associated with an admin role.
+
+       :param context: Murano request context
+       :returns: A non-False value if context role is admin.
+    """
+    return check('context_is_admin', context,
+                 context.to_dict(), do_raise=False)
--- a/murano/context.py
+++ b/murano/context.py
@ -12,6 +12,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+from murano.common import policy
+

 class RequestContext(object):
    """Stores information about the security context under which the user
@ -30,6 +32,9 @@ class RequestContext(object):
        self.is_admin = is_admin
        self.roles = roles or []

+        if self.is_admin is None:
+            self.is_admin = policy.check_is_admin(self)
+
    def to_dict(self):
        return {
            'user': self.user,
--- a/murano/db/catalog/api.py
+++ b/murano/db/catalog/api.py
@ -60,8 +60,6 @@ def _package_get(package_id_or_name, session):


 def _authorize_package(package, context, allow_public=False):
-    if context.is_admin:
-        return

    if package.owner_id != context.tenant:
        if not allow_public:
--- a/murano/tests/functional/api/base.py
+++ b/murano/tests/functional/api/base.py
@ -19,6 +19,7 @@ import uuid

 import requests
 from tempest import clients
+from tempest.common import cred_provider
 from tempest.common import isolated_creds
 from tempest import config
 from tempest import test
@ -230,7 +231,9 @@ class TestCase(test.BaseTestCase):

        # If no credentials are provided, the Manager will use those
        # in CONF.identity and generate an auth_provider from them
-        mgr = clients.Manager()
+        cls.creds = cred_provider.get_configured_credentials(
+            credential_type='identity_admin')
+        mgr = clients.Manager(cls.creds)
        cls.client = MuranoClient(mgr.auth_provider)

    def setUp(self):