def _get_default_policy_rules(self):
    """Build a mapping of every in-code policy rule to its check string.

    Each policy carries a default value that is maintained in code. The
    result is a fresh dictionary keyed by rule name whose values are the
    corresponding default check strings.
    """
    return {
        default.name: default.check_str
        for default in policies.list_rules()
    }
def _add_missing_default_rules(self, rules):
    """Fill in any in-code default rules that *rules* does not define.

    The supplied dict may hold only a partial set of policy rules. Every
    default rule whose name is absent is inserted with its default check
    string. Entries already present in *rules* always win and are never
    overwritten. The dict is modified in place.

    This method is temporary and is only needed until all policy.json
    rules have been moved into code.
    """
    # The generator is lazy, so the membership test runs against the dict
    # as it is being filled, not against a snapshot.
    absent = (
        default for default in policies.list_rules()
        if default.name not in rules
    )
    for default in absent:
        rules[default.name] = default.check_str
def register_rules(enforcer):
    """Register every in-code policy rule as a default on *enforcer*."""
    in_code_defaults = policies.list_rules()
    enforcer.register_defaults(in_code_defaults)
from keystone.common import authorization from keystone.common import context from keystone.common import policies from keystone.common import provider_api from keystone.common import utils import keystone.conf from keystone import exception from keystone.i18n import _ from keystone.models import token_model CONF = keystone.conf.CONF LOG = log.getLogger(__name__) PROVIDER_APIS = provider_api.ProviderAPIs _POSSIBLE_TARGET_ACTIONS = frozenset([ rule.name for rule in policies.list_rules() if not rule.deprecated_for_removal ]) _ENFORCEMENT_CHECK_ATTR = 'keystone:RBAC:enforcement_called' class RBACEnforcer(object): """Enforce RBAC on API calls.""" __shared_state__ = {} __ENFORCER = None ACTION_STORE_ATTR = 'keystone:RBAC:action_name' def __init__(self): # NOTE(morgan): All Enforcer Instances use the same shared state; # BORG pattern.
from keystone.common import policies
from keystone.common import provider_api
from keystone.common import utils
import keystone.conf
from keystone import exception
from keystone.i18n import _


CONF = keystone.conf.CONF
LOG = log.getLogger(__name__)
PROVIDER_APIS = provider_api.ProviderAPIs

# Names of every in-code policy rule that is not flagged
# deprecated_for_removal. Built once, at import time, and immutable.
# NOTE(review): presumably the set of action names that may be enforced;
# the consumer is not visible in this excerpt -- confirm.
_POSSIBLE_TARGET_ACTIONS = frozenset([
    rule.name for rule in policies.list_rules() if not
    rule.deprecated_for_removal
])
# NOTE(review): looks like the key under which "enforcement was called" is
# recorded; where it is set and checked is not visible here -- confirm.
_ENFORCEMENT_CHECK_ATTR = 'keystone:RBAC:enforcement_called'


class RBACEnforcer(object):
    """Enforce RBAC on API calls."""

    # The one dict that __init__ installs as every instance's __dict__.
    __shared_state__ = {}
    # Class-private (name-mangled) attribute, initially unset.
    # NOTE(review): presumably holds a single shared enforcer object; the
    # code that populates it is not visible here -- confirm.
    __ENFORCER = None
    # NOTE(review): presumably the key under which the enforced action name
    # is stored; verify against the callers.
    ACTION_STORE_ATTR = 'keystone:RBAC:action_name'

    def __init__(self):
        # NOTE(morgan): All Enforcer Instances use the same shared state;
        # BORG pattern.
        # Consequence: an attribute set through one instance is visible
        # through every other instance in the same process.
        self.__dict__ = self.__shared_state__