def enforce(policy_name, request):
    """Abort the request with HTTP 403 if the telemetry policy denies it.

    The rule checked is ``"telemetry:" + policy_name``. Credentials handed
    to the enforcer are built from the ``X-Roles``, ``X-User-Id`` and
    ``X-Project-Id`` request headers. Nothing is returned.

    :param request: HTTP request
    :param policy_name: the policy name to validate authz against.
    """
    global _ENFORCER
    if not _ENFORCER:
        # Lazily create the shared enforcer and load its rules on first use.
        _ENFORCER = policy.Enforcer()
        _ENFORCER.load_rules()

    wanted_rule = "telemetry:" + policy_name
    hdrs = request.headers
    # NOTE(review): identity comes straight from request headers; this
    # assumes an upstream authentication layer sets them and discards any
    # client-supplied copies -- confirm against the deployment.
    # A missing X-Roles header yields roles == [''] ("".split(",")).
    creds = {
        'roles': hdrs.get('X-Roles', "").split(","),
        'target.user_id': hdrs.get('X-User-Id'),
        'target.project_id': hdrs.get('X-Project-Id'),
    }

    # Only a rule that is actually loaded gets evaluated. If no loaded rule
    # matches wanted_rule the function returns without any check, i.e. an
    # undefined (or misspelled) policy name does not deny the request.
    for loaded_rule in _ENFORCER.rules.keys():
        if loaded_rule != wanted_rule:
            continue
        if _ENFORCER.enforce(loaded_rule, {}, creds):
            continue
        pecan.core.abort(status_code=403,
                         detail='RBAC Authorization Failed')
def get_limited_to_project(headers):
    """Return the tenant the request should be limited to.

    :param headers: HTTP headers dictionary
    :return: the ``X-Tenant-Id`` header value when the
             ``context_is_admin`` check fails, otherwise None (no limit).
    """
    global _ENFORCER
    if not _ENFORCER:
        # NOTE(review): no explicit load_rules() call here; presumably the
        # enforcer loads rules itself when enforce() runs -- confirm.
        _ENFORCER = policy.Enforcer()

    # NOTE(review): roles are taken from the X-Roles header as-is; this
    # assumes a trusted authentication layer populated it -- confirm.
    # A missing header yields [''] rather than an empty list.
    role_list = headers.get('X-Roles', "").split(",")
    unrestricted = _ENFORCER.enforce('context_is_admin', {},
                                     {'roles': role_list})
    if unrestricted:
        return None
    return headers.get('X-Tenant-Id')
def get_limited_to(headers):
    """Return the user and project the request should be limited to.

    The limit applies whenever the ``context_is_admin`` check fails for the
    roles listed in the ``X-Roles`` header.

    :param headers: HTTP headers dictionary
    :return: A tuple of (user, project), set to None if there's no limit on
             one of these.
    """
    global _ENFORCER
    if not _ENFORCER:
        # NOTE(review): no explicit load_rules() call here; presumably the
        # enforcer loads rules itself when enforce() runs -- confirm.
        _ENFORCER = policy.Enforcer()

    # NOTE(review): roles and identity come from request headers as-is;
    # this assumes a trusted authentication layer populated them -- confirm.
    # A missing X-Roles header yields [''] rather than an empty list.
    role_list = headers.get('X-Roles', "").split(",")
    unrestricted = _ENFORCER.enforce('context_is_admin', {},
                                     {'roles': role_list})
    if unrestricted:
        return None, None
    return headers.get('X-User-Id'), headers.get('X-Project-Id')
def get_limited_to(headers):
    """Return the user and project the request should be limited to.

    The decision is delegated to the ``segregation`` policy rule: when that
    check passes no limit is applied, when it fails the caller is limited
    to the user and project named in the request headers.

    :param headers: HTTP headers dictionary
    :return: A tuple of (user, project), set to None if there's no limit on
             one of these.
    """
    global _ENFORCER
    if not _ENFORCER:
        # Lazily create the shared enforcer and load its rules on first use.
        _ENFORCER = policy.Enforcer()
        _ENFORCER.load_rules()

    # NOTE(review): roles and identity come from request headers as-is;
    # this assumes a trusted authentication layer populated them -- confirm.
    # A missing X-Roles header yields roles == [''] ("".split(",")).
    creds = {
        'roles': headers.get('X-Roles', "").split(","),
        'target.user_id': headers.get('X-User-Id'),
        'target.project_id': headers.get('X-Project-Id'),
    }

    unrestricted = _ENFORCER.enforce('segregation', {}, creds)
    if unrestricted:
        return None, None
    return headers.get('X-User-Id'), headers.get('X-Project-Id')