def get_repo(self, context): #生成数据库操作对象 image_repo = glance.db.ImageRepo(context, self.db_api) #??? store_image_repo = glance.location.ImageRepoProxy( image_repo, context, self.store_api, self.store_utils) #包装上配额检查 quota_image_repo = glance.quota.ImageRepoProxy( store_image_repo, context, self.db_api, self.store_utils) #包装上策略检查 policy_image_repo = policy.ImageRepoProxy( quota_image_repo, context, self.policy) #包装上消息通知 notifier_image_repo = glance.notifier.ImageRepoProxy( policy_image_repo, context, self.notifier) if property_utils.is_property_protection_enabled(): property_rules = property_utils.PropertyRules(self.policy) pir = property_protections.ProtectedImageRepoProxy( notifier_image_repo, context, property_rules) authorized_image_repo = authorization.ImageRepoProxy( pir, context) else: #简单起点,我们认为没有开启,再封装一层 authorized_image_repo = authorization.ImageRepoProxy( notifier_image_repo, context) return authorized_image_repo
def setUp(self): super(TestProtectedImageRepoProxy, self).setUp() self.set_property_protections() self.policy = policy.Enforcer() self.property_rules = property_utils.PropertyRules(self.policy) self.image_factory = glance.domain.ImageFactory() extra_props = { 'spl_create_prop': 'c', 'spl_read_prop': 'r', 'spl_update_prop': 'u', 'spl_delete_prop': 'd', 'forbidden': 'prop' } extra_props_2 = {'spl_read_prop': 'r', 'forbidden': 'prop'} self.fixtures = [ self.image_factory.new_image(image_id='1', owner=TENANT1, extra_properties=extra_props), self.image_factory.new_image(owner=TENANT2, visibility='public'), self.image_factory.new_image(image_id='3', owner=TENANT1, extra_properties=extra_props_2), ] self.context = glance.context.RequestContext(roles=['spl_role']) image_repo = self.ImageRepoStub(self.fixtures) self.image_repo = property_protections.ProtectedImageRepoProxy( image_repo, self.context, self.property_rules)
def get_repo(self, context, authorization_layer=True): """Get the layered ImageRepo model. This is where we construct the "the onion" by layering ImageRepo models on top of each other, starting with the DB at the bottom. NB: Code that has implemented policy checks fully above this layer should pass authorization_layer=False to ensure that no conflicts with old checks happen. Legacy code should continue passing True until legacy checks are no longer needed. :param context: The RequestContext :param authorization_layer: Controls whether or not we add the legacy glance.authorization and glance.policy layers. :returns: An ImageRepo-like object """ repo = glance.db.ImageRepo(context, self.db_api) repo = glance.location.ImageRepoProxy(repo, context, self.store_api, self.store_utils) repo = glance.quota.ImageRepoProxy(repo, context, self.db_api, self.store_utils) if authorization_layer: repo = policy.ImageRepoProxy(repo, context, self.policy) repo = glance.notifier.ImageRepoProxy(repo, context, self.notifier) if property_utils.is_property_protection_enabled(): property_rules = property_utils.PropertyRules(self.policy) repo = property_protections.ProtectedImageRepoProxy( repo, context, property_rules) if authorization_layer: repo = authorization.ImageRepoProxy(repo, context) return repo
def get_repo(self, context): image_repo = glance.db.ImageRepo(context, self.db_api) store_image_repo = glance.location.ImageRepoProxy( image_repo, context, self.store_api, self.store_utils) quota_image_repo = glance.quota.ImageRepoProxy(store_image_repo, context, self.db_api, self.store_utils) policy_image_repo = policy.ImageRepoProxy(quota_image_repo, context, self.policy) notifier_image_repo = glance.notifier.ImageRepoProxy( policy_image_repo, context, self.notifier) if property_utils.is_property_protection_enabled(): property_rules = property_utils.PropertyRules(self.policy) pir = property_protections.ProtectedImageRepoProxy( notifier_image_repo, context, property_rules) authorized_image_repo = authorization.ImageRepoProxy(pir, context) else: authorized_image_repo = authorization.ImageRepoProxy( notifier_image_repo, context) return authorized_image_repo