def enforce(context, action, target, plugin=None):
    """Authorize ``action`` on ``target`` for the caller described by ``context``.

    :param context: quantum context; its ``to_dict()`` output is used as the
                    credentials for the check
    :param action: string naming the action to authorize (colon separated
                   for clarity)
    :param target: dictionary describing the object of the action; for
                   object creation, the location of the object, e.g.
                   ``{'project_id': context.project_id}``. ``None`` is
                   replaced by an empty dictionary.
    :param plugin: quantum plugin handed to ``_build_target`` so it can
                   augment the target
    :returns: whatever ``policy.check`` returns
    :raises: ``exceptions.PolicyNotAuthorized`` is handed to ``policy.check``
             together with ``action``; presumably that is the exception
             raised on denial -- confirm against the policy engine
    """
    init()
    # Only None is swapped for a fresh dict; an explicitly passed {} goes
    # through to _build_target as the caller supplied it.
    target = {} if target is None else target
    augmented_target = _build_target(action, target, plugin, context)
    rule = _build_match_rule(action, augmented_target)
    caller_credentials = context.to_dict()
    return policy.check(
        rule,
        augmented_target,
        caller_credentials,
        exceptions.PolicyNotAuthorized,
        action=action,
    )
def check_is_admin(context):
    """Report whether policy grants ``context`` admin rights.

    The context's own ``to_dict()`` output serves as both the credentials
    and the target of the check.

    :param context: quantum context
    :returns: the result of ``policy.check`` for the selected admin rule
    """
    init()
    # The caller is checked against itself: one dict is used as target and
    # as credentials.
    caller = context.to_dict()
    # Backward compatibility: when ADMIN_CTX_POLICY is not among the loaded
    # rules, admin status is decided by the 'role:admin' rule instead.
    # NOTE(review): this reads the policy engine's private ``_rules``
    # mapping directly.
    if ADMIN_CTX_POLICY in policy._rules and ADMIN_CTX_POLICY:
        admin_rule = ADMIN_CTX_POLICY
    else:
        admin_rule = 'role:admin'
    return policy.check(admin_rule, caller, caller)
def check_if_exists(context, action, target):
    """Check ``action`` on ``target``, raising when the action is unknown.

    An action with no entry in the policy engine's rules is reported with
    ``PolicyRuleNotFound`` rather than being evaluated.

    :param context: quantum context
    :param action: string naming the action to be checked
    :param target: dictionary representing the object of the action
    :returns: the result of ``policy.check`` for a known action
    :raises exceptions.PolicyRuleNotFound: if the rules are empty or hold no
                                           entry for ``action``
    """
    # TODO(salvatore-orlando): Consider modifying oslo policy engine so
    # that a failed check and a missing policy raise distinct exceptions.
    # NOTE(review): ``policy._rules`` is read here before any init() call
    # visible in this function; confirm the rules are loaded by the time
    # this runs, otherwise every action is reported as unknown.
    action_is_known = policy._rules and action in policy._rules
    if not action_is_known:
        raise exceptions.PolicyRuleNotFound(rule=action)
    check_args = _prepare_check(context, action, target)
    return policy.check(*check_args)
def check(context, action, target, plugin=None):
    """Ask the policy engine whether ``action`` is allowed on ``target``.

    No exception is handed to ``policy.check`` here, so the decision is
    carried by the return value; a caller that ignores it enforces nothing.

    :param context: quantum context
    :param action: string naming the action to be checked (colon separated
                   for clarity)
    :param target: dictionary describing the object of the action; for
                   object creation, the location of the object, e.g.
                   ``{'project_id': context.project_id}``
    :param plugin: currently unused and deprecated. Kept for backward
                   compatibility.
    :return: True if access is permitted, else False.
    """
    # ``plugin`` is deliberately not forwarded.
    check_args = _prepare_check(context, action, target)
    return policy.check(*check_args)
def check(context, action, target, plugin=None):
    """Ask the policy engine whether ``action`` is allowed on ``target``.

    No exception is handed to ``policy.check`` here, so the decision is
    carried by the return value; a caller that ignores it enforces nothing.

    :param context: quantum context
    :param action: string naming the action to be checked (colon separated
                   for clarity)
    :param target: dictionary describing the object of the action; for
                   object creation, the location of the object, e.g.
                   ``{'project_id': context.project_id}``
    :param plugin: quantum plugin forwarded to ``_prepare_check``, used to
                   retrieve information required for augmenting the target
    :return: True if access is permitted, else False.
    """
    check_args = _prepare_check(context, action, target, plugin)
    return policy.check(*check_args)
def check(context, action, target, plugin=None):
    """Ask the policy engine whether ``action`` is allowed on ``target``.

    No exception is handed to ``policy.check`` here, so the decision is
    carried by the return value; a caller that ignores it enforces nothing.

    :param context: quantum context; its ``to_dict()`` output is used as the
                    credentials for the check
    :param action: string naming the action to be checked (colon separated
                   for clarity)
    :param target: dictionary describing the object of the action; for
                   object creation, the location of the object, e.g.
                   ``{'project_id': context.project_id}``
    :param plugin: quantum plugin handed to ``_build_target`` so it can
                   augment the target
    :return: True if access is permitted, else False.
    """
    init()
    # The rule is matched against the augmented target, not the raw one the
    # caller passed in.
    augmented_target = _build_target(action, target, plugin, context)
    rule = _build_match_rule(action, augmented_target)
    caller_credentials = context.to_dict()
    return policy.check(rule, augmented_target, caller_credentials)
def enforce(context, action, target, plugin=None):
    """Authorize ``action`` on ``target`` for the caller described by ``context``.

    :param context: quantum context
    :param action: string naming the action to authorize (colon separated
                   for clarity)
    :param target: dictionary describing the object of the action; for
                   object creation, the location of the object, e.g.
                   ``{'project_id': context.project_id}``
    :param plugin: currently unused and deprecated. Kept for backward
                   compatibility.
    :returns: whatever ``policy.check`` returns
    :raises: ``exceptions.PolicyNotAuthorized`` is passed to ``policy.check``
             as ``exc`` together with ``action``; presumably that is the
             exception raised on denial -- confirm against the policy engine
    """
    init()
    # ``plugin`` is deliberately not forwarded.
    prepared = _prepare_check(context, action, target)
    rule, checked_target, caller_credentials = prepared
    return policy.check(
        rule,
        checked_target,
        caller_credentials,
        exc=exceptions.PolicyNotAuthorized,
        action=action,
    )
def enforce(context, action, target, plugin=None):
    """Authorize ``action`` on ``target`` for the caller described by ``context``.

    :param context: quantum context; its ``to_dict()`` output is used as the
                    credentials for the check
    :param action: string naming the action to authorize (colon separated
                   for clarity)
    :param target: dictionary describing the object of the action; for
                   object creation, the location of the object, e.g.
                   ``{'project_id': context.project_id}``
    :param plugin: quantum plugin handed to ``_build_target`` so it can
                   augment the target
    :returns: whatever ``policy.check`` returns
    :raises: ``exceptions.PolicyNotAuthorized`` is handed to ``policy.check``
             together with ``action``; presumably that is the exception
             raised on denial -- confirm against the policy engine
    """
    init()
    # The rule is matched against the augmented target, not the raw one the
    # caller passed in.
    augmented_target = _build_target(action, target, plugin, context)
    rule = _build_match_rule(action, augmented_target)
    caller_credentials = context.to_dict()
    return policy.check(
        rule,
        augmented_target,
        caller_credentials,
        exceptions.PolicyNotAuthorized,
        action=action,
    )