def enforce(context, action, target):
"""Verifies that the action is valid on the target in this context.
:param context: nova context
:param action: string representing the action to be checked
this should be colon separated for clarity.
i.e. ``compute:create_instance``,
``compute:attach_volume``,
``volume:attach_volume``
:param object: dictionary representing the object of the action
for object creation this should be a dictionary representing the
location of the object e.g. ``{'project_id': context.project_id}``
:raises nova.exception.PolicyNotAllowed: if verification fails.
"""
init()
match_list = ('rule:%s' % action, )
credentials = context.to_dict()
policy.enforce(match_list,
target,
credentials,
exception.PolicyNotAuthorized,
action=action)
def enforce(context, action, target):
"""Verifies that the action is valid on the target in this context.
:param context: nova context
:param action: string representing the action to be checked
this should be colon separated for clarity.
i.e. ``compute:create_instance``,
``compute:attach_volume``,
``volume:attach_volume``
:param object: dictionary representing the object of the action
for object creation this should be a dictionary representing the
location of the object e.g. ``{'project_id': context.project_id}``
:raises nova.exception.PolicyNotAuthorized: if verification fails.
"""
init()
match_list = ('rule:%s' % action,)
credentials = context.to_dict()
# NOTE(vish): This is to work around the following launchpad bug:
# https://bugs.launchpad.net/openstack-common/+bug/1039132
# It can be removed when that bug is fixed.
credentials['is_admin'] = unicode(credentials['is_admin'])
policy.enforce(match_list, target, credentials,
exception.PolicyNotAuthorized, action=action)
def enforce(context, action, target):
"""Verifies that the action is valid on the target in this context.
:param context: nova context
:param action: string representing the action to be checked
this should be colon separated for clarity.
i.e. ``compute:create_instance``,
``compute:attach_volume``,
``volume:attach_volume``
:param object: dictionary representing the object of the action
for object creation this should be a dictionary representing the
location of the object e.g. ``{'project_id': context.project_id}``
:raises nova.exception.PolicyNotAllowed: if verification fails.
"""
init()
match_list = ('rule:%s' % action,)
credentials = context.to_dict()
# NOTE(vish): This is to work around the following launchpad bug:
# https://bugs.launchpad.net/openstack-common/+bug/1039132
# It can be removed when that bug is fixed.
credentials['is_admin'] = unicode(credentials['is_admin'])
policy.enforce(match_list, target, credentials,
exception.PolicyNotAuthorized, action=action)
def check_is_admin(roles):
"""Whether or not roles contains 'admin' role according to policy setting.
"""
init()
action = "context_is_admin"
match_list = ("rule:%s" % action,)
target = {}
credentials = {"roles": roles}
try:
policy.enforce(match_list, target, credentials, exception.PolicyNotAuthorized, action=action)
except exception.PolicyNotAuthorized:
return False
return True
def check_is_admin(roles):
"""Whether or not roles contains 'admin' role according to policy setting.
"""
init()
action = 'context_is_admin'
match_list = ('rule:%s' % action,)
target = {}
credentials = {'roles': roles}
try:
policy.enforce(match_list, target, credentials,
exception.PolicyNotAuthorized, action=action)
except exception.PolicyNotAuthorized:
return False
return True
def enforce(context, action, target):
"""Verifies that the action is valid on the target in this context.
:param context: nova context
:param action: string representing the action to be checked
this should be colon separated for clarity.
i.e. ``compute:create_instance``,
``compute:attach_volume``,
``volume:attach_volume``
:param object: dictionary representing the object of the action
for object creation this should be a dictionary representing the
location of the object e.g. ``{'project_id': context.project_id}``
:raises nova.exception.PolicyNotAllowed: if verification fails.
"""
init()
match_list = ('rule:%s' % action,)
credentials = context.to_dict()
policy.enforce(match_list, target, credentials,
exception.PolicyNotAuthorized, action=action)