Пример #1
0
def check_is_admin(roles):
    """Whether or not roles contains 'admin' role according to policy setting.

    """
    init()

    if isinstance(roles, RequestContext):
        # the target is user-self
        credentials = roles.to_dict()
        target = credentials
        return policy.check('context_is_admin', target, credentials)
    else:
        return policy.check('context_is_admin', {}, {'roles': roles})
Пример #2
0
def enforce(context, action, target, do_raise=True):
    """Verifies that the action is valid on the target in this context.

       :param context: ironic context
       :param action: string representing the action to be checked
           this should be colon separated for clarity.
           i.e. ``compute:create_instance``,
           ``compute:attach_volume``,
           ``volume:attach_volume``
       :param target: dictionary representing the object of the action
           for object creation this should be a dictionary representing the
           location of the object e.g. ``{'project_id': context.project_id}``
       :param do_raise: if True (the default), raises PolicyNotAuthorized;
           if False, returns False

       :raises nova.exception.PolicyNotAuthorized: if verification fails
           and do_raise is True.

       :return: returns a non-False value (not necessarily "True") if
           authorized, and the exact value False if not authorized and
           do_raise is False.
    """
    init()

    credentials = context.to_dict()

    # Add the exception arguments if asked to do a raise
    extra = {}
    if do_raise:
        extra.update(exc=exception.PolicyNotAuthorized, action=action)

    return policy.check(action, target, credentials, **extra)
Пример #3
0
def enforce(context, action, target, do_raise=True):
    """Verifies that the action is valid on the target in this context.

       :param context: ironic context
       :param action: string representing the action to be checked
           this should be colon separated for clarity.
           i.e. ``compute:create_instance``,
           ``compute:attach_volume``,
           ``volume:attach_volume``
       :param target: dictionary representing the object of the action
           for object creation this should be a dictionary representing the
           location of the object e.g. ``{'project_id': context.project_id}``
       :param do_raise: if True (the default), raises PolicyNotAuthorized;
           if False, returns False

       :raises ironic.exception.PolicyNotAuthorized: if verification fails
           and do_raise is True.

       :return: returns a non-False value (not necessarily "True") if
           authorized, and the exact value False if not authorized and
           do_raise is False.
    """
    init()

    credentials = context.to_dict()

    # Add the exception arguments if asked to do a raise
    extra = {}
    if do_raise:
        extra.update(exc=exception.PolicyNotAuthorized, action=action)

    return policy.check(action, target, credentials, **extra)
Пример #4
0
def check_is_admin(context):
    """Whether or not role contains 'admin' role according to policy setting.

    """
    init()

    credentials = context.to_dict()
    target = credentials

    return policy.check('context_is_admin', target, credentials)
Пример #5
0
def check_is_admin(context):
    """Whether or not role contains 'admin' role according to policy setting.

    """
    init()

    credentials = context.to_dict()
    target = credentials

    return policy.check('context_is_admin', target, credentials)
Пример #6
0
    def before(self, state):
        user_id = state.request.headers.get('X-User-Id')
        user_id = state.request.headers.get('X-User', user_id)
        tenant = state.request.headers.get('X-Tenant-Id')
        tenant = state.request.headers.get('X-Tenant', tenant)
        auth_token = state.request.headers.get('X-Auth-Token', None)
        creds = {'roles': state.request.headers.get('X-Roles', '').split(',')}
        is_admin = policy.check('is_admin', state.request.headers, creds)

        state.request.context = context.RequestContext(
            auth_token=auth_token,
            user=user_id,
            tenant=tenant,
            request_id=context.generate_request_id(),
            is_admin=is_admin)
Пример #7
0
    def before(self, state):
        user_id = state.request.headers.get('X-User-Id')
        user_id = state.request.headers.get('X-User', user_id)
        tenant = state.request.headers.get('X-Tenant-Id')
        tenant = state.request.headers.get('X-Tenant', tenant)
        domain_id = state.request.headers.get('X-User-Domain-Id')
        domain_name = state.request.headers.get('X-User-Domain-Name')
        auth_token = state.request.headers.get('X-Auth-Token')
        creds = {'roles': state.request.headers.get('X-Roles', '').split(',')}

        is_public_api = state.request.environ.get('is_public_api', False)
        is_admin = policy.check('admin', state.request.headers, creds)

        state.request.context = context.RequestContext(
            auth_token=auth_token,
            user=user_id,
            tenant=tenant,
            domain_id=domain_id,
            domain_name=domain_name,
            is_admin=is_admin,
            is_public_api=is_public_api)
Пример #8
0
    def before(self, state):
        user_id = state.request.headers.get('X-User-Id')
        user_id = state.request.headers.get('X-User', user_id)
        tenant = state.request.headers.get('X-Tenant-Id')
        tenant = state.request.headers.get('X-Tenant', tenant)
        domain_id = state.request.headers.get('X-User-Domain-Id')
        domain_name = state.request.headers.get('X-User-Domain-Name')
        auth_token = state.request.headers.get('X-Auth-Token')
        creds = {'roles': state.request.headers.get('X-Roles', '').split(',')}

        is_public_api = state.request.environ.get('is_public_api', False)
        is_admin = policy.check('admin', state.request.headers, creds)

        state.request.context = context.RequestContext(
            auth_token=auth_token,
            user=user_id,
            tenant=tenant,
            domain_id=domain_id,
            domain_name=domain_name,
            is_admin=is_admin,
            is_public_api=is_public_api)
Пример #9
0
    def before(self, state):
        user_id = state.request.headers.get('X-User-Id')
        user_id = state.request.headers.get('X-User', user_id)
        tenant = state.request.headers.get('X-Tenant-Id')
        tenant = state.request.headers.get('X-Tenant', tenant)
        domain_id = state.request.headers.get('X-User-Domain-Id')
        domain_name = state.request.headers.get('X-User-Domain-Name')
        auth_token = state.request.headers.get('X-Auth-Token', None)
        creds = {'roles': state.request.headers.get('X-Roles', '').split(',')}

        is_admin = policy.check('admin', state.request.headers, creds)

        path = utils.safe_rstrip(state.request.path, '/')
        is_public_api = path in self.public_api_routes

        state.request.context = context.RequestContext(
            auth_token=auth_token,
            user=user_id,
            tenant=tenant,
            domain_id=domain_id,
            domain_name=domain_name,
            is_admin=is_admin,
            is_public_api=is_public_api)
Пример #10
0
    def before(self, state):
        ctx = state.request.context
        is_admin_api = policy.check('admin_api', {}, ctx.to_dict())

        if not is_admin_api and not ctx.is_public_api:
            raise exc.HTTPForbidden()
Пример #11
0
    def before(self, state):
        ctx = state.request.context
        is_admin_api = policy.check('admin_api', {}, ctx.to_dict())

        if not is_admin_api and not ctx.is_public_api:
            raise exc.HTTPForbidden()