def before_delete(self, resource):
if resource.port == 0:
# FIXME(dhellmann): This will apply if the user creates
# any of their own aliases with a zero port.
raise exceptions.PolicyNotAuthorized(
action='modification of system port aliases.'
)
return super(PortaliasResource, self).before_delete(resource)
def update(self, context, resource, resource_dict):
if resource.name == 'Any':
raise exceptions.PolicyNotAuthorized(
action='modification of system address groups')
return super(AddressGroupResource, self).update(
context,
resource,
resource_dict,
)
def create(self, context, tenant_id, body):
if body.get('name', '').lower() == 'any':
raise exceptions.PolicyNotAuthorized(
action='creation of wildcard address groups')
return super(AddressGroupResource, self).create(
context,
tenant_id,
body,
)
def create(self, context, tenant_id, body):
if body.get('port') == 0:
# FIXME(dhellmann): This will apply if the user creates
# any of their own aliases with a zero port.
raise exceptions.PolicyNotAuthorized(
action='creation of wildcard port aliases'
)
return super(PortaliasResource, self).create(context,
tenant_id,
body
)
def update(self, context, resource, resource_dict):
if resource.port == 0:
# FIXME(dhellmann): This will apply if the user creates
# any of their own aliases with a zero port.
raise exceptions.PolicyNotAuthorized(
action='deletion of system port aliases.'
)
return super(PortaliasResource, self).update(context,
resource,
resource_dict,
)
def enforce(context, action, target, plugin=None):
"""Verifies that the action is valid on the target in this context.
:param context: neutron context
:param action: string representing the action to be checked
this should be colon separated for clarity.
:param target: dictionary representing the object of the action
for object creation this should be a dictionary representing the
location of the object e.g. ``{'project_id': context.project_id}``
:param plugin: currently unused and deprecated.
Kept for backward compatibility.
:raises neutron.exceptions.PolicyNotAuthorized: if verification fails.
"""
rule, target, credentials = _prepare_check(context, action, target)
result = policy.check(rule, target, credentials, action=action)
if not result:
LOG.debug(_("Failed policy check for '%s'"), action)
raise exceptions.PolicyNotAuthorized(action=action)
return result
def before_delete(self, resource):
if resource.name == 'Any':
raise exceptions.PolicyNotAuthorized(
action='modification of system address groups')
return super(AddressGroupResource, self).before_delete(resource)
