author | Ghanshyam Mann <gmann@ghanshyammann.com> | 2019-08-01 13:43:30 +0000 |
committer | Ghanshyam Mann <gmann@ghanshyammann.com> | 2019-10-29 15:21:50 +0000 |
commit | 55ae1a5d5397638de7cfd2aec732a7685cc39f10 (patch) | |
tree | 80d308efb77728b5704f50db39ad47d42008daa8 /nova/policy.py | |
parent | 9742a64403c0a0ae5e0b37df5b0bf3ba14ac4626 (diff) | |
download | nova-55ae1a5d5397638de7cfd2aec732a7685cc39f10.tar.gz |
Pass RequestContext to oslo_policy
In the nova.policy.authorize() method, the context object is converted
to policy values by context.to_policy_values() and those values are then
passed into the oslo.policy enforcer authorize() method.
This is fine till now and does not cause any issue but when
scope_type is set on policy and context then scope info is
not passed correctly.
In case of system scope, oslo.policy check for a key called 'system'
in creds. The oslo.context library uses `system_scope` instead[1],
and the compatibility between both oslo.policy and oslo.context
are handled when complete context is passed into oslo_policy[2].
If nova convert the context object to policy values then system scope
info is not passed into the oslo_policy. Better way is to pass the complete
context object to oslo_policy and let oslo_policy fetch the system scope
info in correct way.
Update the lower constraints for oslo.policy and oslo.context to have
system scope checks feature.
Partial implement blueprint policy-defaults-refresh
[1] https://github.com/openstack/oslo.context/blob/f65408df5cd5924f2879c3ee94d07fd27cb2cf73/oslo_context/context.py#L321
[2] https://github.com/openstack/oslo.policy/blob/b9fd10e2612f26c93d49c168a0408aba6d20e5bf/oslo_policy/policy.py#L994
Change-Id: I847fc44e62065e3d26e5595e178b83912ab5d19b
Diffstat (limited to 'nova/policy.py')
-rw-r--r-- | nova/policy.py | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/nova/policy.py b/nova/policy.py
index 4f211872b3..1117b08d42 100644
--- a/nova/policy.py
+++ b/nova/policy.py
@@ -153,7 +153,6 @@ def authorize(context, action, target=None, do_raise=True, exc=None):
     do_raise is False.
     """
     init()
-    credentials = context.to_policy_values()
     if not exc:
         exc = exception.PolicyNotAuthorized
@@ -163,16 +162,23 @@ def authorize(context, action, target=None, do_raise=True, exc=None):
         target = default_target(context)
     try:
-        result = _ENFORCER.authorize(action, target, credentials,
+        result = _ENFORCER.authorize(action, target, context,
                                      do_raise=do_raise, exc=exc, action=action)
     except policy.PolicyNotRegistered:
         with excutils.save_and_reraise_exception():
             LOG.exception(_LE('Policy not registered'))
+    except policy.InvalidScope:
+        LOG.debug('Policy check for %(action)s failed with scope check '
+                  '%(credentials)s',
+                  {'action': action,
+                   'credentials': context.to_policy_values()})
+        raise exc(action=action)
     except Exception:
         with excutils.save_and_reraise_exception():
             LOG.debug('Policy check for %(action)s failed with credentials '
                       '%(credentials)s',
-                      {'action': action, 'credentials': credentials})
+                      {'action': action,
+                       'credentials': context.to_policy_values()})
     return result
@@ -187,9 +193,8 @@ def check_is_admin(context):
     init()
     # the target is user-self
-    credentials = context.to_policy_values()
     target = default_target(context)
-    return _ENFORCER.authorize('context_is_admin', target, credentials)
+    return _ENFORCER.authorize('context_is_admin', target, context)
 @policy.register('is_admin') |
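Review bot: The new `except policy.InvalidScope` branch in the second hunk raises `exc(action=action)` without consulting `do_raise`, so a caller that passed do_raise=False — the case the docstring fragment at the top of the first hunk ("do_raise is False") describes as returning rather than raising — now gets an exception on a scope mismatch, assuming oslo.policy raises InvalidScope independently of do_raise as the separate except clause suggests. If scope failures are meant to be fatal regardless of do_raise, the authorize() docstring (outside this hunk) should say so; otherwise mirror the existing contract with `if do_raise: raise exc(action=action)` followed by `result = False` so the trailing `return result` still has a value. The branch also repeats the generic `except Exception` debug message apart from the words 'scope check'; logging once before re-raising, or a small helper shared by both clauses, would keep the two messages from drifting. authorize() begins before this hunk and its `return result` is the last line shown.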