author | unicell <unicell@gmail.com> | 2012-08-18 14:23:01 +0800 |
committer | unicell <unicell@gmail.com> | 2012-08-19 00:31:23 +0800 |
commit | c6be78deb6a3a7cbf092efdfb54f561ce689605f (patch) | |
tree | faec33ed92d186a6e927d0dd1201b922a6dce0b2 /nova/policy.py | |
parent | a10be151ad9f62bb916498c8dae42e4b54dfc779 (diff) | |
Remove hard-coded 'admin' role checking and use policy instead
bug 1037786
This change removes the hard-coded 'admin' role check and uses a policy check to
decide is_admin at the time of context construction. It also sets the
default admin role to 'admin' in the policy template, to keep backward
compatibility.
Change-Id: I56b45bfdfba1b8e1391bde7fec3d4cf26c66324c
Diffstat (limited to 'nova/policy.py')
-rw-r--r-- | nova/policy.py | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/nova/policy.py b/nova/policy.py
index 94bbbdd937..acfe830b99 100644
--- a/nova/policy.py
+++ b/nova/policy.py
@@ -92,3 +92,23 @@ def enforce(context, action, target):
     policy.enforce(match_list, target, credentials, exception.PolicyNotAuthorized, action=action)
+
+
+def check_admin_role(roles):
+    """Whether or not roles contains 'admin' role according to policy setting.
+
+    """
+    init()
+
+    action = 'admin'
+    match_list = ('rule:%s' % action,)
+    target = {}
+    credentials = {'roles': roles}
+
+    try:
+        policy.enforce(match_list, target, credentials,
+                       exception.PolicyNotAuthorized, action=action)
+    except exception.PolicyNotAuthorized:
+        return False
+
+    return True
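Review bot: The rule that decides admin status is the bare literal `action = 'admin'` in check_admin_role, and nothing documents that it must match the 'admin' rule the commit adds to the policy template; if that rule is missing or renamed, the result presumably falls through to whatever the policy engine's default rule yields (the engine's fallback is outside this hunk), so admin determination would silently depend on the policy file's default instead of failing explicitly. I would name the rule once, e.g. `ADMIN_RULE = 'admin'` at module level, or at least add `# must match the 'admin' rule in the policy file; the engine's default rule applies if it is absent` above the assignment. The docstring is also a fragment; suggest `Return True if *roles* satisfies the 'admin' policy rule, else False. Only PolicyNotAuthorized is mapped to False; other engine errors propagate.` It is worth stating there as well that `target = {}` and a credentials dict holding only 'roles' mean an admin rule that references target or other credential attributes cannot match.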