authorunicell <unicell@gmail.com>2012-08-18 14:23:01 +0800
committerunicell <unicell@gmail.com>2012-08-19 00:31:23 +0800
commitc6be78deb6a3a7cbf092efdfb54f561ce689605f (patch)
treefaec33ed92d186a6e927d0dd1201b922a6dce0b2 /nova/policy.py
parenta10be151ad9f62bb916498c8dae42e4b54dfc779 (diff)
downloadnova-c6be78deb6a3a7cbf092efdfb54f561ce689605f.tar.gz
Remove hard-coded 'admin' role checking and use policy instead
bug 1037786 This change removes hard-coded 'admin' role checking and uses a policy check to decide is_admin at the time of context construction. It also sets the default admin role to 'admin' in the policy template to keep backward compatibility. Change-Id: I56b45bfdfba1b8e1391bde7fec3d4cf26c66324c
Diffstat (limited to 'nova/policy.py')
-rw-r--r--nova/policy.py20
1 files changed, 20 insertions, 0 deletions
diff --git a/nova/policy.py b/nova/policy.py
index 94bbbdd937..acfe830b99 100644
--- a/nova/policy.py
+++ b/nova/policy.py
@@ -92,3 +92,23 @@ def enforce(context, action, target):
policy.enforce(match_list, target, credentials,
exception.PolicyNotAuthorized, action=action)
+
+
+def check_admin_role(roles):
+ """Whether or not roles contains 'admin' role according to policy setting.
+
+ """
+ init()
+
+ action = 'admin'
+ match_list = ('rule:%s' % action,)
+ target = {}
+ credentials = {'roles': roles}
+
+ try:
+ policy.enforce(match_list, target, credentials,
+ exception.PolicyNotAuthorized, action=action)
+ except exception.PolicyNotAuthorized:
+ return False
+
+ return True
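Review bot: The docstring of `check_admin_role` promises more than the code checks: the function asks the policy engine whether the `admin` rule authorizes the given `roles`, and that rule is operator-defined, so it need not test for a literal 'admin' role at all. Because this result now feeds `is_admin` at context construction, the comment should make the dependency on the policy file explicit, e.g. `"""Return True if the policy 'admin' rule authorizes ``roles``. The rule is defined in the policy file (the template maps it to the 'admin' role); if the file defines no 'admin' rule, the result follows the engine's default-rule handling, so a misconfigured policy changes who is treated as admin."""`. The default-rule behaviour is inferred from how `policy.enforce` is used in `enforce()` above rather than visible in this hunk, so confirm it against the policy module before wording it as fact. A small style point: `match_list`, `target` and `credentials` are built by hand here in the same shape as in `enforce()`, whose body begins outside the hunk; if `enforce()` derives credentials from a context in the same way, a shared helper would keep the two rule lookups from drifting apart.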