authorLance Bragstad <lbragstad@gmail.com>2017-12-29 21:28:17 +0000
committerLance Bragstad <lbragstad@gmail.com>2018-05-16 18:03:24 +0000
commit1a40b3d43bac5244bcba6bdbc4802fb76430d8d3 (patch)
treea2b27af44aef62c4bf1b01442a66f1ee68540958
parent92b96644eb2db08ec4367161f5a0b08403065348 (diff)
downloadoslo-context-1a40b3d43bac5244bcba6bdbc4802fb76430d8d3.tar.gz
Implement system-scope
The context should carry the information that all services need in order to enforce scoping. System scope can be implemented here and made available to projects when they start adding scope types to policies. bp system-scope Change-Id: I02fdaccfdd002d60b0b51c5d3327c783009cf35e
-rw-r--r--oslo_context/context.py12
-rw-r--r--oslo_context/tests/test_context.py28
2 files changed, 39 insertions, 1 deletions
diff --git a/oslo_context/context.py b/oslo_context/context.py
index 6475c2c..731b36e 100644
--- a/oslo_context/context.py
+++ b/oslo_context/context.py
@@ -49,6 +49,7 @@ _ENVIRON_HEADERS = {
'project_id': ['HTTP_X_PROJECT_ID',
'HTTP_X_TENANT_ID',
'HTTP_X_TENANT'],
+ 'system_scope': ['HTTP_OPENSTACK_SYSTEM_SCOPE'],
'user_domain_id': ['HTTP_X_USER_DOMAIN_ID'],
'project_domain_id': ['HTTP_X_PROJECT_DOMAIN_ID'],
'user_name': ['HTTP_X_USER_NAME'],
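Review bot: The new `'system_scope'` entry lets the context take its scope straight from the `HTTP_OPENSTACK_SYSTEM_SCOPE` environ key, and nothing here records that the value is trustworthy only when an authenticating middleware has set it from a validated token. Presumably the other identity headers in `_ENVIRON_HEADERS` rely on the same assumption, but this one selects deployment-wide scope, so it deserves an explicit statement. I would add a comment above the entry such as `# Populated by the auth middleware from the validated token; never trust this header on a request that bypassed that middleware.` The dict starts and ends outside the hunk.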
@@ -219,7 +220,8 @@ class RequestContext(object):
service_project_domain_id=None,
service_project_domain_name=None,
service_roles=None,
- global_request_id=None):
+ global_request_id=None,
+ system_scope=None):
"""Initialize the RequestContext
:param overwrite: Set to False to ensure that the greenthread local
@@ -228,6 +230,11 @@ class RequestContext(object):
the token as the admin project. Defaults to
True for backwards compatibility.
:type is_admin_project: bool
+ :param system_scope: The system scope of a token. The value ``all``
+ represents the entire deployment system. A service
+ ID represents a specific service within the
+ deployment system.
+ :type system_scope: string
"""
# setting to private variables to avoid triggering subclass properties
self._user_id = user_id
@@ -240,6 +247,7 @@ class RequestContext(object):
self.user_name = user_name
self.project_name = project_name
self.domain_name = domain_name
+ self.system_scope = system_scope
self.user_domain_name = user_domain_name
self.project_domain_name = project_domain_name
self.is_admin = is_admin
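Review bot: `self.system_scope = system_scope` stores whatever the caller passes, and nothing visible in this hunk stops a context from carrying a `system_scope` together with a project or domain. A policy consumer that reads both fields then has to choose which scope wins, and that choice is not documented here. If rejecting the combination is too strict for backward compatibility, a comment at the assignment would at least make the contract explicit, for example `# system_scope is expected to be mutually exclusive with project/domain scope; this is not enforced here.` The docstring could also say that `None` means the token is not system-scoped. The constructor body continues outside the hunk.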
@@ -309,6 +317,7 @@ class RequestContext(object):
return _DeprecatedPolicyValues({
'user_id': self.user_id,
'user_domain_id': self.user_domain_id,
+ 'system_scope': self.system_scope,
'project_id': self.project_id,
'project_domain_id': self.project_domain_id,
'roles': self.roles,
@@ -330,6 +339,7 @@ class RequestContext(object):
return {'user': self.user_id,
'tenant': self.project_id,
+ 'system_scope': self.system_scope,
'project': self.project_id,
'domain': self.domain_id,
'user_domain': self.user_domain_id,
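Review bot: `to_dict()` now emits `'system_scope'`, but this commit shows no matching change on the deserializing side. Unless `from_dict()` already forwards that key, a context that is serialized and rebuilt (for instance when handed to another process) would come back with `system_scope=None`, and scope checks on the receiving side would see a different scope than the one that was authorized. A round-trip assertion would pin this down: `self.assertEqual('all', context.RequestContext.from_dict(ctx.to_dict()).system_scope)`. The method body starts and ends outside the hunk.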
diff --git a/oslo_context/tests/test_context.py b/oslo_context/tests/test_context.py
index 7fb8d60..d7bab78 100644
--- a/oslo_context/tests/test_context.py
+++ b/oslo_context/tests/test_context.py
@@ -554,6 +554,7 @@ class ContextTest(test_base.BaseTestCase):
self.assertEqual({'user_id': user,
'user_domain_id': user_domain,
+ 'system_scope': None,
'project_id': tenant,
'project_domain_id': project_domain,
'roles': roles,
@@ -565,6 +566,32 @@ class ContextTest(test_base.BaseTestCase):
'service_roles': service_roles},
ctx.to_policy_values())
+ # NOTE(lbragstad): This string has special meaning in that the value
+ # ``all`` represents the entire deployment system.
+ system_all = 'all'
+
+ ctx = context.RequestContext(user=user,
+ user_domain=user_domain,
+ system_scope=system_all,
+ roles=roles,
+ service_user_id=service_user_id,
+ service_project_id=service_project_id,
+ service_roles=service_roles)
+
+ self.assertEqual({'user_id': user,
+ 'user_domain_id': user_domain,
+ 'system_scope': system_all,
+ 'project_id': None,
+ 'project_domain_id': None,
+ 'roles': roles,
+ 'is_admin_project': True,
+ 'service_user_id': service_user_id,
+ 'service_user_domain_id': None,
+ 'service_project_id': service_project_id,
+ 'service_project_domain_id': None,
+ 'service_roles': service_roles},
+ ctx.to_policy_values())
+
ctx = context.RequestContext(user=user,
user_domain=user_domain,
tenant=tenant,
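Review bot: The added case exercises `system_scope` only through the constructor and `to_policy_values()`; the new `HTTP_OPENSTACK_SYSTEM_SCOPE` mapping, which is the path a real request takes, is not covered. I would add a test along the lines of `ctx = context.RequestContext.from_environ({'HTTP_OPENSTACK_SYSTEM_SCOPE': 'all'})` followed by `self.assertEqual('all', ctx.system_scope)`. A second assertion that an environ without the header yields `None` would guard against an accidental default. The test method starts and ends outside the hunk.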
@@ -577,6 +604,7 @@ class ContextTest(test_base.BaseTestCase):
self.assertEqual({'user_id': user,
'user_domain_id': user_domain,
+ 'system_scope': None,
'project_id': tenant,
'project_domain_id': project_domain,
'roles': roles,