authorMichael Johnson <johnsomor@gmail.com>2021-07-15 21:42:54 +0000
committerMichael Johnson <johnsomor@gmail.com>2021-09-29 18:40:03 +0000
commitff2a39fc619baafa956bee74a2574f5438d40767 (patch)
tree5f7d301b6976500c211c9337585565c04f46d339 /oslo_policy/policy.py
parentf3d6914656df6cba0993cb7290ada2dc321ba1cf (diff)
Map system_scope in creds dictionaryxena-em3.8.3stable/xena
An earlier patch[1] added a mapping for context 'system_scope' to 'system' when enforce was called with a RequestContext object. However, enforce can also be called with a creds dictionary that may contain the context 'system_scope' element. When this occurred, 'system_scope' was not mapped to 'system' and the enforce would fail with an InvalidScope exception. This patch moves the 'system_scope' mapping from only occurring with RequestContext objects to also map it when a creds dictionary is passed to enforce. [1] https://review.opendev.org/c/openstack/oslo.policy/+/578995 Change-Id: I83a22c3f825bad0c88018118f8630a20a445965e (cherry picked from commit 9774108cf91408e9cb825b317f48a3a3f856e161)
Diffstat (limited to 'oslo_policy/policy.py')
-rw-r--r--oslo_policy/policy.py22
1 files changed, 11 insertions, 11 deletions
diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py
index 4491eca..53815d6 100644
--- a/oslo_policy/policy.py
+++ b/oslo_policy/policy.py
@@ -982,6 +982,17 @@ class Enforcer(object):
)
raise InvalidContextObject(msg)
+ # NOTE(lbragstad): We unfortunately have to special case this
+ # attribute. Originally when the system scope when into oslo.policy, we
+ # checked for a key called 'system' in creds. The oslo.context library
+ # uses `system_scope` instead, and the compatibility between
+ # oslo.policy and oslo.context was an afterthought. We'll have to
+ # support services who've been setting creds['system'], but we can do
+ # that by making sure we populate it with what's in the context object
+ # if it has a system_scope attribute.
+ if creds.get('system_scope'):
+ creds['system'] = creds.get('system_scope')
+
if LOG.isEnabledFor(logging.DEBUG):
try:
creds_dict = strutils.mask_dict_password(creds)
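Review bot: The relocated mapping `creds['system'] = creds.get('system_scope')` now also runs on a caller-supplied creds dictionary, so a truthy `system_scope` silently replaces any `system` value the caller already set. The write also appears to land in the caller's own mapping, though the code that prepares `creds` sits above this hunk, so that part is inferred. Since the commit description ties this key to the InvalidScope check, the precedence between the two keys is worth stating where it is decided; the moved NOTE still speaks only of "the context object" and its "system_scope attribute". I would extend the comment with something like `# 'system_scope' takes precedence over an existing creds['system']; creds is updated in place, including a dict passed by the caller.` The enclosing method begins and ends outside the hunk.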
@@ -1088,17 +1099,6 @@ class Enforcer(object):
for k, v in context_values.items():
creds[k] = v
- # NOTE(lbragstad): We unfortunately have to special case this
- # attribute. Originally when the system scope when into oslo.policy, we
- # checked for a key called 'system' in creds. The oslo.context library
- # uses `system_scope` instead, and the compatibility between
- # oslo.policy and oslo.context was an afterthought. We'll have to
- # support services who've been setting creds['system'], but we can do
- # that by making sure we populate it with what's in the context object
- # if it has a system_scope attribute.
- if context.system_scope:
- creds['system'] = context.system_scope
-
return creds
def register_default(self, default):