diff options
author | Lance Bragstad <lbragstad@gmail.com> | 2018-10-17 21:11:14 +0000 |
---|---|---|
committer | Lance Bragstad <lbragstad@gmail.com> | 2018-11-30 14:52:36 +0000 |
commit | 7a2d79eafcc902a57f270522e6bfc71876836688 (patch) | |
tree | eb90c63911ed682f6b0d1894428869f4d2a6997b /oslo_policy/policy.py | |
parent | fe898122c8cbf8b00e35307c719a04724bfecf46 (diff) | |
download | oslo-policy-7a2d79eafcc902a57f270522e6bfc71876836688.tar.gz |
Add domain scope support for scope types
This commit makes it easier for services to protect APIs meant for
domain-only operations. It does this by making "domain-scope" an
official scope type to check for during policy enforcement.
A good example of where this would be useful is protecting the user
API in keystone, since user's are technically owned by domains.
This commit bumps the version of oslo.context to 2.22.0, which also
has domain support.
Depends-On: https://review.openstack.org/#/c/613635/
Change-Id: Ifc83a5f261bc823060eca5c4d0a4bf07966794c4
Diffstat (limited to 'oslo_policy/policy.py')
-rw-r--r-- | oslo_policy/policy.py | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py index 1758579..49e1c01 100644 --- a/oslo_policy/policy.py +++ b/oslo_policy/policy.py @@ -864,12 +864,11 @@ class Enforcer(object): # attributes provided in `creds`. if creds.get('system'): token_scope = 'system' + elif creds.get('domain_id'): + token_scope = 'domain' else: - # If the token isn't system-scoped then we're dealing with - # either a domain-scoped token or a project-scoped token. - # From a policy perspective, both are "project" operations. - # Whether or not the project is a domain depends on where - # it sits in the hierarchy. + # If the token isn't system-scoped or domain-scoped then + # we're dealing with a project-scoped token. token_scope = 'project' registered_rule = self.registered_rules.get(rule) |