author | Petr Malik <pmalik@tesora.com> | 2016-06-27 16:01:42 -0400 |
---|---|---|
committer | Petr Malik <pmalik@tesora.com> | 2016-12-06 21:51:21 +0000 |
commit | 21250cf20c0efbe6d57c4a712c51b80667e53b44 (patch) | |
tree | d18e6ee84986b798e7654e254a2a6894dc8d54f4 /trove/datastore | |
parent | 77fd7014c0007c83652dd4fb1f9d3316a97b1ed3 (diff) | |
download | trove-21250cf20c0efbe6d57c4a712c51b80667e53b44.tar.gz |
Add support for Oslo Policies to Trove
The Oslo Policy library provides support for RBAC policy
enforcement across all OpenStack services.
Update the devstack plugin to copy the default policy file
over to /etc/trove in the gate environments.
Note: Not adding a rule for 'reset-password' instance
action as that API was discontinued years ago
and is now just waiting for removal (Bug: 1645866).
DocImpact
Co-Authored-By: Ali Adil <aadil@tesora.com>
Change-Id: Ic443a4c663301840406cad537159eab7b0b5ed1c
Implements: blueprint trove-policy
Diffstat (limited to 'trove/datastore')
-rw-r--r-- | trove/datastore/service.py | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/trove/datastore/service.py b/trove/datastore/service.py
index 6a04a1ce..0f69c029 100644
--- a/trove/datastore/service.py
+++ b/trove/datastore/service.py
@@ -16,6 +16,7 @@
 # under the License.
 #
 
+from trove.common import policy
 from trove.common import wsgi
 from trove.datastore import models, views
 from trove.flavor import views as flavor_views
@@ -23,7 +24,16 @@ from trove.flavor import views as flavor_views
 
 class DatastoreController(wsgi.Controller):
 
+    @classmethod
+    def authorize_request(cls, req, rule_name):
+        """Datastores are not owned by any particular tenant so we only check
+        the current tenant is allowed to perform the action.
+        """
+        context = req.environ[wsgi.CONTEXT_KEY]
+        policy.authorize_on_tenant(context, 'datastore:%s' % rule_name)
+
     def show(self, req, tenant_id, id):
+        self.authorize_request(req, 'show')
         datastore = models.Datastore.load(id)
         datastore_versions = (models.DatastoreVersions.load(datastore.id))
         return wsgi.Result(views.
@@ -31,6 +41,7 @@ class DatastoreController(wsgi.Controller):
                                         req).data(), 200)
 
     def index(self, req, tenant_id):
+        self.authorize_request(req, 'index')
         context = req.environ[wsgi.CONTEXT_KEY]
         only_active = True
         if context.is_admin:
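Review bot: `authorize_request` discards the return value of `policy.authorize_on_tenant`, so the enforcement added to `show` and `index` here (and to `version_show`, `version_show_by_uuid`, `version_index` and `list_associated_flavors` in the later hunks) is only fail-closed if that helper raises on denial; the hunk does not show its implementation, so confirm it raises rather than returning a flag that is never checked. The docstring could state the contract the callers depend on, e.g. `"""Enforce the 'datastore:<rule_name>' policy for the calling tenant.` / `Datastores are not owned by a tenant, so only the caller's right to perform the action is checked; denial is expected to raise.` / `"""`. `cls` is unused in the body, so `@staticmethod` would fit unless subclasses are meant to override it. Running the check before `models.Datastore.load(id)` is the right order, since an unauthorized caller then learns nothing about whether the id exists.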
@@ -42,17 +53,20 @@ class DatastoreController(wsgi.Controller):
                                         req).data(), 200)
 
     def version_show(self, req, tenant_id, datastore, id):
+        self.authorize_request(req, 'version_show')
         datastore = models.Datastore.load(datastore)
         datastore_version = models.DatastoreVersion.load(datastore, id)
         return wsgi.Result(views.DatastoreVersionView(datastore_version,
                                                       req).data(), 200)
 
     def version_show_by_uuid(self, req, tenant_id, uuid):
+        self.authorize_request(req, 'version_show_by_uuid')
         datastore_version = models.DatastoreVersion.load_by_uuid(uuid)
         return wsgi.Result(views.DatastoreVersionView(datastore_version,
                                                       req).data(), 200)
 
     def version_index(self, req, tenant_id, datastore):
+        self.authorize_request(req, 'version_index')
         context = req.environ[wsgi.CONTEXT_KEY]
         only_active = True
         if context.is_admin:
@@ -70,6 +84,7 @@ class DatastoreController(wsgi.Controller):
         one or more entries are found in datastore_version_metadata,
         in which case only those are returned.
         """
+        self.authorize_request(req, 'list_associated_flavors')
         context = req.environ[wsgi.CONTEXT_KEY]
         flavors = (models.DatastoreVersionMetadata.
                    list_datastore_version_flavor_associations(
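Review bot: `version_show` and `version_show_by_uuid` return the same `DatastoreVersionView` of the same object but are gated by two different rules, `datastore:version_show` and `datastore:version_show_by_uuid`, so an operator who tightens only one of them still exposes the version through the other route. Either map both methods to a single rule name, or record the coupling where it is enforced, e.g. `# Same resource as version_show; keep both policy rules in sync.` above the `self.authorize_request(req, 'version_show_by_uuid')` line. The policy defaults these six rule names rely on are not part of this file, so a test asserting that every `datastore:*` name used here is defined in the shipped policy file would catch a silent mismatch. The `list_associated_flavors` method in the last hunk starts outside the hunk.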