Make role-checking rules in policy.py unique - is_admin is equivalent to having all other roles.

Change-Id: If16a7a6aba228e0141562b805528a83d816fa725
commit d3eb99164b6e96f37ba84083eb5325e6492840b0 1 parent f9a1280
@joshuamckenty authored
11 etc/nova/policy.json
@@ -1,11 +1,6 @@
{
- "compute:get_volume": [["role:compute_admin"], ["tenant_id:%(tenant_id)s", "role:compute_sysadmin"]],
- "compute:get_instance": [["role:compute_admin"], ["tenant_id:%(tenant_id)s", "role:compute_sysadmin"]],
- "example:get_http": [["http:http://www.example.com"]],
- "example:my_file": [["role:compute_admin"], ["tenant_id:%(tenant_id)s"]],
"true" : [],
- "example:allowed" : [],
- "example:denied" : [["false:false"]],
- "example:early_and_fail" : [["false:false", "rule:true"]],
- "example:early_or_success" : [["rule:true"], ["false:false"]]
+ "compute:get_instance": [["role:compute_admin"], ["project_id:%(project_id)s", "role:sysadmin"]],
+ "volume:attach_volume": [["role:compute_admin"], ["project_id:%(project_id)s", "role:sysadmin"]],
+ "volume:create_volume": [["role:compute_admin"], ["project_id:%(project_id)s", "role:sysadmin"]]
}
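Review bot: The identical match list `[["role:compute_admin"], ["project_id:%(project_id)s", "role:sysadmin"]]` is repeated verbatim on all three new rules, so a later edit to one of them can silently diverge from the others; since the engine resolves `rule:` references (`_check_rule` in nova/common/policy.py, and the removed `"rule:true"` example relied on it), define it once as `"admin_or_project_sysadmin": [["role:compute_admin"], ["project_id:%(project_id)s", "role:sysadmin"]],` and reference it as `"compute:get_instance": [["rule:admin_or_project_sysadmin"]],`. The switch from `tenant_id`/`compute_sysadmin` to `project_id`/`sysadmin` changes which credentials satisfy these rules, so a deployment whose tokens still carry the old role name is denied after upgrade; presumably intended, but it deserves a sentence in the commit message. JSON cannot hold comments, so the surviving `"true" : []` entry (an empty match list) and the behaviour for an action that has no rule at all are undocumented in the file; a short note in the commit message or an accompanying README should state how the engine treats both cases, since this file is the authorization boundary.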
7 etc/nova/roles.yaml
@@ -0,0 +1,7 @@
+roles:
+- 'netadmin'
+- 'sysadmin'
+- 'admin'
+- 'member'
+- 'keystoneadmin'
+- 'keystoneserviceadmin'
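Review bot: roles.yaml lists `admin` but not `compute_admin`, yet every rule in etc/nova/policy.json in this same commit checks `role:compute_admin`; if this file is meant to enumerate the roles that policy rules may reference, the two are already out of sync, and a misspelt role name in either place becomes a silent mismatch rather than an error. Nothing on the page shows what consumes roles.yaml, so that purpose is inferred; a one-line header comment such as `# Roles that etc/nova/policy.json rules may reference as role:<name>` would make the intended contract explicit and give a reviewer something to check the policy file against.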
5 nova/common/policy.py
@@ -97,6 +97,11 @@ def _check_rule(self, match, target_dict, cred_dict):
return False
return self.check(new_match_list, target_dict, cred_dict)
+ def _check_role(self, match, target_dict, cred_dict):
+ if cred_dict['is_admin']:
+ return True
+ return match in cred_dict['roles']
+
def _check_generic(self, match, target_dict, cred_dict):
"""Check an individual match.
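Review bot: `_check_role` indexes `cred_dict['is_admin']` and `cred_dict['roles']` directly, so a credential dict missing either key raises KeyError out of the policy check instead of producing a clean deny; prefer `if cred_dict.get('is_admin', False): return True` and `return match in cred_dict.get('roles', [])` so an incomplete context fails closed through the ordinary False path. Because `is_admin` short-circuits every `role:` match, it is the most sensitive field in the context, and the plain truthiness test means a non-boolean value (for example the string `'False'`) would satisfy it; normalizing it to a real bool where the dict is built (outside this hunk) would remove that ambiguity. The `in` test also assumes `roles` is a list or set; if it were ever a single string, `'admin' in 'sysadmin'` would match by substring, and I cannot tell from the page how `cred_dict` is constructed, so treat that as a point to confirm. The sibling `_check_generic` carries a docstring while `_check_role` has none; add one such as `"""Match 'role:<name>' against cred_dict['roles']; is_admin satisfies any role."""`. The enclosing class starts before this hunk and `_check_generic` continues past it.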