Make role-checking rules in policy.py unique - is_admin is equivalent…

… to having all other roles. Change-Id: If16a7a6aba228e0141562b805528a83d816fa725
joshuamckenty · Dec 10, 2011 · d3eb991 · d3eb991
1 parent f9a1280
commit d3eb991
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 8 deletions.
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
@@ -1,11 +1,6 @@
 {
-    "compute:get_volume": [["role:compute_admin"], ["tenant_id:%(tenant_id)s", "role:compute_sysadmin"]],
-    "compute:get_instance": [["role:compute_admin"], ["tenant_id:%(tenant_id)s", "role:compute_sysadmin"]],
-    "example:get_http": [["http:http://www.example.com"]],
-    "example:my_file": [["role:compute_admin"], ["tenant_id:%(tenant_id)s"]],
     "true" : [],
-    "example:allowed" : [],
-    "example:denied" : [["false:false"]],
-    "example:early_and_fail" : [["false:false", "rule:true"]],
-    "example:early_or_success" : [["rule:true"], ["false:false"]]
+    "compute:get_instance": [["role:compute_admin"], ["project_id:%(project_id)s", "role:sysadmin"]],
+    "volume:attach_volume": [["role:compute_admin"], ["project_id:%(project_id)s", "role:sysadmin"]],
+    "volume:create_volume": [["role:compute_admin"], ["project_id:%(project_id)s", "role:sysadmin"]]
 }
diff --git a/etc/nova/roles.yaml b/etc/nova/roles.yaml
@@ -0,0 +1,7 @@
+roles:
+- 'netadmin'
+- 'sysadmin'
+- 'admin'
+- 'member'
+- 'keystoneadmin'
+- 'keystoneserviceadmin'
diff --git a/nova/common/policy.py b/nova/common/policy.py
@@ -97,6 +97,11 @@ def _check_rule(self, match, target_dict, cred_dict):
             return False
         return self.check(new_match_list, target_dict, cred_dict)
 
+    def _check_role(self, match, target_dict, cred_dict):
+        if cred_dict['is_admin']:
+            return True
+        return match in cred_dict['roles']
+
     def _check_generic(self, match, target_dict, cred_dict):
         """Check an individual match.