Merge "policy: Replaces 'authorize' in nova-api (part 5)"

openstack · Jun 30, 2016 · bc22a15 · bc22a15
2 parents 3b87313 + 955c921
commit bc22a15
Show file tree

Hide file tree

Showing 20 changed files with 108 additions and 107 deletions.
diff --git a/nova/api/openstack/compute/security_group_default_rules.py b/nova/api/openstack/compute/security_group_default_rules.py
@@ -20,10 +20,10 @@
 from nova import exception
 from nova.i18n import _
 from nova.network.security_group import openstack_driver
+from nova.policies import security_group_default_rules as sgdr_policies
 
 
 ALIAS = "os-security-group-default-rules"
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
@@ -35,7 +35,7 @@ def __init__(self):
     @extensions.expected_errors((400, 409, 501))
     def create(self, req, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sgdr_policies.BASE_POLICY_NAME)
 
         sg_rule = self._from_body(body, 'security_group_default_rule')
 
@@ -72,7 +72,7 @@ def _rule_args_to_dict(self, to_port=None, from_port=None,
     @extensions.expected_errors((400, 404, 501))
     def show(self, req, id):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sgdr_policies.BASE_POLICY_NAME)
 
         try:
             id = self.security_group_api.validate_id(id)
@@ -91,7 +91,7 @@ def show(self, req, id):
     @wsgi.response(204)
     def delete(self, req, id):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sgdr_policies.BASE_POLICY_NAME)
 
         try:
             id = self.security_group_api.validate_id(id)
@@ -107,7 +107,7 @@ def delete(self, req, id):
     @extensions.expected_errors((404, 501))
     def index(self, req):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sgdr_policies.BASE_POLICY_NAME)
 
         ret = {'security_group_default_rules': []}
         try:

diff --git a/nova/api/openstack/compute/security_groups.py b/nova/api/openstack/compute/security_groups.py
@@ -28,19 +28,18 @@
 from nova import exception
 from nova.i18n import _
 from nova.network.security_group import openstack_driver
+from nova.policies import security_groups as sg_policies
 from nova.virt import netutils
 
 
 LOG = logging.getLogger(__name__)
 ALIAS = 'os-security-groups'
 ATTRIBUTE_NAME = 'security_groups'
-authorize = extensions.os_compute_authorizer(ALIAS)
-softauth = extensions.os_compute_soft_authorizer(ALIAS)
 
 
 def _authorize_context(req):
     context = req.environ['nova.context']
-    authorize(context)
+    context.can(sg_policies.BASE_POLICY_NAME)
     return context
 
 
@@ -386,7 +385,7 @@ def _invoke(self, method, context, id, group_name):
     @wsgi.action('addSecurityGroup')
     def _addSecurityGroup(self, req, id, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sg_policies.BASE_POLICY_NAME)
 
         group_name = self._parse(body, 'addSecurityGroup')
         try:
@@ -406,7 +405,7 @@ def _addSecurityGroup(self, req, id, body):
     @wsgi.action('removeSecurityGroup')
     def _removeSecurityGroup(self, req, id, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sg_policies.BASE_POLICY_NAME)
 
         group_name = self._parse(body, 'removeSecurityGroup')
 
@@ -436,7 +435,7 @@ def _extend_servers(self, req, servers):
             return
         key = "security_groups"
         context = req.environ['nova.context']
-        if not softauth(context):
+        if not context.can(sg_policies.BASE_POLICY_NAME, fatal=False):
             return
 
         if not openstack_driver.is_neutron_security_groups():

diff --git a/nova/api/openstack/compute/server_diagnostics.py b/nova/api/openstack/compute/server_diagnostics.py
@@ -18,10 +18,10 @@
 from nova.api.openstack import wsgi
 from nova import compute
 from nova import exception
+from nova.policies import server_diagnostics as sd_policies
 
 
 ALIAS = "os-server-diagnostics"
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class ServerDiagnosticsController(wsgi.Controller):
@@ -31,7 +31,7 @@ def __init__(self):
     @extensions.expected_errors((404, 409, 501))
     def index(self, req, server_id):
         context = req.environ["nova.context"]
-        authorize(context)
+        context.can(sd_policies.BASE_POLICY_NAME)
 
         instance = common.get_instance(self.compute_api, context, server_id)
 

diff --git a/nova/api/openstack/compute/server_external_events.py b/nova/api/openstack/compute/server_external_events.py
@@ -24,11 +24,11 @@
 from nova.i18n import _
 from nova.i18n import _LI
 from nova import objects
+from nova.policies import server_external_events as see_policies
 
 
 LOG = logging.getLogger(__name__)
 ALIAS = 'os-server-external-events'
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class ServerExternalEventsController(wsgi.Controller):
@@ -43,7 +43,7 @@ def __init__(self):
     def create(self, req, body):
         """Creates a new instance event."""
         context = req.environ['nova.context']
-        authorize(context, action='create')
+        context.can(see_policies.POLICY_ROOT % 'create')
 
         response_events = []
         accepted_events = []

diff --git a/nova/api/openstack/compute/server_groups.py b/nova/api/openstack/compute/server_groups.py
@@ -29,18 +29,16 @@
 from nova.i18n import _
 from nova.i18n import _LE
 from nova import objects
+from nova.policies import server_groups as sg_policies
 
 LOG = logging.getLogger(__name__)
 
 ALIAS = "os-server-groups"
 
 
-authorize = extensions.os_compute_authorizer(ALIAS)
-
-
 def _authorize_context(req):
     context = req.environ['nova.context']
-    authorize(context)
+    context.can(sg_policies.BASE_POLICY_NAME)
     return context
 
 

diff --git a/nova/api/openstack/compute/server_metadata.py b/nova/api/openstack/compute/server_metadata.py
@@ -24,9 +24,9 @@
 from nova import compute
 from nova import exception
 from nova.i18n import _
+from nova.policies import server_metadata as sm_policies
 
 ALIAS = 'server-metadata'
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class ServerMetadataController(wsgi.Controller):
@@ -55,7 +55,7 @@ def _get_metadata(self, context, server_id):
     def index(self, req, server_id):
         """Returns the list of metadata for a given instance."""
         context = req.environ['nova.context']
-        authorize(context, action='index')
+        context.can(sm_policies.POLICY_ROOT % 'index')
         return {'metadata': self._get_metadata(context, server_id)}
 
     @extensions.expected_errors((400, 403, 404, 409))
@@ -65,7 +65,7 @@ def index(self, req, server_id):
     def create(self, req, server_id, body):
         metadata = body['metadata']
         context = req.environ['nova.context']
-        authorize(context, action='create')
+        context.can(sm_policies.POLICY_ROOT % 'create')
         new_metadata = self._update_instance_metadata(context,
                                                       server_id,
                                                       metadata,
@@ -77,7 +77,7 @@ def create(self, req, server_id, body):
     @validation.schema(server_metadata.update)
     def update(self, req, server_id, id, body):
         context = req.environ['nova.context']
-        authorize(context, action='update')
+        context.can(sm_policies.POLICY_ROOT % 'update')
         meta_item = body['meta']
         if id not in meta_item:
             expl = _('Request body and URI mismatch')
@@ -94,7 +94,7 @@ def update(self, req, server_id, id, body):
     @validation.schema(server_metadata.update_all)
     def update_all(self, req, server_id, body):
         context = req.environ['nova.context']
-        authorize(context, action='update_all')
+        context.can(sm_policies.POLICY_ROOT % 'update_all')
         metadata = body['metadata']
         new_metadata = self._update_instance_metadata(context,
                                                       server_id,
@@ -129,7 +129,7 @@ def _update_instance_metadata(self, context, server_id, metadata,
     def show(self, req, server_id, id):
         """Return a single metadata item."""
         context = req.environ['nova.context']
-        authorize(context, action='show')
+        context.can(sm_policies.POLICY_ROOT % 'show')
         data = self._get_metadata(context, server_id)
 
         try:
@@ -143,7 +143,7 @@ def show(self, req, server_id, id):
     def delete(self, req, server_id, id):
         """Deletes an existing metadata."""
         context = req.environ['nova.context']
-        authorize(context, action='delete')
+        context.can(sm_policies.POLICY_ROOT % 'delete')
         metadata = self._get_metadata(context, server_id)
 
         if id not in metadata:

diff --git a/nova/api/openstack/compute/server_migrations.py b/nova/api/openstack/compute/server_migrations.py
@@ -23,10 +23,10 @@
 from nova import compute
 from nova import exception
 from nova.i18n import _
+from nova.policies import servers_migrations as sm_policies
 
 
 ALIAS = 'servers:migrations'
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 def output(migration):
@@ -69,7 +69,7 @@ def __init__(self):
     @validation.schema(server_migrations.force_complete)
     def _force_complete(self, req, id, server_id, body):
         context = req.environ['nova.context']
-        authorize(context, action='force_complete')
+        context.can(sm_policies.POLICY_ROOT % 'force_complete')
 
         instance = common.get_instance(self.compute_api, context, server_id)
         try:
@@ -91,7 +91,7 @@ def _force_complete(self, req, id, server_id, body):
     def index(self, req, server_id):
         """Return all migrations of an instance in progress."""
         context = req.environ['nova.context']
-        authorize(context, action="index")
+        context.can(sm_policies.POLICY_ROOT % 'index')
 
         # NOTE(Shaohe Feng) just check the instance is available. To keep
         # consistency with other API, check it before get migrations.
@@ -107,7 +107,7 @@ def index(self, req, server_id):
     def show(self, req, server_id, id):
         """Return the migration of an instance in progress by id."""
         context = req.environ['nova.context']
-        authorize(context, action="show")
+        context.can(sm_policies.POLICY_ROOT % 'show')
 
         # NOTE(Shaohe Feng) just check the instance is available. To keep
         # consistency with other API, check it before get migrations.
@@ -141,7 +141,7 @@ def show(self, req, server_id, id):
     def delete(self, req, server_id, id):
         """Abort an in progress migration of an instance."""
         context = req.environ['nova.context']
-        authorize(context, action="delete")
+        context.can(sm_policies.POLICY_ROOT % 'delete')
 
         instance = common.get_instance(self.compute_api, context, server_id)
         try:

diff --git a/nova/api/openstack/compute/server_password.py b/nova/api/openstack/compute/server_password.py
@@ -20,10 +20,10 @@
 from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
 from nova import compute
+from nova.policies import server_password as sp_policies
 
 
 ALIAS = 'os-server-password'
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class ServerPasswordController(wsgi.Controller):
@@ -34,7 +34,7 @@ def __init__(self):
     @extensions.expected_errors(404)
     def index(self, req, server_id):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sp_policies.BASE_POLICY_NAME)
         instance = common.get_instance(self.compute_api, context, server_id)
 
         passw = password.extract_password(instance)
@@ -50,7 +50,7 @@ def clear(self, req, server_id):
         """
 
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(sp_policies.BASE_POLICY_NAME)
         instance = common.get_instance(self.compute_api, context, server_id)
         meta = password.convert_password(context, None)
         instance.system_metadata.update(meta)

diff --git a/nova/api/openstack/compute/server_tags.py b/nova/api/openstack/compute/server_tags.py
@@ -25,10 +25,10 @@
 from nova import exception
 from nova.i18n import _
 from nova import objects
+from nova.policies import server_tags as st_policies
 
 
 ALIAS = "os-server-tags"
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 def _get_tags_names(tags):
@@ -58,7 +58,7 @@ def _check_instance_in_valid_state(self, context, server_id, action):
     @extensions.expected_errors(404)
     def show(self, req, server_id, id):
         context = req.environ["nova.context"]
-        authorize(context, action='show')
+        context.can(st_policies.POLICY_ROOT % 'show')
 
         try:
             exists = objects.Tag.exists(context, server_id, id)
@@ -74,7 +74,7 @@ def show(self, req, server_id, id):
     @extensions.expected_errors(404)
     def index(self, req, server_id):
         context = req.environ["nova.context"]
-        authorize(context, action='index')
+        context.can(st_policies.POLICY_ROOT % 'index')
 
         try:
             tags = objects.TagList.get_by_resource_id(context, server_id)
@@ -88,7 +88,7 @@ def index(self, req, server_id):
     @validation.schema(schema.update)
     def update(self, req, server_id, id, body):
         context = req.environ["nova.context"]
-        authorize(context, action='update')
+        context.can(st_policies.POLICY_ROOT % 'update')
         self._check_instance_in_valid_state(context, server_id, 'update tag')
 
         try:
@@ -136,7 +136,7 @@ def update(self, req, server_id, id, body):
     @validation.schema(schema.update_all)
     def update_all(self, req, server_id, body):
         context = req.environ["nova.context"]
-        authorize(context, action='update_all')
+        context.can(st_policies.POLICY_ROOT % 'update_all')
         self._check_instance_in_valid_state(context, server_id, 'update tags')
 
         invalid_tags = []
@@ -178,7 +178,7 @@ def update_all(self, req, server_id, body):
     @extensions.expected_errors((404, 409))
     def delete(self, req, server_id, id):
         context = req.environ["nova.context"]
-        authorize(context, action='delete')
+        context.can(st_policies.POLICY_ROOT % 'delete')
         self._check_instance_in_valid_state(context, server_id, 'delete tag')
 
         try:
@@ -193,7 +193,7 @@ def delete(self, req, server_id, id):
     @extensions.expected_errors((404, 409))
     def delete_all(self, req, server_id):
         context = req.environ["nova.context"]
-        authorize(context, action='delete_all')
+        context.can(st_policies.POLICY_ROOT % 'delete_all')
         self._check_instance_in_valid_state(context, server_id, 'delete tags')
 
         try:

diff --git a/nova/api/openstack/compute/server_usage.py b/nova/api/openstack/compute/server_usage.py
@@ -14,10 +14,10 @@
 
 from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
+from nova.policies import server_usage as su_policies
 
 
 ALIAS = "os-server-usage"
-authorize = extensions.os_compute_soft_authorizer(ALIAS)
 
 resp_topic = "OS-SRV-USG"
 
@@ -37,7 +37,7 @@ def _extend_server(self, server, instance):
     @wsgi.extends
     def show(self, req, resp_obj, id):
         context = req.environ['nova.context']
-        if authorize(context):
+        if context.can(su_policies.BASE_POLICY_NAME, fatal=False):
             server = resp_obj.obj['server']
             db_instance = req.get_db_instance(server['id'])
             # server['id'] is guaranteed to be in the cache due to
@@ -47,7 +47,7 @@ def show(self, req, resp_obj, id):
     @wsgi.extends
     def detail(self, req, resp_obj):
         context = req.environ['nova.context']
-        if authorize(context):
+        if context.can(su_policies.BASE_POLICY_NAME, fatal=False):
             servers = list(resp_obj.obj['servers'])
             for server in servers:
                 db_instance = req.get_db_instance(server['id'])