authorDavid Lyle <david.lyle@hp.com>2014-02-05 12:08:15 -0700
committerDavid Lyle <david.lyle@hp.com>2014-08-18 16:40:56 -0600
commit18e8ea810d540f5d464e3ac38c5fefb0814d0b1f (patch)
tree702ae53a74d4829386bcb64ba752d4bd1d3b2d11 /horizon/base.py
parent8863146bb0f5f73c9d66b878b948fb471ba56239 (diff)
Separating Identity Dashboard and using RBAC
Moving identity panels to their own dashboard. RBAC is now used to determine the data to load in the identity dashboard. Using the default policy file, a user with role member will now be able to see their project list. Also, adding a policy check mechanism at the panel and dashboard level to determine which panels and dashboards the user can access. Implements blueprint separate-identity-dash Change-Id: I7ebfec2bf6e44899bec79d3b23c90d56a976200f
Diffstat (limited to 'horizon/base.py')
-rw-r--r--horizon/base.py49
1 files changed, 49 insertions, 0 deletions
diff --git a/horizon/base.py b/horizon/base.py
index ab696a683..16b387750 100644
--- a/horizon/base.py
+++ b/horizon/base.py
@@ -61,6 +61,8 @@ class NotRegistered(Exception):
class HorizonComponent(object):
+ policy_rules = None
+
def __init__(self):
super(HorizonComponent, self).__init__()
if not self.slug:
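Review bot: The new `policy_rules = None` class attribute has no comment describing its expected shape, and the loop added to `_can_access` later in this diff iterates it and passes each element on as `(rule,)`. A subclass that assigns a single rule directly instead of a sequence of rules would be iterated element by element with no error. I would add `# Sequence of policy rules; access is granted if any one rule passes. None or empty means no policy restriction.` above the attribute. The body of `HorizonComponent` continues outside the hunk.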
@@ -88,6 +90,29 @@ class HorizonComponent(object):
urlpatterns = patterns('')
return urlpatterns
+ def can_access(self, context):
+ """Checks to see that the user has role based access to this component.
+
+ This method should be overridden to return the result of
+ any policy checks required for the user to access this component
+ when more complex checks are required.
+ """
+ return self._can_access(context['request'])
+
+ def _can_access(self, request):
+ policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
+
+ # this check is an OR check rather than an AND check that is the
+ # default in the policy engine, so calling each rule individually
+ if policy_check and self.policy_rules:
+ for rule in self.policy_rules:
+ if policy_check((rule,), request):
+ return True
+ return False
+
+ # default to allowed
+ return True
+
class Registry(object):
def __init__(self):
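Review bot: `_can_access` fails open in two different situations that the `# default to allowed` comment treats as one: the component declares no `policy_rules`, or it declares rules but `POLICY_CHECK_FUNCTION` is absent from settings. In the second case a deployment that drops or misspells the setting lets every policy-restricted component pass this check with no signal, so the method should get a docstring stating that behaviour, and a logged warning when `self.policy_rules` is set and `policy_check` is None is worth considering. `can_access` also indexes `context['request']` directly, so a context without a request raises KeyError instead of returning a decision; the docstring should say a request is required. The `HorizonComponent` class starts outside the hunk, and whether the views behind a component enforce the same rules is not visible here.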
@@ -543,6 +568,30 @@ class Dashboard(Registry, HorizonComponent):
del loaders.panel_template_dirs[key]
return success
+ def can_access(self, context):
+ """Checks for role based access for this dashboard.
+
+ Checks for access to any panels in the dashboard and of the the
+ dashboard itself.
+
+ This method should be overridden to return the result of
+ any policy checks required for the user to access this dashboard
+ when more complex checks are required.
+ """
+
+ # if the dashboard has policy rules, honor those above individual
+ # panels
+ if not self._can_access(context['request']):
+ return False
+
+ # check if access is allowed to a single panel,
+ # the default for each panel is True
+ for panel in self.get_panels():
+ if panel.can_access(context):
+ return True
+
+ return False
+
class Workflow(object):
def __init__(*args, **kwargs):
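Review bot: `Dashboard.can_access` returns False when `get_panels()` yields nothing or when every panel denies, but the docstring never states that at least one accessible panel is required, and its first sentence has a duplicated word (`of the the dashboard itself`). Suggested first line: `Returns True only if the dashboard's own policy rules pass and at least one of its panels is accessible.` The result is a decision about the dashboard as a whole, so a user who passes on one panel still needs each other panel to be checked separately wherever it is served; that enforcement is not visible in this hunk. The `Dashboard` class begins outside the hunk.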