author | Claudiu Belu <cbelu@cloudbasesolutions.com> | 2016-06-24 17:14:27 +0300 |
committer | Claudiu Belu <cbelu@cloudbasesolutions.com> | 2016-06-30 19:56:14 +0000 |
commit | 7d01bceaa03d73fd4af1887ab8c49281666b9e11 (patch) | |
tree | ba7959afc55cb216dd24ec74d81bd3c298232152 /nova/policy.py | |
parent | bc22a15e4e4ffc6521c1c860316aa1e65c42f15c (diff) | |
download | nova-7d01bceaa03d73fd4af1887ab8c49281666b9e11.tar.gz |
policy: clean-up
Registers in-code the last remaining policy rules.
Adds missing 'discoverable' rules. Without them,
the extension_info API can fail, as it tries to check the
os_compute_api:os_server_tags:discoverable rule. As it wasn't
previously registered, when listing the available extensions,
an exception of type PolicyNotRegistered is encountered.
In order to validate this, functional/api_sample_tests/test_extension_info.py
now runs without mocking policy.authorize.
Switches extension_info to context.can.
Switches nova.cells.filters to context.can.
Switches network.neutronv2.api to context.can.
Removes the rest of the entries in etc/policy.json.
Removes DefaultPolicyTestCase, as it tests the default
policy rule, which is not registered.
Removes rules from fake_policy.py that bring no value,
as they are the same as the default values.
Removes extensions authorizer factories.
Removes nova.policy.enforce.
Change-Id: Ie7771768f4f3efe0edc787c12f297aa93d533d7e
Partially-Implements: bp policy-in-code
Diffstat (limited to 'nova/policy.py')
-rw-r--r-- | nova/policy.py | 42 |
1 files changed, 1 insertions, 41 deletions
diff --git a/nova/policy.py b/nova/policy.py
index bb41f12de0..b6299c0724 100644
--- a/nova/policy.py
+++ b/nova/policy.py
@@ -73,46 +73,6 @@ def set_rules(rules, overwrite=True, use_conf=False):
 _ENFORCER.set_rules(rules, overwrite, use_conf)
-# TODO(alaski): All users of this method should move over to authorize() as
-# policies are registered and ultimately this should be removed.
-def enforce(context, action, target, do_raise=True, exc=None):
- """Verifies that the action is valid on the target in this context.
-
- :param context: nova context
- :param action: string representing the action to be checked
- this should be colon separated for clarity.
- i.e. ``compute:create_instance``,
- ``compute:attach_volume``,
- ``volume:attach_volume``
- :param target: dictionary representing the object of the action
- for object creation this should be a dictionary representing the
- location of the object e.g. ``{'project_id': context.project_id}``
- :param do_raise: if True (the default), raises PolicyNotAuthorized;
- if False, returns False
-
- :raises nova.exception.PolicyNotAuthorized: if verification fails
- and do_raise is True.
-
- :return: returns a non-False value (not necessarily "True") if
- authorized, and the exact value False if not authorized and
- do_raise is False.
- """
- init()
- credentials = context.to_dict()
- if not exc:
- exc = exception.PolicyNotAuthorized
- try:
- result = _ENFORCER.enforce(action, target, credentials,
- do_raise=do_raise, exc=exc, action=action)
- except Exception:
- credentials.pop('auth_token', None)
- with excutils.save_and_reraise_exception():
- LOG.debug('Policy check for %(action)s failed with credentials '
- '%(credentials)s',
- {'action': action, 'credentials': credentials})
- return result
-
-
 def authorize(context, action, target, do_raise=True, exc=None):
 """Verifies that the action is valid on the target in this context.
@@ -128,7 +88,7 @@ def authorize(context, action, target, do_raise=True, exc=None):
 :param do_raise: if True (the default), raises PolicyNotAuthorized;
 if False, returns False
 :param exc: Class of the exception to raise if the check fails.
- Any remaining arguments passed to :meth:`enforce` (both
+ Any remaining arguments passed to :meth:`authorize` (both
 positional and keyword arguments) will be passed to the exception
 class. If not specified, :class:`PolicyNotAuthorized` will be used. |
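Review bot: The renamed cross-reference still describes a pass-through that `authorize` does not offer: the signature shown on the `@@` header line, `authorize(context, action, target, do_raise=True, exc=None)`, has no `*args`/`**kwargs`, so "Any remaining arguments passed to :meth:`authorize` (both positional and keyword arguments) will be passed to the exception class" is inaccurate after this commit just as it was before. The `enforce` body removed in the previous hunk forwarded only `action=action` to the enforcer alongside `exc`; if `authorize` (whose body lies outside this hunk) still does the same, state that instead, e.g. `:param exc: Class of the exception to raise if the check fails. It is instantiated with ``action=action``; if not specified, :class:`PolicyNotAuthorized` will be used.` The removed `enforce` also popped `auth_token` from the credentials dict before logging them on a failed check; it is worth confirming that `authorize` keeps that scrubbing, since the debug log would otherwise record the caller's token.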