author | Vishvananda Ishaya <vishvananda@gmail.com> | 2012-08-20 10:11:34 -0700 |
---|---|---|
committer | Vishvananda Ishaya <vishvananda@gmail.com> | 2012-08-20 10:32:06 -0700 |
commit | 8378f316454fe74d171a09ce9af91f1da6692c21 (patch) | |
tree | 94aacacbd37d9d9fdc4fdc1c4e49103830c3d304 /nova/policy.py | |
parent | 740e93aae891d6c20f38b091ad9f54d71db0d7f7 (diff) | |
download | nova-8378f316454fe74d171a09ce9af91f1da6692c21.tar.gz |
Fix is_admin check via policy
When we create an admin context internally, we need to make sure
that all of the policy actions that are available to that context
are still available. This wasn't working in some cases because
we were looking for a hard-coded role called 'admin'.
Fixes bug 1039093
Change-Id: I939f834a63c9e6e6e7c87b115bd469466da66a69
Diffstat (limited to 'nova/policy.py')
-rw-r--r-- | nova/policy.py | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/nova/policy.py b/nova/policy.py index acfe830b99..16ff15b861 100644 --- a/nova/policy.py +++ b/nova/policy.py @@ -90,17 +90,22 @@ def enforce(context, action, target): match_list = ('rule:%s' % action,) credentials = context.to_dict() + # NOTE(vish): This is to work around the following launchpad bug: + # https://bugs.launchpad.net/openstack-common/+bug/1039132 + # It can be removed when that bug is fixed. + credentials['is_admin'] = unicode(credentials['is_admin']) + policy.enforce(match_list, target, credentials, exception.PolicyNotAuthorized, action=action) -def check_admin_role(roles): +def check_is_admin(roles): """Whether or not roles contains 'admin' role according to policy setting. """ init() - action = 'admin' + action = 'context_is_admin' match_list = ('rule:%s' % action,) target = {} credentials = {'roles': roles} |
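Review bot: The renamed `check_is_admin` keeps a docstring that still says it tests for the 'admin' role, although the rule it now evaluates is `context_is_admin`; it should read something like `"""Whether or not roles satisfy the 'context_is_admin' policy rule."""`. The credentials built in the visible lines are still only `{'roles': roles}`, so a `context_is_admin` rule written against any other credential field (for example `is_admin`) would have nothing to match here, and the docstring should say that only role-based rules are supported. A policy file that defines `admin` but not `context_is_admin` will get whatever the engine does for a missing rule, which this hunk does not show; confirm that this fallback denies rather than grants. In `enforce`, the workaround stringifies `is_admin`, presumably to 'True'/'False', so the NOTE could add that policy rules must compare against that literal string. The body of `check_is_admin` continues past the end of the hunk.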