1 # Copyright (c) 2011 OpenStack Foundation
2 # Copyright 2013 IBM Corp.
5 # Licensed under the Apache License, Version 2.0 (the "License"); you may
6 # not use this file except in compliance with the License. You may obtain
7 # a copy of the License at
9 # http://www.apache.org/licenses/LICENSE-2.0
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
13 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
14 # License for the specific language governing permissions and limitations
17 """Policy Engine For Escalator"""
20 from oslo_config import cfg
21 from oslo_log import log as logging
22 from oslo_policy import policy
24 from escalator.common import exception
25 from escalator import i18n
# Module-level logger (not referenced anywhere in the visible code).
LOG = logging.getLogger(__name__)
31 DEFAULT_RULES = policy.Rules.from_dict({
32 'context_is_admin': 'role:admin',
34 'manage_image_cache': 'role:admin',
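class Enforcer(policy.Enforcer):
    """Responsible for loading and enforcing rules.

    On construction the enforcer loads rules from the configured policy
    file (``CONF.oslo_policy.policy_file``) when that file can be found;
    otherwise it falls back to the in-code ``DEFAULT_RULES`` and does not
    consult the configuration for rules afterwards.
    """

    def __init__(self):
        # Prefer the operator-supplied policy file; the hard-coded defaults
        # apply only when no such file exists.  ``use_conf`` tells oslo.policy
        # whether rules are (re)loaded from that file.
        if CONF.find_file(CONF.oslo_policy.policy_file):
            kwargs = dict(rules=None, use_conf=True)
        else:
            kwargs = dict(rules=DEFAULT_RULES, use_conf=False)
        # overwrite=False: rules merged in later via add_rules() are kept
        # rather than replaced.
        super(Enforcer, self).__init__(CONF, overwrite=False, **kwargs)

    def add_rules(self, rules):
        """Add new rules to the Rules object without discarding existing ones.

        :param rules: rules to merge into the currently loaded rule set
        """
        self.set_rules(rules, overwrite=False, use_conf=self.use_conf)

    @staticmethod
    def _credentials(context):
        """Build the credentials dict that oslo.policy matches rules against.

        Shared by :meth:`enforce` and :meth:`check` so that both paths
        evaluate a rule against exactly the same credential keys.

        :param context: Escalator request context
        :returns: dict with ``roles``, ``user`` and ``tenant`` taken from
                  the context
        """
        return {
            'roles': context.roles,
            'user': context.user,
            'tenant': context.tenant,
        }

    def enforce(self, context, action, target):
        """Verifies that the action is valid on the target in this context.

        :param context: Escalator request context
        :param action: String representing the action to be checked
        :param target: Dictionary representing the object of the action.
        :raises: `escalator.common.exception.Forbidden`
        :returns: A non-False value if access is allowed.
        """
        # do_raise=True makes oslo.policy raise ``exc`` on denial instead of
        # returning False; ``action`` is forwarded to the exception constructor.
        return super(Enforcer, self).enforce(action, target,
                                             self._credentials(context),
                                             do_raise=True,
                                             exc=exception.Forbidden,
                                             action=action)

    def check(self, context, action, target):
        """Verifies that the action is valid on the target in this context.

        Unlike :meth:`enforce` this never raises on denial; the caller must
        test the return value.

        :param context: Escalator request context
        :param action: String representing the action to be checked
        :param target: Dictionary representing the object of the action.
        :returns: A non-False value if access is allowed.
        """
        return super(Enforcer, self).enforce(action, target,
                                             self._credentials(context))

    def check_is_admin(self, context):
        """Check if the given context is associated with an admin role,
        as defined via the 'context_is_admin' RBAC rule.

        :param context: Escalator request context
        :returns: A non-False value if context role is admin.
        """
        # The context's own fields serve as the target so the rule can refer
        # to them; this is a non-raising check.
        return self.check(context, 'context_is_admin', context.to_dict())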