]> review.fuel-infra Code Review - openstack-build/cinder-build.git/commitdiff
Code Review / openstack-build / cinder-build.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 30cd678)
adds user_id to check_is_admin
authorBrent Roskos <roskosb@yahoo.com>
Sun, 16 Aug 2015 12:41:48 +0000 (08:41 -0400)
committerBrent Roskos <roskosb@yahoo.com>
Tue, 25 Aug 2015 11:46:18 +0000 (04:46 -0700)
A small tactical update to allow cinder to consider user_id
when checking for admin.

This is needed in the field until the larger changes around
admin scoping are completed. Checking for role only is not
sufficient in a multi-domain configuration.

juno-backport-potential
kilo-backport-potential

closes-bug: 968696

Change-Id: I0cb99186bd833c4c32964490c4bc6da9ad42d320

cinder/context.py patch | blob | history
cinder/policy.py patch | blob | history

diff --git a/cinder/context.py b/cinder/context.py
index cd375d2b212a37a633a41e54eb241c064d7a6333..08274fe76fed58cee5c74f2daa08c8aba178c2df 100644 (file)
--- a/cinder/context.py
+++ b/cinder/context.py
@@ -102,7 +102,7 @@ class RequestContext(context.RequestContext):
         # when policy.check_is_admin invokes request logging
         # to make it loggable.
         if self.is_admin is None:
-            self.is_admin = policy.check_is_admin(self.roles)
+            self.is_admin = policy.check_is_admin(self.roles, self)
         elif self.is_admin and 'admin' not in self.roles:
             self.roles.append('admin')
 
diff --git a/cinder/policy.py b/cinder/policy.py
index 02dc263f2b218447c887d3e654db932dd4b5cea0..551f11128c044e5b122ecd4b4d810b566570c993 100644 (file)
--- a/cinder/policy.py
+++ b/cinder/policy.py
@@ -70,9 +70,11 @@ def enforce(context, action, target):
                              action=action)
 
 
-def check_is_admin(roles):
-    """Whether or not roles contains 'admin' role according to policy setting.
+def check_is_admin(roles, context=None):
+    """Whether or not user is admin according to policy setting.
 
+       Can use roles or user_id from context to determine if user is admin.
+       In a multi-domain configuration, roles alone may not be sufficient.
     """
     init()
 
@@ -81,6 +83,11 @@ def check_is_admin(roles):
     # attempts to apply.  Since our credentials dict does not include a
     # project_id, this target can never match as a generic rule.
     target = {'project_id': ''}
-    credentials = {'roles': roles}
+    if context is None:
+        credentials = {'roles': roles}
+    else:
+        credentials = {'roles': context.roles,
+                       'user_id': context.user_id
+                       }
 
     return _ENFORCER.enforce('context_is_admin', target, credentials)