From 9840721b51671296816d681dbd4b9afe221f68b4 Mon Sep 17 00:00:00 2001
From: Brent Roskos
Date: Sun, 16 Aug 2015 08:41:48 -0400
Subject: [PATCH] adds user_id to check_is_admin

A small tactical update to allow cinder to consider user_id when checking for admin. This is needed in the field until the larger changes around admin scoping are completed. Checking for role only is not sufficient in a multi-domain configuration.

juno-backport-potential
kilo-backport-potential
closes-bug: 968696
Change-Id: I0cb99186bd833c4c32964490c4bc6da9ad42d320
---
 cinder/context.py | 2 +-
 cinder/policy.py | 13 ++++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/cinder/context.py b/cinder/context.py
index cd375d2b2..08274fe76 100644
--- a/cinder/context.py
+++ b/cinder/context.py
@@ -102,7 +102,7 @@ class RequestContext(context.RequestContext):
         # when policy.check_is_admin invokes request logging
         # to make it loggable.
         if self.is_admin is None:
-            self.is_admin = policy.check_is_admin(self.roles)
+            self.is_admin = policy.check_is_admin(self.roles, self)
         elif self.is_admin and 'admin' not in self.roles:
             self.roles.append('admin')
 
diff --git a/cinder/policy.py b/cinder/policy.py
index 02dc263f2..551f11128 100644
--- a/cinder/policy.py
+++ b/cinder/policy.py
@@ -70,9 +70,11 @@ def enforce(context, action, target):
                              action=action)
 
 
-def check_is_admin(roles):
-    """Whether or not roles contains 'admin' role according to policy setting.
+def check_is_admin(roles, context=None):
+    """Whether or not user is admin according to policy setting.
 
+    Can use roles or user_id from context to determine if user is admin.
+    In a multi-domain configuration, roles alone may not be sufficient.
     """
     init()
 
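Review bot: In the cinder/context.py hunk, the new call `policy.check_is_admin(self.roles, self)` can now set is_admin from a user_id match, but the `elif` branch that appends 'admin' to `self.roles` only runs when is_admin was supplied by the caller, so a user_id-matched admin ends up with is_admin=True and no 'admin' role. If any policy rule is written as `role:admin` rather than through is_admin, that user is an admin in one code path and not the other; whether such rules exist is not visible here. If the two are meant to agree, make the second branch an independent `if`: `if self.is_admin is None: self.is_admin = policy.check_is_admin(self.roles, self)` followed by `if self.is_admin and 'admin' not in self.roles: self.roles.append('admin')`. Passing the partially constructed `self` also relies on `self.roles` and `self.user_id` already being assigned at this point; the enclosing method starts before the hunk, so that ordering cannot be confirmed from here and deserves a one-line comment above the call.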
@@ -81,6 +83,11 @@ def check_is_admin(roles):
     # attempts to apply. Since our credentials dict does not include a
     # project_id, this target can never match as a generic rule.
     target = {'project_id': ''}
-    credentials = {'roles': roles}
+    if context is None:
+        credentials = {'roles': roles}
+    else:
+        credentials = {'roles': context.roles,
+                       'user_id': context.user_id
+                       }
     return _ENFORCER.enforce('context_is_admin', target, credentials)
 
-- 
2.45.2
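Review bot: In the `else` branch the `roles` argument is silently ignored in favour of `context.roles`, so a caller that passes an explicit roles list together with a context has the context's roles evaluated rather than the ones it asked about; context.py passes `self.roles` and `self`, so they agree there, but the signature promises otherwise. Building the dict once and only enriching it removes the divergence: `credentials = {'roles': roles}` then `if context is not None: credentials['user_id'] = context.user_id`. The credentials still carry no project or domain identifier, so a `context_is_admin` rule can only discriminate on role names and on fixed user IDs; the multi-domain case from the commit message is thus handled by pinning specific user_ids in policy, not by domain scoping, and the docstring should say so, e.g. `Credentials expose only 'roles' and (when a context is given) 'user_id'; no project/domain scoping is available to the rule.` Whether `context.user_id` can be None for internally created contexts is not visible here; a user_id-keyed rule would simply not match in that case, which is the safe direction.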