Diffstat (limited to 'keystone-moon/keystone/policy/backends')
-rw-r--r-- | keystone-moon/keystone/policy/backends/__init__.py | 0 | ||||
-rw-r--r-- | keystone-moon/keystone/policy/backends/rules.py | 92 | ||||
-rw-r--r-- | keystone-moon/keystone/policy/backends/sql.py | 71 |
3 files changed, 0 insertions, 163 deletions
diff --git a/keystone-moon/keystone/policy/backends/__init__.py b/keystone-moon/keystone/policy/backends/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/keystone-moon/keystone/policy/backends/__init__.py
+++ /dev/null
diff --git a/keystone-moon/keystone/policy/backends/rules.py b/keystone-moon/keystone/policy/backends/rules.py
deleted file mode 100644
index 5a13287d..00000000
--- a/keystone-moon/keystone/policy/backends/rules.py
+++ /dev/null
@@ -1,92 +0,0 @@
-# Copyright (c) 2011 OpenStack, LLC.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""Policy engine for keystone"""
-
-from oslo_config import cfg
-from oslo_log import log
-from oslo_policy import policy as common_policy
-
-from keystone import exception
-from keystone import policy
-
-
-CONF = cfg.CONF
-LOG = log.getLogger(__name__)
-
-
-_ENFORCER = None
-
-
-def reset():
- global _ENFORCER
- _ENFORCER = None
-
-
-def init():
- global _ENFORCER
- if not _ENFORCER:
- _ENFORCER = common_policy.Enforcer(CONF)
-
-
-def enforce(credentials, action, target, do_raise=True):
- """Verifies that the action is valid on the target in this context.
-
- :param credentials: user credentials
- :param action: string representing the action to be checked, which should
- be colon separated for clarity.
- :param target: dictionary representing the object of the action for object
- creation this should be a dictionary representing the
- location of the object e.g. {'project_id':
- object.project_id}
- :raises keystone.exception.Forbidden: If verification fails.
-
- Actions should be colon separated for clarity. For example:
-
- * identity:list_users
-
- """
- init()
-
- # Add the exception arguments if asked to do a raise
- extra = {}
- if do_raise:
- extra.update(exc=exception.ForbiddenAction, action=action,
- do_raise=do_raise)
-
- return _ENFORCER.enforce(action, target, credentials, **extra)
-
-
-class Policy(policy.PolicyDriverV8):
- def enforce(self, credentials, action, target):
- LOG.debug('enforce %(action)s: %(credentials)s', {
- 'action': action,
- 'credentials': credentials})
- enforce(credentials, action, target)
-
- def create_policy(self, policy_id, policy):
- raise exception.NotImplemented()
-
- def list_policies(self):
- raise exception.NotImplemented()
-
- def get_policy(self, policy_id):
- raise exception.NotImplemented()
-
- def update_policy(self, policy_id, policy):
- raise exception.NotImplemented()
-
- def delete_policy(self, policy_id):
- raise exception.NotImplemented()
diff --git a/keystone-moon/keystone/policy/backends/sql.py b/keystone-moon/keystone/policy/backends/sql.py
deleted file mode 100644
index 94763f0d..00000000
--- a/keystone-moon/keystone/policy/backends/sql.py
+++ /dev/null
@@ -1,71 +0,0 @@
-# Copyright 2012 OpenStack LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystone.common import sql
-from keystone import exception
-from keystone.policy.backends import rules
-
-
-class PolicyModel(sql.ModelBase, sql.DictBase):
- __tablename__ = 'policy'
- attributes = ['id', 'blob', 'type']
- id = sql.Column(sql.String(64), primary_key=True)
- blob = sql.Column(sql.JsonBlob(), nullable=False)
- type = sql.Column(sql.String(255), nullable=False)
- extra = sql.Column(sql.JsonBlob())
-
-
-class Policy(rules.Policy):
-
- @sql.handle_conflicts(conflict_type='policy')
- def create_policy(self, policy_id, policy):
- with sql.session_for_write() as session:
- ref = PolicyModel.from_dict(policy)
- session.add(ref)
-
- return ref.to_dict()
-
- def list_policies(self):
- with sql.session_for_read() as session:
- refs = session.query(PolicyModel).all()
- return [ref.to_dict() for ref in refs]
-
- def _get_policy(self, session, policy_id):
- """Private method to get a policy model object (NOT a dictionary)."""
- ref = session.query(PolicyModel).get(policy_id)
- if not ref:
- raise exception.PolicyNotFound(policy_id=policy_id)
- return ref
-
- def get_policy(self, policy_id):
- with sql.session_for_read() as session:
- return self._get_policy(session, policy_id).to_dict()
-
- @sql.handle_conflicts(conflict_type='policy')
- def update_policy(self, policy_id, policy):
- with sql.session_for_write() as session:
- ref = self._get_policy(session, policy_id)
- old_dict = ref.to_dict()
- old_dict.update(policy)
- new_policy = PolicyModel.from_dict(old_dict)
- ref.blob = new_policy.blob
- ref.type = new_policy.type
- ref.extra = new_policy.extra
-
- return ref.to_dict()
-
- def delete_policy(self, policy_id):
- with sql.session_for_write() as session:
- ref = self._get_policy(session, policy_id)
- session.delete(ref) |