Diffstat (limited to 'keystone-moon/keystone/policy/backends')
-rw-r--r-- | keystone-moon/keystone/policy/backends/__init__.py | 0 | ||||
-rw-r--r-- | keystone-moon/keystone/policy/backends/rules.py | 92 | ||||
-rw-r--r-- | keystone-moon/keystone/policy/backends/sql.py | 79 |
3 files changed, 171 insertions, 0 deletions
diff --git a/keystone-moon/keystone/policy/backends/__init__.py b/keystone-moon/keystone/policy/backends/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/keystone-moon/keystone/policy/backends/__init__.py
diff --git a/keystone-moon/keystone/policy/backends/rules.py b/keystone-moon/keystone/policy/backends/rules.py
new file mode 100644
index 00000000..011dd542
--- /dev/null
+++ b/keystone-moon/keystone/policy/backends/rules.py
@@ -0,0 +1,92 @@
+# Copyright (c) 2011 OpenStack, LLC.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""Policy engine for keystone"""
+
+from oslo_config import cfg
+from oslo_log import log
+from oslo_policy import policy as common_policy
+
+from keystone import exception
+from keystone import policy
+
+
+CONF = cfg.CONF
+LOG = log.getLogger(__name__)
+
+
+_ENFORCER = None
+
+
+def reset():
+ global _ENFORCER
+ _ENFORCER = None
+
+
+def init():
+ global _ENFORCER
+ if not _ENFORCER:
+ _ENFORCER = common_policy.Enforcer(CONF)
+
+
+def enforce(credentials, action, target, do_raise=True):
+ """Verifies that the action is valid on the target in this context.
+
+ :param credentials: user credentials
+ :param action: string representing the action to be checked, which
+ should be colon separated for clarity.
+ :param target: dictionary representing the object of the action
+ for object creation this should be a dictionary
+ representing the location of the object e.g.
+ {'project_id': object.project_id}
+ :raises: `exception.Forbidden` if verification fails.
+
+ Actions should be colon separated for clarity. For example:
+
+ * identity:list_users
+
+ """
+ init()
+
+ # Add the exception arguments if asked to do a raise
+ extra = {}
+ if do_raise:
+ extra.update(exc=exception.ForbiddenAction, action=action,
+ do_raise=do_raise)
+
+ return _ENFORCER.enforce(action, target, credentials, **extra)
+
+
+class Policy(policy.Driver):
+ def enforce(self, credentials, action, target):
+ LOG.debug('enforce %(action)s: %(credentials)s', {
+ 'action': action,
+ 'credentials': credentials})
+ enforce(credentials, action, target)
+
+ def create_policy(self, policy_id, policy):
+ raise exception.NotImplemented()
+
+ def list_policies(self):
+ raise exception.NotImplemented()
+
+ def get_policy(self, policy_id):
+ raise exception.NotImplemented()
+
+ def update_policy(self, policy_id, policy):
+ raise exception.NotImplemented()
+
+ def delete_policy(self, policy_id):
+ raise exception.NotImplemented()
diff --git a/keystone-moon/keystone/policy/backends/sql.py b/keystone-moon/keystone/policy/backends/sql.py
new file mode 100644
index 00000000..b2cccd01
--- /dev/null
+++ b/keystone-moon/keystone/policy/backends/sql.py
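Review bot: The `enforce` docstring in this hunk states `:raises: exception.Forbidden`, but the code hands `exc=exception.ForbiddenAction` to the enforcer, so the type callers actually see is `ForbiddenAction`; the `do_raise` keyword is also undocumented even though it changes the return contract (with `do_raise=False` no `exc` is passed and the enforcer's own result is returned, presumably a bool). I would add `:param do_raise: when False, return the check result instead of raising` and change the raises line to `:raises: exception.ForbiddenAction if do_raise is True and verification fails`. Separately, `Policy.enforce` logs the entire `credentials` mapping at DEBUG level; what that mapping carries is not visible here, but if it holds more than user, project and role identifiers, logging only those keys keeps authentication context out of retained debug logs. The `init()` check-then-assign on the module global `_ENFORCER` is also unsynchronised, so two first callers may each build an `Enforcer`; likely harmless, but worth a one-line comment stating that the duplicate is accepted.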
@@ -0,0 +1,79 @@
+# Copyright 2012 OpenStack LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystone.common import sql
+from keystone import exception
+from keystone.policy.backends import rules
+
+
+class PolicyModel(sql.ModelBase, sql.DictBase):
+ __tablename__ = 'policy'
+ attributes = ['id', 'blob', 'type']
+ id = sql.Column(sql.String(64), primary_key=True)
+ blob = sql.Column(sql.JsonBlob(), nullable=False)
+ type = sql.Column(sql.String(255), nullable=False)
+ extra = sql.Column(sql.JsonBlob())
+
+
+class Policy(rules.Policy):
+
+ @sql.handle_conflicts(conflict_type='policy')
+ def create_policy(self, policy_id, policy):
+ session = sql.get_session()
+
+ with session.begin():
+ ref = PolicyModel.from_dict(policy)
+ session.add(ref)
+
+ return ref.to_dict()
+
+ def list_policies(self):
+ session = sql.get_session()
+
+ refs = session.query(PolicyModel).all()
+ return [ref.to_dict() for ref in refs]
+
+ def _get_policy(self, session, policy_id):
+ """Private method to get a policy model object (NOT a dictionary)."""
+ ref = session.query(PolicyModel).get(policy_id)
+ if not ref:
+ raise exception.PolicyNotFound(policy_id=policy_id)
+ return ref
+
+ def get_policy(self, policy_id):
+ session = sql.get_session()
+
+ return self._get_policy(session, policy_id).to_dict()
+
+ @sql.handle_conflicts(conflict_type='policy')
+ def update_policy(self, policy_id, policy):
+ session = sql.get_session()
+
+ with session.begin():
+ ref = self._get_policy(session, policy_id)
+ old_dict = ref.to_dict()
+ old_dict.update(policy)
+ new_policy = PolicyModel.from_dict(old_dict)
+ ref.blob = new_policy.blob
+ ref.type = new_policy.type
+ ref.extra = new_policy.extra
+
+ return ref.to_dict()
+
+ def delete_policy(self, policy_id):
+ session = sql.get_session()
+
+ with session.begin():
+ ref = self._get_policy(session, policy_id)
+ session.delete(ref)
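Review bot: `create_policy` in this hunk never uses its `policy_id` argument; the row is built purely from `PolicyModel.from_dict(policy)`, so the persisted primary key is whatever `policy['id']` holds, and a payload whose `id` differs from the path identifier is stored under the payload's value. If the manager layer guarantees `policy['id'] == policy_id` that should be stated in a comment; otherwise one line makes the contract explicit, `ref = PolicyModel.from_dict(dict(policy, id=policy_id))`. `update_policy` is consistent with the stricter reading, since it copies only `blob`, `type` and `extra` from the rebuilt model back onto the row and therefore cannot rename the key, which is worth a short comment as well. `list_policies` returns every row with no limit or filter; fine for a small policy table, but a reader should not assume it is bounded.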