aboutsummaryrefslogtreecommitdiffstats
path: root/keystone-moon/keystone/policy/backends
diff options
context:
space:
mode:
Diffstat (limited to 'keystone-moon/keystone/policy/backends')
-rw-r--r--keystone-moon/keystone/policy/backends/__init__.py0
-rw-r--r--keystone-moon/keystone/policy/backends/rules.py92
-rw-r--r--keystone-moon/keystone/policy/backends/sql.py79
3 files changed, 171 insertions, 0 deletions
diff --git a/keystone-moon/keystone/policy/backends/__init__.py b/keystone-moon/keystone/policy/backends/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/keystone-moon/keystone/policy/backends/__init__.py
diff --git a/keystone-moon/keystone/policy/backends/rules.py b/keystone-moon/keystone/policy/backends/rules.py
new file mode 100644
index 00000000..011dd542
--- /dev/null
+++ b/keystone-moon/keystone/policy/backends/rules.py
@@ -0,0 +1,92 @@
+# Copyright (c) 2011 OpenStack, LLC.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""Policy engine for keystone"""
+
+from oslo_config import cfg
+from oslo_log import log
+from oslo_policy import policy as common_policy
+
+from keystone import exception
+from keystone import policy
+
+
+CONF = cfg.CONF
+LOG = log.getLogger(__name__)
+
+
+_ENFORCER = None
+
+
+def reset():
+ global _ENFORCER
+ _ENFORCER = None
+
+
+def init():
+ global _ENFORCER
+ if not _ENFORCER:
+ _ENFORCER = common_policy.Enforcer(CONF)
+
+
+def enforce(credentials, action, target, do_raise=True):
+ """Verifies that the action is valid on the target in this context.
+
+ :param credentials: user credentials
+ :param action: string representing the action to be checked, which
+ should be colon separated for clarity.
+ :param target: dictionary representing the object of the action
+ for object creation this should be a dictionary
+ representing the location of the object e.g.
+ {'project_id': object.project_id}
+ :raises: `exception.Forbidden` if verification fails.
+
+ Actions should be colon separated for clarity. For example:
+
+ * identity:list_users
+
+ """
+ init()
+
+ # Add the exception arguments if asked to do a raise
+ extra = {}
+ if do_raise:
+ extra.update(exc=exception.ForbiddenAction, action=action,
+ do_raise=do_raise)
+
+ return _ENFORCER.enforce(action, target, credentials, **extra)
+
+
+class Policy(policy.Driver):
+ def enforce(self, credentials, action, target):
+ LOG.debug('enforce %(action)s: %(credentials)s', {
+ 'action': action,
+ 'credentials': credentials})
+ enforce(credentials, action, target)
+
+ def create_policy(self, policy_id, policy):
+ raise exception.NotImplemented()
+
+ def list_policies(self):
+ raise exception.NotImplemented()
+
+ def get_policy(self, policy_id):
+ raise exception.NotImplemented()
+
+ def update_policy(self, policy_id, policy):
+ raise exception.NotImplemented()
+
+ def delete_policy(self, policy_id):
+ raise exception.NotImplemented()
diff --git a/keystone-moon/keystone/policy/backends/sql.py b/keystone-moon/keystone/policy/backends/sql.py
new file mode 100644
index 00000000..b2cccd01
--- /dev/null
+++ b/keystone-moon/keystone/policy/backends/sql.py
@@ -0,0 +1,79 @@
+# Copyright 2012 OpenStack LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystone.common import sql
+from keystone import exception
+from keystone.policy.backends import rules
+
+
+class PolicyModel(sql.ModelBase, sql.DictBase):
+ __tablename__ = 'policy'
+ attributes = ['id', 'blob', 'type']
+ id = sql.Column(sql.String(64), primary_key=True)
+ blob = sql.Column(sql.JsonBlob(), nullable=False)
+ type = sql.Column(sql.String(255), nullable=False)
+ extra = sql.Column(sql.JsonBlob())
+
+
+class Policy(rules.Policy):
+
+ @sql.handle_conflicts(conflict_type='policy')
+ def create_policy(self, policy_id, policy):
+ session = sql.get_session()
+
+ with session.begin():
+ ref = PolicyModel.from_dict(policy)
+ session.add(ref)
+
+ return ref.to_dict()
+
+ def list_policies(self):
+ session = sql.get_session()
+
+ refs = session.query(PolicyModel).all()
+ return [ref.to_dict() for ref in refs]
+
+ def _get_policy(self, session, policy_id):
+ """Private method to get a policy model object (NOT a dictionary)."""
+ ref = session.query(PolicyModel).get(policy_id)
+ if not ref:
+ raise exception.PolicyNotFound(policy_id=policy_id)
+ return ref
+
+ def get_policy(self, policy_id):
+ session = sql.get_session()
+
+ return self._get_policy(session, policy_id).to_dict()
+
+ @sql.handle_conflicts(conflict_type='policy')
+ def update_policy(self, policy_id, policy):
+ session = sql.get_session()
+
+ with session.begin():
+ ref = self._get_policy(session, policy_id)
+ old_dict = ref.to_dict()
+ old_dict.update(policy)
+ new_policy = PolicyModel.from_dict(old_dict)
+ ref.blob = new_policy.blob
+ ref.type = new_policy.type
+ ref.extra = new_policy.extra
+
+ return ref.to_dict()
+
+ def delete_policy(self, policy_id):
+ session = sql.get_session()
+
+ with session.begin():
+ ref = self._get_policy(session, policy_id)
+ session.delete(ref)