openstack/horizon
Code Issues Proposed changes

Remove old style policy checks

Browse Source 
Since the main policy engine moved to django_openstack_auth, the
policy.py file handles the check for POLICY_CHECK_FUNCTION and just
returns True if it is not defined. This eliminates the need for all
the special casing that is being removed in this patch.

One special case (not test related) was left in place, that is in
admin/dashboard.py which has more complex behavior if the operator
is not using policy.

Change-Id: I5523632d3459b68693fcc781bd024aea1180c110
This commit is contained in:
David Lyle 2016-07-11 09:30:31 -06:00
parent c701552d6a
commit 6868cb70e1
5 changed files with 61 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
openstack_dashboard/api/neutron.py
View File

@ -1287,8 +1287,7 @@ def get_feature_permission(request, feature, operation=None):
# Check policy
feature_policies = feature_info.get('policies')
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
if feature_policies and policy_check:
if feature_policies:
policy_name = feature_policies.get(operation)
if not policy_name:
# Translators: Only used inside Horizon code and invisible to users

36
openstack_dashboard/dashboards/project/access_and_security/floating_ips/tables.py
View File

@ -15,7 +15,6 @@
import logging
from django.conf import settings
from django.core.urlresolvers import reverse
from django import shortcuts
from django.utils.http import urlencode
@ -29,14 +28,13 @@ from horizon import messages
from horizon import tables
from openstack_dashboard import api
from openstack_dashboard import policy
from openstack_dashboard.usage import quotas
from openstack_dashboard.utils import filters
LOG = logging.getLogger(__name__)
POLICY_CHECK = getattr(settings, "POLICY_CHECK_FUNCTION", lambda p, r: True)
class AllocateIP(tables.LinkAction):
name = "allocate"
@ -61,12 +59,12 @@ class AllocateIP(tables.LinkAction):
self.classes = classes
if api.base.is_service_enabled(request, "network"):
policy = (("network", "create_floatingip"),)
policy_rules = (("network", "create_floatingip"),)
else:
policy = (("compute", "compute_extension:floating_ips"),
("compute", "network:allocate_floating_ip"),)
policy_rules = (("compute", "compute_extension:floating_ips"),
("compute", "network:allocate_floating_ip"),)
return POLICY_CHECK(policy, request)
return policy.check(policy_rules, request)
class ReleaseIPs(tables.BatchAction):
@ -94,12 +92,12 @@ class ReleaseIPs(tables.BatchAction):
def allowed(self, request, fip=None):
if api.base.is_service_enabled(request, "network"):
policy = (("network", "delete_floatingip"),)
policy_rules = (("network", "delete_floatingip"),)
else:
policy = (("compute", "compute_extension:floating_ips"),
("compute", "network:release_floating_ip"),)
policy_rules = (("compute", "compute_extension:floating_ips"),
("compute", "network:release_floating_ip"),)
return POLICY_CHECK(policy, request)
return policy.check(policy_rules, request)
def action(self, request, obj_id):
api.network.tenant_floating_ip_release(request, obj_id)
@ -114,12 +112,12 @@ class AssociateIP(tables.LinkAction):
def allowed(self, request, fip):
if api.base.is_service_enabled(request, "network"):
policy = (("network", "update_floatingip"),)
policy_rules = (("network", "update_floatingip"),)
else:
policy = (("compute", "compute_extension:floating_ips"),
("compute", "network:associate_floating_ip"),)
policy_rules = (("compute", "compute_extension:floating_ips"),
("compute", "network:associate_floating_ip"),)
return not fip.port_id and POLICY_CHECK(policy, request)
return not fip.port_id and policy.check(policy_rules, request)
def get_link_url(self, datum):
base_url = reverse(self.url)
@ -136,12 +134,12 @@ class DisassociateIP(tables.Action):
def allowed(self, request, fip):
if api.base.is_service_enabled(request, "network"):
policy = (("network", "update_floatingip"),)
policy_rules = (("network", "update_floatingip"),)
else:
policy = (("compute", "compute_extension:floating_ips"),
("compute", "network:disassociate_floating_ip"),)
policy_rules = (("compute", "compute_extension:floating_ips"),
("compute", "network:disassociate_floating_ip"),)
return fip.port_id and POLICY_CHECK(policy, request)
return fip.port_id and policy.check(policy_rules, request)
def single(self, table, request, obj_id):
try:

40
openstack_dashboard/dashboards/project/access_and_security/security_groups/tables.py
View File

@ -26,10 +26,6 @@ from openstack_dashboard.usage import quotas
from openstack_dashboard.utils import filters
POLICY_CHECK = getattr(settings, "POLICY_CHECK_FUNCTION",
lambda policy, request, target: True)
class DeleteGroup(policy.PolicyTargetMixin, tables.DeleteAction):
@staticmethod
@ -51,11 +47,11 @@ class DeleteGroup(policy.PolicyTargetMixin, tables.DeleteAction):
def allowed(self, request, security_group=None):
policy_target = self.get_policy_target(request, security_group)
if api.base.is_service_enabled(request, "network"):
policy = (("network", "delete_security_group"),)
policy_rules = (("network", "delete_security_group"),)
else:
policy = (("compute", "compute_extension:security_groups"),)
policy_rules = (("compute", "compute_extension:security_groups"),)
if not POLICY_CHECK(policy, request, policy_target):
if not policy.check(policy_rules, request, policy_target):
return False
if not security_group:
@ -75,9 +71,9 @@ class CreateGroup(tables.LinkAction):
def allowed(self, request, security_group=None):
if api.base.is_service_enabled(request, "network"):
policy = (("network", "create_security_group"),)
policy_rules = (("network", "create_security_group"),)
else:
policy = (("compute", "compute_extension:security_groups"),)
policy_rules = (("compute", "compute_extension:security_groups"),)
usages = quotas.tenant_quota_usages(request)
if usages['security_groups'].get('available', 1) <= 0:
@ -88,7 +84,7 @@ class CreateGroup(tables.LinkAction):
self.verbose_name = _("Create Security Group")
self.classes = [c for c in self.classes if c != "disabled"]
return POLICY_CHECK(policy, request, target={})
return policy.check(policy_rules, request, target={})
class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):
@ -101,11 +97,11 @@ class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):
def allowed(self, request, security_group=None):
policy_target = self.get_policy_target(request, security_group)
if api.base.is_service_enabled(request, "network"):
policy = (("network", "update_security_group"),)
policy_rules = (("network", "update_security_group"),)
else:
policy = (("compute", "compute_extension:security_groups"),)
policy_rules = (("compute", "compute_extension:security_groups"),)
if not POLICY_CHECK(policy, request, policy_target):
if not policy.check(policy_rules, request, policy_target):
return False
if not security_group:
@ -122,11 +118,11 @@ class ManageRules(policy.PolicyTargetMixin, tables.LinkAction):
def allowed(self, request, security_group=None):
policy_target = self.get_policy_target(request, security_group)
if api.base.is_service_enabled(request, "network"):
policy = (("network", "get_security_group"),)
policy_rules = (("network", "get_security_group"),)
else:
policy = (("compute", "compute_extension:security_groups"),)
policy_rules = (("compute", "compute_extension:security_groups"),)
return POLICY_CHECK(policy, request, policy_target)
return policy.check(policy_rules, request, policy_target)
class SecurityGroupsFilterAction(tables.FilterAction):
@ -161,11 +157,11 @@ class CreateRule(tables.LinkAction):
def allowed(self, request, security_group_rule=None):
if api.base.is_service_enabled(request, "network"):
policy = (("network", "create_security_group_rule"),)
policy_rules = (("network", "create_security_group_rule"),)
else:
policy = (("compute", "compute_extension:security_groups"),)
policy_rules = (("compute", "compute_extension:security_groups"),)
return POLICY_CHECK(policy, request, target={})
return policy.check(policy_rules, request, target={})
def get_link_url(self):
return reverse(self.url, args=[self.table.kwargs['security_group_id']])
@ -190,11 +186,11 @@ class DeleteRule(tables.DeleteAction):
def allowed(self, request, security_group_rule=None):
if api.base.is_service_enabled(request, "network"):
policy = (("network", "delete_security_group_rule"),)
policy_rules = (("network", "delete_security_group_rule"),)
else:
policy = (("compute", "compute_extension:security_groups"),)
policy_rules = (("compute", "compute_extension:security_groups"),)
return POLICY_CHECK(policy, request, target={})
return policy.check(policy_rules, request, target={})
def delete(self, request, obj_id):
api.network.security_group_rule_delete(request, obj_id)

43
openstack_dashboard/dashboards/project/instances/tables.py
View File

@ -216,17 +216,16 @@ class TogglePause(tables.BatchAction):
self.paused = instance.status == "PAUSED"
if self.paused:
self.current_present_action = UNPAUSE
policy = (("compute", "compute_extension:admin_actions:unpause"),)
policy_rules = (
("compute", "compute_extension:admin_actions:unpause"),)
else:
self.current_present_action = PAUSE
policy = (("compute", "compute_extension:admin_actions:pause"),)
policy_rules = (
("compute", "compute_extension:admin_actions:pause"),)
has_permission = True
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
if policy_check:
has_permission = policy_check(
policy, request,
target={'project_id': getattr(instance, 'tenant_id', None)})
has_permission = policy.check(
policy_rules, request,
target={'project_id': getattr(instance, 'tenant_id', None)})
return (has_permission
and (instance.status in ACTIVE_STATES or self.paused)
@ -284,17 +283,16 @@ class ToggleSuspend(tables.BatchAction):
self.suspended = instance.status == "SUSPENDED"
if self.suspended:
self.current_present_action = RESUME
policy = (("compute", "compute_extension:admin_actions:resume"),)
policy_rules = (
("compute", "compute_extension:admin_actions:resume"),)
else:
self.current_present_action = SUSPEND
policy = (("compute", "compute_extension:admin_actions:suspend"),)
policy_rules = (
("compute", "compute_extension:admin_actions:suspend"),)
has_permission = True
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
if policy_check:
has_permission = policy_check(
policy, request,
target={'project_id': getattr(instance, 'tenant_id', None)})
has_permission = policy.check(
policy_rules, request,
target={'project_id': getattr(instance, 'tenant_id', None)})
return (has_permission
and (instance.status in ACTIVE_STATES or self.suspended)
@ -351,17 +349,14 @@ class ToggleShelve(tables.BatchAction):
self.shelved = instance.status == "SHELVED_OFFLOADED"
if self.shelved:
self.current_present_action = UNSHELVE
policy = (("compute", "compute_extension:unshelve"),)
policy_rules = (("compute", "compute_extension:unshelve"),)
else:
self.current_present_action = SHELVE
policy = (("compute", "compute_extension:shelve"),)
policy_rules = (("compute", "compute_extension:shelve"),)
has_permission = True
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
if policy_check:
has_permission = policy_check(
policy, request,
target={'project_id': getattr(instance, 'tenant_id', None)})
has_permission = policy.check(
policy_rules, request,
target={'project_id': getattr(instance, 'tenant_id', None)})
return (has_permission
and (instance.status in ACTIVE_STATES or self.shelved)

21
openstack_dashboard/dashboards/project/network_topology/utils.py
View File

@ -13,19 +13,10 @@
from django.conf import settings
from openstack_dashboard.api import base
from openstack_dashboard import policy
from openstack_dashboard.usage import quotas
def _has_permission(request, policy):
has_permission = True
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
if policy_check:
has_permission = policy_check(policy, request)
return has_permission
def _quota_exceeded(request, quota):
usages = quotas.tenant_quota_usages(request)
available = usages.get(quota, {}).get('available', 1)
@ -39,15 +30,15 @@ def get_context(request, context=None):
network_config = getattr(settings, 'OPENSTACK_NEUTRON_NETWORK', {})
context['launch_instance_allowed'] = _has_permission(
request, (("compute", "compute:create"),))
context['launch_instance_allowed'] = policy.check(
(("compute", "compute:create"),), request)
context['instance_quota_exceeded'] = _quota_exceeded(request, 'instances')
context['create_network_allowed'] = _has_permission(
request, (("network", "create_network"),))
context['create_network_allowed'] = policy.check(
(("network", "create_network"),), request)
context['network_quota_exceeded'] = _quota_exceeded(request, 'networks')
context['create_router_allowed'] = (
network_config.get('enable_router', True) and
_has_permission(request, (("network", "create_router"),)))
policy.check((("network", "create_router"),), request))
context['router_quota_exceeded'] = _quota_exceeded(request, 'routers')
context['console_type'] = getattr(settings, 'CONSOLE_TYPE', 'AUTO')
context['show_ng_launch'] = (