Merge "Remove old style policy checks"
commit
7409b1baad
@ -1287,8 +1287,7 @@ def get_feature_permission(request, feature, operation=None):
|
||||
|
||||
# Check policy
|
||||
feature_policies = feature_info.get('policies')
|
||||
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
|
||||
if feature_policies and policy_check:
|
||||
if feature_policies:
|
||||
policy_name = feature_policies.get(operation)
|
||||
if not policy_name:
|
||||
# Translators: Only used inside Horizon code and invisible to users
|
||||
|
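Review bot: Dropping the `policy_check` guard means the `if not policy_name:` branch in `get_feature_permission` is now reached on deployments that set no `POLICY_CHECK_FUNCTION`, where the whole block used to be skipped. The signature defaults to `operation=None`, so a caller that omits the operation for a feature with a `policies` map will now enter that branch; its body lies outside this hunk, so confirm what it does to such callers. A short comment above the block would record the intent, for example `# Validate the operation name even when no policy function is configured`, and a unit test with `POLICY_CHECK_FUNCTION` unset would pin the new behaviour.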
@ -15,7 +15,6 @@
|
||||
|
||||
import logging
|
||||
|
||||
from django.conf import settings
|
||||
from django.core.urlresolvers import reverse
|
||||
from django import shortcuts
|
||||
from django.utils.http import urlencode
|
||||
@ -29,14 +28,13 @@ from horizon import messages
|
||||
from horizon import tables
|
||||
|
||||
from openstack_dashboard import api
|
||||
from openstack_dashboard import policy
|
||||
from openstack_dashboard.usage import quotas
|
||||
from openstack_dashboard.utils import filters
|
||||
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
POLICY_CHECK = getattr(settings, "POLICY_CHECK_FUNCTION", lambda p, r: True)
|
||||
|
||||
|
||||
class AllocateIP(tables.LinkAction):
|
||||
name = "allocate"
|
||||
@ -61,12 +59,12 @@ class AllocateIP(tables.LinkAction):
|
||||
self.classes = classes
|
||||
|
||||
if api.base.is_service_enabled(request, "network"):
|
||||
policy = (("network", "create_floatingip"),)
|
||||
policy_rules = (("network", "create_floatingip"),)
|
||||
else:
|
||||
policy = (("compute", "compute_extension:floating_ips"),
|
||||
("compute", "network:allocate_floating_ip"),)
|
||||
policy_rules = (("compute", "compute_extension:floating_ips"),
|
||||
("compute", "network:allocate_floating_ip"),)
|
||||
|
||||
return POLICY_CHECK(policy, request)
|
||||
return policy.check(policy_rules, request)
|
||||
|
||||
|
||||
class ReleaseIPs(tables.BatchAction):
|
||||
@ -94,12 +92,12 @@ class ReleaseIPs(tables.BatchAction):
|
||||
|
||||
def allowed(self, request, fip=None):
|
||||
if api.base.is_service_enabled(request, "network"):
|
||||
policy = (("network", "delete_floatingip"),)
|
||||
policy_rules = (("network", "delete_floatingip"),)
|
||||
else:
|
||||
policy = (("compute", "compute_extension:floating_ips"),
|
||||
("compute", "network:release_floating_ip"),)
|
||||
policy_rules = (("compute", "compute_extension:floating_ips"),
|
||||
("compute", "network:release_floating_ip"),)
|
||||
|
||||
return POLICY_CHECK(policy, request)
|
||||
return policy.check(policy_rules, request)
|
||||
|
||||
def action(self, request, obj_id):
|
||||
api.network.tenant_floating_ip_release(request, obj_id)
|
||||
@ -114,12 +112,12 @@ class AssociateIP(tables.LinkAction):
|
||||
|
||||
def allowed(self, request, fip):
|
||||
if api.base.is_service_enabled(request, "network"):
|
||||
policy = (("network", "update_floatingip"),)
|
||||
policy_rules = (("network", "update_floatingip"),)
|
||||
else:
|
||||
policy = (("compute", "compute_extension:floating_ips"),
|
||||
("compute", "network:associate_floating_ip"),)
|
||||
policy_rules = (("compute", "compute_extension:floating_ips"),
|
||||
("compute", "network:associate_floating_ip"),)
|
||||
|
||||
return not fip.port_id and POLICY_CHECK(policy, request)
|
||||
return not fip.port_id and policy.check(policy_rules, request)
|
||||
|
||||
def get_link_url(self, datum):
|
||||
base_url = reverse(self.url)
|
||||
@ -136,12 +134,12 @@ class DisassociateIP(tables.Action):
|
||||
|
||||
def allowed(self, request, fip):
|
||||
if api.base.is_service_enabled(request, "network"):
|
||||
policy = (("network", "update_floatingip"),)
|
||||
policy_rules = (("network", "update_floatingip"),)
|
||||
else:
|
||||
policy = (("compute", "compute_extension:floating_ips"),
|
||||
("compute", "network:disassociate_floating_ip"),)
|
||||
policy_rules = (("compute", "compute_extension:floating_ips"),
|
||||
("compute", "network:disassociate_floating_ip"),)
|
||||
|
||||
return fip.port_id and POLICY_CHECK(policy, request)
|
||||
return fip.port_id and policy.check(policy_rules, request)
|
||||
|
||||
def single(self, table, request, obj_id):
|
||||
try:
|
||||
|
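Review bot: The floating-IP `allowed()` methods call `policy.check(policy_rules, request)` with no target even where the row object is in hand (`fip` in `ReleaseIPs`, `AssociateIP` and `DisassociateIP`), so a rule that compares the caller's project with the resource owner has nothing to match against. The instance actions in this same commit pass `target={'project_id': getattr(instance, 'tenant_id', None)}`; if the floating-IP object exposes its owning project the same shape would fit here, e.g. `policy.check(policy_rules, request, target={'project_id': getattr(fip, 'tenant_id', None)})`, with the attribute name to be verified against the API wrapper. The security-group section has the same gap in `DeleteRule.allowed`, which receives `security_group_rule` but passes `target={}`. The enclosing methods and classes start outside these hunks.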
@ -26,10 +26,6 @@ from openstack_dashboard.usage import quotas
|
||||
from openstack_dashboard.utils import filters
|
||||
|
||||
|
||||
POLICY_CHECK = getattr(settings, "POLICY_CHECK_FUNCTION",
|
||||
lambda policy, request, target: True)
|
||||
|
||||
|
||||
class DeleteGroup(policy.PolicyTargetMixin, tables.DeleteAction):
|
||||
|
||||
@staticmethod
|
||||
@ -51,11 +47,11 @@ class DeleteGroup(policy.PolicyTargetMixin, tables.DeleteAction):
|
||||
def allowed(self, request, security_group=None):
|
||||
policy_target = self.get_policy_target(request, security_group)
|
||||
if api.base.is_service_enabled(request, "network"):
|
||||
policy = (("network", "delete_security_group"),)
|
||||
policy_rules = (("network", "delete_security_group"),)
|
||||
else:
|
||||
policy = (("compute", "compute_extension:security_groups"),)
|
||||
policy_rules = (("compute", "compute_extension:security_groups"),)
|
||||
|
||||
if not POLICY_CHECK(policy, request, policy_target):
|
||||
if not policy.check(policy_rules, request, policy_target):
|
||||
return False
|
||||
|
||||
if not security_group:
|
||||
@ -75,9 +71,9 @@ class CreateGroup(tables.LinkAction):
|
||||
|
||||
def allowed(self, request, security_group=None):
|
||||
if api.base.is_service_enabled(request, "network"):
|
||||
policy = (("network", "create_security_group"),)
|
||||
policy_rules = (("network", "create_security_group"),)
|
||||
else:
|
||||
policy = (("compute", "compute_extension:security_groups"),)
|
||||
policy_rules = (("compute", "compute_extension:security_groups"),)
|
||||
|
||||
usages = quotas.tenant_quota_usages(request)
|
||||
if usages['security_groups'].get('available', 1) <= 0:
|
||||
@ -88,7 +84,7 @@ class CreateGroup(tables.LinkAction):
|
||||
self.verbose_name = _("Create Security Group")
|
||||
self.classes = [c for c in self.classes if c != "disabled"]
|
||||
|
||||
return POLICY_CHECK(policy, request, target={})
|
||||
return policy.check(policy_rules, request, target={})
|
||||
|
||||
|
||||
class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):
|
||||
@ -101,11 +97,11 @@ class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):
|
||||
def allowed(self, request, security_group=None):
|
||||
policy_target = self.get_policy_target(request, security_group)
|
||||
if api.base.is_service_enabled(request, "network"):
|
||||
policy = (("network", "update_security_group"),)
|
||||
policy_rules = (("network", "update_security_group"),)
|
||||
else:
|
||||
policy = (("compute", "compute_extension:security_groups"),)
|
||||
policy_rules = (("compute", "compute_extension:security_groups"),)
|
||||
|
||||
if not POLICY_CHECK(policy, request, policy_target):
|
||||
if not policy.check(policy_rules, request, policy_target):
|
||||
return False
|
||||
|
||||
if not security_group:
|
||||
@ -122,11 +118,11 @@ class ManageRules(policy.PolicyTargetMixin, tables.LinkAction):
|
||||
def allowed(self, request, security_group=None):
|
||||
policy_target = self.get_policy_target(request, security_group)
|
||||
if api.base.is_service_enabled(request, "network"):
|
||||
policy = (("network", "get_security_group"),)
|
||||
policy_rules = (("network", "get_security_group"),)
|
||||
else:
|
||||
policy = (("compute", "compute_extension:security_groups"),)
|
||||
policy_rules = (("compute", "compute_extension:security_groups"),)
|
||||
|
||||
return POLICY_CHECK(policy, request, policy_target)
|
||||
return policy.check(policy_rules, request, policy_target)
|
||||
|
||||
|
||||
class SecurityGroupsFilterAction(tables.FilterAction):
|
||||
@ -161,11 +157,11 @@ class CreateRule(tables.LinkAction):
|
||||
|
||||
def allowed(self, request, security_group_rule=None):
|
||||
if api.base.is_service_enabled(request, "network"):
|
||||
policy = (("network", "create_security_group_rule"),)
|
||||
policy_rules = (("network", "create_security_group_rule"),)
|
||||
else:
|
||||
policy = (("compute", "compute_extension:security_groups"),)
|
||||
policy_rules = (("compute", "compute_extension:security_groups"),)
|
||||
|
||||
return POLICY_CHECK(policy, request, target={})
|
||||
return policy.check(policy_rules, request, target={})
|
||||
|
||||
def get_link_url(self):
|
||||
return reverse(self.url, args=[self.table.kwargs['security_group_id']])
|
||||
@ -190,11 +186,11 @@ class DeleteRule(tables.DeleteAction):
|
||||
|
||||
def allowed(self, request, security_group_rule=None):
|
||||
if api.base.is_service_enabled(request, "network"):
|
||||
policy = (("network", "delete_security_group_rule"),)
|
||||
policy_rules = (("network", "delete_security_group_rule"),)
|
||||
else:
|
||||
policy = (("compute", "compute_extension:security_groups"),)
|
||||
policy_rules = (("compute", "compute_extension:security_groups"),)
|
||||
|
||||
return POLICY_CHECK(policy, request, target={})
|
||||
return policy.check(policy_rules, request, target={})
|
||||
|
||||
def delete(self, request, obj_id):
|
||||
api.network.security_group_rule_delete(request, obj_id)
|
||||
|
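Review bot: The removed module-level default `lambda policy, request, target: True` made it visible in this file that every `allowed()` here grants the action when no policy function is configured; after the change that fallback, if it still exists, lives inside `policy.check`, which this page does not show. It is worth confirming that `policy.check` returns the same result when `POLICY_CHECK_FUNCTION` is unset and stating the allow-or-deny default in its docstring, so readers of these tables do not have to guess. These checks appear to decide only whether an action is offered in the table, since `delete()` in `DeleteRule` calls `api.network.security_group_rule_delete` directly, so the backing service's own policy remains the enforcement point.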
@ -216,17 +216,16 @@ class TogglePause(tables.BatchAction):
|
||||
self.paused = instance.status == "PAUSED"
|
||||
if self.paused:
|
||||
self.current_present_action = UNPAUSE
|
||||
policy = (("compute", "compute_extension:admin_actions:unpause"),)
|
||||
policy_rules = (
|
||||
("compute", "compute_extension:admin_actions:unpause"),)
|
||||
else:
|
||||
self.current_present_action = PAUSE
|
||||
policy = (("compute", "compute_extension:admin_actions:pause"),)
|
||||
policy_rules = (
|
||||
("compute", "compute_extension:admin_actions:pause"),)
|
||||
|
||||
has_permission = True
|
||||
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
|
||||
if policy_check:
|
||||
has_permission = policy_check(
|
||||
policy, request,
|
||||
target={'project_id': getattr(instance, 'tenant_id', None)})
|
||||
has_permission = policy.check(
|
||||
policy_rules, request,
|
||||
target={'project_id': getattr(instance, 'tenant_id', None)})
|
||||
|
||||
return (has_permission
|
||||
and (instance.status in ACTIVE_STATES or self.paused)
|
||||
@ -284,17 +283,16 @@ class ToggleSuspend(tables.BatchAction):
|
||||
self.suspended = instance.status == "SUSPENDED"
|
||||
if self.suspended:
|
||||
self.current_present_action = RESUME
|
||||
policy = (("compute", "compute_extension:admin_actions:resume"),)
|
||||
policy_rules = (
|
||||
("compute", "compute_extension:admin_actions:resume"),)
|
||||
else:
|
||||
self.current_present_action = SUSPEND
|
||||
policy = (("compute", "compute_extension:admin_actions:suspend"),)
|
||||
policy_rules = (
|
||||
("compute", "compute_extension:admin_actions:suspend"),)
|
||||
|
||||
has_permission = True
|
||||
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
|
||||
if policy_check:
|
||||
has_permission = policy_check(
|
||||
policy, request,
|
||||
target={'project_id': getattr(instance, 'tenant_id', None)})
|
||||
has_permission = policy.check(
|
||||
policy_rules, request,
|
||||
target={'project_id': getattr(instance, 'tenant_id', None)})
|
||||
|
||||
return (has_permission
|
||||
and (instance.status in ACTIVE_STATES or self.suspended)
|
||||
@ -351,17 +349,14 @@ class ToggleShelve(tables.BatchAction):
|
||||
self.shelved = instance.status == "SHELVED_OFFLOADED"
|
||||
if self.shelved:
|
||||
self.current_present_action = UNSHELVE
|
||||
policy = (("compute", "compute_extension:unshelve"),)
|
||||
policy_rules = (("compute", "compute_extension:unshelve"),)
|
||||
else:
|
||||
self.current_present_action = SHELVE
|
||||
policy = (("compute", "compute_extension:shelve"),)
|
||||
policy_rules = (("compute", "compute_extension:shelve"),)
|
||||
|
||||
has_permission = True
|
||||
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
|
||||
if policy_check:
|
||||
has_permission = policy_check(
|
||||
policy, request,
|
||||
target={'project_id': getattr(instance, 'tenant_id', None)})
|
||||
has_permission = policy.check(
|
||||
policy_rules, request,
|
||||
target={'project_id': getattr(instance, 'tenant_id', None)})
|
||||
|
||||
return (has_permission
|
||||
and (instance.status in ACTIVE_STATES or self.shelved)
|
||||
|
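Review bot: The call `policy.check(policy_rules, request, target={'project_id': getattr(instance, 'tenant_id', None)})` is now repeated verbatim in `TogglePause`, `ToggleSuspend` and `ToggleShelve`, which makes it easy for one copy to drift when the target shape changes. The security-group tables in this commit build their target through `policy.PolicyTargetMixin` and `self.get_policy_target(request, security_group)`; using the same mixin here, if its attribute mapping fits instances, would keep target construction in one place. Failing that, a small module-level helper that takes `request`, `instance` and the rule tuple would do the same job. The `allowed()` methods themselves start and end outside these hunks.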
@ -13,19 +13,10 @@
|
||||
from django.conf import settings
|
||||
|
||||
from openstack_dashboard.api import base
|
||||
from openstack_dashboard import policy
|
||||
from openstack_dashboard.usage import quotas
|
||||
|
||||
|
||||
def _has_permission(request, policy):
|
||||
has_permission = True
|
||||
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
|
||||
|
||||
if policy_check:
|
||||
has_permission = policy_check(policy, request)
|
||||
|
||||
return has_permission
|
||||
|
||||
|
||||
def _quota_exceeded(request, quota):
|
||||
usages = quotas.tenant_quota_usages(request)
|
||||
available = usages.get(quota, {}).get('available', 1)
|
||||
@ -39,15 +30,15 @@ def get_context(request, context=None):
|
||||
|
||||
network_config = getattr(settings, 'OPENSTACK_NEUTRON_NETWORK', {})
|
||||
|
||||
context['launch_instance_allowed'] = _has_permission(
|
||||
request, (("compute", "compute:create"),))
|
||||
context['launch_instance_allowed'] = policy.check(
|
||||
(("compute", "compute:create"),), request)
|
||||
context['instance_quota_exceeded'] = _quota_exceeded(request, 'instances')
|
||||
context['create_network_allowed'] = _has_permission(
|
||||
request, (("network", "create_network"),))
|
||||
context['create_network_allowed'] = policy.check(
|
||||
(("network", "create_network"),), request)
|
||||
context['network_quota_exceeded'] = _quota_exceeded(request, 'networks')
|
||||
context['create_router_allowed'] = (
|
||||
network_config.get('enable_router', True) and
|
||||
_has_permission(request, (("network", "create_router"),)))
|
||||
policy.check((("network", "create_router"),), request))
|
||||
context['router_quota_exceeded'] = _quota_exceeded(request, 'routers')
|
||||
context['console_type'] = getattr(settings, 'CONSOLE_TYPE', 'AUTO')
|
||||
context['show_ng_launch'] = (
|
||||
|
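Review bot: `context['create_router_allowed']` is built with `network_config.get('enable_router', True) and policy.check(...)`, so when the setting is falsy the context receives the raw setting value (for example `None` or `''`) rather than `False`, and any truthy misconfiguration such as the string `'False'` still enables the check path. Wrapping the expression in `bool(...)` keeps the flag a strict boolean like the other `*_allowed` entries, which now come straight from `policy.check`. `get_context` begins before this hunk and continues after it.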