starlingx/update
Code Issues Proposed changes
update/sw-patch/cgcs-patch/cgcs_patch/authapi/policy.py
Al Bailey 70afae2b0e Debian: Fix patch controller prior to bootstrap 
If /etc/resolv.conf is empty  the patch controller
will raise an uncaught exception due to osprofiler
attempting to validate dns.

osprofiler is unused by patching, so the module is
disabled by the patch controller.

All sw-patch CLI commands will fail prior to
setting up resolv.conf (bootstrapping) without this
fix, since there is no working patch controller

sysinv.common.utils also pulls in dns, so the two
utility methods are cloned into patching repo.

Test Plan:
 PASS Build/Install AIO-SX Debian
 PASS upload a patch

Story: 2009969
Task: 45838
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: I0975f5b54a17a0989a78f6ac39160af0b3e26013
2022-07-21 02:17:17 +00:00

119 lines
3.5 KiB
Python
Executable File
Raw Blame History

#
# Copyright (c) 2011 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Copyright (c) 2014-2017 Wind River Systems, Inc.
#
"""Policy Engine For Patching."""
import os.path
from sysinv.common import exception
from sysinv.openstack.common import policy
from cgcs_patch import utils
_POLICY_PATH = None
_POLICY_CACHE = {}
def reset():
global _POLICY_PATH
global _POLICY_CACHE
_POLICY_PATH = None
_POLICY_CACHE = {}
policy.reset()
def init():
global _POLICY_PATH
global _POLICY_CACHE
if not _POLICY_PATH:
_POLICY_PATH = '/etc/patching/policy.json'
if not os.path.exists(_POLICY_PATH):
raise exception.ConfigNotFound(message='/etc/patching/policy.json')
utils.read_cached_file(_POLICY_PATH, _POLICY_CACHE,
reload_func=_set_rules)
def _set_rules(data):
default_rule = "rule:admin_api"
policy.set_rules(policy.Rules.load_json(data, default_rule))
def enforce(context, action, target, do_raise=True):
"""Verifies that the action is valid on the target in this context.
:param context: sysinv context
:param action: string representing the action to be checked
this should be colon separated for clarity.
i.e. ``compute:create_instance``,
``compute:attach_volume``,
``volume:attach_volume``
:param target: dictionary representing the object of the action
for object creation this should be a dictionary representing the
location of the object e.g. ``{'project_id': context.project_id}``
:param do_raise: if True (the default), raises PolicyNotAuthorized;
if False, returns False
:raises sysinv.exception.PolicyNotAuthorized: if verification fails
and do_raise is True.
:return: returns a non-False value (not necessarily "True") if
authorized, and the exact value False if not authorized and
do_raise is False.
"""
init()
credentials = context.to_dict()
# Add the exception arguments if asked to do a raise
extra = {}
if do_raise:
extra.update(exc=exception.PolicyNotAuthorized, action=action)
return policy.check(action, target, credentials, **extra)
def check_is_admin(context):
"""Whether or not role contains 'admin' role according to policy setting.
"""
init()
credentials = context.to_dict()
target = credentials
return policy.check('context_is_admin', target, credentials)
@policy.register('context_is_admin')
class IsAdminCheck(policy.Check):
"""An explicit check for is_admin."""
def __init__(self, kind, match):
"""Initialize the check."""
self.expected = (match.lower() == 'true')
super(IsAdminCheck, self).__init__(kind, str(self.expected))
def __call__(self, target, creds):
"""Determine whether is_admin matches the requested value."""
return creds['is_admin'] == self.expected
View Git Blame Copy Permalink