Created
November 21, 2011 22:24
-
-
Save termie/1384158 to your computer and use it in GitHub Desktop.
example brain / policy interaction
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # target: | |
| # nova:action:reboot_instance | |
| # rule: | |
| # roles:admin | |
| # roles:sysadmin, tenant_id:%(tenant_id)s | |
| can_haz(target='nova:action:reboot_instance', | |
| extra={'tenant_id': object.project_id}, | |
| creds={'user_id': context.user.id, | |
| 'tenant_id': context.tenant.id, | |
| 'roles': ['role:%s' for x['id'] in context.roles]}) | |
| # results in background operations | |
| def _check_haz(target, extra, creds): | |
| rules = brain.get_rule('nova:action:reboot_instance') | |
| for rule in rules: | |
| if self.check_rule(rule, extra, creds): | |
| return True | |
| return False | |
| def _check_rule(rule, extra, creds): | |
| # handle ANDs | |
| if type(rule) is type(tuple()) or type(rule) is type(list()): | |
| for x in rule: | |
| if not self._check_rule(x, extra, creds): | |
| return False | |
| return True | |
| real_rule = rule % extra | |
| key, check = rule.split(':', 1) | |
| if creds[key] == check: | |
| return True | |
| return False |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment