@termie
Created November 21, 2011 22:24
example brain / policy interaction
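# Policy target being authorized:
#   nova:action:reboot_instance
# Rules attached to that target (any one matching rule grants access):
#   roles:admin
#   roles:sysadmin, tenant_id:%(tenant_id)s
# NOTE(review): the comma in the second rule presumably denotes AND, which
# _check_rule expects as a tuple/list of rule strings -- confirm how the
# brain stores it.
can_haz(
    target='nova:action:reboot_instance',
    # Attributes of the object being acted on; they fill the %(name)s
    # placeholders in rule templates. `object` presumably stands for the
    # instance being rebooted.
    extra={'tenant_id': object.project_id},
    # Attributes of the caller, read from `context`. Build these only from
    # the authenticated context: a caller-supplied value here would let
    # the caller pick its own roles or tenant.
    creds={
        'user_id': context.user.id,
        'tenant_id': context.tenant.id,
        # One 'role:<id>' string per role held by the caller. The original
        # comprehension never applied the format string and used x['id']
        # as the loop target, so x was undefined.
        # NOTE(review): the sample rule is written `roles:admin`, without
        # the 'role:' prefix; the rule value and the credential format
        # must agree or the check always denies.
        'roles': ['role:%s' % x['id'] for x in context.roles],
    },
)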
# results in background operations
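def _check_haz(target, extra, creds):
    """Return True if any rule registered for *target* is satisfied.

    Args:
        target: Policy target name, e.g. 'nova:action:reboot_instance'.
        extra: Mapping used to fill %(name)s placeholders in rules.
        creds: Mapping of the caller's credentials.

    Returns:
        True when at least one rule passes, otherwise False.
    """
    # Look up the rules for the target that was actually requested. The
    # original hard-coded 'nova:action:reboot_instance', so every action
    # would have been judged against the reboot policy.
    rules = brain.get_rule(target)
    # Rules are alternatives (OR). Default deny: with no matching rule, or
    # no rules at all, the result is False. `self.check_rule` in the
    # original named neither a defined object nor the helper below.
    return any(_check_rule(rule, extra, creds) for rule in rules)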
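def _check_rule(rule, extra, creds):
    """Evaluate one rule against the caller's credentials.

    A rule is either a 'key:value' string, whose value may contain
    %(name)s placeholders filled from *extra*, or a tuple/list of rules
    that must all pass (AND).

    Args:
        rule: Rule string, or tuple/list of rules.
        extra: Mapping used to fill placeholders in the rule value.
        creds: Mapping of the caller's credentials.

    Returns:
        True if the rule is satisfied, otherwise False.

    Raises:
        ValueError: If a rule string contains no ':' separator.
        KeyError: If a placeholder names a key missing from *extra*.
    """
    # AND group: every member must pass. An empty group is vacuously
    # satisfied, exactly as the original loop behaved.
    if isinstance(rule, (tuple, list)):
        return all(_check_rule(part, extra, creds) for part in rule)

    # Split before interpolating so the credential key always comes from
    # the policy text, never from object-derived data in `extra`. The
    # original computed `rule % extra` but then compared against the
    # unsubstituted template, so templated rules could never match.
    key, template = rule.split(':', 1)
    check = template % extra

    # Fail closed: a credential the caller does not carry cannot match.
    if key not in creds:
        return False

    held = creds[key]
    # Multi-valued credentials (e.g. a list of roles) match by membership.
    # Strings are deliberately excluded: `in` on a str is a substring
    # test, which would let 'adm' match 'admin'.
    if isinstance(held, (list, tuple, set, frozenset)):
        return check in held
    return held == check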