OpenStack glance 认证函数
2016-07-21 19:35
417 查看
def _enforce(self, req, action, target=None):
"""Authorize an action against our policies"""
if target is None:
target = {}
try:
self.policy.enforce(req.context, action, target)
except exception.Forbidden:
raise HTTPForbidden()
def _enforce_image_property_quota(self,
image_meta,
orig_image_meta=None,
purge_props=False,
req=None):
if CONF.image_property_quota < 0:
# If value is negative, allow unlimited number of properties
return
props = image_meta['properties'].keys()
# NOTE(ameade): If we are not removing existing properties,
# take them in to account
if (not purge_props) and orig_image_meta:
original_props = orig_image_meta['properties'].keys()
props.extend(original_props)
props = set(props)
if len(props) > CONF.image_property_quota:
msg = (_("The limit has been exceeded on the number of allowed "
"image properties. Attempted: %(num)s, Maximum: "
"%(quota)s") % {'num': len(props),
'quota': CONF.image_property_quota})
LOG.warn(msg)
raise HTTPRequestEntityTooLarge(explanation=msg,
request=req,
content_type="text/plain")
def _enforce_create_protected_props(self, create_props, req):
"""
[/b] Check request is permitted to create certain properties
:param create_props: List of properties to check
:param req: The WSGI/Webob Request object
:raises HTTPForbidden if request forbidden to create a property
"""
if property_utils.is_property_protection_enabled():
for key in create_props:
if (self.prop_enforcer.check_property_rules(
key, 'create', req.context) is False):
msg = _("Property '%s' is protected") % key
LOG.warn(msg)
raise HTTPForbidden(explanation=msg,
request=req,
content_type="text/plain")
def _enforce_read_protected_props(self, image_meta, req):
"""
Remove entries from metadata properties if they are read protected
:param image_meta: Mapping of metadata about image
:param req: The WSGI/Webob Request object
"""
if property_utils.is_property_protection_enabled():
for key in image_meta['properties'].keys():
if (self.prop_enforcer.check_property_rules(
key, 'read', req.context) is False):
image_meta['properties'].pop(key)
def _enforce_update_protected_props(self, update_props, image_meta,
orig_meta, req):
"""
Check request is permitted to update certain properties. Read
permission is required to delete a property.
If the property value is unchanged, i.e. a noop, it is permitted,
however, it is important to ensure read access first. Otherwise the
value could be discovered using brute force.
:param update_props: List of properties to check
:param image_meta: Mapping of proposed new metadata about image
:param orig_meta: Mapping of existing metadata about image
:param req: The WSGI/Webob Request object
:raises HTTPForbidden if request forbidden to create a property
"""
if property_utils.is_property_protection_enabled():
for key in update_props:
has_read = self.prop_enforcer.check_property_rules(
key, 'read', req.context)
if ((self.prop_enforcer.check_property_rules(
key, 'update', req.context) is False and
image_meta['properties'][key] !=
orig_meta['properties'][key]) or not has_read):
msg = _("Property '%s' is protected") % key
LOG.warn(msg)
raise HTTPForbidden(explanation=msg,
request=req,
content_type="text/plain")
def _enforce_delete_protected_props(self, delete_props, image_meta,
orig_meta, req):
"""
Check request is permitted to delete certain properties. Read
permission is required to delete a property.
Note, the absence of a property in a request does not necessarily
indicate a delete. The requester may not have read access, and so can
not know the property exists. Hence, read access is a requirement for
delete, otherwise the delete is ignored transparently.
:param delete_props: List of properties to check
:param image_meta: Mapping of proposed new metadata about image
:param orig_meta: Mapping of existing metadata about image
:param req: The WSGI/Webob Request object
:raises HTTPForbidden if request forbidden to create a property
"""
if property_utils.is_property_protection_enabled():
for key in delete_props:
if (self.prop_enforcer.check_property_rules(
key, 'read', req.context) is False):
# NOTE(bourke): if read protected, re-add to image_meta to
# prevent deletion
image_meta['properties'][key] = orig_meta[
'properties'][key]
elif (self.prop_enforcer.check_property_rules(
key, 'delete', req.context) is False):
msg = _("Property '%s' is protected") % key
LOG.warn(msg)
raise HTTPForbidden(explanation=msg,
request=req,
content_type="text/plain")
def index(self, req):
"""
Returns the following information for all public, available images:
* id -- The opaque image identifier
* name -- The name of the image
* disk_format -- The disk image format
* container_format -- The "container" format of the image
* checksum -- MD5 checksum of the image data
* size -- Size of image data in bytes
:param req: The WSGI/Webob Request object
:retval The response body is a mapping of the following form::
{'images': [
{'id': <ID>,
'name': <NAME>,
'disk_format': <DISK_FORMAT>,
'container_format': <DISK_FORMAT>,
'checksum': <CHECKSUM>
'size': <SIZE>}, ...
]}
"""
self._enforce(req, 'get_images')
params = self._get_query_params(req)
try:
images = registry.get_images_list(req.context, **params)
except exception.Invalid as e:
raise HTTPBadRequest(explanation=e.msg, request=req)
return dict(images=images)
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Linux 自检和 SystemTap
- Python 七步捉虫法
- openstack kilo-with-dokcer
- 什么是OpenStack 开源的云计算管理平台项目
- 路由器的配置与调试
- 对于技术人员的出现了运行时间错误,是否要进行调试的解决方法
- 在ASP.NET 2.0中操作数据之七十二:调试存储过程
- 讲解WordPress开发中一些常用的debug技巧
- 必备的JS调试技巧汇总
- JavaScript程序设计之JS调试
- 可以用来调试JavaScript错误的解决方案
- 如何调试异步加载页面里包含的js文件
- jQuery下的Ajax调试步骤
- 调试一段PHP程序时遇到的三个问题
- JavaScript高级程序设计 错误处理与调试学习笔记
- Javascript调试脚本的经验之谈第1/2页
- 在IE,Firefox,Safari,Chrome,Opera浏览器上调试javascript
- Android App调试内存泄露之Cursor篇
- Lua的编译、执行和调试技术介绍
- 解决Visual Studio 2012 Update 4 RC启动调试失败的方案