def _enforce(self, req, action, target=None): """Authorize an action against our policies""" if target is None: target = {} try: self.policy.enforce(req.context, action, target) except exception.Forbidden: raise HTTPForbidden() def _enforce_image_property_quota(self, image_meta, orig_image_meta=None, purge_props=False, req=None): if CONF.image_property_quota < 0: # If value is negative, allow unlimited number of properties return props = image_meta['properties'].keys() # NOTE(ameade): If we are not removing existing properties, # take them in to account if (not purge_props) and orig_image_meta: original_props = orig_image_meta['properties'].keys() props.extend(original_props) props = set(props) if len(props) > CONF.image_property_quota: msg = (_("The limit has been exceeded on the number of allowed " "image properties. Attempted: %(num)s, Maximum: " "%(quota)s") % {'num': len(props), 'quota': CONF.image_property_quota}) LOG.warn(msg) raise HTTPRequestEntityTooLarge(explanation=msg, request=req, content_type="text/plain") def _enforce_create_protected_props(self, create_props, req): """ Check request is permitted to create certain properties :param create_props: List of properties to check :param req: The WSGI/Webob Request object :raises HTTPForbidden if request forbidden to create a property """ if property_utils.is_property_protection_enabled(): for key in create_props: if (self.prop_enforcer.check_property_rules( key, 'create', req.context) is False): msg = _("Property '%s' is protected") % key LOG.warn(msg) raise HTTPForbidden(explanation=msg, request=req, content_type="text/plain") def _enforce_read_protected_props(self, image_meta, req): """ Remove entries from metadata properties if they are read protected :param image_meta: Mapping of metadata about image :param req: The WSGI/Webob Request object """ if property_utils.is_property_protection_enabled(): for key in image_meta['properties'].keys(): if (self.prop_enforcer.check_property_rules( key, 'read', req.context) is False): image_meta['properties'].pop(key) def _enforce_update_protected_props(self, update_props, image_meta, orig_meta, req): """ Check request is permitted to update certain properties. Read permission is required to delete a property. If the property value is unchanged, i.e. a noop, it is permitted, however, it is important to ensure read access first. Otherwise the value could be discovered using brute force. :param update_props: List of properties to check :param image_meta: Mapping of proposed new metadata about image :param orig_meta: Mapping of existing metadata about image :param req: The WSGI/Webob Request object :raises HTTPForbidden if request forbidden to create a property """ if property_utils.is_property_protection_enabled(): for key in update_props: has_read = self.prop_enforcer.check_property_rules( key, 'read', req.context) if ((self.prop_enforcer.check_property_rules( key, 'update', req.context) is False and image_meta['properties'][key] != orig_meta['properties'][key]) or not has_read): msg = _("Property '%s' is protected") % key LOG.warn(msg) raise HTTPForbidden(explanation=msg, request=req, content_type="text/plain") def _enforce_delete_protected_props(self, delete_props, image_meta, orig_meta, req): """ Check request is permitted to delete certain properties. Read permission is required to delete a property. Note, the absence of a property in a request does not necessarily indicate a delete. The requester may not have read access, and so can not know the property exists. Hence, read access is a requirement for delete, otherwise the delete is ignored transparently. :param delete_props: List of properties to check :param image_meta: Mapping of proposed new metadata about image :param orig_meta: Mapping of existing metadata about image :param req: The WSGI/Webob Request object :raises HTTPForbidden if request forbidden to create a property """ if property_utils.is_property_protection_enabled(): for key in delete_props: if (self.prop_enforcer.check_property_rules( key, 'read', req.context) is False): # NOTE(bourke): if read protected, re-add to image_meta to # prevent deletion image_meta['properties'][key] = orig_meta[ 'properties'][key] elif (self.prop_enforcer.check_property_rules( key, 'delete', req.context) is False): msg = _("Property '%s' is protected") % key LOG.warn(msg) raise HTTPForbidden(explanation=msg, request=req, content_type="text/plain") def index(self, req): """ Returns the following information for all public, available images: * id -- The opaque image identifier * name -- The name of the image * disk_format -- The disk image format * container_format -- The "container" format of the image * checksum -- MD5 checksum of the image data * size -- Size of image data in bytes :param req: The WSGI/Webob Request object :retval The response body is a mapping of the following form:: {'images': [ {'id': <ID>, 'name': <NAME>, 'disk_format': <DISK_FORMAT>, 'container_format': <DISK_FORMAT>, 'checksum': <CHECKSUM> 'size': <SIZE>}, ... ]} """ self._enforce(req, 'get_images') params = self._get_query_params(req) try: images = registry.get_images_list(req.context, **params) except exception.Invalid as e: raise HTTPBadRequest(explanation=e.msg, request=req) return dict(images=images)
OpenStack glance 认证函数
最新推荐文章于 2021-12-21 22:34:53 发布