FYI, this should be trivial to fix the right way. Currently, the is_admin check would go through the _check_generic() function in openstack/common/policy.py, but if we added an "is_admin"-specific check, we could correct this without having to stringify in enforce().
In current openstack/common/policy.py code, this would look something like:
FYI, this should be trivial to fix the right way. Currently, the is_admin check would go through the _check_generic() function in openstack/ common/ policy. py, but if we added an "is_admin"-specific check, we could correct this without having to stringify in enforce().
In current openstack/ common/ policy. py code, this would look something like:
@policy. register( 'is_admin' ) is_admin( brain, match_kind, match_value, target_dict, creds_dict): 'is_admin' ] == (match_ value.lower( ) == 'true')
def _check_
return creds_dict[
In my pending policy rewrite patch, the above will work fine, but we could also do something like this:
@policy. register( 'is_admin' ) policy. Check):
super( IsAdminCheck, self)._ _init__ (kind, match)
self. expected = (match.lower() == 'true')
class IsAdminCheck(
def __init__(self, kind, match):
def __call__(self, target, creds): 'is_admin' ] == self.expected
return creds_dict[
(See https:/ /review. openstack. org/#/c/ 14122 for the policy rewrite patch I'm referring to.)