Merge lp:~hazmat/pyjuju/security-node-policy-def into lp:pyjuju
Proposed by: Kapil Thangavelu

| Status: | Merged |
|---|---|
| Approved by: | Benjamin Saller |
| Approved revision: | 274 |
| Merged at revision: | 277 |
| Proposed branch: | lp:~hazmat/pyjuju/security-node-policy-def |
| Merge into: | lp:pyjuju |
| Diff against target: | 171 lines (+128/-4), 2 files modified: ensemble/state/security.py (+58/-2), ensemble/state/tests/test_security.py (+70/-2) |
| To merge this branch: | bzr merge lp:~hazmat/pyjuju/security-node-policy-def |
| Related bugs: | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Benjamin Saller (community) | Approve | | |
| Gustavo Niemeyer | Approve | | |

Review via email: mp+67972@code.launchpad.net
Description of the change
Zookeeper clients need to use ACLs for nodes created by them in order to leverage zookeeper security. The security policy class implemented in this branch enables these policy choices via a path-based lookup for the corresponding ACLs. The policy defers to rules matched by the path to provide an ACL for the path.
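The path-based lookup outlined in the description, as an added illustration; this is not the code from this branch. `PathPolicy`, `digest_id`, `ace`, `demo`, the principals and the paths are all hypothetical, and unlike the branch's default, an unmatched path here gets only the owner entry unless a default ACL is passed in.

```python
import base64
import hashlib
import re

# ZooKeeper permission bits.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN


def digest_id(user, password):
    """Identity for ZooKeeper's digest scheme: user:base64(sha1(user:password))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"


def ace(scheme, ident, perms):
    """One ACL entry, in the dict shape the ZooKeeper Python bindings accept."""
    return {"scheme": scheme, "id": ident, "perms": perms}


class PathPolicy:
    """Hypothetical policy: the first rule whose pattern matches supplies the ACL."""

    def __init__(self, owner_id, default_acl=()):
        self.owner_id = owner_id
        self.default_acl = list(default_acl)  # empty: unmatched paths stay owner-only
        self.rules = []

    def add_rule(self, pattern, rule):
        # rule is a callable taking the path and returning a list of ACL entries
        self.rules.append((re.compile(pattern), rule))

    def acl_for(self, path):
        acl = [ace("digest", self.owner_id, ALL)]  # the creator keeps full control
        for pattern, rule in self.rules:
            if pattern.fullmatch(path):
                return acl + rule(path)
        return acl + self.default_acl  # no rule matched


def demo():
    """Constructed principals and paths, for illustration only."""
    policy = PathPolicy(digest_id("admin", "admin-secret"))
    agent = digest_id("unit-agent", "agent-secret")
    policy.add_rule(r"/units/[^/]+", lambda path: [ace("digest", agent, READ | WRITE)])
    return policy.acl_for("/units/unit-1"), policy.acl_for("/unmatched")
```
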
This looks very nice.. tiny, organized, clear. Thanks!
[1]
33 +class SecurityPolicy( object) :
34 + """The security policy generates ACLs for new nodes based on their path.
35 + """
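Review bot: The class docstring at lines 34-35 says only that ACLs are generated from the path; it does not say what happens when more than one rule matches a path or what is returned when none does. For a class that decides node permissions, state the matching order and the fallback here, and close the docstring on the same line since it fits on one.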
This should be able to handle existing nodes as well, I suppose? Imagine a
relation.. what happens when we add a new service unit to it?
[2]
83 +def owner_ace( principal) : principal. get_token( ), all=True)
84 + return make_ace(
This function doesn't feel worth it. Besides being called a single time, it's
a single liner, so it's just obscuring logic at the call site.
[3]
132 + """If no rules match, the default acl gives authenticated users access.
133 + """
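Review bot: The fallback described in the docstring at line 132 fails open: a path that no rule covers ends up accessible to every authenticated user. Consider making the no-match default owner-only, or raising on an unmatched path, so that a missing rule shows up as an error instead of silently granting access.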
Might be nice to add an equivalent comment here saying we don't actually want this for real.