Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
>>>>> return MeterController(meter_name), remainder
>>>>>>
>>>>>> @wsme_pecan.wsexpose([Meter], [Query])
>>>>>> @secure(RBACController.check_permissions)
>>>>>> def get_all(self, q=None):
>>>>>>
>>>>>> and here's the decorator called by the secure tag:
>>>>>>
>>>>>> class RBACController(object):
>>>>>> global _ENFORCER
>>>>>> if not _ENFORCER:
>>>>>> _ENFORCER = policy.Enforcer()
>>>>>>
>>>>>>
>>>>>> @classmethod
>>>>>> def check_permissions(cls):
>>>>>> # do some stuff
>>>>>>
>>>>>> In check_permissions I'd like to know the class and method with
>>>>>> the
>>> @secure tag that caused check_permissions to be invoked. In this
>>> case, that would be MetersController.get_all.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>>> Can you share some code? What do you mean by, "is there a way
>>>>>>> for the
>>> decorator code to know it was called by MetersController.get_all"
>>>>>>>
>>>>>>> On 08/12/14 04:46 PM, Pendergrass, Eric wrote:
>>>>>>>> Thanks Ryan, but for some reason the controller attribute is
> None:
>>>>>>>>
>>>>>>>> (Pdb) from pecan.core import state
>>>>>>>> (Pdb) state.__dict__
>>>>>>>> {'hooks': [>>>>>>> 0x31894d0>, ,
>
>>>>>>>> ,
>>>>>>>> ],
> 'app':
>>>>>>>> , 'request': >>>>>>> 0x3ed7390 GET http://localhost:8777/v2/meters>, 'controller':
>>>>>>>> None,
>>>>>>>> 'response': }
>>>>>>>>
>>>>>>>>> -Original Message-
>>>>>>>>> From: Ryan Petrello [mailto:ryan.petre...@dreamhost.com]
>>>>>>>>> Sent: Tuesday, August 12, 2014 10:34 AM
>>>>>>>>> To: OpenStack Development Mailing List (not for usage
>>>>>>>>> questions)
>>>>>>>>> Subject: Re: [openstack-dev] [Ceilometer] Way to get wrapped
>>> method's name/class using Pecan secure decorators?
>>>>>>>>>
>>>>>>>>> This should give you what you need:
>>>>>>>>>
>>>>>>>>> from pecan.core import state
>>>>>>>>> state.controller
>>>>>>>>>
>>>>>>>>> On 08/12/14 04:08 PM, Pendergrass, Eric wrote:
>>>>>>>>>> Hi, I'm trying to use the built in secure decorator in
> Pecan
>>>>>>>>>> for
>>> access control, and I'ld like to get the name of the method that is
>>> wrapped from within the decorator.
>>>>>>>>>>
>>>>>>>>>> For instance, if I'm wrapping MetersController.get_all
> with
>>>>>>>>>> an
>>> @secure decorator, is there a way for the decorator code to know it
>>> was called by MetersController.get_all?
>>>>>>>>>>
>>>>>>>>>> I don't see any global objects that provide this
> information.
>>>>>>>>>> I
>>> can get the endpoint, v2/meters, with pecan.request.path, but that's
>>> not as elegant.
>>>>>>>>>>
>>>>>>>>>> Is there a way to derive the caller or otherwise pass this
>>> information to the decorator?
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>> Eric Pendergrass
>>>>>>>>>
>>>>>>>>>> ___
>>>>>>>>>> OpenStack-dev mailing list
>>>>>>>>>> OpenStack-dev@lists.openstack.org
>>>>>>>>>>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>>>>>> -dev
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Ryan Petrello
>>>>>>>>> Senior Developer, DreamHost
>>>>>>>>> ryan.petre...@dreamhost.com
>>>>>>
>>>>>> ___
>>>>>> OpenStack-dev mailing list
>>>>>> OpenStack-dev@lists.openstack.org
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>> --
>>>>> Ryan Petrello
>>>>> Senior Developer, DreamHost
>>>>> ryan.petre...@dreamhost.com
>>>>>
>>>>> ___
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev@lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>> ___
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev@lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>>
>>> ___
>>> OpenStack-dev mailing list
>>> OpenStack-dev@lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>> --
>> Ryan Petrello
>> Senior Developer, DreamHost
>> ryan.petre...@dreamhost.com
>>
>> ___
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> ___
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
> > >global _ENFORCER
> > > > >if not _ENFORCER:
> > > > >_ENFORCER = policy.Enforcer()
> > > > >
> > > > >
> > > > >@classmethod
> > > > >def check_permissions(cls):
> > > > ># do some stuff
> > > > >
> > > > > In check_permissions I'd like to know the class and method with
> > > > > the
> > @secure tag that caused check_permissions to be invoked. In this
> > case, that would be MetersController.get_all.
> > > > >
> > > > > Thanks
> > > > >
> > > > >
> > > > > > Can you share some code? What do you mean by, "is there a way
> > > > > > for the
> > decorator code to know it was called by MetersController.get_all"
> > > > > >
> > > > > > On 08/12/14 04:46 PM, Pendergrass, Eric wrote:
> > > > > > > Thanks Ryan, but for some reason the controller attribute is
None:
> > > > > > >
> > > > > > > (Pdb) from pecan.core import state
> > > > > > > (Pdb) state.__dict__
> > > > > > > {'hooks': [ > > > > > > 0x31894d0>, ,
> > > > > > > ,
> > > > > > > ],
'app':
> > > > > > > , 'request': > > > > > > 0x3ed7390 GET http://localhost:8777/v2/meters>, 'controller':
> > > > > > > None,
> > > > > > > 'response': }
> > > > > > >
> > > > > > > > -Original Message-
> > > > > > > > From: Ryan Petrello [mailto:ryan.petre...@dreamhost.com]
> > > > > > > > Sent: Tuesday, August 12, 2014 10:34 AM
> > > > > > > > To: OpenStack Development Mailing List (not for usage
> > > > > > > > questions)
> > > > > > > > Subject: Re: [openstack-dev] [Ceilometer] Way to get wrapped
> > method's name/class using Pecan secure decorators?
> > > > > > > >
> > > > > > > > This should give you what you need:
> > > > > > > >
> > > > > > > > from pecan.core import state
> > > > > > > > state.controller
> > > > > > > >
> > > > > > > > On 08/12/14 04:08 PM, Pendergrass, Eric wrote:
> > > > > > > > > Hi, I'm trying to use the built in secure decorator in
Pecan
> > > > > > > > > for
> > access control, and I'ld like to get the name of the method that is
> > wrapped from within the decorator.
> > > > > > > > >
> > > > > > > > > For instance, if I'm wrapping MetersController.get_all
with
> > > > > > > > > an
> > @secure decorator, is there a way for the decorator code to know it
> > was called by MetersController.get_all?
> > > > > > > > >
> > > > > > > > > I don't see any global objects that provide this
information.
> > > > > > > > > I
> > can get the endpoint, v2/meters, with pecan.request.path, but that's
> > not as elegant.
> > > > > > > > >
> > > > > > > > > Is there a way to derive the caller or otherwise pass this
> > information to the decorator?
> > > > > > > > >
> > > > > > > > > Thanks
> > > > > > > > > Eric Pendergrass
> > > > > > > >
> > > > > > > > > ___
> > > > > > > > > OpenStack-dev mailing list
> > > > > > > > > OpenStack-dev@lists.openstack.org
> > > > > > > > >
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > > > > > > > > -dev
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Ryan Petrello
> > > > > > > > Senior Developer, DreamHost
> > > > > > > > ryan.petre...@dreamhost.com
> > > > >
> > > > > ___
> > > > > OpenStack-dev mailing list
> > > > > OpenStack-dev@lists.openstack.org
> > > > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > > >
> > > > --
> > > > Ryan Petrello
> > > > Senior Developer, DreamHost
> > > > ryan.petre...@dreamhost.com
> > > >
> > > > ___
> > > > OpenStack-dev mailing list
> > > > OpenStack-dev@lists.openstack.org
> > > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > >
> > >
> > > ___
> > > OpenStack-dev mailing list
> > > OpenStack-dev@lists.openstack.org
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> > ___
> > OpenStack-dev mailing list
> > OpenStack-dev@lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>--
>Ryan Petrello
>Senior Developer, DreamHost
>ryan.petre...@dreamhost.com
>
>___
>OpenStack-dev mailing list
>OpenStack-dev@lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
smime.p7s
Description: S/MIME cryptographic signature
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
> >>> Can you share some code? What do you mean by, "is there a way for the
> decorator code to know it was called by MetersController.get_all"
> > >>>
> > >>> On 08/12/14 04:46 PM, Pendergrass, Eric wrote:
> > >>>> Thanks Ryan, but for some reason the controller attribute is None:
> > >>>>
> > >>>> (Pdb) from pecan.core import state
> > >>>> (Pdb) state.__dict__
> > >>>> {'hooks': [,
> > >>>> ,
> > >>>> ,
> > >>>> ], 'app':
> > >>>> , 'request': > >>>> 0x3ed7390 GET http://localhost:8777/v2/meters>, 'controller': None,
> > >>>> 'response': }
> > >>>>
> > >>>>> -Original Message-
> > >>>>> From: Ryan Petrello [mailto:ryan.petre...@dreamhost.com]
> > >>>>> Sent: Tuesday, August 12, 2014 10:34 AM
> > >>>>> To: OpenStack Development Mailing List (not for usage questions)
> > >>>>> Subject: Re: [openstack-dev] [Ceilometer] Way to get wrapped
> method's name/class using Pecan secure decorators?
> > >>>>>
> > >>>>> This should give you what you need:
> > >>>>>
> > >>>>> from pecan.core import state
> > >>>>> state.controller
> > >>>>>
> > >>>>> On 08/12/14 04:08 PM, Pendergrass, Eric wrote:
> > >>>>>> Hi, I'm trying to use the built in secure decorator in Pecan for
> access control, and I'ld like to get the name of the method that is wrapped
> from within the decorator.
> > >>>>>>
> > >>>>>> For instance, if I'm wrapping MetersController.get_all with an
> @secure decorator, is there a way for the decorator code to know it was
> called by MetersController.get_all?
> > >>>>>>
> > >>>>>> I don't see any global objects that provide this information. I
> can get the endpoint, v2/meters, with pecan.request.path, but that's not as
> elegant.
> > >>>>>>
> > >>>>>> Is there a way to derive the caller or otherwise pass this
> information to the decorator?
> > >>>>>>
> > >>>>>> Thanks
> > >>>>>> Eric Pendergrass
> > >>>>>
> > >>>>>> ___
> > >>>>>> OpenStack-dev mailing list
> > >>>>>> OpenStack-dev@lists.openstack.org
> > >>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > >>>>>
> > >>>>>
> > >>>>> --
> > >>>>> Ryan Petrello
> > >>>>> Senior Developer, DreamHost
> > >>>>> ryan.petre...@dreamhost.com
> > >>
> > >> ___
> > >> OpenStack-dev mailing list
> > >> OpenStack-dev@lists.openstack.org
> > >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > >
> > > --
> > > Ryan Petrello
> > > Senior Developer, DreamHost
> > > ryan.petre...@dreamhost.com
> > >
> > > ___
> > > OpenStack-dev mailing list
> > > OpenStack-dev@lists.openstack.org
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
> >
> > ___
> > OpenStack-dev mailing list
> > OpenStack-dev@lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> ___
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
Ryan Petrello
Senior Developer, DreamHost
ryan.petre...@dreamhost.com
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
@classmethod
>>>> def check_permissions(cls):
>>>> # do some stuff
>>>>
>>>> In check_permissions I'd like to know the class and method with the
> @secure tag that caused check_permissions to be invoked. In this case, that
> would be MetersController.get_all.
>>>>
>>>> Thanks
>>>>
>>>>
>>>>> Can you share some code? What do you mean by, "is there a way for the
> decorator code to know it was called by MetersController.get_all"
>>>>>
>>>>> On 08/12/14 04:46 PM, Pendergrass, Eric wrote:
>>>>>> Thanks Ryan, but for some reason the controller attribute is None:
>>>>>>
>>>>>> (Pdb) from pecan.core import state
>>>>>> (Pdb) state.__dict__
>>>>>> {'hooks': [,
>>>>>> ,
>>>>>> ,
>>>>>> ], 'app':
>>>>>> , 'request': >>>>> 0x3ed7390 GET http://localhost:8777/v2/meters>, 'controller': None,
>>>>>> 'response': }
>>>>>>
>>>>>>> -Original Message-
>>>>>>> From: Ryan Petrello [mailto:ryan.petre...@dreamhost.com]
>>>>>>> Sent: Tuesday, August 12, 2014 10:34 AM
>>>>>>> To: OpenStack Development Mailing List (not for usage questions)
>>>>>>> Subject: Re: [openstack-dev] [Ceilometer] Way to get wrapped
> method's name/class using Pecan secure decorators?
>>>>>>>
>>>>>>> This should give you what you need:
>>>>>>>
>>>>>>> from pecan.core import state
>>>>>>> state.controller
>>>>>>>
>>>>>>> On 08/12/14 04:08 PM, Pendergrass, Eric wrote:
>>>>>>>> Hi, I'm trying to use the built in secure decorator in Pecan for
> access control, and I'ld like to get the name of the method that is wrapped
> from within the decorator.
>>>>>>>>
>>>>>>>> For instance, if I'm wrapping MetersController.get_all with an
> @secure decorator, is there a way for the decorator code to know it was
> called by MetersController.get_all?
>>>>>>>>
>>>>>>>> I don't see any global objects that provide this information. I
> can get the endpoint, v2/meters, with pecan.request.path, but that's not as
> elegant.
>>>>>>>>
>>>>>>>> Is there a way to derive the caller or otherwise pass this
> information to the decorator?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Eric Pendergrass
>>>>>>>
>>>>>>>> ___
>>>>>>>> OpenStack-dev mailing list
>>>>>>>> OpenStack-dev@lists.openstack.org
>>>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Ryan Petrello
>>>>>>> Senior Developer, DreamHost
>>>>>>> ryan.petre...@dreamhost.com
>>>>
>>>> ___
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev@lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>> --
>>> Ryan Petrello
>>> Senior Developer, DreamHost
>>> ryan.petre...@dreamhost.com
>>>
>>> ___
>>> OpenStack-dev mailing list
>>> OpenStack-dev@lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>> ___
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> ___
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
Sure, Doug. We want the ability to selectively apply policies to certain
Ceilometer
API methods based on user/tenant roles.
For example, we want to restrict the ability to execute Alarm deletes to
admins and user/tenants who have a special role, say "domainadmin".
The policy file might look like this:
{
"context_is_admin": [["role:admin"]],
"admin_and_matching_project_domain_id": [["role:domainadmin"]],
"admin_or_cloud_admin": [["rule:context_is_admin"],
["rule:admin_and_matching_project_domain_id"]],
"telemetry:delete_alarms": [["rule:admin_or_cloud_admin"]]
}
The current acl.py and _query_to_kwargs access control setup either sets
project_id scope to None (do everything) or to the project_id in the request
header 'X-Project-Id'. This allows for admin or project scope, but nothing
in
between.
We tried hooks. Unfortunately we can't seem to turn the API controllers
into
HookControllers just by adding HookController to the Controller class
definition. It causes infinite recursion on API startup. For example, this
doesn't work because ceilometer-api will not start with it:
class MetersController(rest.RestController, HookController):
If there was a way to use hooks with the v2. API controllers that might work
really well.
So we are left using the @secure decorator and deriving the method name from
the request environ PATH_INFO and REQUEST_METHOD values. This is how we
determine the wrapped method within the class (REQUEST_METHOD + PATH_INFO =
"telemetry:delete_alarms" with some munging). We need the method name in
order to
selectively apply acces control to certain methods.
Deriving the method this way isn't ideal but it's the only thing we've
gotten working
between hooks, @secure, and regular decorators.
I submitted a WIP BP here: https://review.openstack.org/#/c/112137/3. It is
slightly out of date but should give you a beter idea of our goals.
Thanks
> Eric,
>
> If you can give us some more information about your end goal, independent
of the implementation, maybe we can propose an alternate technique to
achieve the same thing.
>
> Doug
>
> On Aug 12, 2014, at 6:21 PM, Ryan Petrello
wrote:
>
> > Yep, you're right, this doesn't seem to work. The issue is that
> > security is enforced at routing time (while the controller is still
> > actually being discovered). In order to do this sort of thing with
> > the `check_permissions`, we'd probably need to add a feature to pecan.
> >
> > On 08/12/14 06:38 PM, Pendergrass, Eric wrote:
> >> Sure, here's the decorated method from v2.py:
> >>
> >>class MetersController(rest.RestController):
> >>"""Works on meters."""
> >>
> >>@pecan.expose()
> >>def _lookup(self, meter_name, *remainder):
> >>return MeterController(meter_name), remainder
> >>
> >>@wsme_pecan.wsexpose([Meter], [Query])
> >>@secure(RBACController.check_permissions)
> >>def get_all(self, q=None):
> >>
> >> and here's the decorator called by the secure tag:
> >>
> >>class RBACController(object):
> >>global _ENFORCER
> >>if not _ENFORCER:
> >>_ENFORCER = policy.Enforcer()
> >>
> >>
> >>@classmethod
> >>def check_permissions(cls):
> >># do some stuff
> >>
> >> In check_permissions I'd like to know the class and method with the
@secure tag that caused check_permissions to be invoked. In this case, that
would be MetersController.get_all.
> >>
> >> Thanks
> >>
> >>
> >>> Can you share some code? What do you mean by, "is there a way for the
decorator code to know it was called by MetersController.get_all"
> >>>
> >>> On 08/12/14 04:46 PM, Pendergrass, Eric wrote:
> >>>> Thanks Ryan, but for some reason the controller attribute is None:
> >>>>
> >>>> (Pdb) from pecan.core import state
> >>>> (Pdb) state.__dict__
> >>>> {'hooks': [,
> >>>> ,
> >>>> ,
> >>>> ], 'app':
> >>>> , 'request': >>>> 0x3ed7390 GET http://localhost:8777/v2/meters>, 'controller': None,
> >>>> 'response': }
> >>>>
> >>>>> -Original Message-
> >>>>> From: Ryan Petrello [mailto:ryan.petre...@dreamhost.com]
> >>>>> Sent:
Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
Eric,
If you can give us some more information about your end goal, independent of
the implementation, maybe we can propose an alternate technique to achieve the
same thing.
Doug
On Aug 12, 2014, at 6:21 PM, Ryan Petrello wrote:
> Yep, you're right, this doesn't seem to work. The issue is that security is
> enforced at routing time (while the controller is still actually being
> discovered). In order to do this sort of thing with the `check_permissions`,
> we'd probably need to add a feature to pecan.
>
> On 08/12/14 06:38 PM, Pendergrass, Eric wrote:
>> Sure, here's the decorated method from v2.py:
>>
>>class MetersController(rest.RestController):
>>"""Works on meters."""
>>
>>@pecan.expose()
>>def _lookup(self, meter_name, *remainder):
>>return MeterController(meter_name), remainder
>>
>>@wsme_pecan.wsexpose([Meter], [Query])
>>@secure(RBACController.check_permissions)
>>def get_all(self, q=None):
>>
>> and here's the decorator called by the secure tag:
>>
>>class RBACController(object):
>>global _ENFORCER
>>if not _ENFORCER:
>>_ENFORCER = policy.Enforcer()
>>
>>
>>@classmethod
>>def check_permissions(cls):
>># do some stuff
>>
>> In check_permissions I'd like to know the class and method with the @secure
>> tag that caused check_permissions to be invoked. In this case, that would
>> be MetersController.get_all.
>>
>> Thanks
>>
>>
>>> Can you share some code? What do you mean by, "is there a way for the
>>> decorator code to know it was called by MetersController.get_all"
>>>
>>> On 08/12/14 04:46 PM, Pendergrass, Eric wrote:
>>>> Thanks Ryan, but for some reason the controller attribute is None:
>>>>
>>>> (Pdb) from pecan.core import state
>>>> (Pdb) state.__dict__
>>>> {'hooks': [,
>>>> ,
>>>> ,
>>>> ], 'app':
>>>> , 'request': >>> 0x3ed7390 GET http://localhost:8777/v2/meters>, 'controller': None,
>>>> 'response': }
>>>>
>>>>> -Original Message-
>>>>> From: Ryan Petrello [mailto:ryan.petre...@dreamhost.com]
>>>>> Sent: Tuesday, August 12, 2014 10:34 AM
>>>>> To: OpenStack Development Mailing List (not for usage questions)
>>>>> Subject: Re: [openstack-dev] [Ceilometer] Way to get wrapped method's
>>>>> name/class using Pecan secure decorators?
>>>>>
>>>>> This should give you what you need:
>>>>>
>>>>> from pecan.core import state
>>>>> state.controller
>>>>>
>>>>> On 08/12/14 04:08 PM, Pendergrass, Eric wrote:
>>>>>> Hi, I'm trying to use the built in secure decorator in Pecan for access
>>>>>> control, and I'ld like to get the name of the method that is wrapped
>>>>>> from within the decorator.
>>>>>>
>>>>>> For instance, if I'm wrapping MetersController.get_all with an @secure
>>>>>> decorator, is there a way for the decorator code to know it was called
>>>>>> by MetersController.get_all?
>>>>>>
>>>>>> I don't see any global objects that provide this information. I can get
>>>>>> the endpoint, v2/meters, with pecan.request.path, but that's not as
>>>>>> elegant.
>>>>>>
>>>>>> Is there a way to derive the caller or otherwise pass this information
>>>>>> to the decorator?
>>>>>>
>>>>>> Thanks
>>>>>> Eric Pendergrass
>>>>>
>>>>>> ___
>>>>>> OpenStack-dev mailing list
>>>>>> OpenStack-dev@lists.openstack.org
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>>
>>>>> --
>>>>> Ryan Petrello
>>>>> Senior Developer, DreamHost
>>>>> ryan.petre...@dreamhost.com
>>
>> ___
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> --
> Ryan Petrello
> Senior Developer, DreamHost
> ryan.petre...@dreamhost.com
>
> ___
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
Yep, you're right, this doesn't seem to work. The issue is that security is
enforced at routing time (while the controller is still actually being
discovered). In order to do this sort of thing with the `check_permissions`,
we'd probably need to add a feature to pecan.
On 08/12/14 06:38 PM, Pendergrass, Eric wrote:
> Sure, here's the decorated method from v2.py:
>
> class MetersController(rest.RestController):
> """Works on meters."""
>
> @pecan.expose()
> def _lookup(self, meter_name, *remainder):
> return MeterController(meter_name), remainder
>
> @wsme_pecan.wsexpose([Meter], [Query])
> @secure(RBACController.check_permissions)
> def get_all(self, q=None):
>
> and here's the decorator called by the secure tag:
>
> class RBACController(object):
> global _ENFORCER
> if not _ENFORCER:
> _ENFORCER = policy.Enforcer()
>
>
> @classmethod
> def check_permissions(cls):
> # do some stuff
>
> In check_permissions I'd like to know the class and method with the @secure
> tag that caused check_permissions to be invoked. In this case, that would be
> MetersController.get_all.
>
> Thanks
>
>
> > Can you share some code? What do you mean by, "is there a way for the
> > decorator code to know it was called by MetersController.get_all"
> >
> > On 08/12/14 04:46 PM, Pendergrass, Eric wrote:
> > > Thanks Ryan, but for some reason the controller attribute is None:
> > >
> > > (Pdb) from pecan.core import state
> > > (Pdb) state.__dict__
> > > {'hooks': [,
> > > ,
> > > ,
> > > ], 'app':
> > > , 'request': > > 0x3ed7390 GET http://localhost:8777/v2/meters>, 'controller': None,
> > > 'response': }
> > >
> > > > -Original Message-
> > > > From: Ryan Petrello [mailto:ryan.petre...@dreamhost.com]
> > > > Sent: Tuesday, August 12, 2014 10:34 AM
> > > > To: OpenStack Development Mailing List (not for usage questions)
> > > > Subject: Re: [openstack-dev] [Ceilometer] Way to get wrapped method's
> > > > name/class using Pecan secure decorators?
> > > >
> > > > This should give you what you need:
> > > >
> > > > from pecan.core import state
> > > > state.controller
> > > >
> > > > On 08/12/14 04:08 PM, Pendergrass, Eric wrote:
> > > > > Hi, I'm trying to use the built in secure decorator in Pecan for
> > > > > access control, and I'ld like to get the name of the method that is
> > > > > wrapped from within the decorator.
> > > > >
> > > > > For instance, if I'm wrapping MetersController.get_all with an
> > > > > @secure decorator, is there a way for the decorator code to know it
> > > > > was called by MetersController.get_all?
> > > > >
> > > > > I don't see any global objects that provide this information. I can
> > > > > get the endpoint, v2/meters, with pecan.request.path, but that's not
> > > > > as elegant.
> > > > >
> > > > > Is there a way to derive the caller or otherwise pass this
> > > > > information to the decorator?
> > > > >
> > > > > Thanks
> > > > > Eric Pendergrass
> > > >
> > > > > ___
> > > > > OpenStack-dev mailing list
> > > > > OpenStack-dev@lists.openstack.org
> > > > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > > >
> > > >
> > > > --
> > > > Ryan Petrello
> > > > Senior Developer, DreamHost
> > > > ryan.petre...@dreamhost.com
>
> ___
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
Ryan Petrello
Senior Developer, DreamHost
ryan.petre...@dreamhost.com
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
Sure, here's the decorated method from v2.py:
class MetersController(rest.RestController):
"""Works on meters."""
@pecan.expose()
def _lookup(self, meter_name, *remainder):
return MeterController(meter_name), remainder
@wsme_pecan.wsexpose([Meter], [Query])
@secure(RBACController.check_permissions)
def get_all(self, q=None):
and here's the decorator called by the secure tag:
class RBACController(object):
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer()
@classmethod
def check_permissions(cls):
# do some stuff
In check_permissions I'd like to know the class and method with the @secure tag
that caused check_permissions to be invoked. In this case, that would be
MetersController.get_all.
Thanks
> Can you share some code? What do you mean by, "is there a way for the
> decorator code to know it was called by MetersController.get_all"
>
> On 08/12/14 04:46 PM, Pendergrass, Eric wrote:
> > Thanks Ryan, but for some reason the controller attribute is None:
> >
> > (Pdb) from pecan.core import state
> > (Pdb) state.__dict__
> > {'hooks': [,
> > ,
> > ,
> > ], 'app':
> > , 'request': > 0x3ed7390 GET http://localhost:8777/v2/meters>, 'controller': None,
> > 'response': }
> >
> > > -Original Message-
> > > From: Ryan Petrello [mailto:ryan.petre...@dreamhost.com]
> > > Sent: Tuesday, August 12, 2014 10:34 AM
> > > To: OpenStack Development Mailing List (not for usage questions)
> > > Subject: Re: [openstack-dev] [Ceilometer] Way to get wrapped method's
> > > name/class using Pecan secure decorators?
> > >
> > > This should give you what you need:
> > >
> > > from pecan.core import state
> > > state.controller
> > >
> > > On 08/12/14 04:08 PM, Pendergrass, Eric wrote:
> > > > Hi, I'm trying to use the built in secure decorator in Pecan for access
> > > > control, and I'ld like to get the name of the method that is wrapped
> > > > from within the decorator.
> > > >
> > > > For instance, if I'm wrapping MetersController.get_all with an @secure
> > > > decorator, is there a way for the decorator code to know it was called
> > > > by MetersController.get_all?
> > > >
> > > > I don't see any global objects that provide this information. I can
> > > > get the endpoint, v2/meters, with pecan.request.path, but that's not as
> > > > elegant.
> > > >
> > > > Is there a way to derive the caller or otherwise pass this information
> > > > to the decorator?
> > > >
> > > > Thanks
> > > > Eric Pendergrass
> > >
> > > > ___
> > > > OpenStack-dev mailing list
> > > > OpenStack-dev@lists.openstack.org
> > > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > >
> > >
> > > --
> > > Ryan Petrello
> > > Senior Developer, DreamHost
> > > ryan.petre...@dreamhost.com
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
Can you share some code? What do you mean by, "is there a way for the
decorator code to know it was called by MetersController.get_all"
On 08/12/14 04:46 PM, Pendergrass, Eric wrote:
> Thanks Ryan, but for some reason the controller attribute is None:
>
> (Pdb) from pecan.core import state
> (Pdb) state.__dict__
> {'hooks': [,
> ,
> ,
> ], 'app':
> , 'request': http://localhost:8777/v2/meters>, 'controller': None, 'response': at 0x3ed74d0 200 OK>}
>
> > -Original Message-
> > From: Ryan Petrello [mailto:ryan.petre...@dreamhost.com]
> > Sent: Tuesday, August 12, 2014 10:34 AM
> > To: OpenStack Development Mailing List (not for usage questions)
> > Subject: Re: [openstack-dev] [Ceilometer] Way to get wrapped method's
> > name/class using Pecan secure decorators?
> >
> > This should give you what you need:
> >
> > from pecan.core import state
> > state.controller
> >
> > On 08/12/14 04:08 PM, Pendergrass, Eric wrote:
> > > Hi, I'm trying to use the built in secure decorator in Pecan for access
> > > control, and I'ld like to get the name of the method that is wrapped from
> > > within the decorator.
> > >
> > > For instance, if I'm wrapping MetersController.get_all with an @secure
> > > decorator, is there a way for the decorator code to know it was called by
> > > MetersController.get_all?
> > >
> > > I don't see any global objects that provide this information. I can get
> > > the endpoint, v2/meters, with pecan.request.path, but that's not as
> > > elegant.
> > >
> > > Is there a way to derive the caller or otherwise pass this information to
> > > the decorator?
> > >
> > > Thanks
> > > Eric Pendergrass
> >
> > > ___
> > > OpenStack-dev mailing list
> > > OpenStack-dev@lists.openstack.org
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
> >
> > --
> > Ryan Petrello
> > Senior Developer, DreamHost
> > ryan.petre...@dreamhost.com
> >
> > ___
> > OpenStack-dev mailing list
> > OpenStack-dev@lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> ___
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
Ryan Petrello
Senior Developer, DreamHost
ryan.petre...@dreamhost.com
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
Thanks Ryan, but for some reason the controller attribute is None:
(Pdb) from pecan.core import state
(Pdb) state.__dict__
{'hooks': [,
,
,
], 'app':
, 'request': http://localhost:8777/v2/meters>, 'controller': None, 'response': }
> -Original Message-
> From: Ryan Petrello [mailto:ryan.petre...@dreamhost.com]
> Sent: Tuesday, August 12, 2014 10:34 AM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [Ceilometer] Way to get wrapped method's
> name/class using Pecan secure decorators?
>
> This should give you what you need:
>
> from pecan.core import state
> state.controller
>
> On 08/12/14 04:08 PM, Pendergrass, Eric wrote:
> > Hi, I'm trying to use the built in secure decorator in Pecan for access
> > control, and I'ld like to get the name of the method that is wrapped from
> > within the decorator.
> >
> > For instance, if I'm wrapping MetersController.get_all with an @secure
> > decorator, is there a way for the decorator code to know it was called by
> > MetersController.get_all?
> >
> > I don't see any global objects that provide this information. I can get
> > the endpoint, v2/meters, with pecan.request.path, but that's not as elegant.
> >
> > Is there a way to derive the caller or otherwise pass this information to
> > the decorator?
> >
> > Thanks
> > Eric Pendergrass
>
> > ___
> > OpenStack-dev mailing list
> > OpenStack-dev@lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> --
> Ryan Petrello
> Senior Developer, DreamHost
> ryan.petre...@dreamhost.com
>
> ___
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
This should give you what you need: from pecan.core import state state.controller On 08/12/14 04:08 PM, Pendergrass, Eric wrote: > Hi, I'm trying to use the built in secure decorator in Pecan for access > control, and I'ld like to get the name of the method that is wrapped from > within the decorator. > > For instance, if I'm wrapping MetersController.get_all with an @secure > decorator, is there a way for the decorator code to know it was called by > MetersController.get_all? > > I don't see any global objects that provide this information. I can get the > endpoint, v2/meters, with pecan.request.path, but that's not as elegant. > > Is there a way to derive the caller or otherwise pass this information to the > decorator? > > Thanks > Eric Pendergrass > ___ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Ryan Petrello Senior Developer, DreamHost ryan.petre...@dreamhost.com ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
Do u know if ceilometer is using six.wraps? If so, that helper adds in the `__wrapped__` attribute to decorated methods (which can be used to find the original decorated function). If just plain functools are used (and python3.x isn't used) then it will be pretty hard afaik to find the original decorated function (if that's the desire). six.wraps() is new in six 1.7.x so it might not be used in ceilometer yet (although maybe it should start to be used?). -Josh On Tue, Aug 12, 2014 at 9:08 AM, Pendergrass, Eric wrote: Hi, I’m trying to use the built in secure decorator in Pecan for access control, and I’ld like to get the name of the method that is wrapped from within the decorator. For instance, if I’m wrapping MetersController.get_all with an @secure decorator, is there a way for the decorator code to know it was called by MetersController.get_all? I don’t see any global objects that provide this information. I can get the endpoint, v2/meters, with pecan.request.path, but that’s not as elegant. Is there a way to derive the caller or otherwise pass this information to the decorator? Thanks Eric Pendergrass ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [Ceilometer] Way to get wrapped method's name/class using Pecan secure decorators?
Hi, I'm trying to use the built in secure decorator in Pecan for access control, and I'ld like to get the name of the method that is wrapped from within the decorator. For instance, if I'm wrapping MetersController.get_all with an @secure decorator, is there a way for the decorator code to know it was called by MetersController.get_all? I don't see any global objects that provide this information. I can get the endpoint, v2/meters, with pecan.request.path, but that's not as elegant. Is there a way to derive the caller or otherwise pass this information to the decorator? Thanks Eric Pendergrass ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
