Merge "Remove authorisation checks at the DB level for quota operations"

Jenkins 2016-12-18 10:27:53 +00:00 committed by Gerrit Code Review
commit 10031f1f14
4 changed files with 19 additions and 19 deletions


@ -787,7 +787,6 @@ def quota_get(context, project_id, resource):
@require_context
def quota_get_all_by_project(context, project_id):
authorize_project_context(context, project_id)
rows = model_query(context, models.Quota, read_deleted="no").\
filter_by(project_id=project_id).\
@ -819,7 +818,7 @@ def _quota_get_by_resource(context, resource, session=None):
return rows
@require_admin_context
@require_context
def quota_create(context, project_id, resource, limit, allocated):
quota_ref = models.Quota()
quota_ref.project_id = project_id
@ -834,7 +833,7 @@ def quota_create(context, project_id, resource, limit, allocated):
return quota_ref
@require_admin_context
@require_context
def quota_update(context, project_id, resource, limit):
session = get_session()
with session.begin():
@ -905,7 +904,6 @@ def quota_class_get_default(context):
@require_context
def quota_class_get_all_by_name(context, class_name):
authorize_quota_class_context(context, class_name)
rows = model_query(context, models.QuotaClass, read_deleted="no").\
filter_by(class_name=class_name).\
@ -930,7 +928,7 @@ def _quota_class_get_all_by_resource(context, resource, session):
@handle_db_data_error
@require_admin_context
@require_context
def quota_class_create(context, class_name, resource, limit):
quota_class_ref = models.QuotaClass()
quota_class_ref.class_name = class_name
@ -943,7 +941,7 @@ def quota_class_create(context, class_name, resource, limit):
return quota_class_ref
@require_admin_context
@require_context
def quota_class_update(context, class_name, resource, limit):
session = get_session()
with session.begin():
@ -963,7 +961,7 @@ def quota_class_update_resource(context, old_res, new_res):
quota_class.resource = new_res
@require_admin_context
@require_context
def quota_class_destroy(context, class_name, resource):
session = get_session()
with session.begin():
@ -972,7 +970,7 @@ def quota_class_destroy(context, class_name, resource):
return quota_class_ref.delete(session=session)
@require_admin_context
@require_context
def quota_class_destroy_all_by_name(context, class_name):
session = get_session()
with session.begin():
@ -1003,7 +1001,6 @@ def quota_usage_get(context, project_id, resource):
@require_context
def quota_usage_get_all_by_project(context, project_id):
authorize_project_context(context, project_id)
rows = model_query(context, models.QuotaUsage, read_deleted="no").\
filter_by(project_id=project_id).\
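Review bot: `quota_get_all_by_project`, `quota_class_get_all_by_name` and `quota_usage_get_all_by_project` appear to lose their `authorize_project_context` / `authorize_quota_class_context` calls (the +/- markers are lost on this page, so this is read from the hunk counts and the commit title), and nothing in the new code says who now enforces project scoping. On the visible lines `@require_context` is the only guard left, and the create/update/destroy functions drop from `@require_admin_context` to it as well, so any caller that reaches these functions without first passing the API policy check gets no ownership or admin check at all. I would add a comment on each of them, e.g. `# No authorization here: callers must enforce policy (volume_extension:quotas:* / quota_classes) before calling.` The function bodies continue outside the hunks, so a scoping filter further down cannot be ruled out.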


@ -281,8 +281,9 @@ class QuotaSetsControllerTest(QuotaSetsControllerTestBase):
self.req.environ['cinder.context'].is_admin = False
self.req.environ['cinder.context'].project_id = fake.PROJECT_ID
self.req.environ['cinder.context'].user_id = 'foo_user'
self.assertRaises(webob.exc.HTTPForbidden, self.controller.update,
self.req, fake.PROJECT_ID, make_body(tenant_id=None))
self.assertRaises(exception.PolicyNotAuthorized,
self.controller.update, self.req, fake.PROJECT_ID,
make_body(tenant_id=None))
def test_update_without_quota_set_field(self):
body = {'fake_quota_set': {'gigabytes': 100}}
@ -372,8 +373,8 @@ class QuotaSetsControllerTest(QuotaSetsControllerTestBase):
def test_delete_no_admin(self):
self.req.environ['cinder.context'].is_admin = False
self.assertRaises(webob.exc.HTTPForbidden, self.controller.delete,
self.req, fake.PROJECT_ID)
self.assertRaises(exception.PolicyNotAuthorized,
self.controller.delete, self.req, fake.PROJECT_ID)
def test_subproject_show_not_using_nested_quotas(self):
# Current roles say for non-nested quotas, an admin should be able to
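Review bot: The assertions on `self.controller.update` and in `test_delete_no_admin` now expect `exception.PolicyNotAuthorized` from a direct controller call, so these tests no longer pin the HTTP status a client receives when the request is denied. The old side expected `webob.exc.HTTPForbidden` from the controller itself; the 403 now depends on whichever layer translates the policy exception, and that layer is not exercised here. The same applies to the `show` and `test_update_no_admin` assertions in the quota-classes test file. I would either add a request-level test that checks the response status, or note the dependency next to the assertion, e.g. `# Denial comes from policy; the 403 mapping is covered by <request-level test, to be named>.`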


@ -25,6 +25,7 @@ import webob.exc
from cinder.api.contrib import quota_classes
from cinder import context
from cinder import exception
from cinder import quota
from cinder import test
from cinder.tests.unit import fake_constants as fake
@ -99,7 +100,7 @@ class QuotaClassSetsControllerTest(test.TestCase):
self.req.environ['cinder.context'].is_admin = False
self.req.environ['cinder.context'].user_id = fake.USER_ID
self.req.environ['cinder.context'].project_id = fake.PROJECT_ID
self.assertRaises(webob.exc.HTTPForbidden, self.controller.show,
self.assertRaises(exception.PolicyNotAuthorized, self.controller.show,
self.req, fake.PROJECT_ID)
def test_update(self):
@ -138,8 +139,9 @@ class QuotaClassSetsControllerTest(test.TestCase):
def test_update_no_admin(self):
self.req.environ['cinder.context'].is_admin = False
self.assertRaises(webob.exc.HTTPForbidden, self.controller.update,
self.req, fake.PROJECT_ID, make_body(tenant_id=None))
self.assertRaises(exception.PolicyNotAuthorized,
self.controller.update, self.req, fake.PROJECT_ID,
make_body(tenant_id=None))
def test_update_with_more_volume_types(self):
volume_types.create(self.ctxt, 'fake_type_1')


@ -68,9 +68,9 @@
"volume_extension:volume_mig_status_attribute": "rule:admin_api",
"volume_extension:hosts": "rule:admin_api",
"volume_extension:quotas:show": "",
"volume_extension:quotas:update": "",
"volume_extension:quotas:delete": "",
"volume_extension:quota_classes": "",
"volume_extension:quotas:update": "rule:admin_api",
"volume_extension:quotas:delete": "rule:admin_api",
"volume_extension:quota_classes": "rule:admin_api",
"volume_extension:services:index": "",
"volume_extension:services:update" : "rule:admin_api",
"volume_extension:volume_manage": "rule:admin_api",
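Review bot: `"volume_extension:quotas:show": ""` stays empty while update, delete and quota_classes move to `rule:admin_api` (assuming the second of each printed pair is the new side), so policy admits any authenticated context to the show path. With the DB-level `authorize_project_context` call removed in the same commit, a non-admin reading another project's quotas is rejected only if the controller compares the target project itself, which is not visible on this page. If that check is absent, an owner-scoped rule would close the gap, e.g. `"volume_extension:quotas:show": "rule:admin_or_owner"`, provided that rule is defined in this file and the controller passes the target project to the policy check.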