Honor volume:get policy
The fix for bug 1356368 hard-coded a policy check (same as rule:admin_or_owner) for volume:get. While in most cases this is what people want, it'd be good we honor policy setting. Note that before commit0505bb2689
, DB query volume_get() actually acted as the policy checker for volume:get, and it raised VolumeNotFound if context.project_id didn't match volume['project_id']. The check_policy() in volume:get didn't get a chance to raise PolicyNotAuthorized exception. So in this change we keep the same behavor. Change-Id: If43cec5cce977b9220296709b4e243b35b06ecd5 Related-bug: #1356368 (cherry picked from commitd6d75f868d
)
This commit is contained in:
parent
da65d08f20
commit
c2826368c2
@ -4,7 +4,7 @@
|
||||
"admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]],
|
||||
|
||||
"volume:create": [],
|
||||
"volume:get": [],
|
||||
"volume:get": [["rule:admin_or_owner"]],
|
||||
"volume:get_all": [],
|
||||
"volume:get_volume_metadata": [],
|
||||
"volume:delete_volume_metadata": [],
|
||||
|
@ -261,15 +261,19 @@ class API(base.Base):
|
||||
self.db.volume_update(context, volume['id'], fields)
|
||||
|
||||
def get(self, context, volume_id, viewable_admin_meta=False):
|
||||
old_ctxt = context.deepcopy()
|
||||
if viewable_admin_meta:
|
||||
ctxt = context.elevated()
|
||||
else:
|
||||
ctxt = context
|
||||
rv = self.db.volume_get(ctxt, volume_id)
|
||||
volume = dict(rv.iteritems())
|
||||
if not context.is_admin and volume['project_id'] != context.project_id:
|
||||
try:
|
||||
check_policy(old_ctxt, 'get', volume)
|
||||
except exception.PolicyNotAuthorized:
|
||||
# raise VolumeNotFound instead to make sure Cinder behaves
|
||||
# as it used to
|
||||
raise exception.VolumeNotFound(volume_id=volume_id)
|
||||
check_policy(context, 'get', volume)
|
||||
return volume
|
||||
|
||||
def get_all(self, context, marker=None, limit=None, sort_key='created_at',
|
||||
|
Loading…
Reference in New Issue
Block a user