Update access control of show under hostAPI

Update the access-control check of the show interface under the host API.
Replace the existing admin check with a policy check, and add a policy entry for the host show API.

Change-Id: I76ca1251cd14da6c777bd48a28906d8362d836b0
Closes-Bug: #1732808
zhangbailin 2017-11-22 12:23:00 +08:00
parent bfbff1ef64
commit f39c3fac2c
3 changed files with 7 additions and 5 deletions


@ -146,9 +146,7 @@ class HostController(wsgi.Controller):
"""
host = id
context = req.environ['cinder.context']
if not context.is_admin:
msg = _("Describe-resource is admin only functionality")
raise webob.exc.HTTPForbidden(explanation=msg)
context.authorize(policy.MANAGE_POLICY)
# Not found exception will be handled at the wsgi level
host_ref = objects.Service.get_by_host_and_topic(
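Review bot: The `context.authorize(policy.MANAGE_POLICY)` call has to stay ahead of `objects.Service.get_by_host_and_topic(` so that a caller who fails the policy check gets the same refusal whether or not the host exists, and nothing in the code records that ordering requirement. I would add a comment above the call, for example `# Authorize before the lookup so a refused caller cannot learn which hosts exist.` The call also passes no target, so the decision rests on the request context alone; that looks intended for an admin-API rule but is worth confirming. The body of show starts and ends outside this hunk, so the rest of the handler was not checked.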


@ -24,7 +24,7 @@ hosts_policies = [
policy.DocumentedRuleDefault(
name=MANAGE_POLICY,
check_str=base.RULE_ADMIN_API,
description="List or update hosts for a project.",
description="List, update or show hosts for a project.",
operations=[
{
'method': 'GET',
@ -33,6 +33,10 @@ hosts_policies = [
{
'method': 'PUT',
'path': '/os-hosts/{host_name}'
},
{
'method': 'GET',
'path': '/os-hosts/{host_id}'
}
])
]
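Review bot: Adding `GET /os-hosts/{host_id}` to the operations of `MANAGE_POLICY` puts the read-only show call under the same rule as `PUT /os-hosts/{host_name}`, so an operator who overrides the rule to delegate host inspection also delegates host updates. If read-only delegation matters, show would be better served by its own `policy.DocumentedRuleDefault` entry with the same `check_str=base.RULE_ADMIN_API` default. Separately, the new entry names the path segment `{host_id}` while the PUT entry names the same segment `{host_name}`; to keep the policy documentation consistent I would write `'path': '/os-hosts/{host_name}'`.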


@ -214,7 +214,7 @@ class HostTestCase(test.TestCase):
def test_show_forbidden(self):
self.req.environ['cinder.context'].is_admin = False
dest = 'dummydest'
self.assertRaises(webob.exc.HTTPForbidden,
self.assertRaises(exception.PolicyNotAuthorized,
self.controller.show,
self.req, dest)
self.req.environ['cinder.context'].is_admin = True
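Review bot: `test_show_forbidden` now expects `exception.PolicyNotAuthorized` from a direct controller call, so nothing in this test shows that an API client still receives a 403 as it did when the handler raised `webob.exc.HTTPForbidden`. Presumably the wsgi layer translates the exception, but that is not visible here; a comment such as `# PolicyNotAuthorized is expected to surface as HTTP 403 at the wsgi layer.` would record the assumption, and a request-level test would pin it. The surrounding context lines also set `is_admin = False` on `self.req` and restore it only after the assertion, so if `self.req` outlives this test a failing assertion would leave it False; `self.addCleanup(setattr, self.req.environ['cinder.context'], 'is_admin', True)` would restore it either way.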