Update access control of show under hostAPI
Update the detection mechanism of the show interface under the host API. Replace the detection mode, and add a policy for the host show API. Change-Id: I76ca1251cd14da6c777bd48a28906d8362d836b0 Closes-Bug: #1732808
parent
bfbff1ef64
commit
f39c3fac2c
|
@ -146,9 +146,7 @@ class HostController(wsgi.Controller):
|
||||||
"""
|
"""
|
||||||
host = id
|
host = id
|
||||||
context = req.environ['cinder.context']
|
context = req.environ['cinder.context']
|
||||||
if not context.is_admin:
|
context.authorize(policy.MANAGE_POLICY)
|
||||||
msg = _("Describe-resource is admin only functionality")
|
|
||||||
raise webob.exc.HTTPForbidden(explanation=msg)
|
|
||||||
|
|
||||||
# Not found exception will be handled at the wsgi level
|
# Not found exception will be handled at the wsgi level
|
||||||
host_ref = objects.Service.get_by_host_and_topic(
|
host_ref = objects.Service.get_by_host_and_topic(
|
||||||
|
|
|
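Review bot: The new `context.authorize(policy.MANAGE_POLICY)` call in `show` has no comment explaining why it sits ahead of the `objects.Service.get_by_host_and_topic(` lookup, and that ordering is security-relevant: a caller who fails the policy check is rejected before the handler can reveal whether the host exists. I would add a comment above it such as `# Enforce policy before the lookup so an unauthorized caller learns nothing about which hosts exist`. The failure now surfaces as a policy exception rather than the explicit `webob.exc.HTTPForbidden`, so it is worth confirming that the wsgi layer still turns it into a 403 response; that mapping is not visible here. The body of `show` starts before and continues past this hunk.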
@ -24,7 +24,7 @@ hosts_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=MANAGE_POLICY,
|
name=MANAGE_POLICY,
|
||||||
check_str=base.RULE_ADMIN_API,
|
check_str=base.RULE_ADMIN_API,
|
||||||
description="List or update hosts for a project.",
|
description="List, update or show hosts for a project.",
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
'method': 'GET',
|
'method': 'GET',
|
||||||
|
@ -33,6 +33,10 @@ hosts_policies = [
|
||||||
{
|
{
|
||||||
'method': 'PUT',
|
'method': 'PUT',
|
||||||
'path': '/os-hosts/{host_name}'
|
'path': '/os-hosts/{host_name}'
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'method': 'GET',
|
||||||
|
'path': '/os-hosts/{host_id}'
|
||||||
}
|
}
|
||||||
])
|
])
|
||||||
]
|
]
|
||||||
|
|
|
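Review bot: Adding the show `GET` to the operations of `MANAGE_POLICY` puts read-only show and the `PUT` update under a single rule, so an operator who relaxes it to delegate host inspection also delegates host updates. A separate rule for the read operations, with the same `base.RULE_ADMIN_API` default, would keep today's behaviour while allowing least-privilege overrides. Separately, the new entry documents the path as `'/os-hosts/{host_id}'` while the existing `PUT` entry uses `'/os-hosts/{host_name}'`. The controller treats the value as a host name (`host = id`), so `'path': '/os-hosts/{host_name}'` would be consistent.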
@ -214,7 +214,7 @@ class HostTestCase(test.TestCase):
|
||||||
def test_show_forbidden(self):
|
def test_show_forbidden(self):
|
||||||
self.req.environ['cinder.context'].is_admin = False
|
self.req.environ['cinder.context'].is_admin = False
|
||||||
dest = 'dummydest'
|
dest = 'dummydest'
|
||||||
self.assertRaises(webob.exc.HTTPForbidden,
|
self.assertRaises(exception.PolicyNotAuthorized,
|
||||||
self.controller.show,
|
self.controller.show,
|
||||||
self.req, dest)
|
self.req, dest)
|
||||||
self.req.environ['cinder.context'].is_admin = True
|
self.req.environ['cinder.context'].is_admin = True
|
||||||
|
|
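Review bot: `test_show_forbidden` now asserts `exception.PolicyNotAuthorized` straight from `self.controller.show`, so this test no longer pins the HTTP status a client receives, which the old `webob.exc.HTTPForbidden` assertion did. If the translation to 403 happens in the wsgi layer (not visible here), a comment such as `# PolicyNotAuthorized is expected to be converted to HTTP 403 by the wsgi layer` would record that, ideally backed by a request-level test. There is also no companion case showing that a policy override lets a non-admin context through, which is the behaviour this commit makes possible. Whether the test body ends inside the hunk is not visible.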