Merge "Add policy check for type show and type list"

Zuul 2018-08-07 23:15:51 +00:00 committed by Gerrit Code Review
commit fdb5083b22
4 changed files with 41 additions and 4 deletions


@ -27,6 +27,7 @@ from cinder.api.openstack import wsgi
from cinder.api.v2.views import types as views_types
from cinder import exception
from cinder.i18n import _
from cinder.policies import volume_type as type_policy
from cinder import utils
from cinder.volume import volume_types
@ -40,7 +41,10 @@ class VolumeTypesController(wsgi.Controller):
def index(self, req):
"""Returns the list of volume types."""
context = req.environ['cinder.context']
context.authorize(type_policy.GET_ALL_POLICY)
limited_types = self._get_volume_types(req)
req.cache_resource(limited_types, name='types')
return self._view_builder.index(req, limited_types)
@ -59,7 +63,7 @@ class VolumeTypesController(wsgi.Controller):
# Not found exception will be handled at wsgi level
vol_type = volume_types.get_volume_type(context, id)
req.cache_resource(vol_type, name='types')
context.authorize(type_policy.GET_POLICY, target_obj=vol_type)
return self._view_builder.show(req, vol_type)
def _parse_is_public(self, is_public):
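Review bot: In the show hunk, `context.authorize(type_policy.GET_POLICY, target_obj=vol_type)` runs only after `req.cache_resource(vol_type, name='types')`, so a request that fails the policy check has already written the type into the request cache. The lookup has to stay first because the check needs the target object, but the two following lines can be swapped so that `context.authorize(type_policy.GET_POLICY, target_obj=vol_type)` comes before `req.cache_resource(vol_type, name='types')`. Because the lookup precedes the check, a denied caller presumably also sees a not-found error for a missing id and a policy error for an existing one; if type ids are considered sensitive, that difference is worth a comment such as `# NOTE: lookup precedes the policy check, so existence of a type id is visible to denied callers`. The body of show starts outside this hunk, so any other branch that caches a type should be checked for the same ordering.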


@ -22,6 +22,8 @@ MANAGE_POLICY = "volume_extension:types_manage"
ENCRYPTION_POLICY = "volume_extension:volume_type_encryption"
QOS_POLICY = "volume_extension:access_types_qos_specs_id"
EXTRA_SPEC_POLICY = "volume_extension:access_types_extra_specs"
GET_POLICY = "volume_extension:type_get"
GET_ALL_POLICY = "volume_extension:type_get_all"
volume_type_policies = [
policy.DocumentedRuleDefault(
@ -42,6 +44,26 @@ volume_type_policies = [
'path': '/types'
}
]),
policy.DocumentedRuleDefault(
name=GET_POLICY,
check_str="",
description="Get one specific volume type.",
operations=[
{
'method': 'GET',
'path': '/types/{type_id}'
}
]),
policy.DocumentedRuleDefault(
name=GET_ALL_POLICY,
check_str="",
description="List volume types.",
operations=[
{
'method': 'GET',
'path': '/types/'
}
]),
policy.DocumentedRuleDefault(
name=ENCRYPTION_POLICY,
check_str=base.RULE_ADMIN_API,
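Review bot: Both new rules are registered with `check_str=""`, which oslo.policy evaluates as always allowed, so by default the added `authorize` calls for type show and type list deny nobody; the endpoints stay readable to any caller with a valid request context until an operator overrides the rules. If that default is deliberate for backward compatibility, record it next to the rules, for example `# Empty check_str keeps type show/list open by default; operators restrict it in the policy file.` The list rule also documents `'path': '/types/'` while the neighbouring entry visible in this hunk uses `'/types'`, so the trailing slash looks unintended. The `volume_type_policies` list starts and ends outside the hunk.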


@ -24,6 +24,7 @@ from cinder.api.v2 import types
from cinder.api.v2.views import types as views_types
from cinder import context
from cinder import exception
from cinder.policies import volume_type as type_policy
from cinder import test
from cinder.tests.unit.api import fakes
from cinder.tests.unit import fake_constants as fake
@ -91,6 +92,8 @@ class VolumeTypesApiTest(test.TestCase):
self.ctxt = context.RequestContext(user_id=fake.USER_ID,
project_id=fake.PROJECT_ID,
is_admin=True)
self.mock_authorize = self.patch(
'cinder.context.RequestContext.authorize')
self.type_id1 = self._create_volume_type('volume_type1',
{'key1': 'value1'})
self.type_id2 = self._create_volume_type('volume_type2',
@ -114,6 +117,7 @@ class VolumeTypesApiTest(test.TestCase):
self.assertEqual(set(expected_names), set(actual_names))
for entry in res_dict['volume_types']:
self.assertEqual('value1', entry['extra_specs']['key1'])
self.mock_authorize.assert_any_call(type_policy.GET_ALL_POLICY)
def test_volume_types_index_no_data(self):
self.mock_object(volume_types, 'get_all_types',
@ -242,6 +246,8 @@ class VolumeTypesApiTest(test.TestCase):
self.assertEqual(type_id, res_dict['volume_type']['id'])
type_name = 'vol_type_' + type_id
self.assertEqual(type_name, res_dict['volume_type']['name'])
self.mock_authorize.assert_any_call(
type_policy.GET_POLICY, target_obj=mock.ANY)
def test_volume_types_show_not_found(self):
self.mock_object(volume_types, 'get_volume_type',
@ -275,7 +281,7 @@ class VolumeTypesApiTest(test.TestCase):
def test_view_builder_show(self):
view_builder = views_types.ViewBuilder()
self.mock_authorize.return_value = False
now = timeutils.utcnow().isoformat()
raw_volume_type = dict(
name='new_type',
@ -304,7 +310,7 @@ class VolumeTypesApiTest(test.TestCase):
def test_view_builder_show_admin(self):
view_builder = views_types.ViewBuilder()
self.mock_authorize.return_value = True
now = timeutils.utcnow().isoformat()
raw_volume_type = dict(
name='new_type',
@ -458,7 +464,7 @@ class VolumeTypesApiTest(test.TestCase):
def test_view_builder_list(self):
view_builder = views_types.ViewBuilder()
self.mock_authorize.return_value = False
now = timeutils.utcnow().isoformat()
raw_volume_types = []
for i in range(0, 10):
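Review bot: The `setUp` hunk patches `cinder.context.RequestContext.authorize` for every test in the class, so none of the tests shown exercises a denied request. The new checks are verified only as "called", and `target_obj=mock.ANY` would still pass if the wrong object were handed to the policy check. Add a negative case for index and for show that sets `self.mock_authorize.side_effect = exception.PolicyNotAuthorized(action=type_policy.GET_POLICY)` and asserts the controller call raises it, and compare the show target with the type the test created instead of `mock.ANY`. `mock` is not among the imports visible in the first hunk, so confirm the file already imports it. The test methods continue past the hunk boundaries shown here.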


@ -0,0 +1,5 @@
---
fixes:
- Two new policies "volume_extension:type_get" and
"volume_extension:type_get_all" have been added to
control type show and type list APIs.