Modify policy of get total/summary

Update policy of get_total/summary, admin user can
get rate info of all tenants and non-admin user can
get rate info of itself.

For example, get total api change as follows:
    cloudkitty total-get
        -- get total of current tenant(get tenant from context)
    cloudkitty total-get -t tenant_id
        -- get total of specified tenant if allowed(admin or owner)
    cloudkitty total-get --all-tenants
        -- get total of all tenants if allowed(admin)

Change-Id: I47dd5f310f18b7e5211165069692827047cdccd6
closes-bug:#1644399

cloudkitty/api/app.py

@@ -74,11 +74,9 @@ def setup_app(pecan_config=None, extra_hooks=None):
     app_hooks = [
         hooks.RPCHook(),
         hooks.StorageHook(storage_backend),
+        hooks.ContextHook(),
     ]
 
-    if CONF.auth_strategy == 'keystone':
-        app_hooks.append(hooks.ContextHook())
-
     app = pecan.make_app(
         app_conf.app.root,
         static_root=app_conf.app.static_root,

cloudkitty/api/hooks.py

@@ -46,11 +46,15 @@ class ContextHook(hooks.PecanHook):
         is_admin = policy.check_is_admin(roles)
 
         creds = {
-            'user': headers.get('X-User') or headers.get('X-User-Id'),
-            'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'),
-            'auth_token': headers.get('X-Auth-Token'),
+            'user': headers.get('X-User-Id', ''),
+            'tenant': headers.get('X-Tenant-Id', ''),
+            'auth_token': headers.get('X-Auth-Token', ''),
             'is_admin': is_admin,
             'roles': roles,
+            "user_name": headers.get('X-User-Name', ''),
+            "project_name": headers.get('X-Project-Name', ''),
+            "domain": headers.get('X-User-Domain-Id', ''),
+            "domain_name": headers.get('X-User-Domain-Name', ''),
         }
 
         state.request.context = context.RequestContext(**creds)

cloudkitty/api/v1/controllers/report.py

@@ -61,18 +61,26 @@ class ReportController(rest.RestController):
                          datetime.datetime,
                          datetime.datetime,
                          wtypes.text,
-                         wtypes.text)
-    def total(self, begin=None, end=None, tenant_id=None, service=None):
+                         wtypes.text,
+                         bool)
+    def total(self, begin=None, end=None, tenant_id=None, service=None,
+              all_tenants=False):
         """Return the amount to pay for a given period.
 
         """
-        policy.enforce(pecan.request.context, 'report:get_total', {})
-
         if not begin:
             begin = ck_utils.get_month_start()
         if not end:
             end = ck_utils.get_next_month()
 
+        if all_tenants:
+            tenant_id = None
+        else:
+            tenant_context = pecan.request.context.tenant
+            tenant_id = tenant_context if not tenant_id else tenant_id
+        policy.enforce(pecan.request.context, 'report:get_total',
+                       {"tenant_id": tenant_id})
+
         storage = pecan.request.storage_backend
         # FIXME(sheeprine): We should filter on user id.
         # Use keystone token information by default but make it overridable and
@@ -89,13 +97,25 @@ class ReportController(rest.RestController):
                          datetime.datetime,
                          wtypes.text,
                          wtypes.text,
-                         wtypes.text,)
+                         wtypes.text,
+                         bool)
     def summary(self, begin=None, end=None, tenant_id=None,
-                service=None, groupby=None):
+                service=None, groupby=None, all_tenants=False):
         """Return the summary to pay for a given period.
 
         """
-        policy.enforce(pecan.request.context, 'report:get_summary', {})
+        if not begin:
+            begin = ck_utils.get_month_start()
+        if not end:
+            end = ck_utils.get_next_month()
+
+        if all_tenants:
+            tenant_id = None
+        else:
+            tenant_context = pecan.request.context.tenant
+            tenant_id = tenant_context if not tenant_id else tenant_id
+        policy.enforce(pecan.request.context, 'report:get_summary',
+                       {"tenant_id": tenant_id})
         storage = pecan.request.storage_backend
 
         summarymodels = []

cloudkitty/common/policy.py

@@ -75,6 +75,9 @@ def check_is_admin(roles):
     """Whether or not roles contains 'admin' role according to policy setting.
 
     """
+    if CONF.auth_strategy != "keystone":
+        return True
+
     init()
 
     # include project_id on target to avoid KeyError if context_is_admin

etc/cloudkitty/policy.json

@@ -1,5 +1,6 @@
 {
     "context_is_admin":  "role:admin",
+    "admin_or_owner":  "is_admin:True or tenant:%(tenant_id)s",
     "default": "",
 
     "info:list_services_info": "",
@@ -12,8 +13,8 @@
     "rating:quote": "",
 
     "report:list_tenants": "role:admin",
-    "report:get_total": "",
-    "report:get_summary": "",
+    "report:get_summary": "rule:admin_or_owner",
+    "report:get_total": "rule:admin_or_owner",
 
     "collector:list_mappings": "role:admin",
     "collector:get_mapping": "role:admin",

requirements.txt

@@ -14,7 +14,7 @@ PasteDeploy>=1.5.0 # MIT
 pecan>=1.0.0 # BSD
 WSME>=0.8 # MIT
 oslo.config>=3.7.0 # Apache-2.0
-oslo.context>=2.2.0 # Apache-2.0
+oslo.context>=2.9.0 # Apache-2.0
 oslo.concurrency>=3.5.0 # Apache-2.0
 oslo.db>=4.1.0 # Apache-2.0
 oslo.i18n>=2.1.0 # Apache-2.0