Modify policy of get total/summary

Update policy of get_total/summary, admin user can get rate info of all tenants and non-admin user can get rate info of itself. For example, get total api change as follows: cloudkitty total-get -- get total of current tenant(get tenant from context) cloudkitty total-get -t tenant_id -- get total of specified tenant if allowed(admin or owner) cloudkitty total-get --all-tenants -- get total of all tenants if allowed(admin) Change-Id: I47dd5f310f18b7e5211165069692827047cdccd6 closes-bug:#1644399
2016-12-28 15:31:09 +08:00 · 2016-12-28 15:31:09 +08:00 · 2ba69c4a0b
parent e8dc5ce4aa
commit 2ba69c4a0b
6 changed files with 42 additions and 16 deletions
--- a/cloudkitty/api/app.py
+++ b/cloudkitty/api/app.py
@ -74,11 +74,9 @@ def setup_app(pecan_config=None, extra_hooks=None):
    app_hooks = [
        hooks.RPCHook(),
        hooks.StorageHook(storage_backend),
+        hooks.ContextHook(),
    ]

-    if CONF.auth_strategy == 'keystone':
-        app_hooks.append(hooks.ContextHook())
-
    app = pecan.make_app(
        app_conf.app.root,
        static_root=app_conf.app.static_root,
--- a/cloudkitty/api/hooks.py
+++ b/cloudkitty/api/hooks.py
@ -46,11 +46,15 @@ class ContextHook(hooks.PecanHook):
        is_admin = policy.check_is_admin(roles)

        creds = {
-            'user': headers.get('X-User') or headers.get('X-User-Id'),
-            'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'),
-            'auth_token': headers.get('X-Auth-Token'),
+            'user': headers.get('X-User-Id', ''),
+            'tenant': headers.get('X-Tenant-Id', ''),
+            'auth_token': headers.get('X-Auth-Token', ''),
            'is_admin': is_admin,
            'roles': roles,
+            "user_name": headers.get('X-User-Name', ''),
+            "project_name": headers.get('X-Project-Name', ''),
+            "domain": headers.get('X-User-Domain-Id', ''),
+            "domain_name": headers.get('X-User-Domain-Name', ''),
        }

        state.request.context = context.RequestContext(**creds)
--- a/cloudkitty/api/v1/controllers/report.py
+++ b/cloudkitty/api/v1/controllers/report.py
@ -61,18 +61,26 @@ class ReportController(rest.RestController):
                         datetime.datetime,
                         datetime.datetime,
                         wtypes.text,
-                         wtypes.text)
-    def total(self, begin=None, end=None, tenant_id=None, service=None):
+                         wtypes.text,
+                         bool)
+    def total(self, begin=None, end=None, tenant_id=None, service=None,
+              all_tenants=False):
        """Return the amount to pay for a given period.

        """
-        policy.enforce(pecan.request.context, 'report:get_total', {})
-
        if not begin:
            begin = ck_utils.get_month_start()
        if not end:
            end = ck_utils.get_next_month()

+        if all_tenants:
+            tenant_id = None
+        else:
+            tenant_context = pecan.request.context.tenant
+            tenant_id = tenant_context if not tenant_id else tenant_id
+        policy.enforce(pecan.request.context, 'report:get_total',
+                       {"tenant_id": tenant_id})
+
        storage = pecan.request.storage_backend
        # FIXME(sheeprine): We should filter on user id.
        # Use keystone token information by default but make it overridable and
@ -89,13 +97,25 @@ class ReportController(rest.RestController):
                         datetime.datetime,
                         wtypes.text,
                         wtypes.text,
-                         wtypes.text,)
+                         wtypes.text,
+                         bool)
    def summary(self, begin=None, end=None, tenant_id=None,
-                service=None, groupby=None):
+                service=None, groupby=None, all_tenants=False):
        """Return the summary to pay for a given period.

        """
-        policy.enforce(pecan.request.context, 'report:get_summary', {})
+        if not begin:
+            begin = ck_utils.get_month_start()
+        if not end:
+            end = ck_utils.get_next_month()
+
+        if all_tenants:
+            tenant_id = None
+        else:
+            tenant_context = pecan.request.context.tenant
+            tenant_id = tenant_context if not tenant_id else tenant_id
+        policy.enforce(pecan.request.context, 'report:get_summary',
+                       {"tenant_id": tenant_id})
        storage = pecan.request.storage_backend

        summarymodels = []
--- a/cloudkitty/common/policy.py
+++ b/cloudkitty/common/policy.py
@ -75,6 +75,9 @@ def check_is_admin(roles):
    """Whether or not roles contains 'admin' role according to policy setting.

    """
+    if CONF.auth_strategy != "keystone":
+        return True
+
    init()

    # include project_id on target to avoid KeyError if context_is_admin
--- a/etc/cloudkitty/policy.json
+++ b/etc/cloudkitty/policy.json
@ -1,5 +1,6 @@
 {
    "context_is_admin":  "role:admin",
+    "admin_or_owner":  "is_admin:True or tenant:%(tenant_id)s",
    "default": "",

    "info:list_services_info": "",
@ -12,8 +13,8 @@
    "rating:quote": "",

    "report:list_tenants": "role:admin",
-    "report:get_total": "",
-    "report:get_summary": "",
+    "report:get_summary": "rule:admin_or_owner",
+    "report:get_total": "rule:admin_or_owner",

    "collector:list_mappings": "role:admin",
    "collector:get_mapping": "role:admin",
--- a/requirements.txt
+++ b/requirements.txt
@ -14,7 +14,7 @@ PasteDeploy>=1.5.0 # MIT
 pecan>=1.0.0 # BSD
 WSME>=0.8 # MIT
 oslo.config>=3.7.0 # Apache-2.0
-oslo.context>=2.2.0 # Apache-2.0
+oslo.context>=2.9.0 # Apache-2.0
 oslo.concurrency>=3.5.0 # Apache-2.0
 oslo.db>=4.1.0 # Apache-2.0
 oslo.i18n>=2.1.0 # Apache-2.0