Merge "Update the default policy rule for /v1/storage/dataframes"

2019-04-02 12:15:16 +00:00 · 2019-04-02 12:15:16 +00:00 · 6c36f6721d
parent fdd83e7e98 b3c4f18b94
commit 6c36f6721d
3 changed files with 11 additions and 2 deletions
--- a/cloudkitty/api/v1/controllers/storage.py
+++ b/cloudkitty/api/v1/controllers/storage.py
@ -54,7 +54,10 @@ class DataFramesController(rest.RestController):
        :return: Collection of DataFrame objects.
        """

-        policy.authorize(pecan.request.context, 'storage:list_data_frames', {})
+        project_id = tenant_id or pecan.request.context.project_id
+        policy.authorize(pecan.request.context, 'storage:list_data_frames', {
+            'tenant_id': project_id,
+        })

        scope_key = CONF.collect.scope_key
        backend = pecan.request.storage_backend
--- a/cloudkitty/common/policies/v1/storage.py
+++ b/cloudkitty/common/policies/v1/storage.py
@ -20,7 +20,7 @@ from cloudkitty.common.policies import base
 storage_policies = [
    policy.DocumentedRuleDefault(
        name='storage:list_data_frames',
-        check_str=base.UNPROTECTED,
+        check_str=base.RULE_ADMIN_OR_OWNER,
        description='Return a list of rated resources for a time period '
                    'and a tenant.',
        operations=[{'path': '/v1/storage/dataframes',
--- a/releasenotes/notes/harden-dataframes-policy-7786286525e52dfb.yaml
+++ b/releasenotes/notes/harden-dataframes-policy-7786286525e52dfb.yaml
@ -0,0 +1,6 @@
+---
+security:
+  - |
+    The default policy for the ``/v1/storage/dataframes`` endpoint has been
+    changed from ``unprotected`` (accessible by any unauthenticated used) to
+    ``admin_or_owner`` (accessible only by admins or members of the project).