Update the default policy rule for /v1/storage/dataframes

For now, this endpoint is unprotected, allowing any authenticated user to access it. This hardens the access control. Change-Id: Id35e162a213449527b871c01056779c29239edfa
2019-03-25 14:16:40 +01:00 · 2019-03-25 14:16:40 +01:00 · b3c4f18b94
parent dc2509ba65
commit b3c4f18b94
3 changed files with 11 additions and 2 deletions
--- a/cloudkitty/api/v1/controllers/storage.py
+++ b/cloudkitty/api/v1/controllers/storage.py
@ -54,7 +54,10 @@ class DataFramesController(rest.RestController):
        :return: Collection of DataFrame objects.
        """

-        policy.authorize(pecan.request.context, 'storage:list_data_frames', {})
+        project_id = tenant_id or pecan.request.context.project_id
+        policy.authorize(pecan.request.context, 'storage:list_data_frames', {
+            'tenant_id': project_id,
+        })

        scope_key = CONF.collect.scope_key
        backend = pecan.request.storage_backend
--- a/cloudkitty/common/policies/v1/storage.py
+++ b/cloudkitty/common/policies/v1/storage.py
@ -20,7 +20,7 @@ from cloudkitty.common.policies import base
 storage_policies = [
    policy.DocumentedRuleDefault(
        name='storage:list_data_frames',
-        check_str=base.UNPROTECTED,
+        check_str=base.RULE_ADMIN_OR_OWNER,
        description='Return a list of rated resources for a time period '
                    'and a tenant.',
        operations=[{'path': '/v1/storage/dataframes',
--- a/releasenotes/notes/harden-dataframes-policy-7786286525e52dfb.yaml
+++ b/releasenotes/notes/harden-dataframes-policy-7786286525e52dfb.yaml
@ -0,0 +1,6 @@
+---
+security:
+  - |
+    The default policy for the ``/v1/storage/dataframes`` endpoint has been
+    changed from ``unprotected`` (accessible by any unauthenticated used) to
+    ``admin_or_owner`` (accessible only by admins or members of the project).