Update the default policy rule for /v1/storage/dataframes
For now, this endpoint is unprotected, allowing any authenticated user to access it. This hardens the access control. Change-Id: Id35e162a213449527b871c01056779c29239edfa
This commit is contained in:
parent
dc2509ba65
commit
b3c4f18b94
|
@ -54,7 +54,10 @@ class DataFramesController(rest.RestController):
|
|||
:return: Collection of DataFrame objects.
|
||||
"""
|
||||
|
||||
policy.authorize(pecan.request.context, 'storage:list_data_frames', {})
|
||||
project_id = tenant_id or pecan.request.context.project_id
|
||||
policy.authorize(pecan.request.context, 'storage:list_data_frames', {
|
||||
'tenant_id': project_id,
|
||||
})
|
||||
|
||||
scope_key = CONF.collect.scope_key
|
||||
backend = pecan.request.storage_backend
|
||||
|
|
|
@ -20,7 +20,7 @@ from cloudkitty.common.policies import base
|
|||
storage_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='storage:list_data_frames',
|
||||
check_str=base.UNPROTECTED,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description='Return a list of rated resources for a time period '
|
||||
'and a tenant.',
|
||||
operations=[{'path': '/v1/storage/dataframes',
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
security:
|
||||
- |
|
||||
The default policy for the ``/v1/storage/dataframes`` endpoint has been
|
||||
changed from ``unprotected`` (accessible by any unauthenticated used) to
|
||||
``admin_or_owner`` (accessible only by admins or members of the project).
|
Loading…
Reference in New Issue