From b3c4f18b944326052e22faf306f7b93fbde28d6a Mon Sep 17 00:00:00 2001 From: Luka Peschke Date: Mon, 25 Mar 2019 14:16:40 +0100 Subject: [PATCH] Update the default policy rule for /v1/storage/dataframes For now, this endpoint is unprotected, allowing any authenticated user to access it. This hardens the access control. Change-Id: Id35e162a213449527b871c01056779c29239edfa --- cloudkitty/api/v1/controllers/storage.py | 5 ++++- cloudkitty/common/policies/v1/storage.py | 2 +- .../notes/harden-dataframes-policy-7786286525e52dfb.yaml | 6 ++++++ 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/harden-dataframes-policy-7786286525e52dfb.yaml diff --git a/cloudkitty/api/v1/controllers/storage.py b/cloudkitty/api/v1/controllers/storage.py index 4719da3a..4b2b761a 100644 --- a/cloudkitty/api/v1/controllers/storage.py +++ b/cloudkitty/api/v1/controllers/storage.py @@ -54,7 +54,10 @@ class DataFramesController(rest.RestController): :return: Collection of DataFrame objects. """ - policy.authorize(pecan.request.context, 'storage:list_data_frames', {}) + project_id = tenant_id or pecan.request.context.project_id + policy.authorize(pecan.request.context, 'storage:list_data_frames', { + 'tenant_id': project_id, + }) scope_key = CONF.collect.scope_key backend = pecan.request.storage_backend diff --git a/cloudkitty/common/policies/v1/storage.py b/cloudkitty/common/policies/v1/storage.py index 67710e01..47d92079 100644 --- a/cloudkitty/common/policies/v1/storage.py +++ b/cloudkitty/common/policies/v1/storage.py @@ -20,7 +20,7 @@ from cloudkitty.common.policies import base storage_policies = [ policy.DocumentedRuleDefault( name='storage:list_data_frames', - check_str=base.UNPROTECTED, + check_str=base.RULE_ADMIN_OR_OWNER, description='Return a list of rated resources for a time period ' 'and a tenant.', operations=[{'path': '/v1/storage/dataframes', diff --git a/releasenotes/notes/harden-dataframes-policy-7786286525e52dfb.yaml b/releasenotes/notes/harden-dataframes-policy-7786286525e52dfb.yaml new file mode 100644 index 00000000..63a02d8b --- /dev/null +++ b/releasenotes/notes/harden-dataframes-policy-7786286525e52dfb.yaml @@ -0,0 +1,6 @@ +--- +security: + - | + The default policy for the ``/v1/storage/dataframes`` endpoint has been + changed from ``unprotected`` (accessible by any unauthenticated used) to + ``admin_or_owner`` (accessible only by admins or members of the project).