Update the default policy rule for /v1/storage/dataframes
For now, this endpoint is unprotected, allowing any authenticated user to access it. This hardens the access control. Change-Id: Id35e162a213449527b871c01056779c29239edfa
This commit is contained in:
parent
dc2509ba65
commit
b3c4f18b94
|
@ -54,7 +54,10 @@ class DataFramesController(rest.RestController):
|
||||||
:return: Collection of DataFrame objects.
|
:return: Collection of DataFrame objects.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
policy.authorize(pecan.request.context, 'storage:list_data_frames', {})
|
project_id = tenant_id or pecan.request.context.project_id
|
||||||
|
policy.authorize(pecan.request.context, 'storage:list_data_frames', {
|
||||||
|
'tenant_id': project_id,
|
||||||
|
})
|
||||||
|
|
||||||
scope_key = CONF.collect.scope_key
|
scope_key = CONF.collect.scope_key
|
||||||
backend = pecan.request.storage_backend
|
backend = pecan.request.storage_backend
|
||||||
|
|
|
@ -20,7 +20,7 @@ from cloudkitty.common.policies import base
|
||||||
storage_policies = [
|
storage_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='storage:list_data_frames',
|
name='storage:list_data_frames',
|
||||||
check_str=base.UNPROTECTED,
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
description='Return a list of rated resources for a time period '
|
description='Return a list of rated resources for a time period '
|
||||||
'and a tenant.',
|
'and a tenant.',
|
||||||
operations=[{'path': '/v1/storage/dataframes',
|
operations=[{'path': '/v1/storage/dataframes',
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
The default policy for the ``/v1/storage/dataframes`` endpoint has been
|
||||||
|
changed from ``unprotected`` (accessible by any unauthenticated used) to
|
||||||
|
``admin_or_owner`` (accessible only by admins or members of the project).
|
Loading…
Reference in New Issue