Create new policy for downloading deactivated artifacts

Currently the engine contains a hard-coded check that verifies
that only admins can download deactivated artifacts.
Hard-coding this is not recommended; it is much wiser to create
a policy for this check.

Change-Id: I26fb4be064d2860ace5d7423d3103f2fa33360cd
Mike Fedosin 2017-07-20 21:26:36 +03:00
parent b67f0538e4
commit 8faf9090d9
2 changed files with 7 additions and 6 deletions


@ -69,7 +69,13 @@ artifact_policy_rules = [
"Policy to set custom location for artifact"),
policy.RuleDefault("artifact:upload", "rule:admin_or_owner",
"Policy to upload blob for artifact"),
policy.RuleDefault("artifact:download", "",
policy.RuleDefault("artifact:download_deactivated",
"'deactivated':%(status)s and rule:context_is_admin "
"or not 'deactivated':%(status)s",
"Policy to download blob from deactivated artifact"),
policy.RuleDefault("artifact:download",
"rule:admin_or_owner and "
"rule:artifact:download_deactivated",
"Policy to download blob from artifact"),
]
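Review bot: The `artifact:download_deactivated` default fails open when the enforcement target has no `status` key: oslo.policy's generic check evaluates `'deactivated':%(status)s` to False on a missing key, so `not 'deactivated':%(status)s` becomes True and the rule passes for non-admins. The code that builds the target is outside this section, so it should be confirmed that `status` is always present; a comment above the rule such as `# target must always carry 'status'; a missing key makes this rule pass` would record that dependency. Separately, the `artifact:download` default changes from `""` to `rule:admin_or_owner and ...`, which narrows who may download any artifact and is not mentioned in the commit message; if that is intended it deserves a release note.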


@ -541,11 +541,6 @@ class Engine(object):
blob_name = "%s[%s]" % (field_name, blob_key)\
if blob_key else field_name
if af.status == 'deactivated' and not context.is_admin:
msg = _("Only admin is allowed to download artifact data "
"when it's deactivated")
raise exception.Forbidden(message=msg)
if af.status == 'deleted':
msg = _("Cannot download data when artifact is deleted")
raise exception.Forbidden(message=msg)
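Review bot: With the unconditional `af.status == 'deactivated'` check gone from this method, the restriction holds only while the deployed `artifact:download` rule still references `rule:artifact:download_deactivated`. An operator policy file that already overrides `artifact:download` (for example with the old `""` default) would let non-admins download deactivated artifacts after upgrade, without any error. Consider enforcing `artifact:download_deactivated` as its own policy check in the download path instead of only through the composite default, and leave a comment where the check was, e.g. `# deactivated artifacts: access is decided by policy artifact:download_deactivated`. The method begins and continues outside the hunk, so the place where policy is enforced is not visible here.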