Make policy target independent of new defaults
Making which policy checks are available and working depend on the value of enforce_new_defaults is counterintuitive, and forces operators to rewrite existing policies when switching to the new defaults. Closes-Bug: #2012513 Change-Id: I878ed0be24127dd3e1e377ec61bcf09d96fcbe20
parent
5703810a40
commit
da42d596a1
|
@ -530,11 +530,9 @@ class Service(service.RPCService):
|
|||
# Quota Methods
|
||||
@rpc.expected_exceptions()
|
||||
def get_quotas(self, context, tenant_id):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: tenant_id,
|
||||
'all_tenants': context.all_tenants}
|
||||
else:
|
||||
target = {'tenant_id': tenant_id}
|
||||
target = {constants.RBAC_PROJECT_ID: tenant_id,
|
||||
'tenant_id': tenant_id,
|
||||
'all_tenants': context.all_tenants}
|
||||
policy.check('get_quotas', context, target)
|
||||
|
||||
# TODO(johnsom) Deprecated since Wallaby, remove with legacy default
|
||||
|
@ -548,18 +546,12 @@ class Service(service.RPCService):
|
|||
@rpc.expected_exceptions()
|
||||
@transaction
|
||||
def set_quota(self, context, tenant_id, resource, hard_limit):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: tenant_id,
|
||||
'resource': resource,
|
||||
'hard_limit': hard_limit,
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': tenant_id,
|
||||
'resource': resource,
|
||||
'hard_limit': hard_limit,
|
||||
}
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: tenant_id,
|
||||
'tenant_id': tenant_id,
|
||||
'resource': resource,
|
||||
'hard_limit': hard_limit,
|
||||
}
|
||||
|
||||
policy.check('set_quota', context, target)
|
||||
# TODO(johnsom) Deprecated since Wallaby, remove with legacy default
|
||||
|
@ -572,10 +564,8 @@ class Service(service.RPCService):
|
|||
|
||||
@transaction
|
||||
def reset_quotas(self, context, tenant_id):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: tenant_id}
|
||||
else:
|
||||
target = {'tenant_id': tenant_id}
|
||||
target = {constants.RBAC_PROJECT_ID: tenant_id,
|
||||
'tenant_id': tenant_id}
|
||||
policy.check('reset_quotas', context, target)
|
||||
|
||||
self.quota.reset_quotas(context, tenant_id)
|
||||
|
@ -691,11 +681,8 @@ class Service(service.RPCService):
|
|||
|
||||
@rpc.expected_exceptions()
|
||||
def get_tenant(self, context, tenant_id):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: tenant_id}
|
||||
else:
|
||||
target = {'tenant_id': tenant_id}
|
||||
|
||||
target = {constants.RBAC_PROJECT_ID: tenant_id,
|
||||
'tenant_id': tenant_id}
|
||||
policy.check('get_tenant', context, target)
|
||||
|
||||
return self.storage.get_tenant(context, tenant_id)
|
||||
|
@ -741,16 +728,11 @@ class Service(service.RPCService):
|
|||
# Default to creating in the current users tenant
|
||||
zone.tenant_id = zone.tenant_id or context.project_id
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'zone_name': zone.name
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': zone.tenant_id,
|
||||
'zone_name': zone.name
|
||||
}
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'tenant_id': zone.tenant_id,
|
||||
'zone_name': zone.name
|
||||
}
|
||||
|
||||
policy.check('create_zone', context, target)
|
||||
|
||||
|
@ -877,20 +859,13 @@ class Service(service.RPCService):
|
|||
|
||||
# TODO(johnsom) This should account for all-projects context
|
||||
# it passes today due to ADMIN
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_shared': zone_shared,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_shared': zone_shared,
|
||||
'tenant_id': zone.tenant_id
|
||||
}
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_shared': zone_shared,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'tenant_id': zone.tenant_id,
|
||||
}
|
||||
|
||||
policy.check('get_zone', context, target)
|
||||
|
||||
|
@ -905,18 +880,12 @@ class Service(service.RPCService):
|
|||
else:
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'tenant_id': zone.tenant_id
|
||||
}
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'tenant_id': zone.tenant_id,
|
||||
}
|
||||
pool_id = zone.pool_id
|
||||
|
||||
policy.check('get_zone_ns_records', context, target)
|
||||
|
@ -934,10 +903,8 @@ class Service(service.RPCService):
|
|||
sort_key=None, sort_dir=None):
|
||||
"""List existing zones including the ones flagged for deletion.
|
||||
"""
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id,
|
||||
'tenant_id': context.project_id}
|
||||
|
||||
policy.check('find_zones', context, target)
|
||||
|
||||
|
@ -953,19 +920,13 @@ class Service(service.RPCService):
|
|||
|
||||
:returns: updated zone
|
||||
"""
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone.obj_get_original_value('id'),
|
||||
'zone_name': zone.obj_get_original_value('name'),
|
||||
constants.RBAC_PROJECT_ID: (
|
||||
zone.obj_get_original_value('tenant_id')),
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone.obj_get_original_value('id'),
|
||||
'zone_name': zone.obj_get_original_value('name'),
|
||||
'tenant_id': zone.obj_get_original_value('tenant_id'),
|
||||
}
|
||||
target = {
|
||||
'zone_id': zone.obj_get_original_value('id'),
|
||||
'zone_name': zone.obj_get_original_value('name'),
|
||||
constants.RBAC_PROJECT_ID: (
|
||||
zone.obj_get_original_value('tenant_id')),
|
||||
'tenant_id': zone.obj_get_original_value('tenant_id'),
|
||||
}
|
||||
|
||||
policy.check('update_zone', context, target)
|
||||
|
||||
|
@ -1031,18 +992,12 @@ class Service(service.RPCService):
|
|||
"""
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'tenant_id': zone.tenant_id
|
||||
}
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'tenant_id': zone.tenant_id,
|
||||
}
|
||||
|
||||
if hasattr(context, 'abandon') and context.abandon:
|
||||
policy.check('abandon_zone', context, target)
|
||||
|
@ -1114,18 +1069,12 @@ class Service(service.RPCService):
|
|||
def xfr_zone(self, context, zone_id):
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'tenant_id': zone.tenant_id
|
||||
}
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'tenant_id': zone.tenant_id,
|
||||
}
|
||||
|
||||
policy.check('xfr_zone', context, target)
|
||||
|
||||
|
@ -1151,14 +1100,10 @@ class Service(service.RPCService):
|
|||
if criterion is None:
|
||||
criterion = {}
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None)
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': criterion.get('tenant_id', None)
|
||||
}
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None),
|
||||
'tenant_id': criterion.get('tenant_id', None),
|
||||
}
|
||||
|
||||
policy.check('count_zones', context, target)
|
||||
|
||||
|
@ -1202,10 +1147,8 @@ class Service(service.RPCService):
|
|||
# Ensure that zone exists and get the zone owner
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: zone.tenant_id}
|
||||
else:
|
||||
target = {'tenant_id': zone.tenant_id}
|
||||
target = {constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'tenant_id': zone.tenant_id}
|
||||
|
||||
policy.check('share_zone', context, target)
|
||||
|
||||
|
@ -1223,10 +1166,8 @@ class Service(service.RPCService):
|
|||
# Ensure the share exists and get the share owner
|
||||
shared_zone = self.get_shared_zone(context, zone_id, zone_share_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: shared_zone.project_id}
|
||||
else:
|
||||
target = {'tenant_id': shared_zone.project_id}
|
||||
target = {constants.RBAC_PROJECT_ID: shared_zone.project_id,
|
||||
'tenant_id': shared_zone.project_id}
|
||||
|
||||
policy.check('unshare_zone', context, target)
|
||||
|
||||
|
@ -1274,12 +1215,11 @@ class Service(service.RPCService):
|
|||
|
||||
if not context.all_tenants and criterion:
|
||||
# Check that they are asking for another projects shares
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: criterion.get(
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: criterion.get(
|
||||
'target_project_id', context.project_id),
|
||||
'tenant_id': criterion.get(
|
||||
'target_project_id', context.project_id)}
|
||||
else:
|
||||
target = {'tenant_id': criterion.get('target_project_id',
|
||||
context.project_id)}
|
||||
|
||||
policy.check('find_project_zone_share', context, target)
|
||||
|
||||
|
@ -1295,10 +1235,8 @@ class Service(service.RPCService):
|
|||
zone_share = self.storage.get_shared_zone(
|
||||
context, zone_id, zone_share_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: zone_share.project_id}
|
||||
else:
|
||||
target = {'tenant_id': zone_share.project_id}
|
||||
target = {constants.RBAC_PROJECT_ID: zone_share.project_id,
|
||||
'tenant_id': zone_share.project_id}
|
||||
|
||||
policy.check('get_zone_share', context, target)
|
||||
|
||||
|
@ -1343,24 +1281,15 @@ class Service(service.RPCService):
|
|||
if zone.action == 'DELETE':
|
||||
raise exceptions.BadRequest('Can not update a deleting zone')
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_type': zone.type,
|
||||
'zone_shared': zone_shared,
|
||||
'recordset_name': recordset.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_type': zone.type,
|
||||
'zone_shared': zone_shared,
|
||||
'recordset_name': recordset.name,
|
||||
'tenant_id': zone.tenant_id,
|
||||
}
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_type': zone.type,
|
||||
'zone_shared': zone_shared,
|
||||
'recordset_name': recordset.name,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'tenant_id': zone.tenant_id,
|
||||
}
|
||||
|
||||
policy.check('create_recordset', context, target)
|
||||
|
||||
|
@ -1466,22 +1395,14 @@ class Service(service.RPCService):
|
|||
zone_shared = self._check_zone_share_permission(context, zone)
|
||||
|
||||
# TODO(johnsom) This should account for all_projects
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone.id,
|
||||
'zone_name': zone.name,
|
||||
'zone_shared': zone_shared,
|
||||
'recordset_id': recordset.id,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone.id,
|
||||
'zone_name': zone.name,
|
||||
'zone_shared': zone_shared,
|
||||
'recordset_id': recordset.id,
|
||||
'tenant_id': zone.tenant_id,
|
||||
}
|
||||
target = {
|
||||
'zone_id': zone.id,
|
||||
'zone_name': zone.name,
|
||||
'zone_shared': zone_shared,
|
||||
'recordset_id': recordset.id,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'tenant_id': zone.tenant_id,
|
||||
}
|
||||
|
||||
policy.check('get_recordset', context, target)
|
||||
|
||||
|
@ -1507,10 +1428,8 @@ class Service(service.RPCService):
|
|||
zone_shared = self._check_zone_share_permission(context, zone)
|
||||
|
||||
# TODO(johnsom) Fix this to be useful
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id,
|
||||
'tenant_id': context.project_id}
|
||||
|
||||
policy.check('find_recordsets', context, target)
|
||||
|
||||
|
@ -1530,10 +1449,8 @@ class Service(service.RPCService):
|
|||
def find_recordset(self, context, criterion=None):
|
||||
|
||||
# TODO(johnsom) Fix this to be useful
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id,
|
||||
'tenant_id': context.project_id}
|
||||
policy.check('find_recordset', context, target)
|
||||
|
||||
recordset = self.storage.find_recordset(context, criterion)
|
||||
|
@ -1584,28 +1501,17 @@ class Service(service.RPCService):
|
|||
|
||||
# TODO(johnsom) This should account for all-projects context
|
||||
# it passes today due to ADMIN
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'recordset_id': recordset.obj_get_original_value('id'),
|
||||
'recordset_project_id': recordset.obj_get_original_value(
|
||||
'tenant_id'),
|
||||
'zone_id': recordset.obj_get_original_value('zone_id'),
|
||||
'zone_name': zone.name,
|
||||
'zone_shared': zone_shared,
|
||||
'zone_type': zone.type,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'recordset_id': recordset.obj_get_original_value('id'),
|
||||
'recordset_project_id': recordset.obj_get_original_value(
|
||||
'tenant_id'),
|
||||
'zone_id': recordset.obj_get_original_value('zone_id'),
|
||||
'zone_name': zone.name,
|
||||
'zone_shared': zone_shared,
|
||||
'zone_type': zone.type,
|
||||
'tenant_id': zone.tenant_id
|
||||
}
|
||||
target = {
|
||||
'recordset_id': recordset.obj_get_original_value('id'),
|
||||
'recordset_project_id': recordset.obj_get_original_value(
|
||||
'tenant_id'),
|
||||
'zone_id': recordset.obj_get_original_value('zone_id'),
|
||||
'zone_name': zone.name,
|
||||
'zone_shared': zone_shared,
|
||||
'zone_type': zone.type,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'tenant_id': zone.tenant_id,
|
||||
}
|
||||
|
||||
policy.check('update_recordset', context, target)
|
||||
|
||||
|
@ -1675,24 +1581,15 @@ class Service(service.RPCService):
|
|||
raise exceptions.BadRequest('Can not update a deleting zone')
|
||||
|
||||
# TODO(johnsom) should handle all_projects
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_type': zone.type,
|
||||
'recordset_id': recordset.id,
|
||||
'recordset_project_id': recordset.tenant_id,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_type': zone.type,
|
||||
'recordset_id': recordset.id,
|
||||
'recordset_project_id': recordset.tenant_id,
|
||||
'tenant_id': zone.tenant_id
|
||||
}
|
||||
target = {
|
||||
'zone_id': zone_id,
|
||||
'zone_name': zone.name,
|
||||
'zone_type': zone.type,
|
||||
'recordset_id': recordset.id,
|
||||
'recordset_project_id': recordset.tenant_id,
|
||||
constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'tenant_id': zone.tenant_id,
|
||||
}
|
||||
|
||||
policy.check('delete_recordset', context, target)
|
||||
|
||||
|
@ -1741,12 +1638,10 @@ class Service(service.RPCService):
|
|||
if criterion is None:
|
||||
criterion = {}
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None)
|
||||
}
|
||||
else:
|
||||
target = {'tenant_id': criterion.get('tenant_id', None)}
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None),
|
||||
'tenant_id': criterion.get('tenant_id', None),
|
||||
}
|
||||
|
||||
policy.check('count_recordsets', context, target)
|
||||
|
||||
|
@ -1757,10 +1652,8 @@ class Service(service.RPCService):
|
|||
def find_records(self, context, criterion=None, marker=None, limit=None,
|
||||
sort_key=None, sort_dir=None):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id,
|
||||
'tenant_id': context.project_id}
|
||||
policy.check('find_records', context, target)
|
||||
|
||||
return self.storage.find_records(context, criterion, marker, limit,
|
||||
|
@ -1771,12 +1664,10 @@ class Service(service.RPCService):
|
|||
if criterion is None:
|
||||
criterion = {}
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None)
|
||||
}
|
||||
else:
|
||||
target = {'tenant_id': criterion.get('tenant_id', None)}
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None),
|
||||
'tenant_id': criterion.get('tenant_id', None),
|
||||
}
|
||||
|
||||
policy.check('count_records', context, target)
|
||||
return self.storage.count_records(context, criterion)
|
||||
|
@ -2483,10 +2374,8 @@ class Service(service.RPCService):
|
|||
if zone.action == 'DELETE':
|
||||
raise exceptions.BadRequest('Can not transfer a deleting zone')
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: zone.tenant_id}
|
||||
else:
|
||||
target = {'tenant_id': zone.tenant_id}
|
||||
target = {constants.RBAC_PROJECT_ID: zone.tenant_id,
|
||||
'tenant_id': zone.tenant_id}
|
||||
|
||||
policy.check('create_zone_transfer_request', context, target)
|
||||
|
||||
|
@ -2513,17 +2402,13 @@ class Service(service.RPCService):
|
|||
elevated_context, zone_transfer_request_id)
|
||||
|
||||
LOG.info('Target Tenant ID found - using scoped policy')
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
|
||||
target_tenant_id),
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'target_tenant_id': zone_transfer_request.target_tenant_id,
|
||||
'tenant_id': zone_transfer_request.tenant_id,
|
||||
}
|
||||
target = {
|
||||
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
|
||||
target_tenant_id),
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
|
||||
'target_tenant_id': zone_transfer_request.target_tenant_id,
|
||||
'tenant_id': zone_transfer_request.tenant_id,
|
||||
}
|
||||
|
||||
policy.check('get_zone_transfer_request', context, target)
|
||||
|
||||
|
@ -2550,14 +2435,10 @@ class Service(service.RPCService):
|
|||
if 'zone_id' in zone_transfer_request.obj_what_changed():
|
||||
raise exceptions.InvalidOperation('Zone cannot be changed')
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': zone_transfer_request.tenant_id,
|
||||
}
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
|
||||
'tenant_id': zone_transfer_request.tenant_id,
|
||||
}
|
||||
policy.check('update_zone_transfer_request', context, target)
|
||||
request = self.storage.update_zone_transfer_request(
|
||||
context, zone_transfer_request)
|
||||
|
@ -2572,12 +2453,10 @@ class Service(service.RPCService):
|
|||
zone_transfer_request = self.storage.get_zone_transfer_request(
|
||||
context, zone_transfer_request_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {'tenant_id': zone_transfer_request.tenant_id}
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
|
||||
'tenant_id': zone_transfer_request.tenant_id,
|
||||
}
|
||||
|
||||
policy.check('delete_zone_transfer_request', context, target)
|
||||
return self.storage.delete_zone_transfer_request(
|
||||
|
@ -2605,15 +2484,11 @@ class Service(service.RPCService):
|
|||
raise exceptions.IncorrectZoneTransferKey(
|
||||
'Key does not match stored key for request')
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
|
||||
target_tenant_id)
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'target_tenant_id': zone_transfer_request.target_tenant_id
|
||||
}
|
||||
target = {
|
||||
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
|
||||
target_tenant_id),
|
||||
'target_tenant_id': zone_transfer_request.target_tenant_id,
|
||||
}
|
||||
|
||||
policy.check('create_zone_transfer_accept', context, target)
|
||||
|
||||
|
@ -2664,14 +2539,10 @@ class Service(service.RPCService):
|
|||
zone_transfer_accept = self.storage.get_zone_transfer_accept(
|
||||
context, zone_transfer_accept_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_accept.tenant_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'tenant_id': zone_transfer_accept.tenant_id
|
||||
}
|
||||
target = {
|
||||
constants.RBAC_PROJECT_ID: zone_transfer_accept.tenant_id,
|
||||
'tenant_id': zone_transfer_accept.tenant_id,
|
||||
}
|
||||
|
||||
policy.check('get_zone_transfer_accept', context, target)
|
||||
|
||||
|
@ -2689,10 +2560,8 @@ class Service(service.RPCService):
|
|||
@rpc.expected_exceptions()
|
||||
@notification.notify_type('dns.zone_import.create')
|
||||
def create_zone_import(self, context, request_body):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id,
|
||||
'tenant_id': context.project_id}
|
||||
|
||||
policy.check('create_zone_import', context, target)
|
||||
|
||||
|
@ -2785,10 +2654,8 @@ class Service(service.RPCService):
|
|||
@rpc.expected_exceptions()
|
||||
@notification.notify_type('dns.zone_import.update')
|
||||
def update_zone_import(self, context, zone_import):
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: zone_import.tenant_id}
|
||||
else:
|
||||
target = {'tenant_id': zone_import.tenant_id}
|
||||
target = {constants.RBAC_PROJECT_ID: zone_import.tenant_id,
|
||||
'tenant_id': zone_import.tenant_id}
|
||||
policy.check('update_zone_import', context, target)
|
||||
|
||||
return self.storage.update_zone_import(context, zone_import)
|
||||
|
@ -2797,10 +2664,8 @@ class Service(service.RPCService):
|
|||
def find_zone_imports(self, context, criterion=None, marker=None,
|
||||
limit=None, sort_key=None, sort_dir=None):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id,
|
||||
'tenant_id': context.project_id}
|
||||
|
||||
policy.check('find_zone_imports', context, target)
|
||||
|
||||
|
@ -2817,10 +2682,8 @@ class Service(service.RPCService):
|
|||
@rpc.expected_exceptions()
|
||||
def get_zone_import(self, context, zone_import_id):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id,
|
||||
'tenant_id': context.project_id}
|
||||
|
||||
policy.check('get_zone_import', context, target)
|
||||
return self.storage.get_zone_import(context, zone_import_id)
|
||||
|
@ -2830,16 +2693,11 @@ class Service(service.RPCService):
|
|||
@transaction
|
||||
def delete_zone_import(self, context, zone_import_id):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_import_id': zone_import_id,
|
||||
constants.RBAC_PROJECT_ID: context.project_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_import_id': zone_import_id,
|
||||
'tenant_id': context.project_id
|
||||
}
|
||||
target = {
|
||||
'zone_import_id': zone_import_id,
|
||||
constants.RBAC_PROJECT_ID: context.project_id,
|
||||
'tenant_id': context.project_id,
|
||||
}
|
||||
|
||||
policy.check('delete_zone_import', context, target)
|
||||
|
||||
|
@ -2854,10 +2712,8 @@ class Service(service.RPCService):
|
|||
# Try getting the zone to ensure it exists
|
||||
zone = self.storage.get_zone(context, zone_id)
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id,
|
||||
'tenant_id': context.project_id}
|
||||
|
||||
policy.check('create_zone_export', context, target)
|
||||
|
||||
|
@ -2884,10 +2740,8 @@ class Service(service.RPCService):
|
|||
def find_zone_exports(self, context, criterion=None, marker=None,
|
||||
limit=None, sort_key=None, sort_dir=None):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id,
|
||||
'tenant_id': context.project_id}
|
||||
policy.check('find_zone_exports', context, target)
|
||||
|
||||
if not criterion:
|
||||
|
@ -2903,10 +2757,8 @@ class Service(service.RPCService):
|
|||
@rpc.expected_exceptions()
|
||||
def get_zone_export(self, context, zone_export_id):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id}
|
||||
else:
|
||||
target = {'tenant_id': context.project_id}
|
||||
target = {constants.RBAC_PROJECT_ID: context.project_id,
|
||||
'tenant_id': context.project_id}
|
||||
|
||||
policy.check('get_zone_export', context, target)
|
||||
|
||||
|
@ -2916,10 +2768,8 @@ class Service(service.RPCService):
|
|||
@notification.notify_type('dns.zone_export.update')
|
||||
def update_zone_export(self, context, zone_export):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {constants.RBAC_PROJECT_ID: zone_export.tenant_id}
|
||||
else:
|
||||
target = {'tenant_id': zone_export.tenant_id}
|
||||
target = {constants.RBAC_PROJECT_ID: zone_export.tenant_id,
|
||||
'tenant_id': zone_export.tenant_id}
|
||||
|
||||
policy.check('update_zone_export', context, target)
|
||||
|
||||
|
@ -2930,16 +2780,11 @@ class Service(service.RPCService):
|
|||
@transaction
|
||||
def delete_zone_export(self, context, zone_export_id):
|
||||
|
||||
if policy.enforce_new_defaults():
|
||||
target = {
|
||||
'zone_export_id': zone_export_id,
|
||||
constants.RBAC_PROJECT_ID: context.project_id
|
||||
}
|
||||
else:
|
||||
target = {
|
||||
'zone_export_id': zone_export_id,
|
||||
'tenant_id': context.project_id
|
||||
}
|
||||
target = {
|
||||
'zone_export_id': zone_export_id,
|
||||
constants.RBAC_PROJECT_ID: context.project_id,
|
||||
'tenant_id': context.project_id,
|
||||
}
|
||||
|
||||
policy.check('delete_zone_export', context, target)
|
||||
|
||||
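Review bot: At the zone import/export call sites (`get_zone_import`, `delete_zone_import`, `create_zone_export`, `find_zone_exports`, `get_zone_export`, `delete_zone_export`) both target keys are filled from `context.project_id`, so an owner-style rule such as `project_id:%(project_id)s` or `tenant_id:%(tenant_id)s` compares the caller's project with itself and cannot deny access to another project's object. The pattern predates this commit, but the merged target now carries it under both key names; `create_zone_export` has already loaded `zone` and could pass `zone.tenant_id`, the way `update_zone_export` passes `zone_export.tenant_id`. If isolation for these calls is meant to come from project filtering in the storage layer (not visible in these hunks), a comment such as `# target is the caller's own project; ownership is enforced by storage` at each site would make that explicit. The function bodies continue outside the hunks.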
|
|
|
@ -1170,7 +1170,9 @@ class CentralZoneTestCase(CentralBasic):
|
|||
'zone_name': 'example.org.',
|
||||
'zone_shared': self.zone_shared,
|
||||
'recordset_id': CentralZoneTestCase.recordset__id,
|
||||
'project_id': '2'}, target)
|
||||
'project_id': '2',
|
||||
'tenant_id': '2',
|
||||
}, target)
|
||||
|
||||
def test_get_recordset_no_zone_id(self):
|
||||
self.service.storage.get_zone.return_value = RoObject(
|
||||
|
@ -1204,7 +1206,9 @@ class CentralZoneTestCase(CentralBasic):
|
|||
'zone_name': 'example.org.',
|
||||
'zone_shared': self.zone_shared,
|
||||
'recordset_id': CentralZoneTestCase.recordset__id,
|
||||
'project_id': '2'}, target)
|
||||
'project_id': '2',
|
||||
'tenant_id': '2',
|
||||
}, target)
|
||||
|
||||
def test_find_recordsets(self):
|
||||
self.context = mock.Mock()
|
||||
|
@ -1213,7 +1217,7 @@ class CentralZoneTestCase(CentralBasic):
|
|||
self.assertTrue(self.service.storage.find_recordsets.called)
|
||||
n, ctx, target = designate.central.service.policy.check.call_args[0]
|
||||
self.assertEqual('find_recordsets', n)
|
||||
self.assertEqual({'project_id': 't'}, target)
|
||||
self.assertEqual({'project_id': 't', 'tenant_id': 't'}, target)
|
||||
|
||||
def test_find_recordset(self):
|
||||
self.context = mock.Mock()
|
||||
|
@ -1223,7 +1227,7 @@ class CentralZoneTestCase(CentralBasic):
|
|||
self.assertTrue(self.service.storage.find_recordset.called)
|
||||
n, ctx, target = designate.central.service.policy.check.call_args[0]
|
||||
self.assertEqual('find_recordset', n)
|
||||
self.assertEqual({'project_id': 't'}, target)
|
||||
self.assertEqual({'project_id': 't', 'tenant_id': 't'}, target)
|
||||
|
||||
def test_update_recordset_fail_on_changes(self):
|
||||
self.service.storage.get_zone.return_value = RoObject()
|
||||
|
@ -1321,7 +1325,9 @@ class CentralZoneTestCase(CentralBasic):
|
|||
'zone_shared': self.zone_shared,
|
||||
'recordset_id': '9c85d9b0-1e9d-4e99-aede-a06664f1af2e',
|
||||
'recordset_project_id': '9c85d9b0-1e9d-4e99-aede-a06664f1af2e',
|
||||
'project_id': '2'}, target)
|
||||
'project_id': '2',
|
||||
'tenant_id': '2',
|
||||
}, target)
|
||||
|
||||
def test_update_recordset_in_storage(self):
|
||||
recordset = mock.Mock()
|
||||
|
@ -1557,7 +1563,7 @@ class CentralZoneTestCase(CentralBasic):
|
|||
self.service.count_recordsets(self.context)
|
||||
n, ctx, target = designate.central.service.policy.check.call_args[0]
|
||||
self.assertEqual('count_recordsets', n)
|
||||
self.assertEqual({'project_id': None}, target)
|
||||
self.assertEqual({'project_id': None, 'tenant_id': None}, target)
|
||||
self.assertEqual(
|
||||
{},
|
||||
self.service.storage.count_recordsets.call_args[0][1]
|
||||
|
@ -1567,7 +1573,7 @@ class CentralZoneTestCase(CentralBasic):
|
|||
self.service.count_records(self.context)
|
||||
t, ctx, target = designate.central.service.policy.check.call_args[0]
|
||||
self.assertEqual('count_records', t)
|
||||
self.assertEqual({'project_id': None}, target)
|
||||
self.assertEqual({'project_id': None, 'tenant_id': None}, target)
|
||||
|
||||
def test_determine_floatingips(self):
|
||||
self.context = mock.Mock()
|
||||
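Review bot: The updated assertions cover only the recordset and count targets, so nothing in this section pins the merged target at the zone transfer call sites, where two different owners (`tenant_id` and `target_tenant_id`) now appear under both the legacy and the RBAC key names. Tests for those methods may exist outside these hunks, but if none asserts the exact dictionary, an `assertEqual` on `policy.check.call_args[0]` for `get_zone_transfer_request`, in the style of `test_find_recordsets`, would catch a swapped or dropped key. The test methods shown start or end outside the hunks.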
|
|