Make policy target independent of new defaults

Making the set of available and working policy checks dependent on the value of
enforce_new_defaults is counterintuitive, and it forces operators
to rewrite existing policies when switching to the new defaults.

Closes-Bug: #2012513
Change-Id: I878ed0be24127dd3e1e377ec61bcf09d96fcbe20
This commit is contained in:
Pavlo Shchelokovskyy 2023-03-22 13:44:36 +00:00
parent 5703810a40
commit da42d596a1
2 changed files with 182 additions and 331 deletions


@ -530,11 +530,9 @@ class Service(service.RPCService):
# Quota Methods
@rpc.expected_exceptions()
def get_quotas(self, context, tenant_id):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: tenant_id,
'all_tenants': context.all_tenants}
else:
target = {'tenant_id': tenant_id}
target = {constants.RBAC_PROJECT_ID: tenant_id,
'tenant_id': tenant_id,
'all_tenants': context.all_tenants}
policy.check('get_quotas', context, target)
# TODO(johnsom) Deprecated since Wallaby, remove with legacy default
@ -548,18 +546,12 @@ class Service(service.RPCService):
@rpc.expected_exceptions()
@transaction
def set_quota(self, context, tenant_id, resource, hard_limit):
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: tenant_id,
'resource': resource,
'hard_limit': hard_limit,
}
else:
target = {
'tenant_id': tenant_id,
'resource': resource,
'hard_limit': hard_limit,
}
target = {
constants.RBAC_PROJECT_ID: tenant_id,
'tenant_id': tenant_id,
'resource': resource,
'hard_limit': hard_limit,
}
policy.check('set_quota', context, target)
# TODO(johnsom) Deprecated since Wallaby, remove with legacy default
@ -572,10 +564,8 @@ class Service(service.RPCService):
@transaction
def reset_quotas(self, context, tenant_id):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: tenant_id}
else:
target = {'tenant_id': tenant_id}
target = {constants.RBAC_PROJECT_ID: tenant_id,
'tenant_id': tenant_id}
policy.check('reset_quotas', context, target)
self.quota.reset_quotas(context, tenant_id)
@ -691,11 +681,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions()
def get_tenant(self, context, tenant_id):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: tenant_id}
else:
target = {'tenant_id': tenant_id}
target = {constants.RBAC_PROJECT_ID: tenant_id,
'tenant_id': tenant_id}
policy.check('get_tenant', context, target)
return self.storage.get_tenant(context, tenant_id)
@ -741,16 +728,11 @@ class Service(service.RPCService):
# Default to creating in the current users tenant
zone.tenant_id = zone.tenant_id or context.project_id
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: zone.tenant_id,
'zone_name': zone.name
}
else:
target = {
'tenant_id': zone.tenant_id,
'zone_name': zone.name
}
target = {
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id,
'zone_name': zone.name
}
policy.check('create_zone', context, target)
@ -877,20 +859,13 @@ class Service(service.RPCService):
# TODO(johnsom) This should account for all-projects context
# it passes today due to ADMIN
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_shared': zone_shared,
constants.RBAC_PROJECT_ID: zone.tenant_id
}
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_shared': zone_shared,
'tenant_id': zone.tenant_id
}
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_shared': zone_shared,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id,
}
policy.check('get_zone', context, target)
@ -905,18 +880,12 @@ class Service(service.RPCService):
else:
zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
'zone_name': zone.name,
constants.RBAC_PROJECT_ID: zone.tenant_id
}
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'tenant_id': zone.tenant_id
}
target = {
'zone_id': zone_id,
'zone_name': zone.name,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id,
}
pool_id = zone.pool_id
policy.check('get_zone_ns_records', context, target)
@ -934,10 +903,8 @@ class Service(service.RPCService):
sort_key=None, sort_dir=None):
"""List existing zones including the ones flagged for deletion.
"""
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('find_zones', context, target)
@ -953,19 +920,13 @@ class Service(service.RPCService):
:returns: updated zone
"""
if policy.enforce_new_defaults():
target = {
'zone_id': zone.obj_get_original_value('id'),
'zone_name': zone.obj_get_original_value('name'),
constants.RBAC_PROJECT_ID: (
zone.obj_get_original_value('tenant_id')),
}
else:
target = {
'zone_id': zone.obj_get_original_value('id'),
'zone_name': zone.obj_get_original_value('name'),
'tenant_id': zone.obj_get_original_value('tenant_id'),
}
target = {
'zone_id': zone.obj_get_original_value('id'),
'zone_name': zone.obj_get_original_value('name'),
constants.RBAC_PROJECT_ID: (
zone.obj_get_original_value('tenant_id')),
'tenant_id': zone.obj_get_original_value('tenant_id'),
}
policy.check('update_zone', context, target)
@ -1031,18 +992,12 @@ class Service(service.RPCService):
"""
zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
'zone_name': zone.name,
constants.RBAC_PROJECT_ID: zone.tenant_id
}
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'tenant_id': zone.tenant_id
}
target = {
'zone_id': zone_id,
'zone_name': zone.name,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id,
}
if hasattr(context, 'abandon') and context.abandon:
policy.check('abandon_zone', context, target)
@ -1114,18 +1069,12 @@ class Service(service.RPCService):
def xfr_zone(self, context, zone_id):
zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
'zone_name': zone.name,
constants.RBAC_PROJECT_ID: zone.tenant_id
}
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'tenant_id': zone.tenant_id
}
target = {
'zone_id': zone_id,
'zone_name': zone.name,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id,
}
policy.check('xfr_zone', context, target)
@ -1151,14 +1100,10 @@ class Service(service.RPCService):
if criterion is None:
criterion = {}
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None)
}
else:
target = {
'tenant_id': criterion.get('tenant_id', None)
}
target = {
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None),
'tenant_id': criterion.get('tenant_id', None),
}
policy.check('count_zones', context, target)
@ -1202,10 +1147,8 @@ class Service(service.RPCService):
# Ensure that zone exists and get the zone owner
zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: zone.tenant_id}
else:
target = {'tenant_id': zone.tenant_id}
target = {constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id}
policy.check('share_zone', context, target)
@ -1223,10 +1166,8 @@ class Service(service.RPCService):
# Ensure the share exists and get the share owner
shared_zone = self.get_shared_zone(context, zone_id, zone_share_id)
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: shared_zone.project_id}
else:
target = {'tenant_id': shared_zone.project_id}
target = {constants.RBAC_PROJECT_ID: shared_zone.project_id,
'tenant_id': shared_zone.project_id}
policy.check('unshare_zone', context, target)
@ -1274,12 +1215,11 @@ class Service(service.RPCService):
if not context.all_tenants and criterion:
# Check that they are asking for another projects shares
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: criterion.get(
target = {
constants.RBAC_PROJECT_ID: criterion.get(
'target_project_id', context.project_id),
'tenant_id': criterion.get(
'target_project_id', context.project_id)}
else:
target = {'tenant_id': criterion.get('target_project_id',
context.project_id)}
policy.check('find_project_zone_share', context, target)
@ -1295,10 +1235,8 @@ class Service(service.RPCService):
zone_share = self.storage.get_shared_zone(
context, zone_id, zone_share_id)
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: zone_share.project_id}
else:
target = {'tenant_id': zone_share.project_id}
target = {constants.RBAC_PROJECT_ID: zone_share.project_id,
'tenant_id': zone_share.project_id}
policy.check('get_zone_share', context, target)
@ -1343,24 +1281,15 @@ class Service(service.RPCService):
if zone.action == 'DELETE':
raise exceptions.BadRequest('Can not update a deleting zone')
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'zone_shared': zone_shared,
'recordset_name': recordset.name,
constants.RBAC_PROJECT_ID: zone.tenant_id,
}
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'zone_shared': zone_shared,
'recordset_name': recordset.name,
'tenant_id': zone.tenant_id,
}
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'zone_shared': zone_shared,
'recordset_name': recordset.name,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id,
}
policy.check('create_recordset', context, target)
@ -1466,22 +1395,14 @@ class Service(service.RPCService):
zone_shared = self._check_zone_share_permission(context, zone)
# TODO(johnsom) This should account for all_projects
if policy.enforce_new_defaults():
target = {
'zone_id': zone.id,
'zone_name': zone.name,
'zone_shared': zone_shared,
'recordset_id': recordset.id,
constants.RBAC_PROJECT_ID: zone.tenant_id,
}
else:
target = {
'zone_id': zone.id,
'zone_name': zone.name,
'zone_shared': zone_shared,
'recordset_id': recordset.id,
'tenant_id': zone.tenant_id,
}
target = {
'zone_id': zone.id,
'zone_name': zone.name,
'zone_shared': zone_shared,
'recordset_id': recordset.id,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id,
}
policy.check('get_recordset', context, target)
@ -1507,10 +1428,8 @@ class Service(service.RPCService):
zone_shared = self._check_zone_share_permission(context, zone)
# TODO(johnsom) Fix this to be useful
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('find_recordsets', context, target)
@ -1530,10 +1449,8 @@ class Service(service.RPCService):
def find_recordset(self, context, criterion=None):
# TODO(johnsom) Fix this to be useful
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('find_recordset', context, target)
recordset = self.storage.find_recordset(context, criterion)
@ -1584,28 +1501,17 @@ class Service(service.RPCService):
# TODO(johnsom) This should account for all-projects context
# it passes today due to ADMIN
if policy.enforce_new_defaults():
target = {
'recordset_id': recordset.obj_get_original_value('id'),
'recordset_project_id': recordset.obj_get_original_value(
'tenant_id'),
'zone_id': recordset.obj_get_original_value('zone_id'),
'zone_name': zone.name,
'zone_shared': zone_shared,
'zone_type': zone.type,
constants.RBAC_PROJECT_ID: zone.tenant_id
}
else:
target = {
'recordset_id': recordset.obj_get_original_value('id'),
'recordset_project_id': recordset.obj_get_original_value(
'tenant_id'),
'zone_id': recordset.obj_get_original_value('zone_id'),
'zone_name': zone.name,
'zone_shared': zone_shared,
'zone_type': zone.type,
'tenant_id': zone.tenant_id
}
target = {
'recordset_id': recordset.obj_get_original_value('id'),
'recordset_project_id': recordset.obj_get_original_value(
'tenant_id'),
'zone_id': recordset.obj_get_original_value('zone_id'),
'zone_name': zone.name,
'zone_shared': zone_shared,
'zone_type': zone.type,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id,
}
policy.check('update_recordset', context, target)
@ -1675,24 +1581,15 @@ class Service(service.RPCService):
raise exceptions.BadRequest('Can not update a deleting zone')
# TODO(johnsom) should handle all_projects
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'recordset_id': recordset.id,
'recordset_project_id': recordset.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id
}
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'recordset_id': recordset.id,
'recordset_project_id': recordset.tenant_id,
'tenant_id': zone.tenant_id
}
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'recordset_id': recordset.id,
'recordset_project_id': recordset.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id,
}
policy.check('delete_recordset', context, target)
@ -1741,12 +1638,10 @@ class Service(service.RPCService):
if criterion is None:
criterion = {}
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None)
}
else:
target = {'tenant_id': criterion.get('tenant_id', None)}
target = {
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None),
'tenant_id': criterion.get('tenant_id', None),
}
policy.check('count_recordsets', context, target)
@ -1757,10 +1652,8 @@ class Service(service.RPCService):
def find_records(self, context, criterion=None, marker=None, limit=None,
sort_key=None, sort_dir=None):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('find_records', context, target)
return self.storage.find_records(context, criterion, marker, limit,
@ -1771,12 +1664,10 @@ class Service(service.RPCService):
if criterion is None:
criterion = {}
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None)
}
else:
target = {'tenant_id': criterion.get('tenant_id', None)}
target = {
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None),
'tenant_id': criterion.get('tenant_id', None),
}
policy.check('count_records', context, target)
return self.storage.count_records(context, criterion)
@ -2483,10 +2374,8 @@ class Service(service.RPCService):
if zone.action == 'DELETE':
raise exceptions.BadRequest('Can not transfer a deleting zone')
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: zone.tenant_id}
else:
target = {'tenant_id': zone.tenant_id}
target = {constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id}
policy.check('create_zone_transfer_request', context, target)
@ -2513,17 +2402,13 @@ class Service(service.RPCService):
elevated_context, zone_transfer_request_id)
LOG.info('Target Tenant ID found - using scoped policy')
if policy.enforce_new_defaults():
target = {
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
target_tenant_id),
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
}
else:
target = {
'target_tenant_id': zone_transfer_request.target_tenant_id,
'tenant_id': zone_transfer_request.tenant_id,
}
target = {
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
target_tenant_id),
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
'target_tenant_id': zone_transfer_request.target_tenant_id,
'tenant_id': zone_transfer_request.tenant_id,
}
policy.check('get_zone_transfer_request', context, target)
@ -2550,14 +2435,10 @@ class Service(service.RPCService):
if 'zone_id' in zone_transfer_request.obj_what_changed():
raise exceptions.InvalidOperation('Zone cannot be changed')
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
}
else:
target = {
'tenant_id': zone_transfer_request.tenant_id,
}
target = {
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
'tenant_id': zone_transfer_request.tenant_id,
}
policy.check('update_zone_transfer_request', context, target)
request = self.storage.update_zone_transfer_request(
context, zone_transfer_request)
@ -2572,12 +2453,10 @@ class Service(service.RPCService):
zone_transfer_request = self.storage.get_zone_transfer_request(
context, zone_transfer_request_id)
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id
}
else:
target = {'tenant_id': zone_transfer_request.tenant_id}
target = {
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
'tenant_id': zone_transfer_request.tenant_id,
}
policy.check('delete_zone_transfer_request', context, target)
return self.storage.delete_zone_transfer_request(
@ -2605,15 +2484,11 @@ class Service(service.RPCService):
raise exceptions.IncorrectZoneTransferKey(
'Key does not match stored key for request')
if policy.enforce_new_defaults():
target = {
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
target_tenant_id)
}
else:
target = {
'target_tenant_id': zone_transfer_request.target_tenant_id
}
target = {
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
target_tenant_id),
'target_tenant_id': zone_transfer_request.target_tenant_id,
}
policy.check('create_zone_transfer_accept', context, target)
@ -2664,14 +2539,10 @@ class Service(service.RPCService):
zone_transfer_accept = self.storage.get_zone_transfer_accept(
context, zone_transfer_accept_id)
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: zone_transfer_accept.tenant_id
}
else:
target = {
'tenant_id': zone_transfer_accept.tenant_id
}
target = {
constants.RBAC_PROJECT_ID: zone_transfer_accept.tenant_id,
'tenant_id': zone_transfer_accept.tenant_id,
}
policy.check('get_zone_transfer_accept', context, target)
@ -2689,10 +2560,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions()
@notification.notify_type('dns.zone_import.create')
def create_zone_import(self, context, request_body):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('create_zone_import', context, target)
@ -2785,10 +2654,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions()
@notification.notify_type('dns.zone_import.update')
def update_zone_import(self, context, zone_import):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: zone_import.tenant_id}
else:
target = {'tenant_id': zone_import.tenant_id}
target = {constants.RBAC_PROJECT_ID: zone_import.tenant_id,
'tenant_id': zone_import.tenant_id}
policy.check('update_zone_import', context, target)
return self.storage.update_zone_import(context, zone_import)
@ -2797,10 +2664,8 @@ class Service(service.RPCService):
def find_zone_imports(self, context, criterion=None, marker=None,
limit=None, sort_key=None, sort_dir=None):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('find_zone_imports', context, target)
@ -2817,10 +2682,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions()
def get_zone_import(self, context, zone_import_id):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('get_zone_import', context, target)
return self.storage.get_zone_import(context, zone_import_id)
@ -2830,16 +2693,11 @@ class Service(service.RPCService):
@transaction
def delete_zone_import(self, context, zone_import_id):
if policy.enforce_new_defaults():
target = {
'zone_import_id': zone_import_id,
constants.RBAC_PROJECT_ID: context.project_id
}
else:
target = {
'zone_import_id': zone_import_id,
'tenant_id': context.project_id
}
target = {
'zone_import_id': zone_import_id,
constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id,
}
policy.check('delete_zone_import', context, target)
@ -2854,10 +2712,8 @@ class Service(service.RPCService):
# Try getting the zone to ensure it exists
zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('create_zone_export', context, target)
@ -2884,10 +2740,8 @@ class Service(service.RPCService):
def find_zone_exports(self, context, criterion=None, marker=None,
limit=None, sort_key=None, sort_dir=None):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('find_zone_exports', context, target)
if not criterion:
@ -2903,10 +2757,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions()
def get_zone_export(self, context, zone_export_id):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('get_zone_export', context, target)
@ -2916,10 +2768,8 @@ class Service(service.RPCService):
@notification.notify_type('dns.zone_export.update')
def update_zone_export(self, context, zone_export):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: zone_export.tenant_id}
else:
target = {'tenant_id': zone_export.tenant_id}
target = {constants.RBAC_PROJECT_ID: zone_export.tenant_id,
'tenant_id': zone_export.tenant_id}
policy.check('update_zone_export', context, target)
@ -2930,16 +2780,11 @@ class Service(service.RPCService):
@transaction
def delete_zone_export(self, context, zone_export_id):
if policy.enforce_new_defaults():
target = {
'zone_export_id': zone_export_id,
constants.RBAC_PROJECT_ID: context.project_id
}
else:
target = {
'zone_export_id': zone_export_id,
'tenant_id': context.project_id
}
target = {
'zone_export_id': zone_export_id,
constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id,
}
policy.check('delete_zone_export', context, target)
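Review bot: The rebuilt targets in count_zones, count_recordsets, count_records and find_project_zone_share evaluate the same `criterion.get(...)` lookup twice to fill `constants.RBAC_PROJECT_ID` and `'tenant_id'`; binding it once keeps the two keys visibly identical, e.g. `project_id = criterion.get('tenant_id')` followed by `target = {constants.RBAC_PROJECT_ID: project_id, 'tenant_id': project_id}`. Every other hunk now carries the same value under both keys without saying why, so a short comment at the first site (get_quotas) such as `# Populate both the new project_id key and the legacy tenant_id key so rules written against either naming resolve` would spare the next reader from recovering the rationale from the commit message. Note that get_quotas now always includes `'all_tenants'` in the target, which the legacy branch did not pass; this looks intentional but is a behavior change for operators running with legacy rules that reference that key. The enclosing methods in each of these hunks start or end outside the hunk.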


@ -1170,7 +1170,9 @@ class CentralZoneTestCase(CentralBasic):
'zone_name': 'example.org.',
'zone_shared': self.zone_shared,
'recordset_id': CentralZoneTestCase.recordset__id,
'project_id': '2'}, target)
'project_id': '2',
'tenant_id': '2',
}, target)
def test_get_recordset_no_zone_id(self):
self.service.storage.get_zone.return_value = RoObject(
@ -1204,7 +1206,9 @@ class CentralZoneTestCase(CentralBasic):
'zone_name': 'example.org.',
'zone_shared': self.zone_shared,
'recordset_id': CentralZoneTestCase.recordset__id,
'project_id': '2'}, target)
'project_id': '2',
'tenant_id': '2',
}, target)
def test_find_recordsets(self):
self.context = mock.Mock()
@ -1213,7 +1217,7 @@ class CentralZoneTestCase(CentralBasic):
self.assertTrue(self.service.storage.find_recordsets.called)
n, ctx, target = designate.central.service.policy.check.call_args[0]
self.assertEqual('find_recordsets', n)
self.assertEqual({'project_id': 't'}, target)
self.assertEqual({'project_id': 't', 'tenant_id': 't'}, target)
def test_find_recordset(self):
self.context = mock.Mock()
@ -1223,7 +1227,7 @@ class CentralZoneTestCase(CentralBasic):
self.assertTrue(self.service.storage.find_recordset.called)
n, ctx, target = designate.central.service.policy.check.call_args[0]
self.assertEqual('find_recordset', n)
self.assertEqual({'project_id': 't'}, target)
self.assertEqual({'project_id': 't', 'tenant_id': 't'}, target)
def test_update_recordset_fail_on_changes(self):
self.service.storage.get_zone.return_value = RoObject()
@ -1321,7 +1325,9 @@ class CentralZoneTestCase(CentralBasic):
'zone_shared': self.zone_shared,
'recordset_id': '9c85d9b0-1e9d-4e99-aede-a06664f1af2e',
'recordset_project_id': '9c85d9b0-1e9d-4e99-aede-a06664f1af2e',
'project_id': '2'}, target)
'project_id': '2',
'tenant_id': '2',
}, target)
def test_update_recordset_in_storage(self):
recordset = mock.Mock()
@ -1557,7 +1563,7 @@ class CentralZoneTestCase(CentralBasic):
self.service.count_recordsets(self.context)
n, ctx, target = designate.central.service.policy.check.call_args[0]
self.assertEqual('count_recordsets', n)
self.assertEqual({'project_id': None}, target)
self.assertEqual({'project_id': None, 'tenant_id': None}, target)
self.assertEqual(
{},
self.service.storage.count_recordsets.call_args[0][1]
@ -1567,7 +1573,7 @@ class CentralZoneTestCase(CentralBasic):
self.service.count_records(self.context)
t, ctx, target = designate.central.service.policy.check.call_args[0]
self.assertEqual('count_records', t)
self.assertEqual({'project_id': None}, target)
self.assertEqual({'project_id': None, 'tenant_id': None}, target)
def test_determine_floatingips(self):
self.context = mock.Mock()