Require correct project context for quota operations

Because of the recent change in the SRBAC design, the quota APIs now
require project scope and no longer support system scope[1]. So we
should revert the logic that bypassed the project scope check, which was
added to support system scope[2].

[1] c2e51939b4
[2] 5f87d207b4

Change-Id: I0c4fd340dd657613ec69109fccd51bda0b3ec3d0
Takashi Kajinami 2023-11-09 01:30:44 +09:00
parent 1912f7015e
commit e7a1603314


@ -530,11 +530,9 @@ class Service(service.RPCService):
else:
target = {'tenant_id': tenant_id}
policy.check('get_quotas', context, target)
# TODO(johnsom) Deprecated since Wallaby, remove with legacy default
# policies. System scoped admin doesn't have a project_id
if (tenant_id != context.project_id and not context.all_tenants and not
policy.enforce_new_defaults()):
# NOTE(tkajinam): get_quotas now requires project scope so we assume
# the context should contain project_id
if (tenant_id != context.project_id and not context.all_tenants):
raise exceptions.Forbidden()
return self.quota.get_quotas(context, tenant_id)
@ -556,10 +554,9 @@ class Service(service.RPCService):
}
policy.check('set_quota', context, target)
# TODO(johnsom) Deprecated since Wallaby, remove with legacy default
# policies. System scoped admin doesn't have a project_id
if (tenant_id != context.project_id and not context.all_tenants and not
policy.enforce_new_defaults()):
# NOTE(tkajinam): set_quota now requires project scope so we assume
# the context should contain project_id
if (tenant_id != context.project_id and not context.all_tenants):
raise exceptions.Forbidden()
return self.quota.set_quota(context, tenant_id, resource, hard_limit)
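Review bot: The new NOTE in the set_quota hunk (and the matching one in get_quotas) says the context is assumed to carry a project_id, but nothing in the visible lines enforces that assumption. When `context.all_tenants` is true the comparison is skipped, so a context with no project_id would reach `self.quota.set_quota(...)` on the strength of `policy.check('set_quota', ...)` alone. If project scope is now mandatory, failing closed would make the intent explicit: `if context.project_id is None: raise exceptions.Forbidden()` ahead of the existing comparison. Otherwise, reword the comment to state what happens, e.g. `# A context without project_id is rejected here unless all_tenants is set.` Both method bodies start outside their hunks, so an earlier guard may already cover this. A unit test with a project-less context on both paths would pin the behaviour either way.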