Require correct project context for quota operations
Because of the recent change in SRBAC design, now quota apis require project sopce and no longer supports system scope[1]. So we should revert these logics to bypass project scope check, which was added to support system scope[2]. [1]c2e51939b4
[2]5f87d207b4
Change-Id: I0c4fd340dd657613ec69109fccd51bda0b3ec3d0
This commit is contained in:
parent
1912f7015e
commit
e7a1603314
@ -530,11 +530,9 @@ class Service(service.RPCService):
|
||||
else:
|
||||
target = {'tenant_id': tenant_id}
|
||||
policy.check('get_quotas', context, target)
|
||||
|
||||
# TODO(johnsom) Deprecated since Wallaby, remove with legacy default
|
||||
# policies. System scoped admin doesn't have a project_id
|
||||
if (tenant_id != context.project_id and not context.all_tenants and not
|
||||
policy.enforce_new_defaults()):
|
||||
# NOTE(tkajinam): get_quotas now requires project scope so we assume
|
||||
# the context should contain project_id
|
||||
if (tenant_id != context.project_id and not context.all_tenants):
|
||||
raise exceptions.Forbidden()
|
||||
|
||||
return self.quota.get_quotas(context, tenant_id)
|
||||
@ -556,10 +554,9 @@ class Service(service.RPCService):
|
||||
}
|
||||
|
||||
policy.check('set_quota', context, target)
|
||||
# TODO(johnsom) Deprecated since Wallaby, remove with legacy default
|
||||
# policies. System scoped admin doesn't have a project_id
|
||||
if (tenant_id != context.project_id and not context.all_tenants and not
|
||||
policy.enforce_new_defaults()):
|
||||
# NOTE(tkajinam): set_quota now requires project scope so we assume
|
||||
# the context should contain project_id
|
||||
if (tenant_id != context.project_id and not context.all_tenants):
|
||||
raise exceptions.Forbidden()
|
||||
|
||||
return self.quota.set_quota(context, tenant_id, resource, hard_limit)
|
||||
|
Loading…
Reference in New Issue
Block a user