Check RBAC policy for nested stacks

This prevents stacks with forbidden resources start to create/update or stuck in DELETE_IN_PROGRESS state, if delete the stack with admin resources in nested stacks. Also we need to allow get id of resource that in SUSPEND state, because of we use stack preview in SUSPEND state. Change-Id: I328891e62b4f4bcf620c52ef9d4d8ab60801a651 Closes-Bug: #1539145
2016-03-07 17:16:29 +02:00
parent 3bbfb3e69d
commit a8accbba98
3 changed files with 30 additions and 1 deletions
--- a/heat/common/policy.py
+++ b/heat/common/policy.py
@@ -24,7 +24,6 @@ import six

 from heat.common import exception

-
 CONF = cfg.CONF
 LOG = logging.getLogger(__name__)

@@ -111,5 +110,12 @@ class ResourceEnforcer(Enforcer):
                return result

    def enforce_stack(self, stack, scope=None, target=None):
+        stack.preview_resources()
        for res in stack.resources.values():
+            if res.has_nested():
+                self.enforce_stack(res.nested())
+                # After the preview_resources() call nested stack name will
+                # be equal to stack.name + res.name, without uuid part. Get
+                # rid of the side effect of preview.
+                res._nested = None
            self.enforce(stack.context, res.type(), scope=scope, target=target)
--- a/heat/engine/stack.py
+++ b/heat/engine/stack.py
@@ -685,6 +685,8 @@ class Stack(collections.Mapping):
                    (r.CREATE, r.COMPLETE),
                    (r.RESUME, r.IN_PROGRESS),
                    (r.RESUME, r.COMPLETE),
+                    (r.SUSPEND, r.IN_PROGRESS),
+                    (r.SUSPEND, r.COMPLETE),
                    (r.UPDATE, r.IN_PROGRESS),
                    (r.UPDATE, r.COMPLETE)) and
                    (r.FnGetRefId() == refid or r.name == refid)):
--- a/heat_integrationtests/functional/test_conditional_exposure.py
+++ b/heat_integrationtests/functional/test_conditional_exposure.py
@@ -76,6 +76,19 @@ resources:
      ram: 20000
      vcpus: 10
 """
+    fl_tmpl_nested = """
+heat_template_version: 2015-10-15
+resources:
+  not4everyonerg:
+    type: OS::Heat::ResourceGroup
+    properties:
+        count: 1
+        resource_def:
+            type: OS::Nova::Flavor
+            properties:
+              ram: 20000
+              vcpus: 10
+"""

    def test_non_admin_forbidden_create_flavors(self):
        """Fail to create Flavor resource w/o admin role.
@@ -95,3 +108,11 @@ resources:
        resources = self.client.resource_types.list()
        self.assertNotIn(self.forbidden_resource_type,
                         (r.resource_type for r in resources))
+
+    def test_non_admin_forbidden_create_flavors_nested(self):
+        stack_name = self._stack_rand_name()
+        ex = self.assertRaises(exc.Forbidden,
+                               self.client.stacks.create,
+                               stack_name=stack_name,
+                               template=self.fl_tmpl_nested)
+        self.assertIn(self.forbidden_resource_type, ex.message)