From 6bfeee5bafdf80ba33526dbae5bb5cb26b025220 Mon Sep 17 00:00:00 2001
From: David Lyle
Date: Thu, 25 Jun 2015 14:13:59 -0600
Subject: [PATCH] Adding policy check in quota call

The default policy for server_list API in nova has changed. This exposed a problem in the way Horizon was calling server_list when reading quota values. The call was always made with all_tenants=True, which is only something admin should be able to do. Instead of ignoring the privilege problem in the API as in the past, there is a pre-emptive policy check that makes the call fail. The fix in Horizon is to only pass in all_tenants=True when the user has the appropriate privilege level. nova_policy.json has been updated with the appropriate default and the permission check has been added. Removing passing in all_tenants=True at all was contemplated, but when setting quota values on projects in the identity dashboard, the administrator level user needs to read quota values from a project that they are not currently scoped to. This fixes the error on the network topology screen that was the motivation for the original bug report.

Closes-Bug: #1468551
Change-Id: I4255c57f81a13cac121596c99eea4ac629ed9ca7
---
 openstack_dashboard/conf/nova_policy.json | 2 +-
 openstack_dashboard/usage/quotas.py | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/openstack_dashboard/conf/nova_policy.json b/openstack_dashboard/conf/nova_policy.json
index 487e46c118..8f81561056 100644
--- a/openstack_dashboard/conf/nova_policy.json
+++ b/openstack_dashboard/conf/nova_policy.json
@@ -11,7 +11,7 @@
     "compute:create:forced_host": "is_admin:True",
     "compute:delete": "rule:default",
     "compute:get_all": "",
-    "compute:get_all_tenants": "",
+    "compute:get_all_tenants": "is_admin:True",
     "compute:reboot": "rule:default",
     "compute:rebuild": "rule:default",
     "compute:snapshot": "rule:default",
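Review bot: The tightened `compute:get_all_tenants` rule is a local copy that Horizon evaluates itself, so it only matches nova's behaviour for as long as the two policy files agree; a deployment that relaxes or customises nova's rule will see quotas.py refuse to pass `all_tenants=True` where nova would have accepted it, or the reverse. JSON has no comment syntax, so the place to record that is the documentation for the policy files (the `POLICY_FILES` setting docs), stating that this entry mirrors nova's default and must be updated together with it.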
diff --git a/openstack_dashboard/usage/quotas.py b/openstack_dashboard/usage/quotas.py
index 7cfce73e79..7a2245d08a 100644
--- a/openstack_dashboard/usage/quotas.py
+++ b/openstack_dashboard/usage/quotas.py
@@ -24,6 +24,7 @@ from openstack_dashboard.api import cinder
 from openstack_dashboard.api import network
 from openstack_dashboard.api import neutron
 from openstack_dashboard.api import nova
+from openstack_dashboard import policy
 
 LOG = logging.getLogger(__name__)
 
@@ -254,8 +255,14 @@ def get_disabled_quotas(request):
 
 def _get_tenant_compute_usages(request, usages, disabled_quotas, tenant_id):
     if tenant_id:
+        # determine if the user has permission to view across projects
+        # there are cases where an administrator wants to check the quotas
+        # on a project they are not scoped to
+        all_tenants = policy.check((("compute", "compute:get_all_tenants"),),
+                                  request)
         instances, has_more = nova.server_list(
-            request, search_opts={'tenant_id': tenant_id}, all_tenants=True)
+            request, search_opts={'tenant_id': tenant_id},
+            all_tenants=all_tenants)
     else:
         instances, has_more = nova.server_list(request)
 
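Review bot: When the policy check fails but `tenant_id` names a project the user is not scoped to, the new code still passes `search_opts={'tenant_id': tenant_id}` with `all_tenants=False`; nova then applies its own project scoping, so the usages recorded for `tenant_id` may silently be those of the caller's own project rather than an error (the exact behaviour depends on the nova version, so confirm). A cheap guard would make that mismatch visible, e.g. `if not all_tenants and tenant_id != request.user.tenant_id: LOG.debug("no compute:get_all_tenants permission; usage for %s computed from the caller's scope", tenant_id)`. The added comment should also name where the rule comes from, e.g. `# compute:get_all_tenants is defined in conf/nova_policy.json and must track nova's own default`. The body of _get_tenant_compute_usages continues past the end of the hunk.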