Adding policy check in quota call
The default policy for the server_list API in nova has changed. This exposed a problem in the way Horizon was calling server_list when reading quota values. The call was always made with all_tenants=True, which only an admin should be able to do. Instead of ignoring the privilege problem as in the past, the API now performs a pre-emptive policy check that makes the call fail. The fix in Horizon is to pass all_tenants=True only when the user has the appropriate privilege level. nova_policy.json has been updated with the appropriate default and the permission check has been added. Dropping all_tenants=True altogether was considered, but when setting quota values on projects in the identity dashboard, the administrator-level user needs to read quota values from a project that they are not currently scoped to. This fixes the error on the network topology screen that was the motivation for the original bug report. Closes-Bug: #1468551 Change-Id: I4255c57f81a13cac121596c99eea4ac629ed9ca7
parent
f1779d8cef
commit
6bfeee5baf
@ -11,7 +11,7 @@
|
|||||||
"compute:create:forced_host": "is_admin:True",
|
"compute:create:forced_host": "is_admin:True",
|
||||||
"compute:delete": "rule:default",
|
"compute:delete": "rule:default",
|
||||||
"compute:get_all": "",
|
"compute:get_all": "",
|
||||||
"compute:get_all_tenants": "",
|
"compute:get_all_tenants": "is_admin:True",
|
||||||
"compute:reboot": "rule:default",
|
"compute:reboot": "rule:default",
|
||||||
"compute:rebuild": "rule:default",
|
"compute:rebuild": "rule:default",
|
||||||
"compute:snapshot": "rule:default",
|
"compute:snapshot": "rule:default",
|
||||||
|
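Review bot: The change of `"compute:get_all_tenants"` to `"is_admin:True"` comes with no upgrade note for deployments that carry their own copy of nova_policy.json. Horizon appears to evaluate this file locally, so an overridden copy that still has the old empty rule would keep sending all_tenants=True and, going by the commit description, keep hitting the failing call. JSON cannot hold a comment, so I would add a release note such as `Operators with a customised nova_policy.json must set "compute:get_all_tenants" to match the policy of their Nova deployment`. The local rule is only a hint for what Horizon sends; Nova remains the authority on the request, so the two need to stay in step.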
@ -24,6 +24,7 @@ from openstack_dashboard.api import cinder
|
|||||||
from openstack_dashboard.api import network
|
from openstack_dashboard.api import network
|
||||||
from openstack_dashboard.api import neutron
|
from openstack_dashboard.api import neutron
|
||||||
from openstack_dashboard.api import nova
|
from openstack_dashboard.api import nova
|
||||||
|
from openstack_dashboard import policy
|
||||||
|
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
@ -254,8 +255,14 @@ def get_disabled_quotas(request):
|
|||||||
|
|
||||||
def _get_tenant_compute_usages(request, usages, disabled_quotas, tenant_id):
|
def _get_tenant_compute_usages(request, usages, disabled_quotas, tenant_id):
|
||||||
if tenant_id:
|
if tenant_id:
|
||||||
|
# determine if the user has permission to view across projects
|
||||||
|
# there are cases where an administrator wants to check the quotas
|
||||||
|
# on a project they are not scoped to
|
||||||
|
all_tenants = policy.check((("compute", "compute:get_all_tenants"),),
|
||||||
|
request)
|
||||||
instances, has_more = nova.server_list(
|
instances, has_more = nova.server_list(
|
||||||
request, search_opts={'tenant_id': tenant_id}, all_tenants=True)
|
request, search_opts={'tenant_id': tenant_id},
|
||||||
|
all_tenants=all_tenants)
|
||||||
else:
|
else:
|
||||||
instances, has_more = nova.server_list(request)
|
instances, has_more = nova.server_list(request)
|
||||||
|
|
||||||
|
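Review bot: When `policy.check` returns False and `tenant_id` is not the project the request is scoped to, the `nova.server_list` call in `_get_tenant_compute_usages` still runs with `search_opts={'tenant_id': tenant_id}` and `all_tenants=False`. What Nova returns in that case is not visible here, but it is presumably limited to the caller's own project or empty, so the usages could be attributed to `tenant_id` while describing something else, with no signal to the caller. I would make that case explicit, for example by logging it through the existing `LOG` or skipping the cross-project lookup, and cover the non-admin path with a test. The added comment could also say that this is only Horizon's local evaluation, e.g. `# local policy hint only; nova enforces compute:get_all_tenants on the request`. The function body continues past the end of this hunk.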