Adding policy check in quota call

The default policy for server_list API in nova has changed. This
exposed a problem in the way Horizon was calling server_list when
reading quota values. The call was always made with
all_tenants=True, which is only something admin should be able to
do. Instead of ignoring the privilege problem in the API as in the
past, there is a pre-emptive policy check that makes the call fail.

The fix in Horizon is to only pass in all_tenants=True when the
user has the appropriate privilege level. nova_policy.json has been
updated with the appropriate default and the permission check has
been added.

Removing passing in all_tenants=True at all was contemplated, but
when setting quota values on projects in the identity dashboard,
the administrator level user needs to read quota values from a
project that they are not currently scoped to.

This fixes the error on the network topology screen that was the
motivation for the original bug report.

Closes-Bug: #1468551
Change-Id: I4255c57f81a13cac121596c99eea4ac629ed9ca7
This commit is contained in:
David Lyle 2015-06-25 14:13:59 -06:00 committed by David Lyle
parent f1779d8cef
commit 6bfeee5baf
2 changed files with 9 additions and 2 deletions

View File

@ -11,7 +11,7 @@
"compute:create:forced_host": "is_admin:True", "compute:create:forced_host": "is_admin:True",
"compute:delete": "rule:default", "compute:delete": "rule:default",
"compute:get_all": "", "compute:get_all": "",
"compute:get_all_tenants": "", "compute:get_all_tenants": "is_admin:True",
"compute:reboot": "rule:default", "compute:reboot": "rule:default",
"compute:rebuild": "rule:default", "compute:rebuild": "rule:default",
"compute:snapshot": "rule:default", "compute:snapshot": "rule:default",

View File

@ -24,6 +24,7 @@ from openstack_dashboard.api import cinder
from openstack_dashboard.api import network from openstack_dashboard.api import network
from openstack_dashboard.api import neutron from openstack_dashboard.api import neutron
from openstack_dashboard.api import nova from openstack_dashboard.api import nova
from openstack_dashboard import policy
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
@ -254,8 +255,14 @@ def get_disabled_quotas(request):
def _get_tenant_compute_usages(request, usages, disabled_quotas, tenant_id): def _get_tenant_compute_usages(request, usages, disabled_quotas, tenant_id):
if tenant_id: if tenant_id:
# determine if the user has permission to view across projects
# there are cases where an administrator wants to check the quotas
# on a project they are not scoped to
all_tenants = policy.check((("compute", "compute:get_all_tenants"),),
request)
instances, has_more = nova.server_list( instances, has_more = nova.server_list(
request, search_opts={'tenant_id': tenant_id}, all_tenants=True) request, search_opts={'tenant_id': tenant_id},
all_tenants=all_tenants)
else: else:
instances, has_more = nova.server_list(request) instances, has_more = nova.server_list(request)