Merge "RBAC: Fix allocation check"

ironic/api/controllers/v1/allocation.py

@@ -271,11 +271,22 @@ class AllocationsController(pecan.rest.RestController):
            :fields: fields
            :owner: r_owner
         """
-        owner = api_utils.check_list_policy('allocation', owner)
+        requestor = api_utils.check_list_policy('allocation', owner)
 
         self._check_allowed_allocation_fields(fields)
         if owner is not None and not api_utils.allow_allocation_owner():
+            # Requestor has asked for an owner field/column match, but
+            # their client version does not support it.
             raise exception.NotAcceptable()
+        if (owner is not None
+                and requestor is not None
+                and owner != requestor):
+            # The requestor is asking about other owner's records.
+            # Naughty!
+            raise exception.NotAcceptable()
+
+        if requestor is not None:
+            owner = requestor
 
         return self._get_allocations_collection(node, resource_class, state,
                                                 owner, marker, limit,

ironic/tests/unit/api/controllers/v1/test_allocation.py

@@ -28,6 +28,7 @@ from oslo_utils import uuidutils
 from ironic.api.controllers import base as api_base
 from ironic.api.controllers import v1 as api_v1
 from ironic.api.controllers.v1 import notification_utils
+from ironic.api.controllers.v1 import utils as v1_api_utils
 from ironic.common import exception
 from ironic.common import policy
 from ironic.conductor import rpcapi
@@ -420,6 +421,16 @@ class TestListAllocations(test_api_base.BaseApiTest):
         self.assertEqual(http_client.NOT_ACCEPTABLE, response.status_code)
         self.assertTrue(response.json['error_message'])
 
+    @mock.patch.object(v1_api_utils, 'check_list_policy', autospec=True)
+    def test_get_all_by_owner_not_allowed_mismatch(self, mock_check):
+        mock_check.return_value = '54321'
+        response = self.get_json("/allocations?owner=12345",
+                                 headers={api_base.Version.string: '1.60'},
+                                 expect_errors=True)
+        self.assertEqual('application/json', response.content_type)
+        self.assertEqual(http_client.NOT_ACCEPTABLE, response.status_code)
+        self.assertTrue(response.json['error_message'])
+
     def test_get_all_by_node_name(self):
         for i in range(5):
             if i < 3:

releasenotes/notes/fix-allocation-exception-on-list-c04e93fb9cace218.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes an issue when listing allocations as a project scoped user when
+    the legacy RBAC policies have been disabled which forced an HTTP 406
+    error being erroneously raised.