Merge "RBAC: Fix allocation check"
This commit is contained in:
Zuul
Gerrit Code Review
commit
05a82bb295
@ -271,11 +271,22 @@ class AllocationsController(pecan.rest.RestController):
|
|||||||
:fields: fields
|
:fields: fields
|
||||||
:owner: r_owner
|
:owner: r_owner
|
||||||
"""
|
"""
|
||||||
owner = api_utils.check_list_policy('allocation', owner)
|
requestor = api_utils.check_list_policy('allocation', owner)
|
||||||
|
|
||||||
self._check_allowed_allocation_fields(fields)
|
self._check_allowed_allocation_fields(fields)
|
||||||
if owner is not None and not api_utils.allow_allocation_owner():
|
if owner is not None and not api_utils.allow_allocation_owner():
|
||||||
|
# Requestor has asked for an owner field/column match, but
|
||||||
|
# their client version does not support it.
|
||||||
raise exception.NotAcceptable()
|
raise exception.NotAcceptable()
|
||||||
|
if (owner is not None
|
||||||
|
and requestor is not None
|
||||||
|
and owner != requestor):
|
||||||
|
# The requestor is asking about other owner's records.
|
||||||
|
# Naughty!
|
||||||
|
raise exception.NotAcceptable()
|
||||||
|
|
||||||
|
if requestor is not None:
|
||||||
|
owner = requestor
|
||||||
|
|
||||||
return self._get_allocations_collection(node, resource_class, state,
|
return self._get_allocations_collection(node, resource_class, state,
|
||||||
owner, marker, limit,
|
owner, marker, limit,
|
||||||
|
|||||||
@ -28,6 +28,7 @@ from oslo_utils import uuidutils
|
|||||||
from ironic.api.controllers import base as api_base
|
from ironic.api.controllers import base as api_base
|
||||||
from ironic.api.controllers import v1 as api_v1
|
from ironic.api.controllers import v1 as api_v1
|
||||||
from ironic.api.controllers.v1 import notification_utils
|
from ironic.api.controllers.v1 import notification_utils
|
||||||
|
from ironic.api.controllers.v1 import utils as v1_api_utils
|
||||||
from ironic.common import exception
|
from ironic.common import exception
|
||||||
from ironic.common import policy
|
from ironic.common import policy
|
||||||
from ironic.conductor import rpcapi
|
from ironic.conductor import rpcapi
|
||||||
@ -420,6 +421,16 @@ class TestListAllocations(test_api_base.BaseApiTest):
|
|||||||
self.assertEqual(http_client.NOT_ACCEPTABLE, response.status_code)
|
self.assertEqual(http_client.NOT_ACCEPTABLE, response.status_code)
|
||||||
self.assertTrue(response.json['error_message'])
|
self.assertTrue(response.json['error_message'])
|
||||||
|
|
||||||
|
@mock.patch.object(v1_api_utils, 'check_list_policy', autospec=True)
|
||||||
|
def test_get_all_by_owner_not_allowed_mismatch(self, mock_check):
|
||||||
|
mock_check.return_value = '54321'
|
||||||
|
response = self.get_json("/allocations?owner=12345",
|
||||||
|
headers={api_base.Version.string: '1.60'},
|
||||||
|
expect_errors=True)
|
||||||
|
self.assertEqual('application/json', response.content_type)
|
||||||
|
self.assertEqual(http_client.NOT_ACCEPTABLE, response.status_code)
|
||||||
|
self.assertTrue(response.json['error_message'])
|
||||||
|
|
||||||
def test_get_all_by_node_name(self):
|
def test_get_all_by_node_name(self):
|
||||||
for i in range(5):
|
for i in range(5):
|
||||||
if i < 3:
|
if i < 3:
|
||||||
|
|||||||
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fixes an issue when listing allocations as a project scoped user when
|
||||||
|
the legacy RBAC policies have been disabled which forced an HTTP 406
|
||||||
|
error being erroneously raised.
|
||||||
Loading…
x
Reference in New Issue
Block a user