Revert "RBAC: Fix allocation check"

This reverts commit c901b15f6c. Reason for revert: Should have been Unauthorized. Change-Id: I0febafd2a603ad991b4b677a94773c891ad3465c
2024-01-16 15:10:56 +00:00 · 2024-01-16 15:10:56 +00:00 · 4b31633862
commit 4b31633862
parent c901b15f6c
3 changed files with 1 additions and 29 deletions
--- a/ironic/api/controllers/v1/allocation.py
+++ b/ironic/api/controllers/v1/allocation.py
@ -271,22 +271,11 @@ class AllocationsController(pecan.rest.RestController):
           :fields: fields
           :owner: r_owner
        """
-        requestor = api_utils.check_list_policy('allocation', owner)
+        owner = api_utils.check_list_policy('allocation', owner)

        self._check_allowed_allocation_fields(fields)
        if owner is not None and not api_utils.allow_allocation_owner():
-            # Requestor has asked for an owner field/column match, but
-            # their client version does not support it.
            raise exception.NotAcceptable()
-        if (owner is not None
-                and requestor is not None
-                and owner != requestor):
-            # The requestor is asking about other owner's records.
-            # Naughty!
-            raise exception.NotAcceptable()
-
-        if requestor is not None:
-            owner = requestor

        return self._get_allocations_collection(node, resource_class, state,
                                                owner, marker, limit,
--- a/ironic/tests/unit/api/controllers/v1/test_allocation.py
+++ b/ironic/tests/unit/api/controllers/v1/test_allocation.py
@ -28,7 +28,6 @@ from oslo_utils import uuidutils
 from ironic.api.controllers import base as api_base
 from ironic.api.controllers import v1 as api_v1
 from ironic.api.controllers.v1 import notification_utils
-from ironic.api.controllers.v1 import utils as v1_api_utils
 from ironic.common import exception
 from ironic.common import policy
 from ironic.conductor import rpcapi
@ -421,16 +420,6 @@ class TestListAllocations(test_api_base.BaseApiTest):
        self.assertEqual(http_client.NOT_ACCEPTABLE, response.status_code)
        self.assertTrue(response.json['error_message'])

-    @mock.patch.object(v1_api_utils, 'check_list_policy', autospec=True)
-    def test_get_all_by_owner_not_allowed_mismatch(self, mock_check):
-        mock_check.return_value = '54321'
-        response = self.get_json("/allocations?owner=12345",
-                                 headers={api_base.Version.string: '1.60'},
-                                 expect_errors=True)
-        self.assertEqual('application/json', response.content_type)
-        self.assertEqual(http_client.NOT_ACCEPTABLE, response.status_code)
-        self.assertTrue(response.json['error_message'])
-
    def test_get_all_by_node_name(self):
        for i in range(5):
            if i < 3:
--- a/releasenotes/notes/fix-allocation-exception-on-list-c04e93fb9cace218.yaml
+++ b/releasenotes/notes/fix-allocation-exception-on-list-c04e93fb9cace218.yaml
@ -1,6 +0,0 @@
---
-fixes:
-  - |
-    Fixes an issue when listing allocations as a project scoped user when
-    the legacy RBAC policies have been disabled which forced an HTTP 406
-    error being erroneously raised.