Fix policy dict checkers

After the ironic context refactor, the default policy values were changed to use project_domain_id and project_name, while not changing the checker methods in API to fetch the correct values from the context. This change fixes this issue. Closes-Bug: #1650203 Change-Id: If9bf67b9d7d6f66b12a99d1ee7826af9634415b5
2016-12-16 13:30:29 +02:00 · 2016-12-16 13:30:29 +02:00 · 633abbeff8
parent e69c77a13f
commit 633abbeff8
7 changed files with 51 additions and 47 deletions
--- a/ironic/api/controllers/v1/chassis.py
+++ b/ironic/api/controllers/v1/chassis.py
@ -211,7 +211,7 @@ class ChassisController(rest.RestController):
        :param fields: Optional, a list with a specified set of fields
            of the resource to be returned.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:chassis:get', cdict, cdict)

        api_utils.check_allow_specify_fields(fields)
@ -234,7 +234,7 @@ class ChassisController(rest.RestController):
        :param sort_key: column to sort results by. Default: id.
        :param sort_dir: direction to sort. "asc" or "desc". Default: asc.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:chassis:get', cdict, cdict)

        # /detail should only work against collections
@ -255,7 +255,7 @@ class ChassisController(rest.RestController):
        :param fields: Optional, a list with a specified set of fields
            of the resource to be returned.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:chassis:get', cdict, cdict)

        api_utils.check_allow_specify_fields(fields)
@ -270,7 +270,7 @@ class ChassisController(rest.RestController):

        :param chassis: a chassis within the request body.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:chassis:create', cdict, cdict)

        new_chassis = objects.Chassis(pecan.request.context,
@ -289,7 +289,7 @@ class ChassisController(rest.RestController):
        :param chassis_uuid: UUID of a chassis.
        :param patch: a json PATCH document to apply to this chassis.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:chassis:update', cdict, cdict)

        rpc_chassis = objects.Chassis.get_by_uuid(pecan.request.context,
@ -323,7 +323,7 @@ class ChassisController(rest.RestController):

        :param chassis_uuid: UUID of a chassis.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:chassis:delete', cdict, cdict)

        rpc_chassis = objects.Chassis.get_by_uuid(pecan.request.context,
--- a/ironic/api/controllers/v1/driver.py
+++ b/ironic/api/controllers/v1/driver.py
@ -154,7 +154,7 @@ class DriverPassthruController(rest.RestController):
        :raises: DriverNotFound if the driver name is invalid or the
                 driver cannot be loaded.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:driver:vendor_passthru', cdict, cdict)

        if driver_name not in _VENDOR_METHODS:
@ -176,7 +176,7 @@ class DriverPassthruController(rest.RestController):
                       implementation.
        :param data: body of data to supply to the specified method.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        if method == "lookup":
            policy.authorize('baremetal:driver:ipa_lookup', cdict, cdict)
        else:
@ -208,7 +208,7 @@ class DriverRaidController(rest.RestController):
        :raises: DriverNotFound, if driver is not loaded on any of the
            conductors.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:driver:get_raid_logical_disk_properties',
                         cdict, cdict)

@ -250,7 +250,7 @@ class DriversController(rest.RestController):
        #              will break from a single-line doc string.
        #              This is a result of a bug in sphinxcontrib-pecanwsme
        # https://github.com/dreamhost/sphinxcontrib-pecanwsme/issues/8
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:driver:get', cdict, cdict)

        driver_list = pecan.request.dbapi.get_active_driver_dict()
@ -264,7 +264,7 @@ class DriversController(rest.RestController):
        # retrieving a list of drivers using the current sqlalchemy schema, but
        # this path must be exposed for Pecan to route any paths we might
        # choose to expose below it.
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:driver:get', cdict, cdict)

        driver_dict = pecan.request.dbapi.get_active_driver_dict()
@ -285,7 +285,7 @@ class DriversController(rest.RestController):
        :raises: DriverNotFound (HTTP 404) if the driver name is invalid or
                 the driver cannot be loaded.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:driver:get_properties', cdict, cdict)

        if driver_name not in _DRIVER_PROPERTIES:
--- a/ironic/api/controllers/v1/node.py
+++ b/ironic/api/controllers/v1/node.py
@ -196,7 +196,7 @@ class BootDeviceController(rest.RestController):
                           Default: False.

        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:set_boot_device', cdict, cdict)

        rpc_node = api_utils.get_rpc_node(node_ident)
@ -221,7 +221,7 @@ class BootDeviceController(rest.RestController):
                future boots or not, None if it is unknown.

        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:get_boot_device', cdict, cdict)

        return self._get_boot_device(node_ident)
@ -236,7 +236,7 @@ class BootDeviceController(rest.RestController):
                  devices.

        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:get_boot_device', cdict, cdict)

        boot_devices = self._get_boot_device(node_ident, supported=True)
@ -274,7 +274,7 @@ class NodeConsoleController(rest.RestController):

        :param node_ident: UUID or logical name of a node.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:get_console', cdict, cdict)

        rpc_node = api_utils.get_rpc_node(node_ident)
@ -299,7 +299,7 @@ class NodeConsoleController(rest.RestController):
        :param enabled: Boolean value; whether to enable or disable the
                console.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:set_console_state', cdict, cdict)

        rpc_node = api_utils.get_rpc_node(node_ident)
@ -390,7 +390,7 @@ class NodeStatesController(rest.RestController):

        :param node_ident: the UUID or logical_name of a node.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:get_states', cdict, cdict)

        # NOTE(lucasagomes): All these state values come from the
@ -414,7 +414,7 @@ class NodeStatesController(rest.RestController):
        :raises: NotAcceptable, if requested version of the API is less than
            1.12.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:set_raid_state', cdict, cdict)

        if not api_utils.allow_raid_config():
@ -445,7 +445,7 @@ class NodeStatesController(rest.RestController):
                 state is not valid or if the node is in CLEANING state.

        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:set_power_state', cdict, cdict)

        # TODO(lucasagomes): Test if it's able to transition to the
@ -525,7 +525,7 @@ class NodeStatesController(rest.RestController):
        :raises: NotAcceptable (HTTP 406) if the API version specified does
                 not allow the requested state transition.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:set_provision_state', cdict, cdict)

        api_utils.check_allow_management_verbs(target)
@ -826,7 +826,7 @@ class Node(base.APIBase):
        if fields is not None:
            api_utils.check_for_invalid_fields(fields, node.as_dict())

-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        # NOTE(deva): the 'show_password' policy setting name exists for legacy
        #             purposes and can not be changed. Changing it will cause
        #             upgrade problems for any operators who have customized
@ -962,7 +962,7 @@ class NodeVendorPassthruController(rest.RestController):
                  entries.
        :raises: NodeNotFound if the node is not found.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:vendor_passthru', cdict, cdict)

        # Raise an exception if node is not found
@ -986,7 +986,7 @@ class NodeVendorPassthruController(rest.RestController):
        :param method: name of the method in vendor driver.
        :param data: body of data to supply to the specified method.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        if method == 'heartbeat':
            policy.authorize('baremetal:node:ipa_heartbeat', cdict, cdict)
        else:
@ -1024,7 +1024,7 @@ class NodeMaintenanceController(rest.RestController):
        :param reason: Optional, the reason why it's in maintenance.

        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:set_maintenance', cdict, cdict)

        self._set_maintenance(node_ident, True, reason=reason)
@ -1037,7 +1037,7 @@ class NodeMaintenanceController(rest.RestController):
        :param node_ident: the UUID or logical name of a node.

        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:clear_maintenance', cdict, cdict)

        self._set_maintenance(node_ident, False)
@ -1268,7 +1268,7 @@ class NodesController(rest.RestController):
        :param fields: Optional, a list with a specified set of fields
                       of the resource to be returned.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:get', cdict, cdict)

        api_utils.check_allow_specify_fields(fields)
@ -1320,7 +1320,7 @@ class NodesController(rest.RestController):
        :param resource_class: Optional string value to get only nodes with
                               that resource_class.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:get', cdict, cdict)

        api_utils.check_for_invalid_state_and_allow_filter(provision_state)
@ -1351,7 +1351,7 @@ class NodesController(rest.RestController):
        :param node: UUID or name of a node.
        :param node_uuid: UUID of a node.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:validate', cdict, cdict)

        if node is not None:
@ -1376,7 +1376,7 @@ class NodesController(rest.RestController):
        :param fields: Optional, a list with a specified set of fields
            of the resource to be returned.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:get', cdict, cdict)

        if self.from_chassis:
@ -1395,7 +1395,7 @@ class NodesController(rest.RestController):

        :param node: a node within the request body.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:create', cdict, cdict)

        if self.from_chassis:
@ -1448,7 +1448,7 @@ class NodesController(rest.RestController):
        :param node_ident: UUID or logical name of a node.
        :param patch: a json PATCH document to apply to this node.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:update', cdict, cdict)

        if self.from_chassis:
@ -1521,7 +1521,7 @@ class NodesController(rest.RestController):

        :param node_ident: UUID or logical name of a node.
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:delete', cdict, cdict)

        if self.from_chassis:
--- a/ironic/api/controllers/v1/port.py
+++ b/ironic/api/controllers/v1/port.py
@ -383,7 +383,7 @@ class PortsController(rest.RestController):
                                   for that portgroup.
        :raises: NotAcceptable, HTTPNotFound
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:port:get', cdict, cdict)

        api_utils.check_allow_specify_fields(fields)
@ -441,7 +441,7 @@ class PortsController(rest.RestController):
        :param sort_dir: direction to sort. "asc" or "desc". Default: asc.
        :raises: NotAcceptable, HTTPNotFound
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:port:get', cdict, cdict)

        if portgroup and not api_utils.allow_portgroups_subcontrollers():
@ -475,7 +475,7 @@ class PortsController(rest.RestController):
            of the resource to be returned.
        :raises: NotAcceptable, HTTPNotFound
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:port:get', cdict, cdict)

        if self.parent_node_ident or self.parent_portgroup_ident:
@ -494,7 +494,7 @@ class PortsController(rest.RestController):
        :param port: a port within the request body.
        :raises: NotAcceptable, HTTPNotFound, Conflict
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:port:create', cdict, cdict)

        if self.parent_node_ident or self.parent_portgroup_ident:
@ -540,7 +540,7 @@ class PortsController(rest.RestController):
        :param patch: a json PATCH document to apply to this port.
        :raises: NotAcceptable, HTTPNotFound
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:port:update', cdict, cdict)

        if self.parent_node_ident or self.parent_portgroup_ident:
@ -608,7 +608,7 @@ class PortsController(rest.RestController):
        :param port_uuid: UUID of a port.
        :raises OperationNotPermitted, HTTPNotFound
        """
-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:port:delete', cdict, cdict)

        if self.parent_node_ident or self.parent_portgroup_ident:
--- a/ironic/api/controllers/v1/portgroup.py
+++ b/ironic/api/controllers/v1/portgroup.py
@ -336,7 +336,7 @@ class PortgroupsController(pecan.rest.RestController):
        if not api_utils.allow_portgroups():
            raise exception.NotFound()

-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:portgroup:get', cdict, cdict)

        if fields is None:
@ -369,7 +369,7 @@ class PortgroupsController(pecan.rest.RestController):
        if not api_utils.allow_portgroups():
            raise exception.NotFound()

-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:portgroup:get', cdict, cdict)

        # NOTE: /detail should only work against collections
@ -394,7 +394,7 @@ class PortgroupsController(pecan.rest.RestController):
        if not api_utils.allow_portgroups():
            raise exception.NotFound()

-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:portgroup:get', cdict, cdict)

        if self.parent_node_ident:
@ -413,7 +413,7 @@ class PortgroupsController(pecan.rest.RestController):
        if not api_utils.allow_portgroups():
            raise exception.NotFound()

-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:portgroup:create', cdict, cdict)

        if self.parent_node_ident:
@ -446,7 +446,7 @@ class PortgroupsController(pecan.rest.RestController):
        if not api_utils.allow_portgroups():
            raise exception.NotFound()

-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:portgroup:update', cdict, cdict)

        if self.parent_node_ident:
@ -509,7 +509,7 @@ class PortgroupsController(pecan.rest.RestController):
        if not api_utils.allow_portgroups():
            raise exception.NotFound()

-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:portgroup:delete', cdict, cdict)

        if self.parent_node_ident:
--- a/ironic/api/controllers/v1/ramdisk.py
+++ b/ironic/api/controllers/v1/ramdisk.py
@ -98,7 +98,7 @@ class LookupController(rest.RestController):
        if not api_utils.allow_ramdisk_endpoints():
            raise exception.NotFound()

-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:driver:ipa_lookup', cdict, cdict)

        # Validate the list of MAC addresses
@ -160,7 +160,7 @@ class HeartbeatController(rest.RestController):
        if not api_utils.allow_ramdisk_endpoints():
            raise exception.NotFound()

-        cdict = pecan.request.context.to_dict()
+        cdict = pecan.request.context.to_policy_values()
        policy.authorize('baremetal:node:ipa_heartbeat', cdict, cdict)

        rpc_node = api_utils.get_rpc_node(node_ident)
--- a/releasenotes/notes/fix-policy-checkers-1a08203e3c2cf859.yaml
+++ b/releasenotes/notes/fix-policy-checkers-1a08203e3c2cf859.yaml
@ -0,0 +1,4 @@
+---
+fixes:
+  - Some of the API methods were not using the right context values for
+    checking the policy, this release fixes the issue.