Consistently use utils functions for policy auth

The check_policy function exists in api utils, along with other more
complex policy utility functions. This change replaces direct calls to
authorize with calls to check_policy.

Having authorize calls consolidated in api utils may help with the
upcoming secure-rbac work.

Change-Id: If4779b08b9f360f4c2f4675c605aa519f6ea4778
Steve Baker 2020-12-14 13:16:00 +13:00
parent a58b88c737
commit 8669837ea2
13 changed files with 47 additions and 105 deletions


@ -26,7 +26,6 @@ from ironic.api import method
from ironic.common import args from ironic.common import args
from ironic.common import exception from ironic.common import exception
from ironic.common.i18n import _ from ironic.common.i18n import _
from ironic.common import policy
from ironic import objects from ironic import objects
METRICS = metrics_utils.get_metrics_logger(__name__) METRICS = metrics_utils.get_metrics_logger(__name__)
@ -266,18 +265,17 @@ class AllocationsController(pecan.rest.RestController):
return convert_with_links(rpc_allocation, fields=fields) return convert_with_links(rpc_allocation, fields=fields)
def _authorize_create_allocation(self, allocation): def _authorize_create_allocation(self, allocation):
cdict = api.request.context.to_policy_values()
try: try:
policy.authorize('baremetal:allocation:create', cdict, cdict) api_utils.check_policy('baremetal:allocation:create')
self._check_allowed_allocation_fields(allocation) self._check_allowed_allocation_fields(allocation)
except exception.HTTPForbidden: except exception.HTTPForbidden:
cdict = api.request.context.to_policy_values()
owner = cdict.get('project_id') owner = cdict.get('project_id')
if not owner or (allocation.get('owner') if not owner or (allocation.get('owner')
and owner != allocation.get('owner')): and owner != allocation.get('owner')):
raise raise
policy.authorize('baremetal:allocation:create_restricted', api_utils.check_policy('baremetal:allocation:create_restricted')
cdict, cdict)
self._check_allowed_allocation_fields(allocation) self._check_allowed_allocation_fields(allocation)
allocation['owner'] = owner allocation['owner'] = owner
@ -460,8 +458,7 @@ class NodeAllocationController(pecan.rest.RestController):
@method.expose() @method.expose()
@args.validate(fields=args.string_list) @args.validate(fields=args.string_list)
def get_all(self, fields=None): def get_all(self, fields=None):
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:allocation:get')
policy.authorize('baremetal:allocation:get', cdict, cdict)
result = self.inner._get_allocations_collection(self.parent_node_ident, result = self.inner._get_allocations_collection(self.parent_node_ident,
fields=fields) fields=fields)
@ -476,8 +473,7 @@ class NodeAllocationController(pecan.rest.RestController):
@method.expose(status_code=http_client.NO_CONTENT) @method.expose(status_code=http_client.NO_CONTENT)
def delete(self): def delete(self):
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:allocation:delete')
policy.authorize('baremetal:allocation:delete', cdict, cdict)
rpc_node = api_utils.get_rpc_node_with_suffix(self.parent_node_ident) rpc_node = api_utils.get_rpc_node_with_suffix(self.parent_node_ident)
allocations = objects.Allocation.list( allocations = objects.Allocation.list(
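Review bot: The `except exception.HTTPForbidden` fallback in `_authorize_create_allocation` now relies on `api_utils.check_policy` raising the same exception type as the direct `policy.authorize` call did, and `check_policy` itself is not shown in this change. If it raised anything else, a project-scoped caller would be rejected outright instead of reaching the `baremetal:allocation:create_restricted` check. A unit test that denies `baremetal:allocation:create` and asserts the restricted rule is consulted would pin this down. Once confirmed, a comment above the `except` such as `# check_policy raises HTTPForbidden on denial; fall back to the owner-restricted rule` would make the dependency explicit. The `try` also covers `_check_allowed_allocation_fields`, so a forbidden error from that call takes the same fallback path.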


@ -21,7 +21,6 @@ from ironic.api.controllers.v1 import utils as api_utils
from ironic.api import method from ironic.api import method
from ironic.common import args from ironic.common import args
from ironic.common import exception from ironic.common import exception
from ironic.common import policy
from ironic import objects from ironic import objects
METRICS = metrics_utils.get_metrics_logger(__name__) METRICS = metrics_utils.get_metrics_logger(__name__)
@ -57,8 +56,7 @@ class NodeBiosController(rest.RestController):
@method.expose() @method.expose()
def get_all(self): def get_all(self):
"""List node bios settings.""" """List node bios settings."""
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:node:bios:get')
policy.authorize('baremetal:node:bios:get', cdict, cdict)
node = api_utils.get_rpc_node(self.node_ident) node = api_utils.get_rpc_node(self.node_ident)
settings = objects.BIOSSettingList.get_by_node_id( settings = objects.BIOSSettingList.get_by_node_id(
@ -73,8 +71,7 @@ class NodeBiosController(rest.RestController):
:param setting_name: Logical name of the setting to retrieve. :param setting_name: Logical name of the setting to retrieve.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:node:bios:get')
policy.authorize('baremetal:node:bios:get', cdict, cdict)
node = api_utils.get_rpc_node(self.node_ident) node = api_utils.get_rpc_node(self.node_ident)
try: try:


@ -29,7 +29,6 @@ from ironic.api import method
from ironic.common import args from ironic.common import args
from ironic.common import exception from ironic.common import exception
from ironic.common.i18n import _ from ironic.common.i18n import _
from ironic.common import policy
from ironic import objects from ironic import objects
METRICS = metrics_utils.get_metrics_logger(__name__) METRICS = metrics_utils.get_metrics_logger(__name__)
@ -157,8 +156,7 @@ class ChassisController(rest.RestController):
:param fields: Optional, a list with a specified set of fields :param fields: Optional, a list with a specified set of fields
of the resource to be returned. of the resource to be returned.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:chassis:get')
policy.authorize('baremetal:chassis:get', cdict, cdict)
api_utils.check_allow_specify_fields(fields) api_utils.check_allow_specify_fields(fields)
@ -183,8 +181,7 @@ class ChassisController(rest.RestController):
:param sort_key: column to sort results by. Default: id. :param sort_key: column to sort results by. Default: id.
:param sort_dir: direction to sort. "asc" or "desc". Default: asc. :param sort_dir: direction to sort. "asc" or "desc". Default: asc.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:chassis:get')
policy.authorize('baremetal:chassis:get', cdict, cdict)
# /detail should only work against collections # /detail should only work against collections
parent = api.request.path.split('/')[:-1][-1] parent = api.request.path.split('/')[:-1][-1]
@ -205,8 +202,7 @@ class ChassisController(rest.RestController):
:param fields: Optional, a list with a specified set of fields :param fields: Optional, a list with a specified set of fields
of the resource to be returned. of the resource to be returned.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:chassis:get')
policy.authorize('baremetal:chassis:get', cdict, cdict)
api_utils.check_allow_specify_fields(fields) api_utils.check_allow_specify_fields(fields)
rpc_chassis = objects.Chassis.get_by_uuid(api.request.context, rpc_chassis = objects.Chassis.get_by_uuid(api.request.context,
@ -223,8 +219,7 @@ class ChassisController(rest.RestController):
:param chassis: a chassis within the request body. :param chassis: a chassis within the request body.
""" """
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:chassis:create')
policy.authorize('baremetal:chassis:create', cdict, cdict)
# NOTE(yuriyz): UUID is mandatory for notifications payload # NOTE(yuriyz): UUID is mandatory for notifications payload
if not chassis.get('uuid'): if not chassis.get('uuid'):
@ -250,8 +245,7 @@ class ChassisController(rest.RestController):
:param patch: a json PATCH document to apply to this chassis. :param patch: a json PATCH document to apply to this chassis.
""" """
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:chassis:update')
policy.authorize('baremetal:chassis:update', cdict, cdict)
api_utils.patch_validate_allowed_fields( api_utils.patch_validate_allowed_fields(
patch, CHASSIS_SCHEMA['properties']) patch, CHASSIS_SCHEMA['properties'])
@ -282,8 +276,7 @@ class ChassisController(rest.RestController):
:param chassis_uuid: UUID of a chassis. :param chassis_uuid: UUID of a chassis.
""" """
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:chassis:delete')
policy.authorize('baremetal:chassis:delete', cdict, cdict)
rpc_chassis = objects.Chassis.get_by_uuid(context, chassis_uuid) rpc_chassis = objects.Chassis.get_by_uuid(context, chassis_uuid)
notify.emit_start_notification(context, rpc_chassis, 'delete') notify.emit_start_notification(context, rpc_chassis, 'delete')


@ -22,7 +22,6 @@ from ironic.api import method
from ironic.common import args from ironic.common import args
from ironic.common import exception from ironic.common import exception
from ironic.common.i18n import _ from ironic.common.i18n import _
from ironic.common import policy
import ironic.conf import ironic.conf
from ironic import objects from ironic import objects
@ -122,8 +121,7 @@ class ConductorsController(rest.RestController):
:param detail: Optional, boolean to indicate whether retrieve a list :param detail: Optional, boolean to indicate whether retrieve a list
of conductors with detail. of conductors with detail.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:conductor:get')
policy.authorize('baremetal:conductor:get', cdict, cdict)
if not api_utils.allow_expose_conductors(): if not api_utils.allow_expose_conductors():
raise exception.NotFound() raise exception.NotFound()
@ -149,8 +147,7 @@ class ConductorsController(rest.RestController):
:param fields: Optional, a list with a specified set of fields :param fields: Optional, a list with a specified set of fields
of the resource to be returned. of the resource to be returned.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:conductor:get')
policy.authorize('baremetal:conductor:get', cdict, cdict)
if not api_utils.allow_expose_conductors(): if not api_utils.allow_expose_conductors():
raise exception.NotFound() raise exception.NotFound()


@ -25,7 +25,6 @@ from ironic.api import method
from ironic.common import args from ironic.common import args
from ironic.common import exception from ironic.common import exception
from ironic.common.i18n import _ from ironic.common.i18n import _
from ironic.common import policy
from ironic.drivers import base as driver_base from ironic.drivers import base as driver_base
@ -206,8 +205,7 @@ class DriverPassthruController(rest.RestController):
:raises: DriverNotFound if the driver name is invalid or the :raises: DriverNotFound if the driver name is invalid or the
driver cannot be loaded. driver cannot be loaded.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:driver:vendor_passthru')
policy.authorize('baremetal:driver:vendor_passthru', cdict, cdict)
if driver_name not in _VENDOR_METHODS: if driver_name not in _VENDOR_METHODS:
topic = api.request.rpcapi.get_topic_for_driver(driver_name) topic = api.request.rpcapi.get_topic_for_driver(driver_name)
@ -230,8 +228,7 @@ class DriverPassthruController(rest.RestController):
:param data: body of data to supply to the specified method. :param data: body of data to supply to the specified method.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:driver:vendor_passthru')
policy.authorize('baremetal:driver:vendor_passthru', cdict, cdict)
topic = api.request.rpcapi.get_topic_for_driver(driver_name) topic = api.request.rpcapi.get_topic_for_driver(driver_name)
resp = api_utils.vendor_passthru(driver_name, method, topic, resp = api_utils.vendor_passthru(driver_name, method, topic,
@ -262,9 +259,8 @@ class DriverRaidController(rest.RestController):
:raises: DriverNotFound, if driver is not loaded on any of the :raises: DriverNotFound, if driver is not loaded on any of the
conductors. conductors.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy(
policy.authorize('baremetal:driver:get_raid_logical_disk_properties', 'baremetal:driver:get_raid_logical_disk_properties')
cdict, cdict)
if not api_utils.allow_raid_config(): if not api_utils.allow_raid_config():
raise exception.NotAcceptable() raise exception.NotAcceptable()
@ -305,9 +301,7 @@ class DriversController(rest.RestController):
# will break from a single-line doc string. # will break from a single-line doc string.
# This is a result of a bug in sphinxcontrib-pecanwsme # This is a result of a bug in sphinxcontrib-pecanwsme
# https://github.com/dreamhost/sphinxcontrib-pecanwsme/issues/8 # https://github.com/dreamhost/sphinxcontrib-pecanwsme/issues/8
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:driver:get')
policy.authorize('baremetal:driver:get', cdict, cdict)
api_utils.check_allow_driver_detail(detail) api_utils.check_allow_driver_detail(detail)
api_utils.check_allow_filter_driver_type(type) api_utils.check_allow_filter_driver_type(type)
if type not in (None, 'classic', 'dynamic'): if type not in (None, 'classic', 'dynamic'):
@ -332,8 +326,7 @@ class DriversController(rest.RestController):
# retrieving a list of drivers using the current sqlalchemy schema, but # retrieving a list of drivers using the current sqlalchemy schema, but
# this path must be exposed for Pecan to route any paths we might # this path must be exposed for Pecan to route any paths we might
# choose to expose below it. # choose to expose below it.
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:driver:get')
policy.authorize('baremetal:driver:get', cdict, cdict)
hw_type_dict = api.request.dbapi.get_active_hardware_type_dict() hw_type_dict = api.request.dbapi.get_active_hardware_type_dict()
for name, hosts in hw_type_dict.items(): for name, hosts in hw_type_dict.items():
@ -355,8 +348,7 @@ class DriversController(rest.RestController):
:raises: DriverNotFound (HTTP 404) if the driver name is invalid or :raises: DriverNotFound (HTTP 404) if the driver name is invalid or
the driver cannot be loaded. the driver cannot be loaded.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:driver:get_properties')
policy.authorize('baremetal:driver:get_properties', cdict, cdict)
if driver_name not in _DRIVER_PROPERTIES: if driver_name not in _DRIVER_PROPERTIES:
topic = api.request.rpcapi.get_topic_for_driver(driver_name) topic = api.request.rpcapi.get_topic_for_driver(driver_name)


@ -16,12 +16,10 @@ from ironic_lib import metrics_utils
from oslo_log import log from oslo_log import log
import pecan import pecan
from ironic import api
from ironic.api.controllers.v1 import utils as api_utils from ironic.api.controllers.v1 import utils as api_utils
from ironic.api import method from ironic.api import method
from ironic.common import args from ironic.common import args
from ironic.common import exception from ironic.common import exception
from ironic.common import policy
METRICS = metrics_utils.get_metrics_logger(__name__) METRICS = metrics_utils.get_metrics_logger(__name__)
@ -104,7 +102,6 @@ class EventsController(pecan.rest.RestController):
def post(self, evts): def post(self, evts):
if not api_utils.allow_expose_events(): if not api_utils.allow_expose_events():
raise exception.NotFound() raise exception.NotFound()
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:events:post')
policy.authorize('baremetal:events:post', cdict, cdict)
for e in evts['events']: for e in evts['events']:
LOG.debug("Received external event: %s", e) LOG.debug("Received external event: %s", e)


@ -506,8 +506,7 @@ class IndicatorController(rest.RestController):
mod:`ironic.common.indicator_states`. mod:`ironic.common.indicator_states`.
""" """
cdict = pecan.request.context.to_policy_values() api_utils.check_policy('baremetal:node:set_indicator_state')
policy.authorize('baremetal:node:set_indicator_state', cdict, cdict)
rpc_node = api_utils.get_rpc_node(node_ident) rpc_node = api_utils.get_rpc_node(node_ident)
topic = pecan.request.rpcapi.get_topic_for(rpc_node) topic = pecan.request.rpcapi.get_topic_for(rpc_node)
@ -529,8 +528,7 @@ class IndicatorController(rest.RestController):
:returns: a dict with the "state" key and one of :returns: a dict with the "state" key and one of
mod:`ironic.common.indicator_states` as a value. mod:`ironic.common.indicator_states` as a value.
""" """
cdict = pecan.request.context.to_policy_values() api_utils.check_policy('baremetal:node:get_indicator_state')
policy.authorize('baremetal:node:get_indicator_state', cdict, cdict)
rpc_node = api_utils.get_rpc_node(node_ident) rpc_node = api_utils.get_rpc_node(node_ident)
topic = pecan.request.rpcapi.get_topic_for(rpc_node) topic = pecan.request.rpcapi.get_topic_for(rpc_node)
@ -553,8 +551,7 @@ class IndicatorController(rest.RestController):
(from `get_supported_indicators`) as values. (from `get_supported_indicators`) as values.
""" """
cdict = pecan.request.context.to_policy_values() api_utils.check_policy('baremetal:node:get_indicator_state')
policy.authorize('baremetal:node:get_indicator_state', cdict, cdict)
rpc_node = api_utils.get_rpc_node(node_ident) rpc_node = api_utils.get_rpc_node(node_ident)
topic = pecan.request.rpcapi.get_topic_for(rpc_node) topic = pecan.request.rpcapi.get_topic_for(rpc_node)
@ -1995,8 +1992,7 @@ class NodesController(rest.RestController):
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:node:create')
policy.authorize('baremetal:node:create', cdict, cdict)
reject_fields_in_newer_versions(node) reject_fields_in_newer_versions(node)
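Review bot: In the three IndicatorController handlers, `check_policy(...)` runs before `api_utils.get_rpc_node(node_ident)` and receives only the rule name, so the decision cannot depend on the node being addressed (for example its owner). This matches the removed `policy.authorize(..., cdict, cdict)` calls, so behaviour looks unchanged. If the secure-rbac work mentioned in the description is meant to scope indicator access per project, these call sites would need a node-aware check such as `api_utils.check_node_policy_and_retrieve` (assuming its signature fits) instead. Until then, a comment like `# NOTE: policy is checked without the node as target` would flag the gap. The handler bodies begin and end outside the hunks shown.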


@ -30,7 +30,6 @@ from ironic.api import method
from ironic.common import args from ironic.common import args
from ironic.common import exception from ironic.common import exception
from ironic.common.i18n import _ from ironic.common.i18n import _
from ironic.common import policy
from ironic.common import states as ir_states from ironic.common import states as ir_states
from ironic import objects from ironic import objects
@ -501,8 +500,7 @@ class PortsController(rest.RestController):
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:port:create')
policy.authorize('baremetal:port:create', cdict, cdict)
# NOTE(lucasagomes): Create the node_id attribute on-the-fly # NOTE(lucasagomes): Create the node_id attribute on-the-fly
# to satisfy the api -> rpc object # to satisfy the api -> rpc object


@ -27,7 +27,6 @@ from ironic.api import method
from ironic.common import args from ironic.common import args
from ironic.common import exception from ironic.common import exception
from ironic.common.i18n import _ from ironic.common.i18n import _
from ironic.common import policy
from ironic.common import states as ir_states from ironic.common import states as ir_states
from ironic import objects from ironic import objects
@ -269,8 +268,7 @@ class PortgroupsController(pecan.rest.RestController):
if not api_utils.allow_portgroups(): if not api_utils.allow_portgroups():
raise exception.NotFound() raise exception.NotFound()
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:portgroup:get')
policy.authorize('baremetal:portgroup:get', cdict, cdict)
api_utils.check_allowed_portgroup_fields(fields) api_utils.check_allowed_portgroup_fields(fields)
api_utils.check_allowed_portgroup_fields([sort_key]) api_utils.check_allowed_portgroup_fields([sort_key])
@ -308,8 +306,7 @@ class PortgroupsController(pecan.rest.RestController):
if not api_utils.allow_portgroups(): if not api_utils.allow_portgroups():
raise exception.NotFound() raise exception.NotFound()
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:portgroup:get')
policy.authorize('baremetal:portgroup:get', cdict, cdict)
api_utils.check_allowed_portgroup_fields([sort_key]) api_utils.check_allowed_portgroup_fields([sort_key])
# NOTE: /detail should only work against collections # NOTE: /detail should only work against collections
@ -335,8 +332,7 @@ class PortgroupsController(pecan.rest.RestController):
if not api_utils.allow_portgroups(): if not api_utils.allow_portgroups():
raise exception.NotFound() raise exception.NotFound()
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:portgroup:get')
policy.authorize('baremetal:portgroup:get', cdict, cdict)
if self.parent_node_ident: if self.parent_node_ident:
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()
@ -360,8 +356,7 @@ class PortgroupsController(pecan.rest.RestController):
raise exception.NotFound() raise exception.NotFound()
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:portgroup:create')
policy.authorize('baremetal:portgroup:create', cdict, cdict)
if self.parent_node_ident: if self.parent_node_ident:
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()
@ -414,8 +409,7 @@ class PortgroupsController(pecan.rest.RestController):
raise exception.NotFound() raise exception.NotFound()
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:portgroup:update')
policy.authorize('baremetal:portgroup:update', cdict, cdict)
if self.parent_node_ident: if self.parent_node_ident:
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()
@ -511,8 +505,7 @@ class PortgroupsController(pecan.rest.RestController):
raise exception.NotFound() raise exception.NotFound()
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:portgroup:delete')
policy.authorize('baremetal:portgroup:delete', cdict, cdict)
if self.parent_node_ident: if self.parent_node_ident:
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()


@ -25,7 +25,6 @@ from ironic.api import method
from ironic.common import args from ironic.common import args
from ironic.common import exception from ironic.common import exception
from ironic.common.i18n import _ from ironic.common.i18n import _
from ironic.common import policy
from ironic.common import states from ironic.common import states
from ironic.common import utils from ironic.common import utils
from ironic import objects from ironic import objects
@ -95,8 +94,7 @@ class LookupController(rest.RestController):
if not api_utils.allow_ramdisk_endpoints(): if not api_utils.allow_ramdisk_endpoints():
raise exception.NotFound() raise exception.NotFound()
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:driver:ipa_lookup')
policy.authorize('baremetal:driver:ipa_lookup', cdict, cdict)
# Validate the list of MAC addresses # Validate the list of MAC addresses
if addresses is None: if addresses is None:
@ -187,8 +185,7 @@ class HeartbeatController(rest.RestController):
raise exception.InvalidParameterValue( raise exception.InvalidParameterValue(
_('Field "agent_version" not recognised')) _('Field "agent_version" not recognised'))
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:node:ipa_heartbeat')
policy.authorize('baremetal:node:ipa_heartbeat', cdict, cdict)
if (agent_verify_ca is not None if (agent_verify_ca is not None
and not api_utils.allow_verify_ca_in_heartbeat()): and not api_utils.allow_verify_ca_in_heartbeat()):
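Review bot: In HeartbeatController the `check_policy('baremetal:node:ipa_heartbeat')` call comes after the `agent_version` check that raises `InvalidParameterValue`, so a caller the policy would reject gets a parameter error first rather than a forbidden response. Authorizing before validating request fields is the safer order. Since this line is being rewritten anyway, it could move above that validation, or a comment could state why the current order is intentional. The method starts and ends outside the hunk, so earlier checks that are not visible here may already account for this.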


@ -24,7 +24,6 @@ from ironic.api.controllers.v1 import volume_connector
from ironic.api.controllers.v1 import volume_target from ironic.api.controllers.v1 import volume_target
from ironic.api import method from ironic.api import method
from ironic.common import exception from ironic.common import exception
from ironic.common import policy
def convert(node_ident=None): def convert(node_ident=None):
@ -72,8 +71,7 @@ class VolumeController(rest.RestController):
if not api_utils.allow_volume(): if not api_utils.allow_volume():
raise exception.NotFound() raise exception.NotFound()
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:volume:get')
policy.authorize('baremetal:volume:get', cdict, cdict)
return convert(self.parent_node_ident) return convert(self.parent_node_ident)


@ -27,7 +27,6 @@ from ironic.api import method
from ironic.common import args from ironic.common import args
from ironic.common import exception from ironic.common import exception
from ironic.common.i18n import _ from ironic.common.i18n import _
from ironic.common import policy
from ironic import objects from ironic import objects
METRICS = metrics_utils.get_metrics_logger(__name__) METRICS = metrics_utils.get_metrics_logger(__name__)
@ -180,8 +179,7 @@ class VolumeConnectorsController(rest.RestController):
:raises: InvalidParameterValue if sort key is invalid for sorting. :raises: InvalidParameterValue if sort key is invalid for sorting.
:raises: InvalidParameterValue if both fields and detail are specified. :raises: InvalidParameterValue if both fields and detail are specified.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:volume:get')
policy.authorize('baremetal:volume:get', cdict, cdict)
if fields is None and not detail: if fields is None and not detail:
fields = _DEFAULT_RETURN_FIELDS fields = _DEFAULT_RETURN_FIELDS
@ -212,8 +210,7 @@ class VolumeConnectorsController(rest.RestController):
:raises: VolumeConnectorNotFound if no volume connector exists with :raises: VolumeConnectorNotFound if no volume connector exists with
the specified UUID. the specified UUID.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:volume:get')
policy.authorize('baremetal:volume:get', cdict, cdict)
if self.parent_node_ident: if self.parent_node_ident:
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()
@ -241,8 +238,7 @@ class VolumeConnectorsController(rest.RestController):
same UUID already exists same UUID already exists
""" """
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:volume:create')
policy.authorize('baremetal:volume:create', cdict, cdict)
if self.parent_node_ident: if self.parent_node_ident:
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()
@ -298,8 +294,7 @@ class VolumeConnectorsController(rest.RestController):
volume connector is not powered off. volume connector is not powered off.
""" """
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:volume:update')
policy.authorize('baremetal:volume:update', cdict, cdict)
if self.parent_node_ident: if self.parent_node_ident:
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()
@ -375,8 +370,7 @@ class VolumeConnectorsController(rest.RestController):
volume connector is not powered off. volume connector is not powered off.
""" """
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:volume:delete')
policy.authorize('baremetal:volume:delete', cdict, cdict)
if self.parent_node_ident: if self.parent_node_ident:
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()


@ -27,7 +27,6 @@ from ironic.api import method
from ironic.common import args from ironic.common import args
from ironic.common import exception from ironic.common import exception
from ironic.common.i18n import _ from ironic.common.i18n import _
from ironic.common import policy
from ironic import objects from ironic import objects
METRICS = metrics_utils.get_metrics_logger(__name__) METRICS = metrics_utils.get_metrics_logger(__name__)
@ -189,8 +188,7 @@ class VolumeTargetsController(rest.RestController):
:raises: InvalidParameterValue if sort key is invalid for sorting. :raises: InvalidParameterValue if sort key is invalid for sorting.
:raises: InvalidParameterValue if both fields and detail are specified. :raises: InvalidParameterValue if both fields and detail are specified.
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:volume:get')
policy.authorize('baremetal:volume:get', cdict, cdict)
if fields is None and not detail: if fields is None and not detail:
fields = _DEFAULT_RETURN_FIELDS fields = _DEFAULT_RETURN_FIELDS
@ -222,8 +220,7 @@ class VolumeTargetsController(rest.RestController):
node. node.
:raises: VolumeTargetNotFound if no volume target with this UUID exists :raises: VolumeTargetNotFound if no volume target with this UUID exists
""" """
cdict = api.request.context.to_policy_values() api_utils.check_policy('baremetal:volume:get')
policy.authorize('baremetal:volume:get', cdict, cdict)
if self.parent_node_ident: if self.parent_node_ident:
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()
@ -251,8 +248,7 @@ class VolumeTargetsController(rest.RestController):
UUID exists UUID exists
""" """
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:volume:create')
policy.authorize('baremetal:volume:create', cdict, cdict)
if self.parent_node_ident: if self.parent_node_ident:
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()
@ -305,8 +301,7 @@ class VolumeTargetsController(rest.RestController):
volume target is not powered off. volume target is not powered off.
""" """
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:volume:update')
policy.authorize('baremetal:volume:update', cdict, cdict)
if self.parent_node_ident: if self.parent_node_ident:
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()
@ -379,8 +374,7 @@ class VolumeTargetsController(rest.RestController):
volume target is not powered off. volume target is not powered off.
""" """
context = api.request.context context = api.request.context
cdict = context.to_policy_values() api_utils.check_policy('baremetal:volume:delete')
policy.authorize('baremetal:volume:delete', cdict, cdict)
if self.parent_node_ident: if self.parent_node_ident:
raise exception.OperationNotPermitted() raise exception.OperationNotPermitted()