From 633abbeff876599f1eb286f3620550f8cbca3f0c Mon Sep 17 00:00:00 2001
From: Vladyslav Drok
Date: Fri, 16 Dec 2016 13:30:29 +0200
Subject: [PATCH] Fix policy dict checkers

After the ironic context refactor, the default policy values were changed to use project_domain_id and project_name, while not changing the checker methods in API to fetch the correct values from the context. This change fixes this issue.

Closes-Bug: #1650203
Change-Id: If9bf67b9d7d6f66b12a99d1ee7826af9634415b5
---
 ironic/api/controllers/v1/chassis.py | 12 +++---
 ironic/api/controllers/v1/driver.py | 12 +++---
 ironic/api/controllers/v1/node.py | 42 +++++++++----------
 ironic/api/controllers/v1/port.py | 12 +++---
 ironic/api/controllers/v1/portgroup.py | 12 +++---
 ironic/api/controllers/v1/ramdisk.py | 4 +-
 .../fix-policy-checkers-1a08203e3c2cf859.yaml | 4 ++
 7 files changed, 51 insertions(+), 47 deletions(-)
 create mode 100644 releasenotes/notes/fix-policy-checkers-1a08203e3c2cf859.yaml

diff --git a/ironic/api/controllers/v1/chassis.py b/ironic/api/controllers/v1/chassis.py
index 2725d0633d..6f837e221b 100644
--- a/ironic/api/controllers/v1/chassis.py
+++ b/ironic/api/controllers/v1/chassis.py
@@ -211,7 +211,7 @@ class ChassisController(rest.RestController):
 :param fields: Optional, a list with a specified set of fields of the resource to be returned. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:chassis:get', cdict, cdict)
 api_utils.check_allow_specify_fields(fields)
@@ -234,7 +234,7 @@ class ChassisController(rest.RestController):
 :param sort_key: column to sort results by. Default: id.
 :param sort_dir: direction to sort. "asc" or "desc". Default: asc. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:chassis:get', cdict, cdict)
 # /detail should only work against collections
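Review bot: The fix is applied by hand at every endpoint as the same two lines, `cdict = pecan.request.context.to_policy_values()` followed by `policy.authorize(<rule>, cdict, cdict)`, which is exactly the shape that let the context refactor miss these call sites in the first place; the same pattern recurs in the driver.py, node.py, port.py, portgroup.py and ramdisk.py hunks. A single helper, e.g. in api_utils, `def check_policy(policy_name): cdict = pecan.request.context.to_policy_values(); policy.authorize(policy_name, cdict, cdict)`, would give one place to keep in step with the context API. Note too that the same dict is passed as both target and credentials, so a rule that scopes on target attributes such as project_name cannot distinguish the caller from the resource; a one-line comment stating that the target is intentionally the caller's own policy values would spare the next reader that question. The diffstat lists no test change, so nothing visible pins that `policy.authorize` now receives values carrying the `project_domain_id`/`project_name` keys the defaults reference; a regression test exercising the default rules against a context built the same way would close the loop on bug #1650203. The methods these hunks touch all start outside the hunks.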
@@ -255,7 +255,7 @@ class ChassisController(rest.RestController):
 :param fields: Optional, a list with a specified set of fields of the resource to be returned. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:chassis:get', cdict, cdict)
 api_utils.check_allow_specify_fields(fields)
@@ -270,7 +270,7 @@ class ChassisController(rest.RestController):
 :param chassis: a chassis within the request body. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:chassis:create', cdict, cdict)
 new_chassis = objects.Chassis(pecan.request.context,
@@ -289,7 +289,7 @@ class ChassisController(rest.RestController):
 :param chassis_uuid: UUID of a chassis.
 :param patch: a json PATCH document to apply to this chassis. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:chassis:update', cdict, cdict)
 rpc_chassis = objects.Chassis.get_by_uuid(pecan.request.context,
@@ -323,7 +323,7 @@ class ChassisController(rest.RestController):
 :param chassis_uuid: UUID of a chassis. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:chassis:delete', cdict, cdict)
 rpc_chassis = objects.Chassis.get_by_uuid(pecan.request.context,
diff --git a/ironic/api/controllers/v1/driver.py b/ironic/api/controllers/v1/driver.py
index fed3f9593f..d2dbc12c26 100644
--- a/ironic/api/controllers/v1/driver.py
+++ b/ironic/api/controllers/v1/driver.py
@@ -154,7 +154,7 @@ class DriverPassthruController(rest.RestController):
 :raises: DriverNotFound if the driver name is invalid or the driver cannot be loaded. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:driver:vendor_passthru', cdict, cdict)
 if driver_name not in _VENDOR_METHODS:
@@ -176,7 +176,7 @@ class DriverPassthruController(rest.RestController):
 implementation.
 :param data: body of data to supply to the specified method. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 if method == "lookup":
 policy.authorize('baremetal:driver:ipa_lookup', cdict, cdict)
 else:
@@ -208,7 +208,7 @@ class DriverRaidController(rest.RestController):
 :raises: DriverNotFound, if driver is not loaded on any of the conductors. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:driver:get_raid_logical_disk_properties', cdict, cdict)
@@ -250,7 +250,7 @@ class DriversController(rest.RestController):
 # will break from a single-line doc string.
 # This is a result of a bug in sphinxcontrib-pecanwsme
 # https://github.com/dreamhost/sphinxcontrib-pecanwsme/issues/8
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:driver:get', cdict, cdict)
 driver_list = pecan.request.dbapi.get_active_driver_dict()
@@ -264,7 +264,7 @@ class DriversController(rest.RestController):
 # retrieving a list of drivers using the current sqlalchemy schema, but
 # this path must be exposed for Pecan to route any paths we might
 # choose to expose below it.
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:driver:get', cdict, cdict)
 driver_dict = pecan.request.dbapi.get_active_driver_dict()
@@ -285,7 +285,7 @@ class DriversController(rest.RestController):
 :raises: DriverNotFound (HTTP 404) if the driver name is invalid or the driver cannot be loaded. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:driver:get_properties', cdict, cdict)
 if driver_name not in _DRIVER_PROPERTIES:
diff --git a/ironic/api/controllers/v1/node.py b/ironic/api/controllers/v1/node.py
index cb371f2526..8f0d833180 100644
--- a/ironic/api/controllers/v1/node.py
+++ b/ironic/api/controllers/v1/node.py
@@ -196,7 +196,7 @@ class BootDeviceController(rest.RestController):
 Default: False. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:set_boot_device', cdict, cdict)
 rpc_node = api_utils.get_rpc_node(node_ident)
@@ -221,7 +221,7 @@ class BootDeviceController(rest.RestController):
 future boots or not, None if it is unknown. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:get_boot_device', cdict, cdict)
 return self._get_boot_device(node_ident)
@@ -236,7 +236,7 @@ class BootDeviceController(rest.RestController):
 devices. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:get_boot_device', cdict, cdict)
 boot_devices = self._get_boot_device(node_ident, supported=True)
@@ -274,7 +274,7 @@ class NodeConsoleController(rest.RestController):
 :param node_ident: UUID or logical name of a node. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:get_console', cdict, cdict)
 rpc_node = api_utils.get_rpc_node(node_ident)
@@ -299,7 +299,7 @@ class NodeConsoleController(rest.RestController):
 :param enabled: Boolean value; whether to enable or disable the console. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:set_console_state', cdict, cdict)
 rpc_node = api_utils.get_rpc_node(node_ident)
@@ -390,7 +390,7 @@ class NodeStatesController(rest.RestController):
 :param node_ident: the UUID or logical_name of a node. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:get_states', cdict, cdict)
 # NOTE(lucasagomes): All these state values come from the
@@ -414,7 +414,7 @@ class NodeStatesController(rest.RestController):
 :raises: NotAcceptable, if requested version of the API is less than 1.12. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:set_raid_state', cdict, cdict)
 if not api_utils.allow_raid_config():
@@ -445,7 +445,7 @@ class NodeStatesController(rest.RestController):
 state is not valid or if the node is in CLEANING state. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:set_power_state', cdict, cdict)
 # TODO(lucasagomes): Test if it's able to transition to the
@@ -525,7 +525,7 @@ class NodeStatesController(rest.RestController):
 :raises: NotAcceptable (HTTP 406) if the API version specified does not allow the requested state transition. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:set_provision_state', cdict, cdict)
 api_utils.check_allow_management_verbs(target)
@@ -826,7 +826,7 @@ class Node(base.APIBase):
 if fields is not None:
 api_utils.check_for_invalid_fields(fields, node.as_dict())
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 # NOTE(deva): the 'show_password' policy setting name exists for legacy
 # purposes and can not be changed. Changing it will cause
 # upgrade problems for any operators who have customized
@@ -962,7 +962,7 @@ class NodeVendorPassthruController(rest.RestController):
 entries.
 :raises: NodeNotFound if the node is not found. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:vendor_passthru', cdict, cdict)
 # Raise an exception if node is not found
@@ -986,7 +986,7 @@ class NodeVendorPassthruController(rest.RestController):
 :param method: name of the method in vendor driver.
 :param data: body of data to supply to the specified method. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 if method == 'heartbeat':
 policy.authorize('baremetal:node:ipa_heartbeat', cdict, cdict)
 else:
@@ -1024,7 +1024,7 @@ class NodeMaintenanceController(rest.RestController):
 :param reason: Optional, the reason why it's in maintenance. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:set_maintenance', cdict, cdict)
 self._set_maintenance(node_ident, True, reason=reason)
@@ -1037,7 +1037,7 @@ class NodeMaintenanceController(rest.RestController):
 :param node_ident: the UUID or logical name of a node. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:clear_maintenance', cdict, cdict)
 self._set_maintenance(node_ident, False)
@@ -1268,7 +1268,7 @@ class NodesController(rest.RestController):
 :param fields: Optional, a list with a specified set of fields of the resource to be returned. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:get', cdict, cdict)
 api_utils.check_allow_specify_fields(fields)
@@ -1320,7 +1320,7 @@ class NodesController(rest.RestController):
 :param resource_class: Optional string value to get only nodes with that resource_class. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:get', cdict, cdict)
 api_utils.check_for_invalid_state_and_allow_filter(provision_state)
@@ -1351,7 +1351,7 @@ class NodesController(rest.RestController):
 :param node: UUID or name of a node.
 :param node_uuid: UUID of a node. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:validate', cdict, cdict)
 if node is not None:
@@ -1376,7 +1376,7 @@ class NodesController(rest.RestController):
 :param fields: Optional, a list with a specified set of fields of the resource to be returned. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:get', cdict, cdict)
 if self.from_chassis:
@@ -1395,7 +1395,7 @@ class NodesController(rest.RestController):
 :param node: a node within the request body. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:create', cdict, cdict)
 if self.from_chassis:
@@ -1448,7 +1448,7 @@ class NodesController(rest.RestController):
 :param node_ident: UUID or logical name of a node.
 :param patch: a json PATCH document to apply to this node. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:update', cdict, cdict)
 if self.from_chassis:
@@ -1521,7 +1521,7 @@ class NodesController(rest.RestController):
 :param node_ident: UUID or logical name of a node. """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:delete', cdict, cdict)
 if self.from_chassis:
diff --git a/ironic/api/controllers/v1/port.py b/ironic/api/controllers/v1/port.py
index 7fac0da03a..1148fbc8e9 100644
--- a/ironic/api/controllers/v1/port.py
+++ b/ironic/api/controllers/v1/port.py
@@ -383,7 +383,7 @@ class PortsController(rest.RestController):
 for that portgroup.
 :raises: NotAcceptable, HTTPNotFound """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:port:get', cdict, cdict)
 api_utils.check_allow_specify_fields(fields)
@@ -441,7 +441,7 @@ class PortsController(rest.RestController):
 :param sort_dir: direction to sort. "asc" or "desc". Default: asc.
 :raises: NotAcceptable, HTTPNotFound """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:port:get', cdict, cdict)
 if portgroup and not api_utils.allow_portgroups_subcontrollers():
@@ -475,7 +475,7 @@ class PortsController(rest.RestController):
 of the resource to be returned.
 :raises: NotAcceptable, HTTPNotFound """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:port:get', cdict, cdict)
 if self.parent_node_ident or self.parent_portgroup_ident:
@@ -494,7 +494,7 @@ class PortsController(rest.RestController):
 :param port: a port within the request body.
 :raises: NotAcceptable, HTTPNotFound, Conflict """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:port:create', cdict, cdict)
 if self.parent_node_ident or self.parent_portgroup_ident:
@@ -540,7 +540,7 @@ class PortsController(rest.RestController):
 :param patch: a json PATCH document to apply to this port.
 :raises: NotAcceptable, HTTPNotFound """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:port:update', cdict, cdict)
 if self.parent_node_ident or self.parent_portgroup_ident:
@@ -608,7 +608,7 @@ class PortsController(rest.RestController):
 :param port_uuid: UUID of a port.
 :raises OperationNotPermitted, HTTPNotFound """
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:port:delete', cdict, cdict)
 if self.parent_node_ident or self.parent_portgroup_ident:
diff --git a/ironic/api/controllers/v1/portgroup.py b/ironic/api/controllers/v1/portgroup.py
index 2db9a579ef..615fc3bf5d 100644
--- a/ironic/api/controllers/v1/portgroup.py
+++ b/ironic/api/controllers/v1/portgroup.py
@@ -336,7 +336,7 @@ class PortgroupsController(pecan.rest.RestController):
 if not api_utils.allow_portgroups():
 raise exception.NotFound()
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:portgroup:get', cdict, cdict)
 if fields is None:
@@ -369,7 +369,7 @@ class PortgroupsController(pecan.rest.RestController):
 if not api_utils.allow_portgroups():
 raise exception.NotFound()
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:portgroup:get', cdict, cdict)
 # NOTE: /detail should only work against collections
@@ -394,7 +394,7 @@ class PortgroupsController(pecan.rest.RestController):
 if not api_utils.allow_portgroups():
 raise exception.NotFound()
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:portgroup:get', cdict, cdict)
 if self.parent_node_ident:
@@ -413,7 +413,7 @@ class PortgroupsController(pecan.rest.RestController):
 if not api_utils.allow_portgroups():
 raise exception.NotFound()
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:portgroup:create', cdict, cdict)
 if self.parent_node_ident:
@@ -446,7 +446,7 @@ class PortgroupsController(pecan.rest.RestController):
 if not api_utils.allow_portgroups():
 raise exception.NotFound()
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:portgroup:update', cdict, cdict)
 if self.parent_node_ident:
@@ -509,7 +509,7 @@ class PortgroupsController(pecan.rest.RestController):
 if not api_utils.allow_portgroups():
 raise exception.NotFound()
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:portgroup:delete', cdict, cdict)
 if self.parent_node_ident:
diff --git a/ironic/api/controllers/v1/ramdisk.py b/ironic/api/controllers/v1/ramdisk.py
index cceb1987b4..c6939c19be 100644
--- a/ironic/api/controllers/v1/ramdisk.py
+++ b/ironic/api/controllers/v1/ramdisk.py
@@ -98,7 +98,7 @@ class LookupController(rest.RestController):
 if not api_utils.allow_ramdisk_endpoints():
 raise exception.NotFound()
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:driver:ipa_lookup', cdict, cdict)
 # Validate the list of MAC addresses
@@ -160,7 +160,7 @@ class HeartbeatController(rest.RestController):
 if not api_utils.allow_ramdisk_endpoints():
 raise exception.NotFound()
- cdict = pecan.request.context.to_dict()
+ cdict = pecan.request.context.to_policy_values()
 policy.authorize('baremetal:node:ipa_heartbeat', cdict, cdict)
 rpc_node = api_utils.get_rpc_node(node_ident)
diff --git a/releasenotes/notes/fix-policy-checkers-1a08203e3c2cf859.yaml b/releasenotes/notes/fix-policy-checkers-1a08203e3c2cf859.yaml
new file mode 100644
index 0000000000..6e196b1117
--- /dev/null
+++ b/releasenotes/notes/fix-policy-checkers-1a08203e3c2cf859.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - Some of the API methods were not using the right context values for
+ checking the policy, this release fixes the issue.