
Pass a mutable target to oslo policy enforcer

Magnum API previously passed magnum.objects.cluster.Cluster objects as
the target argument to magnum.common.policy.enforce(). However, enforce()
expects target to be a mutable mapping, as it adds an entry for
trustee_domain_id which is used by the magnum policy.json. This causes
cluster detailed GET requests to fail with the following message:

AttributeError: 'Cluster' object has no attribute 'trustee_domain_id'

This change uses the as_dict() method of the magnum RPC objects to
provide a mutable mapping to the policy enforcer.

Change-Id: I54b136243afff9e0fadae3be4b36cad1679e5721
Closes-Bug: #1689797
(cherry picked from commit f1326626b9)
Mark Goddard 1 year ago
parent
commit
3afe70ad80

+ 3
- 3
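--- a/magnum/api/controllers/v1/bay.py
+++ b/magnum/api/controllers/v1/bay.py
@@ -372,7 +372,7 @@ class BaysController(base.Controller):
         """
         context = pecan.request.context
         bay = api_utils.get_resource('Cluster', bay_ident)
-        policy.enforce(context, 'bay:get', bay,
+        policy.enforce(context, 'bay:get', bay.as_dict(),
                        action='bay:get')
 
         bay = Bay.convert_with_links(bay)
@@ -479,7 +479,7 @@ class BaysController(base.Controller):
     def _patch(self, bay_ident, patch):
         context = pecan.request.context
         bay = api_utils.get_resource('Cluster', bay_ident)
-        policy.enforce(context, 'bay:update', bay,
+        policy.enforce(context, 'bay:update', bay.as_dict(),
                        action='bay:update')
         try:
             bay_dict = bay.as_dict()
@@ -529,6 +529,6 @@ class BaysController(base.Controller):
     def _delete(self, bay_ident):
         context = pecan.request.context
         bay = api_utils.get_resource('Cluster', bay_ident)
-        policy.enforce(context, 'bay:delete', bay,
+        policy.enforce(context, 'bay:delete', bay.as_dict(),
                        action='bay:delete')
         return bay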
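Review bot: Converting the target at each call site (here `bay:get`, `bay:update` and `bay:delete`) leaves the "target must be a mutable mapping" requirement unenforced, so any new or missed caller that hands an RPC object to `policy.enforce()` will presumably fail the authorization path with the same AttributeError. The conversion would be more robust inside `magnum.common.policy.enforce()` itself (not shown on this page), for example `if hasattr(target, 'as_dict'): target = target.as_dict()` before the `trustee_domain_id` entry is added. The same point applies to the `enforce()` calls in baymodel.py, certificate.py, cluster.py and cluster_template.py. The enclosing controller methods start and end outside these hunks.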

+ 3
- 3
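--- a/magnum/api/controllers/v1/baymodel.py
+++ b/magnum/api/controllers/v1/baymodel.py
@@ -312,7 +312,7 @@ class BayModelsController(base.Controller):
         context = pecan.request.context
         baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
         if not baymodel.public:
-            policy.enforce(context, 'baymodel:get', baymodel,
+            policy.enforce(context, 'baymodel:get', baymodel.as_dict(),
                            action='baymodel:get')
 
         return BayModel.convert_with_links(baymodel)
@@ -369,7 +369,7 @@ class BayModelsController(base.Controller):
         """
         context = pecan.request.context
         baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
-        policy.enforce(context, 'baymodel:update', baymodel,
+        policy.enforce(context, 'baymodel:update', baymodel.as_dict(),
                        action='baymodel:update')
         try:
             baymodel_dict = baymodel.as_dict()
@@ -410,6 +410,6 @@ class BayModelsController(base.Controller):
         """
         context = pecan.request.context
         baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
-        policy.enforce(context, 'baymodel:delete', baymodel,
+        policy.enforce(context, 'baymodel:delete', baymodel.as_dict(),
                        action='baymodel:delete')
         baymodel.destroy()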

+ 3
- 3
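--- a/magnum/api/controllers/v1/certificate.py
+++ b/magnum/api/controllers/v1/certificate.py
@@ -143,7 +143,7 @@ class CertificateController(base.Controller):
         """
         context = pecan.request.context
         cluster = api_utils.get_resource('Cluster', cluster_ident)
-        policy.enforce(context, 'certificate:get', cluster,
+        policy.enforce(context, 'certificate:get', cluster.as_dict(),
                        action='certificate:get')
         certificate = pecan.request.rpcapi.get_ca_certificate(cluster)
         return Certificate.convert_with_links(certificate)
@@ -156,7 +156,7 @@ class CertificateController(base.Controller):
         """
         context = pecan.request.context
         cluster = certificate.get_cluster()
-        policy.enforce(context, 'certificate:create', cluster,
+        policy.enforce(context, 'certificate:create', cluster.as_dict(),
                        action='certificate:create')
         certificate_dict = certificate.as_dict()
         certificate_dict['project_id'] = context.project_id
@@ -171,7 +171,7 @@ class CertificateController(base.Controller):
     def patch(self, cluster_ident):
         context = pecan.request.context
         cluster = api_utils.get_resource('Cluster', cluster_ident)
-        policy.enforce(context, 'certificate:rotate_ca', cluster,
+        policy.enforce(context, 'certificate:rotate_ca', cluster.as_dict(),
                        action='certificate:rotate_ca')
         if cluster.cluster_template.tls_disabled:
             raise exception.NotSupported("Rotating the CA certificate on a "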

+ 3
- 3
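--- a/magnum/api/controllers/v1/cluster.py
+++ b/magnum/api/controllers/v1/cluster.py
@@ -346,7 +346,7 @@ class ClustersController(base.Controller):
         """
         context = pecan.request.context
         cluster = api_utils.get_resource('Cluster', cluster_ident)
-        policy.enforce(context, 'cluster:get', cluster,
+        policy.enforce(context, 'cluster:get', cluster.as_dict(),
                        action='cluster:get')
 
         cluster = Cluster.convert_with_links(cluster)
@@ -451,7 +451,7 @@ class ClustersController(base.Controller):
     def _patch(self, cluster_ident, patch):
         context = pecan.request.context
         cluster = api_utils.get_resource('Cluster', cluster_ident)
-        policy.enforce(context, 'cluster:update', cluster,
+        policy.enforce(context, 'cluster:update', cluster.as_dict(),
                        action='cluster:update')
         try:
             cluster_dict = cluster.as_dict()
@@ -485,7 +485,7 @@ class ClustersController(base.Controller):
         """
         context = pecan.request.context
         cluster = api_utils.get_resource('Cluster', cluster_ident)
-        policy.enforce(context, 'cluster:delete', cluster,
+        policy.enforce(context, 'cluster:delete', cluster.as_dict(),
                        action='cluster:delete')
 
         pecan.request.rpcapi.cluster_delete_async(cluster.uuid)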
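Review bot: In `_patch` the object is now serialised twice, once for `policy.enforce()` and again for `cluster_dict` inside the `try`, and nothing in the code says why. Per the commit message enforce() adds `trustee_domain_id` to its target, so the two dicts should stay separate. A comment above the call, such as `# enforce() mutates its target; pass a throwaway copy, not cluster_dict`, would stop a later cleanup from merging them, which would presumably carry the policy-only key into the data being patched. The same pattern appears in `_patch` in bay.py and in the update hunks of baymodel.py and cluster_template.py. The `_patch` body continues outside the hunk.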

+ 6
- 3
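--- a/magnum/api/controllers/v1/cluster_template.py
+++ b/magnum/api/controllers/v1/cluster_template.py
@@ -320,7 +320,8 @@ class ClusterTemplatesController(base.Controller):
         cluster_template = api_utils.get_resource('ClusterTemplate',
                                                   cluster_template_ident)
         if not cluster_template.public:
-            policy.enforce(context, 'clustertemplate:get', cluster_template,
+            policy.enforce(context, 'clustertemplate:get',
+                           cluster_template.as_dict(),
                            action='clustertemplate:get')
 
         return ClusterTemplate.convert_with_links(cluster_template)
@@ -383,7 +384,8 @@ class ClusterTemplatesController(base.Controller):
         context = pecan.request.context
         cluster_template = api_utils.get_resource('ClusterTemplate',
                                                   cluster_template_ident)
-        policy.enforce(context, 'clustertemplate:update', cluster_template,
+        policy.enforce(context, 'clustertemplate:update',
+                       cluster_template.as_dict(),
                        action='clustertemplate:update')
         try:
             cluster_template_dict = cluster_template.as_dict()
@@ -427,6 +429,7 @@ class ClusterTemplatesController(base.Controller):
         context = pecan.request.context
         cluster_template = api_utils.get_resource('ClusterTemplate',
                                                   cluster_template_ident)
-        policy.enforce(context, 'clustertemplate:delete', cluster_template,
+        policy.enforce(context, 'clustertemplate:delete',
+                       cluster_template.as_dict(),
                        action='clustertemplate:delete')
         cluster_template.destroy()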
