Pass a mutable target to oslo policy enforcer
Magnum API previously passed magnum.objects.cluster.Cluster objects as the target argument to magnum.common.policy.enforce(). However, enforce() expects target to be a mutable mapping, as it adds an entry for trustee_domain_id which is used by the magnum policy.json. This causes cluster detailed GET requests to fail with the following message:

AttributeError: 'Cluster' object has no attribute 'trustee_domain_id'

This change uses the as_dict() method of the magnum RPC objects to provide a mutable mapping to the policy enforcer.

Change-Id: I54b136243afff9e0fadae3be4b36cad1679e5721
Closes-Bug: #1689797
parent
0dee921e6e
commit
f1326626b9
@ -371,7 +371,7 @@ class BaysController(base.Controller):
|
|||||||
"""
|
"""
|
||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
bay = api_utils.get_resource('Cluster', bay_ident)
|
bay = api_utils.get_resource('Cluster', bay_ident)
|
||||||
policy.enforce(context, 'bay:get', bay,
|
policy.enforce(context, 'bay:get', bay.as_dict(),
|
||||||
action='bay:get')
|
action='bay:get')
|
||||||
|
|
||||||
bay = Bay.convert_with_links(bay)
|
bay = Bay.convert_with_links(bay)
|
||||||
@ -478,7 +478,7 @@ class BaysController(base.Controller):
|
|||||||
def _patch(self, bay_ident, patch):
|
def _patch(self, bay_ident, patch):
|
||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
bay = api_utils.get_resource('Cluster', bay_ident)
|
bay = api_utils.get_resource('Cluster', bay_ident)
|
||||||
policy.enforce(context, 'bay:update', bay,
|
policy.enforce(context, 'bay:update', bay.as_dict(),
|
||||||
action='bay:update')
|
action='bay:update')
|
||||||
try:
|
try:
|
||||||
bay_dict = bay.as_dict()
|
bay_dict = bay.as_dict()
|
||||||
@ -528,6 +528,6 @@ class BaysController(base.Controller):
|
|||||||
def _delete(self, bay_ident):
|
def _delete(self, bay_ident):
|
||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
bay = api_utils.get_resource('Cluster', bay_ident)
|
bay = api_utils.get_resource('Cluster', bay_ident)
|
||||||
policy.enforce(context, 'bay:delete', bay,
|
policy.enforce(context, 'bay:delete', bay.as_dict(),
|
||||||
action='bay:delete')
|
action='bay:delete')
|
||||||
return bay
|
return bay
|
||||||
|
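Review bot: Appending `.as_dict()` at each call site (here at `bay:get`, `bay:update` and `bay:delete`, and again in the other four controllers on this page) leaves the mutable-mapping requirement implicit, so the next caller that hands an RPC object to `policy.enforce()` hits the same AttributeError. Since the description says `enforce()` writes `trustee_domain_id` into the target, the conversion would be safer inside `enforce()` itself, for example `target = dict(target) if isinstance(target, dict) else target.as_dict()` before the key is added; `enforce()` is not shown here, so this assumes it can be changed that way. The old failure was fail-closed (an error rather than a skipped check), but a per-endpoint regression test would still be worth adding if the commit does not already carry one. The enclosing methods start and end outside these hunks.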
@ -312,7 +312,7 @@ class BayModelsController(base.Controller):
|
|||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
|
baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
|
||||||
if not baymodel.public:
|
if not baymodel.public:
|
||||||
policy.enforce(context, 'baymodel:get', baymodel,
|
policy.enforce(context, 'baymodel:get', baymodel.as_dict(),
|
||||||
action='baymodel:get')
|
action='baymodel:get')
|
||||||
|
|
||||||
return BayModel.convert_with_links(baymodel)
|
return BayModel.convert_with_links(baymodel)
|
||||||
@ -369,7 +369,7 @@ class BayModelsController(base.Controller):
|
|||||||
"""
|
"""
|
||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
|
baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
|
||||||
policy.enforce(context, 'baymodel:update', baymodel,
|
policy.enforce(context, 'baymodel:update', baymodel.as_dict(),
|
||||||
action='baymodel:update')
|
action='baymodel:update')
|
||||||
try:
|
try:
|
||||||
baymodel_dict = baymodel.as_dict()
|
baymodel_dict = baymodel.as_dict()
|
||||||
@ -410,6 +410,6 @@ class BayModelsController(base.Controller):
|
|||||||
"""
|
"""
|
||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
|
baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
|
||||||
policy.enforce(context, 'baymodel:delete', baymodel,
|
policy.enforce(context, 'baymodel:delete', baymodel.as_dict(),
|
||||||
action='baymodel:delete')
|
action='baymodel:delete')
|
||||||
baymodel.destroy()
|
baymodel.destroy()
|
||||||
|
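Review bot: In the `baymodel:update` hunk the object is now converted twice, once for `policy.enforce()` and once for `baymodel_dict` inside the `try`, and nothing says why the two are kept apart. According to the commit description `enforce()` adds `trustee_domain_id` to its target, so reusing `baymodel_dict` for both would presumably carry that key into the patch path. A comment above the call such as `# enforce() mutates its target; pass a throwaway copy, not baymodel_dict` would stop a later cleanup from merging them. The same pattern appears in `_patch` of BaysController and ClustersController and in the `clustertemplate:update` hunk, and the method body continues past the end of the hunk.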
@ -143,7 +143,7 @@ class CertificateController(base.Controller):
|
|||||||
"""
|
"""
|
||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
cluster = api_utils.get_resource('Cluster', cluster_ident)
|
cluster = api_utils.get_resource('Cluster', cluster_ident)
|
||||||
policy.enforce(context, 'certificate:get', cluster,
|
policy.enforce(context, 'certificate:get', cluster.as_dict(),
|
||||||
action='certificate:get')
|
action='certificate:get')
|
||||||
certificate = pecan.request.rpcapi.get_ca_certificate(cluster)
|
certificate = pecan.request.rpcapi.get_ca_certificate(cluster)
|
||||||
return Certificate.convert_with_links(certificate)
|
return Certificate.convert_with_links(certificate)
|
||||||
@ -156,7 +156,7 @@ class CertificateController(base.Controller):
|
|||||||
"""
|
"""
|
||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
cluster = certificate.get_cluster()
|
cluster = certificate.get_cluster()
|
||||||
policy.enforce(context, 'certificate:create', cluster,
|
policy.enforce(context, 'certificate:create', cluster.as_dict(),
|
||||||
action='certificate:create')
|
action='certificate:create')
|
||||||
certificate_dict = certificate.as_dict()
|
certificate_dict = certificate.as_dict()
|
||||||
certificate_dict['project_id'] = context.project_id
|
certificate_dict['project_id'] = context.project_id
|
||||||
@ -171,7 +171,7 @@ class CertificateController(base.Controller):
|
|||||||
def patch(self, cluster_ident):
|
def patch(self, cluster_ident):
|
||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
cluster = api_utils.get_resource('Cluster', cluster_ident)
|
cluster = api_utils.get_resource('Cluster', cluster_ident)
|
||||||
policy.enforce(context, 'certificate:rotate_ca', cluster,
|
policy.enforce(context, 'certificate:rotate_ca', cluster.as_dict(),
|
||||||
action='certificate:rotate_ca')
|
action='certificate:rotate_ca')
|
||||||
if cluster.cluster_template.tls_disabled:
|
if cluster.cluster_template.tls_disabled:
|
||||||
raise exception.NotSupported("Rotating the CA certificate on a "
|
raise exception.NotSupported("Rotating the CA certificate on a "
|
||||||
|
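Review bot: The target handed to `policy.enforce()` for `certificate:get`, `certificate:create` and `certificate:rotate_ca` is now a dict of every field `as_dict()` returns for the cluster, not only the ownership attributes a rule compares. `as_dict()` and the Cluster field list are not on this page, so this is something to confirm rather than a defect: if the object holds credential-like fields, check that neither `enforce()` nor the policy library logs or echoes the target on denial. A short comment at the call, e.g. `# target is a full field copy of the cluster; never log it`, would record that expectation. The same applies to the `cluster:*` calls in ClustersController.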
@ -345,7 +345,7 @@ class ClustersController(base.Controller):
|
|||||||
"""
|
"""
|
||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
cluster = api_utils.get_resource('Cluster', cluster_ident)
|
cluster = api_utils.get_resource('Cluster', cluster_ident)
|
||||||
policy.enforce(context, 'cluster:get', cluster,
|
policy.enforce(context, 'cluster:get', cluster.as_dict(),
|
||||||
action='cluster:get')
|
action='cluster:get')
|
||||||
|
|
||||||
cluster = Cluster.convert_with_links(cluster)
|
cluster = Cluster.convert_with_links(cluster)
|
||||||
@ -450,7 +450,7 @@ class ClustersController(base.Controller):
|
|||||||
def _patch(self, cluster_ident, patch):
|
def _patch(self, cluster_ident, patch):
|
||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
cluster = api_utils.get_resource('Cluster', cluster_ident)
|
cluster = api_utils.get_resource('Cluster', cluster_ident)
|
||||||
policy.enforce(context, 'cluster:update', cluster,
|
policy.enforce(context, 'cluster:update', cluster.as_dict(),
|
||||||
action='cluster:update')
|
action='cluster:update')
|
||||||
try:
|
try:
|
||||||
cluster_dict = cluster.as_dict()
|
cluster_dict = cluster.as_dict()
|
||||||
@ -484,7 +484,7 @@ class ClustersController(base.Controller):
|
|||||||
"""
|
"""
|
||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
cluster = api_utils.get_resource('Cluster', cluster_ident)
|
cluster = api_utils.get_resource('Cluster', cluster_ident)
|
||||||
policy.enforce(context, 'cluster:delete', cluster,
|
policy.enforce(context, 'cluster:delete', cluster.as_dict(),
|
||||||
action='cluster:delete')
|
action='cluster:delete')
|
||||||
|
|
||||||
pecan.request.rpcapi.cluster_delete_async(cluster.uuid)
|
pecan.request.rpcapi.cluster_delete_async(cluster.uuid)
|
||||||
|
@ -320,7 +320,8 @@ class ClusterTemplatesController(base.Controller):
|
|||||||
cluster_template = api_utils.get_resource('ClusterTemplate',
|
cluster_template = api_utils.get_resource('ClusterTemplate',
|
||||||
cluster_template_ident)
|
cluster_template_ident)
|
||||||
if not cluster_template.public:
|
if not cluster_template.public:
|
||||||
policy.enforce(context, 'clustertemplate:get', cluster_template,
|
policy.enforce(context, 'clustertemplate:get',
|
||||||
|
cluster_template.as_dict(),
|
||||||
action='clustertemplate:get')
|
action='clustertemplate:get')
|
||||||
|
|
||||||
return ClusterTemplate.convert_with_links(cluster_template)
|
return ClusterTemplate.convert_with_links(cluster_template)
|
||||||
@ -383,7 +384,8 @@ class ClusterTemplatesController(base.Controller):
|
|||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
cluster_template = api_utils.get_resource('ClusterTemplate',
|
cluster_template = api_utils.get_resource('ClusterTemplate',
|
||||||
cluster_template_ident)
|
cluster_template_ident)
|
||||||
policy.enforce(context, 'clustertemplate:update', cluster_template,
|
policy.enforce(context, 'clustertemplate:update',
|
||||||
|
cluster_template.as_dict(),
|
||||||
action='clustertemplate:update')
|
action='clustertemplate:update')
|
||||||
try:
|
try:
|
||||||
cluster_template_dict = cluster_template.as_dict()
|
cluster_template_dict = cluster_template.as_dict()
|
||||||
@ -427,6 +429,7 @@ class ClusterTemplatesController(base.Controller):
|
|||||||
context = pecan.request.context
|
context = pecan.request.context
|
||||||
cluster_template = api_utils.get_resource('ClusterTemplate',
|
cluster_template = api_utils.get_resource('ClusterTemplate',
|
||||||
cluster_template_ident)
|
cluster_template_ident)
|
||||||
policy.enforce(context, 'clustertemplate:delete', cluster_template,
|
policy.enforce(context, 'clustertemplate:delete',
|
||||||
|
cluster_template.as_dict(),
|
||||||
action='clustertemplate:delete')
|
action='clustertemplate:delete')
|
||||||
cluster_template.destroy()
|
cluster_template.destroy()
|
||||||
|