Add policy check for consoles
There is no policy check for the consoles v3 (v2.1) API. This patch adds a policy check for each operation. Partially implements blueprint v3-api-policy Change-Id: Ia0aa260ac31eb359275273fdcdfbfde3cfc47d87
This commit is contained in:
parent
37a6c601f3
commit
005bd4c658
@ -38,6 +38,10 @@
|
|||||||
"os_compute_api:os-cloudpipe": "rule:admin_api",
|
"os_compute_api:os-cloudpipe": "rule:admin_api",
|
||||||
"os_compute_api:os-cloudpipe:discoverable": "",
|
"os_compute_api:os-cloudpipe:discoverable": "",
|
||||||
"os_compute_api:os-consoles:discoverable": "",
|
"os_compute_api:os-consoles:discoverable": "",
|
||||||
|
"os_compute_api:os-consoles:create": "",
|
||||||
|
"os_compute_api:os-consoles:delete": "",
|
||||||
|
"os_compute_api:os-consoles:index": "",
|
||||||
|
"os_compute_api:os-consoles:show": "",
|
||||||
"os_compute_api:os-console-output:discoverable": "",
|
"os_compute_api:os-console-output:discoverable": "",
|
||||||
"os_compute_api:os-console-output": "",
|
"os_compute_api:os-console-output": "",
|
||||||
"os_compute_api:os-remote-consoles": "",
|
"os_compute_api:os-remote-consoles": "",
|
||||||
|
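Review bot: All four new os-consoles rules are set to `""`, which in this policy format means the check always passes, so the policy layer grants create, delete, index and show to any authenticated caller and the only restriction left is whatever the console API itself applies. That matches the neighbouring os-console-output and os-remote-consoles entries, but it should be stated in the commit message, since an operator who wants to tighten console access now has four separate keys to set. The test fixture hunk further down also adds a parent `"os_compute_api:os-consoles": ""` entry that this file does not get; if the authorizer can be called without an action, policy.json should carry the same key, otherwise the fixture line is dead.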
@ -22,6 +22,7 @@ from nova import exception
|
|||||||
|
|
||||||
|
|
||||||
ALIAS = 'os-consoles'
|
ALIAS = 'os-consoles'
|
||||||
|
authorize = extensions.os_compute_authorizer(ALIAS)
|
||||||
|
|
||||||
|
|
||||||
def _translate_keys(cons):
|
def _translate_keys(cons):
|
||||||
@ -53,6 +54,9 @@ class ConsolesController(wsgi.Controller):
|
|||||||
@extensions.expected_errors(())
|
@extensions.expected_errors(())
|
||||||
def index(self, req, server_id):
|
def index(self, req, server_id):
|
||||||
"""Returns a list of consoles for this instance."""
|
"""Returns a list of consoles for this instance."""
|
||||||
|
context = req.environ['nova.context']
|
||||||
|
authorize(context, action='index')
|
||||||
|
|
||||||
consoles = self.console_api.get_consoles(
|
consoles = self.console_api.get_consoles(
|
||||||
req.environ['nova.context'], server_id)
|
req.environ['nova.context'], server_id)
|
||||||
return dict(consoles=[_translate_keys(console)
|
return dict(consoles=[_translate_keys(console)
|
||||||
@ -64,6 +68,9 @@ class ConsolesController(wsgi.Controller):
|
|||||||
@extensions.expected_errors(404)
|
@extensions.expected_errors(404)
|
||||||
def create(self, req, server_id, body):
|
def create(self, req, server_id, body):
|
||||||
"""Creates a new console."""
|
"""Creates a new console."""
|
||||||
|
context = req.environ['nova.context']
|
||||||
|
authorize(context, action='create')
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.console_api.create_console(
|
self.console_api.create_console(
|
||||||
req.environ['nova.context'], server_id)
|
req.environ['nova.context'], server_id)
|
||||||
@ -73,6 +80,9 @@ class ConsolesController(wsgi.Controller):
|
|||||||
@extensions.expected_errors(404)
|
@extensions.expected_errors(404)
|
||||||
def show(self, req, server_id, id):
|
def show(self, req, server_id, id):
|
||||||
"""Shows in-depth information on a specific console."""
|
"""Shows in-depth information on a specific console."""
|
||||||
|
context = req.environ['nova.context']
|
||||||
|
authorize(context, action='show')
|
||||||
|
|
||||||
try:
|
try:
|
||||||
console = self.console_api.get_console(
|
console = self.console_api.get_console(
|
||||||
req.environ['nova.context'],
|
req.environ['nova.context'],
|
||||||
@ -86,6 +96,9 @@ class ConsolesController(wsgi.Controller):
|
|||||||
@extensions.expected_errors(404)
|
@extensions.expected_errors(404)
|
||||||
def delete(self, req, server_id, id):
|
def delete(self, req, server_id, id):
|
||||||
"""Deletes a console."""
|
"""Deletes a console."""
|
||||||
|
context = req.environ['nova.context']
|
||||||
|
authorize(context, action='delete')
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.console_api.delete_console(req.environ['nova.context'],
|
self.console_api.delete_console(req.environ['nova.context'],
|
||||||
server_id,
|
server_id,
|
||||||
|
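Review bot: Each of the four controller hunks binds `context = req.environ['nova.context']` and then reads `req.environ['nova.context']` a second time two lines later when calling the console API (index at `get_consoles`, create at `create_console`, show at `get_console`, delete at `delete_console`); the existing call should become `self.console_api.get_consoles(context, server_id)` and likewise in the other three methods. The `authorize(context, action=...)` calls pass no target, so the rule is evaluated against the caller's own project and user rather than the project that owns `server_id`; if a deployment sets these keys to an owner-style rule it will not get a per-server ownership check from this layer, which is presumably left to the console API, so a one-line comment such as `# policy target is the caller; server ownership is checked by console_api` above the first authorize call would make the intent explicit. Each method body continues past its hunk.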
@ -26,6 +26,8 @@ from nova.compute import vm_states
|
|||||||
from nova import console
|
from nova import console
|
||||||
from nova import db
|
from nova import db
|
||||||
from nova import exception
|
from nova import exception
|
||||||
|
from nova.openstack.common import policy as common_policy
|
||||||
|
from nova import policy
|
||||||
from nova import test
|
from nova import test
|
||||||
from nova.tests.unit.api.openstack import fakes
|
from nova.tests.unit.api.openstack import fakes
|
||||||
from nova.tests.unit import matchers
|
from nova.tests.unit import matchers
|
||||||
@ -263,7 +265,42 @@ class ConsolesControllerTestV21(test.NoDBTestCase):
|
|||||||
self.assertRaises(webob.exc.HTTPNotFound, self.controller.delete,
|
self.assertRaises(webob.exc.HTTPNotFound, self.controller.delete,
|
||||||
req, self.uuid, '20')
|
req, self.uuid, '20')
|
||||||
|
|
||||||
|
def _test_fail_policy(self, rule, action, data=None):
|
||||||
|
rules = {
|
||||||
|
rule: common_policy.parse_rule("!"),
|
||||||
|
}
|
||||||
|
|
||||||
|
policy.set_rules(rules)
|
||||||
|
req = fakes.HTTPRequest.blank(self.url + '/20')
|
||||||
|
|
||||||
|
if data is not None:
|
||||||
|
self.assertRaises(exception.PolicyNotAuthorized, action,
|
||||||
|
req, self.uuid, data)
|
||||||
|
else:
|
||||||
|
self.assertRaises(exception.PolicyNotAuthorized, action,
|
||||||
|
req, self.uuid)
|
||||||
|
|
||||||
|
def test_delete_console_fail_policy(self):
|
||||||
|
self._test_fail_policy("os_compute_api:os-consoles:delete",
|
||||||
|
self.controller.delete, data='20')
|
||||||
|
|
||||||
|
def test_create_console_fail_policy(self):
|
||||||
|
self._test_fail_policy("os_compute_api:os-consoles:create",
|
||||||
|
self.controller.create, data='20')
|
||||||
|
|
||||||
|
def test_index_console_fail_policy(self):
|
||||||
|
self._test_fail_policy("os_compute_api:os-consoles:index",
|
||||||
|
self.controller.index)
|
||||||
|
|
||||||
|
def test_show_console_fail_policy(self):
|
||||||
|
self._test_fail_policy("os_compute_api:os-consoles:show",
|
||||||
|
self.controller.show, data='20')
|
||||||
|
|
||||||
|
|
||||||
class ConsolesControllerTestV2(ConsolesControllerTestV21):
|
class ConsolesControllerTestV2(ConsolesControllerTestV21):
|
||||||
def _set_up_controller(self):
|
def _set_up_controller(self):
|
||||||
self.controller = consoles_v2.Controller()
|
self.controller = consoles_v2.Controller()
|
||||||
|
|
||||||
|
def _test_fail_policy(self, rule, action, data=None):
|
||||||
|
# V2 API don't have policy
|
||||||
|
pass
|
||||||
|
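Review bot: `ConsolesControllerTestV2._test_fail_policy` is overridden with `pass`, so the four inherited `test_*_fail_policy` methods run and report success for the V2 controller without asserting anything; `self.skipTest('V2 API does not have policy checks')` would record them as skipped instead of green. In `_test_fail_policy`, `policy.set_rules(rules)` replaces the whole rule set with the single deny rule rather than adding to the loaded fixture, so if the base test case's policy fixture does not reset rules after each test this can leak into later tests in the class; worth confirming against `NoDBTestCase`. Passing `data='20'` as the `body` argument for `create` works only because the policy check fails before the body is read; an empty dict would read less surprisingly.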
@ -178,6 +178,11 @@ policy_data = """
|
|||||||
"os_compute_api:os-console-output": "",
|
"os_compute_api:os-console-output": "",
|
||||||
"compute_extension:consoles": "",
|
"compute_extension:consoles": "",
|
||||||
"os_compute_api:os-remote-consoles": "",
|
"os_compute_api:os-remote-consoles": "",
|
||||||
|
"os_compute_api:os-consoles": "",
|
||||||
|
"os_compute_api:os-consoles:create": "",
|
||||||
|
"os_compute_api:os-consoles:delete": "",
|
||||||
|
"os_compute_api:os-consoles:index": "",
|
||||||
|
"os_compute_api:os-consoles:show": "",
|
||||||
"compute_extension:createserverext": "",
|
"compute_extension:createserverext": "",
|
||||||
"os_compute_api:os-create-backup": "",
|
"os_compute_api:os-create-backup": "",
|
||||||
"compute_extension:deferred_delete": "",
|
"compute_extension:deferred_delete": "",
|
||||||
|