Move policy enforcement into REST API layer for v2.1 ips

This patch moves the policy enforcement into REST API layer for v2.1
ips extension and adds related unittest.

Because the ips extension had no policy rules before, this patch also adds
policy rules for it.

Partially implements bp v3-api-policy
DocImpact

Change-Id: I9cf45390af6f60ef420b33b3037f618f67276e88
He Jie Xu 2015-01-25 13:12:34 +08:00
parent fa5dc30133
commit 03134f2378
4 changed files with 39 additions and 1 deletions


@ -200,6 +200,8 @@
"compute_extension:v3:os-instance-usage-audit-log": "rule:admin_api",
"compute_extension:v3:os-instance-usage-audit-log:discoverable": "",
"compute_extension:v3:ips:discoverable": "",
"compute_extension:v3:ips:index": "rule:admin_or_owner",
"compute_extension:v3:ips:show": "rule:admin_or_owner",
"compute_extension:keypairs": "",
"compute_extension:keypairs:index": "",
"compute_extension:keypairs:show": "",


@ -23,6 +23,7 @@ from nova.api.openstack import wsgi
from nova.i18n import _
ALIAS = 'ips'
authorize = extensions.os_compute_authorizer(ALIAS)
class IPsController(wsgi.Controller):
@ -32,11 +33,12 @@ class IPsController(wsgi.Controller):
def __init__(self, **kwargs):
super(IPsController, self).__init__(**kwargs)
self._compute_api = nova.compute.API()
self._compute_api = nova.compute.API(skip_policy_check=True)
@extensions.expected_errors(404)
def index(self, req, server_id):
context = req.environ["nova.context"]
authorize(context, action='index')
instance = common.get_instance(self._compute_api, context, server_id)
networks = common.get_networks_for_instance(context, instance)
return self._view_builder.index(networks)
@ -44,6 +46,7 @@ class IPsController(wsgi.Controller):
@extensions.expected_errors(404)
def show(self, req, server_id, id):
context = req.environ["nova.context"]
authorize(context, action='show')
instance = common.get_instance(self._compute_api, context, server_id)
networks = common.get_networks_for_instance(context, instance)
if id not in networks:
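Review bot: The new `authorize(context, action='index')` / `authorize(context, action='show')` calls pass no target, so if `os_compute_authorizer` builds the default target from the caller's own project (confirm in nova/api/openstack/extensions.py), the deployed `rule:admin_or_owner` default from policy.json is satisfied by any authenticated caller and cross-project protection for these two endpoints now rests solely on `common.get_instance` scoping by `context` — with `skip_policy_check=True` the compute layer no longer performs its own check behind it. Either re-check against the fetched server, e.g. `authorize(context, action='show', target={'project_id': instance.project_id, 'user_id': instance.user_id})` after `get_instance`, or state explicitly that ownership is enforced by the lookup. Either way the `skip_policy_check=True` line deserves a why-comment such as `# Policy is enforced here via authorize(); skip the duplicate compute-layer check.` The body of `show` continues past the end of this hunk.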


@ -3413,3 +3413,34 @@ class TestServersExtensionSchema(test.NoDBTestCase):
actual_schema = self._test_load_extension_schema('resize')
self.assertEqual(expected_schema, actual_schema)
# TODO(alex_xu): There isn't specified file for ips extension. Most of
# unittest related to ips extension is in this file. So put the ips policy
# enforcement tests at here until there is specified file for ips extension.
class IPsPolicyEnforcementV21(test.NoDBTestCase):
def setUp(self):
super(IPsPolicyEnforcementV21, self).setUp()
self.controller = ips.IPsController()
self.req = fakes.HTTPRequest.blank('')
def test_index_policy_failed(self):
rule_name = "compute_extension:v3:ips:index"
self.policy.set_rules({rule_name: "project:non_fake"})
exc = self.assertRaises(
exception.PolicyNotAuthorized,
self.controller.index, self.req, fakes.FAKE_UUID)
self.assertEqual(
"Policy doesn't allow %s to be performed." % rule_name,
exc.format_message())
def test_show_policy_failed(self):
rule_name = "compute_extension:v3:ips:show"
self.policy.set_rules({rule_name: "project:non_fake"})
exc = self.assertRaises(
exception.PolicyNotAuthorized,
self.controller.show, self.req, fakes.FAKE_UUID, fakes.FAKE_UUID)
self.assertEqual(
"Policy doesn't allow %s to be performed." % rule_name,
exc.format_message())
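Review bot: Both tests only prove that an explicitly denying rule (`project:non_fake`) is honoured; since fake_policy grants `compute_extension:v3:ips:index`/`show` with `""`, nothing exercises the `rule:admin_or_owner` default that policy.json actually ships, so a caller from another project is never shown to be rejected at this layer. Consider a third test that sets `{rule_name: "rule:admin_or_owner"}`, builds the request with a non-admin context for a different project, and asserts the outcome — it would also settle whether `authorize` needs the server's project as its target. The two existing tests differ only in action name and positional args; a small `_check_policy_failed(action, *args)` helper building `"compute_extension:v3:ips:%s" % action` would remove the duplicated `set_rules`/`assertRaises`/`assertEqual` sequence. The preceding `TestServersExtensionSchema` method starts outside this hunk.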


@ -179,6 +179,8 @@ policy_data = """
"compute_extension:extended_ips_mac": "",
"compute_extension:extended_vif_net": "",
"compute_extension:extended_volumes": "",
"compute_extension:v3:ips:index": "",
"compute_extension:v3:ips:show": "",
"compute_extension:v3:os-extended-volumes": "",
"compute_extension:v3:os-extended-volumes:swap": "",
"compute_extension:v3:os-extended-volumes:attach": "",