From 92a73de2d7219a0011e1a66bca08bee4011c3f6e Mon Sep 17 00:00:00 2001
From: Sean Dague
Date: Wed, 22 Jun 2016 15:55:34 -0400
Subject: [PATCH] update servers policy in code to use formats
Change-Id: I267d2855a9d1f012eaf52c01a99a180b2e0c07b9
---
 nova/api/openstack/compute/servers.py | 44 +++++++++++------------
 nova/policies/servers.py | 50 ++++++++++++---------------
 2 files changed, 44 insertions(+), 50 deletions(-)
diff --git a/nova/api/openstack/compute/servers.py b/nova/api/openstack/compute/servers.py
index 6445660dedcb..4e45cabfff7a 100644
--- a/nova/api/openstack/compute/servers.py
+++ b/nova/api/openstack/compute/servers.py
@@ -257,7 +257,7 @@ class ServersController(wsgi.Controller):
 def index(self, req):
 """Returns a list of server names and ids for a given user."""
 context = req.environ['nova.context']
- context.can(server_policies.get_name('index'))
+ context.can(server_policies.SERVERS % 'index')
 try:
 servers = self._get_servers(req, is_detail=False)
 except exception.Invalid as err:
@@ -268,7 +268,7 @@ class ServersController(wsgi.Controller):
 def detail(self, req):
 """Returns a list of server details for a given user."""
 context = req.environ['nova.context']
- context.can(server_policies.get_name('detail'))
+ context.can(server_policies.SERVERS % 'detail')
 try:
 servers = self._get_servers(req, is_detail=True)
 except exception.Invalid as err:
@@ -367,9 +367,9 @@ class ServersController(wsgi.Controller):
 elevated = None
 if all_tenants:
 if is_detail:
- context.can(server_policies.get_name('detail:get_all_tenants'))
+ context.can(server_policies.SERVERS % 'detail:get_all_tenants')
 else:
- context.can(server_policies.get_name('index:get_all_tenants'))
+ context.can(server_policies.SERVERS % 'index:get_all_tenants')
 elevated = context.elevated()
 else:
 if context.project_id:
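Review bot: The two `get_all_tenants` checks in the `@@ -367,9` hunk pass no target to `context.can`, and the same branch then sets `elevated = context.elevated()`, so within this hunk the policy rule is the only gate in front of a cross-tenant listing. The matching defaults in nova/policies/servers.py are `RULE_AOO` (`rule:admin_or_owner`); if `context.can` fills a missing target from the caller's own credentials (not visible in this patch), the owner half of that rule would match for any authenticated caller. Worth confirming the intended default, and recording the dependency above the branch with a comment such as `# all_tenants listing is gated only by this policy rule; keep its default restricted to admins`. The enclosing method starts and ends outside the hunk.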
@@ -524,7 +524,7 @@ class ServersController(wsgi.Controller):
 def show(self, req, id):
 """Returns server details by server id."""
 context = req.environ['nova.context']
- context.can(server_policies.get_name('show'))
+ context.can(server_policies.SERVERS % 'show')
 instance = self._get_server(context, req, id, is_detail=True)
 return self._view_builder.show(req, instance)
@@ -573,7 +573,7 @@ class ServersController(wsgi.Controller):
 'project_id': context.project_id,
 'user_id': context.user_id,
 'availability_zone': availability_zone}
- context.can(server_policies.get_name('create'), target)
+ context.can(server_policies.SERVERS % 'create', target)
 # TODO(Shao He, Feng) move this policy check to os-availability-zone
 # extension after refactor it.
@@ -584,13 +584,13 @@ class ServersController(wsgi.Controller):
 except exception.InvalidInput as err:
 raise exc.HTTPBadRequest(explanation=six.text_type(err))
 if host or node:
- context.can(server_policies.get_name('create:forced_host'), {})
+ context.can(server_policies.SERVERS % 'create:forced_host', {})
 block_device_mapping = create_kwargs.get("block_device_mapping")
 # TODO(Shao He, Feng) move this policy check to os-block-device-mapping
 # extension after refactor it.
 if block_device_mapping:
- context.can(server_policies.get_name('create:attach_volume'),
+ context.can(server_policies.SERVERS % 'create:attach_volume',
 target)
 image_uuid = self._image_from_req_data(server_dict, create_kwargs)
@@ -615,7 +615,7 @@ class ServersController(wsgi.Controller):
 requested_networks)
 if requested_networks and len(requested_networks):
- context.can(server_policies.get_name('create:attach_network'),
+ context.can(server_policies.SERVERS % 'create:attach_network',
 target)
 try:
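Review bot: `show` evaluates `context.can(server_policies.SERVERS % 'show')` before `_get_server` runs and without a target, so the rule cannot compare the caller against the instance's owner; per-instance ownership then rests on whatever scoping `_get_server` applies, which is outside this hunk. The `_delete`, update, `_action_confirm_resize`, `_action_revert_resize`, reboot, `_resize`, rebuild and `_action_create_image` hunks follow the same pattern, whereas the start, stop and trigger_crash_dump hunks fetch the instance first and pass it as the target. Consider aligning on the latter form, e.g. `instance = self._get_server(context, req, id, is_detail=True)` followed by `context.can(server_policies.SERVERS % 'show', instance)`, or add a comment stating that the check is intentionally target-less and where ownership is enforced instead.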
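Review bot: The `create:forced_host` check in the `@@ -584,13` hunk passes an empty dict `{}` as the target while the neighbouring `create:attach_volume` and `create:attach_network` checks pass `target`, and nothing in the hunk says why. With the `rule:admin_or_owner` default from nova/policies/servers.py, an empty target presumably leaves the owner comparison with nothing to match, so only the admin half can succeed; that would make the `{}` load-bearing for who may pin a server to a host or node. A comment would keep it from being "corrected" to `target` later: `# Empty target on purpose: the owner match must not apply to forced host/node placement`. The enclosing create method starts and ends outside the hunk.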
@@ -779,7 +779,7 @@ class ServersController(wsgi.Controller):
 rebuild_schema['properties']['rebuild']['properties'].update(schema)
 def _delete(self, context, req, instance_uuid):
- context.can(server_policies.get_name('delete'))
+ context.can(server_policies.SERVERS % 'delete')
 instance = self._get_server(context, req, instance_uuid)
 if CONF.reclaim_instance_interval:
 try:
@@ -801,7 +801,7 @@ class ServersController(wsgi.Controller):
 ctxt = req.environ['nova.context']
 update_dict = {}
- ctxt.can(server_policies.get_name('update'))
+ ctxt.can(server_policies.SERVERS % 'update')
 if 'name' in body['server']:
 update_dict['display_name'] = common.normalize_name(
@@ -837,7 +837,7 @@ class ServersController(wsgi.Controller):
 @wsgi.action('confirmResize')
 def _action_confirm_resize(self, req, id, body):
 context = req.environ['nova.context']
- context.can(server_policies.get_name('confirm_resize'))
+ context.can(server_policies.SERVERS % 'confirm_resize')
 instance = self._get_server(context, req, id)
 try:
 self.compute_api.confirm_resize(context, instance)
@@ -857,7 +857,7 @@ class ServersController(wsgi.Controller):
 @wsgi.action('revertResize')
 def _action_revert_resize(self, req, id, body):
 context = req.environ['nova.context']
- context.can(server_policies.get_name('revert_resize'))
+ context.can(server_policies.SERVERS % 'revert_resize')
 instance = self._get_server(context, req, id)
 try:
 self.compute_api.revert_resize(context, instance)
@@ -883,7 +883,7 @@ class ServersController(wsgi.Controller):
 reboot_type = body['reboot']['type'].upper()
 context = req.environ['nova.context']
- context.can(server_policies.get_name('reboot'))
+ context.can(server_policies.SERVERS % 'reboot')
 instance = self._get_server(context, req, id)
 try:
@@ -897,7 +897,7 @@ class ServersController(wsgi.Controller):
 def _resize(self, req, instance_id, flavor_id, **kwargs):
 """Begin the resize process with given instance/flavor."""
 context = req.environ["nova.context"]
- context.can(server_policies.get_name('resize'))
+ context.can(server_policies.SERVERS % 'resize')
 instance = self._get_server(context, req, instance_id)
 try:
@@ -1000,7 +1000,7 @@ class ServersController(wsgi.Controller):
 password = self._get_server_admin_password(rebuild_dict)
 context = req.environ['nova.context']
- context.can(server_policies.get_name('rebuild'))
+ context.can(server_policies.SERVERS % 'rebuild')
 instance = self._get_server(context, req, id)
 attr_map = {
@@ -1077,7 +1077,7 @@ class ServersController(wsgi.Controller):
 def _action_create_image(self, req, id, body):
 """Snapshot a server instance."""
 context = req.environ['nova.context']
- context.can(server_policies.get_name('create_image'))
+ context.can(server_policies.SERVERS % 'create_image')
 entity = body["createImage"]
 image_name = common.normalize_name(entity["name"])
@@ -1093,8 +1093,8 @@ class ServersController(wsgi.Controller):
 try:
 if compute_utils.is_volume_backed_instance(context, instance,
 bdms):
- context.can(server_policies.get_name(
- 'create_image:allow_volume_backed'))
+ context.can(server_policies.SERVERS %
+ 'create_image:allow_volume_backed')
 image = self.compute_api.snapshot_volume_backed(
 context,
 instance,
@@ -1155,7 +1155,7 @@ class ServersController(wsgi.Controller):
 """Start an instance."""
 context = req.environ['nova.context']
 instance = self._get_instance(context, id)
- context.can(server_policies.get_name('start'), instance)
+ context.can(server_policies.SERVERS % 'start', instance)
 LOG.debug('start instance', instance=instance)
 try:
 self.compute_api.start(context, instance)
@@ -1174,7 +1174,7 @@ class ServersController(wsgi.Controller):
 """Stop an instance."""
 context = req.environ['nova.context']
 instance = self._get_instance(context, id)
- context.can(server_policies.get_name('stop'), instance)
+ context.can(server_policies.SERVERS % 'stop', instance)
 LOG.debug('stop instance', instance=instance)
 try:
 self.compute_api.stop(context, instance)
@@ -1195,7 +1195,7 @@ class ServersController(wsgi.Controller):
 """Trigger crash dump in an instance"""
 context = req.environ['nova.context']
 instance = self._get_instance(context, id)
- context.can(server_policies.get_name('trigger_crash_dump'), instance)
+ context.can(server_policies.SERVERS % 'trigger_crash_dump', instance)
 try:
 self.compute_api.trigger_crash_dump(context, instance)
 except exception.InstanceInvalidState as state_error:
diff --git a/nova/policies/servers.py b/nova/policies/servers.py
index c2f81b0aaae0..0d5a14327cc9 100644
--- a/nova/policies/servers.py
+++ b/nova/policies/servers.py
@@ -15,37 +15,31 @@
 from oslo_policy import policy
 RULE_AOO = 'rule:admin_or_owner'
-
-
-def get_name(action=None):
- name = 'os_compute_api:servers'
- if action:
- name = name + ':%s' % action
- return name
+SERVERS = 'os_compute_api:servers:%s'
 rules = [
- policy.RuleDefault(get_name('index'), RULE_AOO),
- policy.RuleDefault(get_name('detail'), RULE_AOO),
- policy.RuleDefault(get_name('detail:get_all_tenants'), RULE_AOO),
- policy.RuleDefault(get_name('index:get_all_tenants'), RULE_AOO),
- policy.RuleDefault(get_name('show'), RULE_AOO),
- policy.RuleDefault(get_name('create'), RULE_AOO),
- policy.RuleDefault(get_name('create:forced_host'), RULE_AOO),
- policy.RuleDefault(get_name('create:attach_volume'), RULE_AOO),
- policy.RuleDefault(get_name('create:attach_network'), RULE_AOO),
- policy.RuleDefault(get_name('delete'), RULE_AOO),
- policy.RuleDefault(get_name('update'), RULE_AOO),
- policy.RuleDefault(get_name('confirm_resize'), RULE_AOO),
- policy.RuleDefault(get_name('revert_resize'), RULE_AOO),
- policy.RuleDefault(get_name('reboot'), RULE_AOO),
- policy.RuleDefault(get_name('resize'), RULE_AOO),
- policy.RuleDefault(get_name('rebuild'), RULE_AOO),
- policy.RuleDefault(get_name('create_image'), RULE_AOO),
- policy.RuleDefault(get_name('create_image:allow_volume_backed'),
+ policy.RuleDefault(SERVERS % 'index', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'detail', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'detail:get_all_tenants', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'index:get_all_tenants', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'show', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'create', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'create:forced_host', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'create:attach_volume', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'create:attach_network', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'delete', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'update', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'confirm_resize', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'revert_resize', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'reboot', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'resize', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'rebuild', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'create_image', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'create_image:allow_volume_backed',
 RULE_AOO),
- policy.RuleDefault(get_name('start'), RULE_AOO),
- policy.RuleDefault(get_name('stop'), RULE_AOO),
- policy.RuleDefault(get_name('trigger_crash_dump'), RULE_AOO),
+ policy.RuleDefault(SERVERS % 'start', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'stop', RULE_AOO),
+ policy.RuleDefault(SERVERS % 'trigger_crash_dump', RULE_AOO),
 ]
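Review bot: `SERVERS = 'os_compute_api:servers:%s'` carries no comment, and every rule name is now assembled with `%` from a bare string literal both in this list and at each `context.can` call in the controller, so a misspelled action at a call site would produce a policy name that has no `RuleDefault` here. Whether that fails closed depends on how the enforcer treats unregistered names, which is not visible in this patch. A comment such as `# Format string for server policy names; the action suffix must match an entry in rules below` would document the contract, and a unit test asserting that each name the controller checks appears in `rules` would catch drift between the two files.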