Finer access control in os-volume_attachments

Allows policy.json access controls to authorize requests for specific actions, rather than just being an all or nothing control for the entire extension. Bug 1108222 DocImpact Change-Id: I78e1f596f22434a73bec3952ed024e4d58faac51
2013-01-28 16:32:05 -05:00 · 2013-01-28 16:32:05 -05:00 · 0ff6b52ff2
commit 0ff6b52ff2
parent ce09c50c92
3 changed files with 22 additions and 0 deletions
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@ -83,6 +83,10 @@
    "compute_extension:virtual_interfaces": "",
    "compute_extension:virtual_storage_arrays": "",
    "compute_extension:volumes": "",
+    "compute_extension:volume_attachments:index": "",
+    "compute_extension:volume_attachments:show": "",
+    "compute_extension:volume_attachments:create": "",
+    "compute_extension:volume_attachments:delete": "",
    "compute_extension:volumetypes": "",
    "compute_extension:availability_zone:list": "",
    "compute_extension:availability_zone:detail": "rule:admin_api",
--- a/nova/api/openstack/compute/contrib/volumes.py
+++ b/nova/api/openstack/compute/contrib/volumes.py
@ -33,6 +33,15 @@ from nova import volume
 LOG = logging.getLogger(__name__)
 authorize = extensions.extension_authorizer('compute', 'volumes')

+authorize_attach_index = extensions.extension_authorizer('compute',
+                                                    'volume_attachments:index')
+authorize_attach_show = extensions.extension_authorizer('compute',
+                                                    'volume_attachments:show')
+authorize_attach_create = extensions.extension_authorizer('compute',
+                                                'volume_attachments:create')
+authorize_attach_delete = extensions.extension_authorizer('compute',
+                                                'volume_attachments:delete')
+

 def _translate_volume_detail_view(context, vol):
    """Maps keys for volumes details view."""
@ -329,6 +338,8 @@ class VolumeAttachmentController(wsgi.Controller):
    @wsgi.serializers(xml=VolumeAttachmentsTemplate)
    def index(self, req, server_id):
        """Returns the list of volume attachments for a given instance."""
+        context = req.environ['nova.context']
+        authorize_attach_index(context)
        return self._items(req, server_id,
                           entity_maker=_translate_attachment_summary_view)

@ -337,6 +348,7 @@ class VolumeAttachmentController(wsgi.Controller):
        """Return data about the given volume attachment."""
        context = req.environ['nova.context']
        authorize(context)
+        authorize_attach_show(context)

        volume_id = id
        try:
@ -377,6 +389,7 @@ class VolumeAttachmentController(wsgi.Controller):
        """Attach a volume to an instance."""
        context = req.environ['nova.context']
        authorize(context)
+        authorize_attach_create(context)

        if not self.is_valid_body(body, 'volumeAttachment'):
            raise exc.HTTPUnprocessableEntity()
@ -423,6 +436,7 @@ class VolumeAttachmentController(wsgi.Controller):
        """Detach a volume from an instance."""
        context = req.environ['nova.context']
        authorize(context)
+        authorize_attach_delete(context)

        volume_id = id
        LOG.audit(_("Detach volume %s"), volume_id, context=context)
--- a/nova/tests/fake_policy.py
+++ b/nova/tests/fake_policy.py
@ -157,6 +157,10 @@ policy_data = """
    "compute_extension:virtual_interfaces": "",
    "compute_extension:virtual_storage_arrays": "",
    "compute_extension:volumes": "",
+    "compute_extension:volume_attachments:index": "",
+    "compute_extension:volume_attachments:show": "",
+    "compute_extension:volume_attachments:create": "",
+    "compute_extension:volume_attachments:delete": "",
    "compute_extension:volumetypes": "",
    "compute_extension:zones": "",
    "compute_extension:availability_zone:list": "",