Finer access control in os-volume_attachments
Allows policy.json access controls to authorize requests for specific actions, rather than just being an all-or-nothing control for the entire extension. Bug 1108222 DocImpact Change-Id: I78e1f596f22434a73bec3952ed024e4d58faac51
This commit is contained in:
parent
ce09c50c92
commit
0ff6b52ff2
@ -83,6 +83,10 @@
|
||||
"compute_extension:virtual_interfaces": "",
|
||||
"compute_extension:virtual_storage_arrays": "",
|
||||
"compute_extension:volumes": "",
|
||||
"compute_extension:volume_attachments:index": "",
|
||||
"compute_extension:volume_attachments:show": "",
|
||||
"compute_extension:volume_attachments:create": "",
|
||||
"compute_extension:volume_attachments:delete": "",
|
||||
"compute_extension:volumetypes": "",
|
||||
"compute_extension:availability_zone:list": "",
|
||||
"compute_extension:availability_zone:detail": "rule:admin_api",
|
||||
|
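Review bot: The four new `compute_extension:volume_attachments:*` keys are added with the empty (allow-all) value, and a deployment that ships its own customised policy.json will not have them at all; if the policy engine then falls back to the `default` rule for an unknown rule name, as I believe it does, the effective behaviour on upgrade depends on that site's `default` rather than on the allow-all shown here. Since the change is tagged DocImpact, the release note should say that operators who restrict `compute_extension:volumes` need to add the four new keys with the same restriction, because the per-action check is a separate rule lookup. The test fixture in the last hunk mirrors these keys and needs no change.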
@ -33,6 +33,15 @@ from nova import volume
|
||||
LOG = logging.getLogger(__name__)
|
||||
authorize = extensions.extension_authorizer('compute', 'volumes')
|
||||
|
||||
authorize_attach_index = extensions.extension_authorizer('compute',
|
||||
'volume_attachments:index')
|
||||
authorize_attach_show = extensions.extension_authorizer('compute',
|
||||
'volume_attachments:show')
|
||||
authorize_attach_create = extensions.extension_authorizer('compute',
|
||||
'volume_attachments:create')
|
||||
authorize_attach_delete = extensions.extension_authorizer('compute',
|
||||
'volume_attachments:delete')
|
||||
|
||||
|
||||
def _translate_volume_detail_view(context, vol):
|
||||
"""Maps keys for volumes details view."""
|
||||
@ -329,6 +338,8 @@ class VolumeAttachmentController(wsgi.Controller):
|
||||
@wsgi.serializers(xml=VolumeAttachmentsTemplate)
|
||||
def index(self, req, server_id):
|
||||
"""Returns the list of volume attachments for a given instance."""
|
||||
context = req.environ['nova.context']
|
||||
authorize_attach_index(context)
|
||||
return self._items(req, server_id,
|
||||
entity_maker=_translate_attachment_summary_view)
|
||||
|
||||
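Review bot: `index` on the new side is gated only by `authorize_attach_index(context)`, while `show`, `create` and `delete` in the three following hunks keep the extension-wide `authorize(context)` and add the per-action check after it, so `compute_extension:volumes` is never consulted when listing attachments. If listing is meant to be exempt from the extension-wide rule that asymmetry should be stated in the DocImpact note; otherwise add `authorize(context)` on the line before `authorize_attach_index(context)` so all four actions are gated the same way. `_items` is not shown in this hunk, so I cannot tell whether it performs a check of its own.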
@ -337,6 +348,7 @@ class VolumeAttachmentController(wsgi.Controller):
|
||||
"""Return data about the given volume attachment."""
|
||||
context = req.environ['nova.context']
|
||||
authorize(context)
|
||||
authorize_attach_show(context)
|
||||
|
||||
volume_id = id
|
||||
try:
|
||||
@ -377,6 +389,7 @@ class VolumeAttachmentController(wsgi.Controller):
|
||||
"""Attach a volume to an instance."""
|
||||
context = req.environ['nova.context']
|
||||
authorize(context)
|
||||
authorize_attach_create(context)
|
||||
|
||||
if not self.is_valid_body(body, 'volumeAttachment'):
|
||||
raise exc.HTTPUnprocessableEntity()
|
||||
@ -423,6 +436,7 @@ class VolumeAttachmentController(wsgi.Controller):
|
||||
"""Detach a volume from an instance."""
|
||||
context = req.environ['nova.context']
|
||||
authorize(context)
|
||||
authorize_attach_delete(context)
|
||||
|
||||
volume_id = id
|
||||
LOG.audit(_("Detach volume %s"), volume_id, context=context)
|
||||
|
@ -157,6 +157,10 @@ policy_data = """
|
||||
"compute_extension:virtual_interfaces": "",
|
||||
"compute_extension:virtual_storage_arrays": "",
|
||||
"compute_extension:volumes": "",
|
||||
"compute_extension:volume_attachments:index": "",
|
||||
"compute_extension:volume_attachments:show": "",
|
||||
"compute_extension:volume_attachments:create": "",
|
||||
"compute_extension:volume_attachments:delete": "",
|
||||
"compute_extension:volumetypes": "",
|
||||
"compute_extension:zones": "",
|
||||
"compute_extension:availability_zone:list": "",
|
||||
|