Remove db layer hard-code permission checks for quota_class_get_all_by_name
This patch removes the hard-coded permission check from the db call quota_class_get_all_by_name. For the v2 API, the same hard-coded permission check already exists in the REST API layer, so the change is backward-compatible there. For the v2.1 API, to distinguish the show and update permissions, this patch adds a new policy rule for the show method. Partially implements bp nova-api-policy-final-part SecurityImpact UpgradeImpact: Because the db-layer permission check is deleted, a default policy rule is needed in its place. In this patch, "os_compute_api:os-quota-class-sets:show" is introduced with a default rule. Admins will be notified to update their policy configuration file to keep the previous behaviour. Change-Id: I02da6cc8c766e5f43689449ef63121122f537b5b
This commit is contained in:
parent
4c8d4e9c93
commit
1dbb322813
@ -338,6 +338,7 @@
|
|||
"os_compute_api:os-quota-sets:delete": "rule:admin_api",
|
||||
"os_compute_api:os-quota-sets:detail": "rule:admin_api",
|
||||
"os_compute_api:os-quota-class-sets": "",
|
||||
"os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
|
||||
"os_compute_api:os-quota-class-sets:discoverable": "",
|
||||
"os_compute_api:os-rescue": "",
|
||||
"os_compute_api:os-rescue:discoverable": "",
|
||||
|
|
|
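Review bot: The added show rule hard-codes `is_admin:True` while the neighbouring quota-sets rules in the same hunk delegate to `rule:admin_api`, so an operator who redefines `admin_api` in their policy file would not see that redefinition applied to quota-class show. Consider `"os_compute_api:os-quota-class-sets:show": "rule:admin_api or quota_class:%(quota_class)s"` so the admin half follows the shared rule like its siblings. The `quota_class:%(quota_class)s` half only evaluates correctly when the API passes the class name as the `quota_class` target key, which the controller change in this commit does; that target key should be called out in the upgrade note so operators who customise the rule know what they can reference. The base rule `"os_compute_api:os-quota-class-sets": ""` on the line above is unchanged and by itself permits any caller, so whatever still gates update is outside this hunk and deserves a mention in the same note.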
@ -20,7 +20,6 @@ from nova.api.openstack.compute.schemas.v3 import quota_classes
|
|||
from nova.api.openstack import extensions
|
||||
from nova.api.openstack import wsgi
|
||||
from nova.api import validation
|
||||
import nova.context
|
||||
from nova import db
|
||||
from nova import exception
|
||||
from nova import quota
|
||||
|
@ -62,16 +61,12 @@ class QuotaClassSetsController(wsgi.Controller):
|
|||
|
||||
return dict(quota_class_set=result)
|
||||
|
||||
@extensions.expected_errors(403)
|
||||
@extensions.expected_errors(())
|
||||
def show(self, req, id):
|
||||
context = req.environ['nova.context']
|
||||
authorize(context)
|
||||
try:
|
||||
nova.context.authorize_quota_class_context(context, id)
|
||||
values = QUOTAS.get_class_quotas(context, id)
|
||||
return self._format_quota_set(id, values)
|
||||
except exception.Forbidden:
|
||||
raise webob.exc.HTTPForbidden()
|
||||
authorize(context, action='show', target={'quota_class': id})
|
||||
values = QUOTAS.get_class_quotas(context, id)
|
||||
return self._format_quota_set(id, values)
|
||||
|
||||
@extensions.expected_errors((403))
|
||||
@validation.schema(quota_classes.update)
|
||||
|
|
|
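Review bot: The `authorize(context, action='show', target={'quota_class': id})` call that replaces the try/except is now the only authorization on the v2.1 show path, since the db-layer check it used to sit behind is deleted elsewhere in this commit, and the target it passes carries only `quota_class`: a deployment whose customised show rule references `%(project_id)s`, as the other quota rules do, would presumably hit a missing target key rather than a match — worth confirming against the enforcer's behaviour. Passing the caller identity alongside the class name keeps such rules usable: `authorize(context, action='show', target={'quota_class': id, 'project_id': context.project_id, 'user_id': context.user_id})`. The decorator is also changed to `@extensions.expected_errors(())` although a policy denial still has to surface as a 403; if that relies on the decorator special-casing PolicyNotAuthorized, a comment such as `# PolicyNotAuthorized raised by authorize() is mapped to 403 by the framework, so no code is declared here` would keep the next reader from "fixing" it back to 403. The update method whose decorators start at the bottom of the hunk continues outside it.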
@ -3155,8 +3155,6 @@ def quota_class_get_default(context):
|
|||
|
||||
@require_context
|
||||
def quota_class_get_all_by_name(context, class_name):
|
||||
nova.context.authorize_quota_class_context(context, class_name)
|
||||
|
||||
rows = model_query(context, models.QuotaClass, read_deleted="no").\
|
||||
filter_by(class_name=class_name).\
|
||||
all()
|
||||
|
|
|
@ -89,10 +89,6 @@ class QuotaClassSetsTestV21(test.TestCase):
|
|||
|
||||
self.assertEqual(res_dict, quota_set('test_class'))
|
||||
|
||||
def test_quotas_show_as_unauthorized_user(self):
|
||||
self.assertRaises(webob.exc.HTTPForbidden, self.controller.show,
|
||||
self.req, 'test_class')
|
||||
|
||||
def test_quotas_update_as_admin(self):
|
||||
body = {'quota_class_set': {'instances': 50, 'cores': 50,
|
||||
'ram': 51200, 'floating_ips': 10,
|
||||
|
@ -161,3 +157,27 @@ class QuotaClassSetsTestV2(QuotaClassSetsTestV21):
|
|||
ext_mgr = extensions.ExtensionManager()
|
||||
ext_mgr.extensions = {}
|
||||
self.controller = quota_classes.QuotaClassSetsController(ext_mgr)
|
||||
|
||||
def test_quotas_show_as_unauthorized_user(self):
|
||||
self.assertRaises(webob.exc.HTTPForbidden, self.controller.show,
|
||||
self.req, 'test_class')
|
||||
|
||||
|
||||
class QuotaClassesPolicyEnforcementV21(test.NoDBTestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(QuotaClassesPolicyEnforcementV21, self).setUp()
|
||||
ext_info = plugins.LoadedExtensionInfo()
|
||||
self.controller = quota_classes_v21.QuotaClassSetsController(
|
||||
extension_info=ext_info)
|
||||
self.req = fakes.HTTPRequest.blank('')
|
||||
|
||||
def test_show_policy_failed(self):
|
||||
rule_name = "os_compute_api:os-quota-class-sets:show"
|
||||
self.policy.set_rules({rule_name: "quota_class:non_fake"})
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller.show, self.req, fakes.FAKE_UUID)
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
|
|
|
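Review bot: `test_show_policy_failed` only proves that a rule which cannot match (`quota_class:non_fake`) is refused; nothing in the new class exercises the default rule's `quota_class:%(quota_class)s` branch, so a regression that stopped passing the class name in the target (or compared it against the wrong context attribute) would go unnoticed, and the unauthorized-user test removed from the V21 class earlier in this diff was the only check of that kind. A test that installs the shipped default, sets `quota_class` on the request context and asserts that a different class name is still refused would close that gap; the positive case additionally needs `QUOTAS.get_class_quotas` stubbed since this is a `NoDBTestCase`. The helper names `quota_classes_v21`, `plugins` and `fakes` used here are imported outside the hunk.

```python
    def test_show_refused_for_other_quota_class(self):
        rule_name = "os_compute_api:os-quota-class-sets:show"
        self.policy.set_rules(
            {rule_name: "is_admin:True or quota_class:%(quota_class)s"})
        # Non-admin caller whose context is bound to 'test_class'.
        self.req.environ['nova.context'].quota_class = 'test_class'
        self.assertRaises(exception.PolicyNotAuthorized,
                          self.controller.show, self.req, 'other_class')
        # … positive case for 'test_class' needs QUOTAS.get_class_quotas stubbed …
```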
@ -300,6 +300,7 @@ policy_data = """
|
|||
"os_compute_api:os-quota-sets:defaults": "",
|
||||
"compute_extension:quota_classes": "",
|
||||
"os_compute_api:os-quota-class-sets": "",
|
||||
"os_compute_api:os-quota-class-sets:show": "",
|
||||
"compute_extension:rescue": "",
|
||||
"os_compute_api:os-rescue": "",
|
||||
"compute_extension:security_group_default_rules": "",
|
||||
|
|