Remove db layer hard-code permission checks for quota_class_get_all_by_name

This patch removes the hard-code permission checks for db call quota_class_get_all_by_name. For v2 api, there already have same hard-code permission checks in REST API layer, so it is back-compatible. For v2.1 api, to distinguish show and update permission, this patch adds new rule for show method. Partially implements bp nova-api-policy-final-part SecurityImpact UpgradeImpact: Due to the db layer permission checks deleted, they need default policy rule instead of that. In this patch, "os_compute_api:os-quota-class-sets:show" was updated with a default rule. Admin will be notfied to update their policy configure file to keep the behavior as before. Change-Id: I02da6cc8c766e5f43689449ef63121122f537b5b
2015-03-02 08:08:44 +08:00 · 2015-03-02 08:08:44 +08:00 · 1dbb322813
parent 4c8d4e9c93
commit 1dbb322813
5 changed files with 30 additions and 15 deletions
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@ -338,6 +338,7 @@
    "os_compute_api:os-quota-sets:delete": "rule:admin_api",
    "os_compute_api:os-quota-sets:detail": "rule:admin_api",
    "os_compute_api:os-quota-class-sets": "",
+    "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
    "os_compute_api:os-quota-class-sets:discoverable": "",
    "os_compute_api:os-rescue": "",
    "os_compute_api:os-rescue:discoverable": "",
--- a/nova/api/openstack/compute/plugins/v3/quota_classes.py
+++ b/nova/api/openstack/compute/plugins/v3/quota_classes.py
@ -20,7 +20,6 @@ from nova.api.openstack.compute.schemas.v3 import quota_classes
 from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
 from nova.api import validation
-import nova.context
 from nova import db
 from nova import exception
 from nova import quota
@ -62,16 +61,12 @@ class QuotaClassSetsController(wsgi.Controller):

        return dict(quota_class_set=result)

-    @extensions.expected_errors(403)
+    @extensions.expected_errors(())
    def show(self, req, id):
        context = req.environ['nova.context']
-        authorize(context)
-        try:
-            nova.context.authorize_quota_class_context(context, id)
-            values = QUOTAS.get_class_quotas(context, id)
-            return self._format_quota_set(id, values)
-        except exception.Forbidden:
-            raise webob.exc.HTTPForbidden()
+        authorize(context, action='show', target={'quota_class': id})
+        values = QUOTAS.get_class_quotas(context, id)
+        return self._format_quota_set(id, values)

    @extensions.expected_errors((403))
    @validation.schema(quota_classes.update)
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@ -3155,8 +3155,6 @@ def quota_class_get_default(context):

@require_context
 def quota_class_get_all_by_name(context, class_name):
-    nova.context.authorize_quota_class_context(context, class_name)
-
    rows = model_query(context, models.QuotaClass, read_deleted="no").\
                   filter_by(class_name=class_name).\
                   all()
--- a/nova/tests/unit/api/openstack/compute/contrib/test_quota_classes.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_quota_classes.py
@ -89,10 +89,6 @@ class QuotaClassSetsTestV21(test.TestCase):

        self.assertEqual(res_dict, quota_set('test_class'))

-    def test_quotas_show_as_unauthorized_user(self):
-        self.assertRaises(webob.exc.HTTPForbidden, self.controller.show,
-                          self.req, 'test_class')
-
    def test_quotas_update_as_admin(self):
        body = {'quota_class_set': {'instances': 50, 'cores': 50,
                                    'ram': 51200, 'floating_ips': 10,
@ -161,3 +157,27 @@ class QuotaClassSetsTestV2(QuotaClassSetsTestV21):
        ext_mgr = extensions.ExtensionManager()
        ext_mgr.extensions = {}
        self.controller = quota_classes.QuotaClassSetsController(ext_mgr)
+
+    def test_quotas_show_as_unauthorized_user(self):
+        self.assertRaises(webob.exc.HTTPForbidden, self.controller.show,
+                          self.req, 'test_class')
+
+
+class QuotaClassesPolicyEnforcementV21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(QuotaClassesPolicyEnforcementV21, self).setUp()
+        ext_info = plugins.LoadedExtensionInfo()
+        self.controller = quota_classes_v21.QuotaClassSetsController(
+            extension_info=ext_info)
+        self.req = fakes.HTTPRequest.blank('')
+
+    def test_show_policy_failed(self):
+        rule_name = "os_compute_api:os-quota-class-sets:show"
+        self.policy.set_rules({rule_name: "quota_class:non_fake"})
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.show, self.req, fakes.FAKE_UUID)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())
--- a/nova/tests/unit/fake_policy.py
+++ b/nova/tests/unit/fake_policy.py
@ -300,6 +300,7 @@ policy_data = """
    "os_compute_api:os-quota-sets:defaults": "",
    "compute_extension:quota_classes": "",
    "os_compute_api:os-quota-class-sets": "",
+    "os_compute_api:os-quota-class-sets:show": "",
    "compute_extension:rescue": "",
    "os_compute_api:os-rescue": "",
    "compute_extension:security_group_default_rules": "",