Fix os-create-backup policy to be admin_or_owner

os-create-backup API policy is default to admin_or_owner[1] but API
is allowed for everyone.

We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/706726/

This is because the API does not pass the server's project_id in the policy
target[2], and when no target is passed, policy.py adds the default target,
which is just context.project_id (the caller's own project), so the
admin_or_owner check passes for everyone who tries to access the API[3].

This commit fix this policy by passing the server's project_id in policy
target.

[1] 1fcd74730d/nova/policies/create_backup.py (L27)
[2] 1fcd74730d/nova/api/openstack/compute/create_backup.py (L50)
[3] c16315165c/nova/policy.py (L191)

Change-Id: I36cba4c6760f8f9faa5f3039cbb11ea1dc296f68
Closes-bug: #1862561
Ghanshyam Mann 2020-02-09 19:57:10 -06:00
parent 608e063c63
commit 30bcb43ca5
2 changed files with 7 additions and 6 deletions


@ -47,7 +47,9 @@ class CreateBackupController(wsgi.Controller):
"""
context = req.environ["nova.context"]
context.can(cb_policies.BASE_POLICY_NAME)
instance = common.get_instance(self.compute_api, context, id)
context.can(cb_policies.BASE_POLICY_NAME,
target={'project_id': instance.project_id})
entity = body["createBackup"]
image_name = common.normalize_name(entity["name"])
@ -63,8 +65,6 @@ class CreateBackupController(wsgi.Controller):
common.check_img_metadata_properties_quota(context, metadata)
props.update(metadata)
instance = common.get_instance(self.compute_api, context, id)
try:
image = self.compute_api.backup(context, instance, image_name,
backup_type, rotation, extra_properties=props)
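Review bot: The lookup `common.get_instance(self.compute_api, context, id)` now runs before the targeted `context.can(...)`, so a caller who fails the policy gets a different outcome for an existing server (policy failure) than for a missing one (not found). That is only acceptable if `get_instance` already hides servers outside the caller's project, which this hunk does not show and is worth confirming. The new call also deserves a why-comment, for example `# Target the server's project: with no target the check falls back to context.project_id, so admin_or_owner passes for any caller.` The method starts before the first hunk and continues past the second. Other controllers that call `context.can()` with no `target` presumably have the same gap and are worth auditing.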


@ -340,8 +340,7 @@ class CreateBackupTestsV21(admin_only_action_common.CommonMixin,
self.assertIn("Cannot 'createBackup' instance %(id)s"
% {'id': instance.uuid}, ex.explanation)
@mock.patch.object(common, 'check_img_metadata_properties_quota')
def test_create_backup_with_non_existed_instance(self, mock_check_image):
def test_create_backup_with_non_existed_instance(self):
body_map = {
'createBackup': {
'name': 'Backup 1',
@ -355,7 +354,6 @@ class CreateBackupTestsV21(admin_only_action_common.CommonMixin,
self.assertRaises(webob.exc.HTTPNotFound,
self.controller._create_backup,
self.req, uuid, body=body_map)
mock_check_image.assert_called_once_with(self.context, {})
def test_create_backup_with_invalid_create_backup(self):
body = {
@ -404,6 +402,9 @@ class CreateBackupPolicyEnforcementv21(test.NoDBTestCase):
super(CreateBackupPolicyEnforcementv21, self).setUp()
self.controller = create_backup_v21.CreateBackupController()
self.req = fakes.HTTPRequest.blank('')
patch_get = mock.patch.object(self.controller.compute_api, 'get')
self.mock_get = patch_get.start()
self.addCleanup(patch_get.stop)
def test_create_backup_policy_failed(self):
rule_name = "os_compute_api:os-create-backup"
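Review bot: The `compute_api.get` patch added in `setUp` leaves `self.mock_get` with its default return value, so the `instance.project_id` the controller puts in the policy target is an auto-created mock attribute rather than a real project id. Nothing visible in this section pins the cross-project case the commit fixes. Consider giving the mock a concrete owner, e.g. `self.mock_get.return_value = mock.Mock(project_id='<other-project-id>')`, and adding a test that leaves the default `admin_or_owner` rule in place and asserts a policy failure for a request context from a different project. The body of `test_create_backup_policy_failed` lies outside the hunk, so it may already cover part of this.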