Fix os-create-backup policy to be admin_or_owner
The os-create-backup API policy defaults to admin_or_owner[1], but the API is allowed for everyone. We can see that a test using another project's context can access the API - https://review.opendev.org/#/c/706726/ This is because the API does not pass the server's project_id in the policy target[2], and if no target is passed, policy.py adds the default targets, which are nothing but context.project_id (allowing everyone who tries to access)[3]. This commit fixes the policy by passing the server's project_id in the policy target. [1]1fcd74730d/nova/policies/create_backup.py (L27)
[2]1fcd74730d/nova/api/openstack/compute/create_backup.py (L50)
[3]c16315165c/nova/policy.py (L191)
Change-Id: I36cba4c6760f8f9faa5f3039cbb11ea1dc296f68 Closes-bug: #1862561
parent
608e063c63
commit
30bcb43ca5
|
@ -47,7 +47,9 @@ class CreateBackupController(wsgi.Controller):
|
|||
|
||||
"""
|
||||
context = req.environ["nova.context"]
|
||||
context.can(cb_policies.BASE_POLICY_NAME)
|
||||
instance = common.get_instance(self.compute_api, context, id)
|
||||
context.can(cb_policies.BASE_POLICY_NAME,
|
||||
target={'project_id': instance.project_id})
|
||||
entity = body["createBackup"]
|
||||
|
||||
image_name = common.normalize_name(entity["name"])
|
||||
|
@ -63,8 +65,6 @@ class CreateBackupController(wsgi.Controller):
|
|||
common.check_img_metadata_properties_quota(context, metadata)
|
||||
props.update(metadata)
|
||||
|
||||
instance = common.get_instance(self.compute_api, context, id)
|
||||
|
||||
try:
|
||||
image = self.compute_api.backup(context, instance, image_name,
|
||||
backup_type, rotation, extra_properties=props)
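Review bot: The first hunk moves `common.get_instance(self.compute_api, context, id)` ahead of `context.can(...)`, so the server lookup now runs for callers who have not yet been authorized, and a missing server presumably returns 404 before any policy failure can be reported. The ordering is needed to obtain `instance.project_id`, but nothing in the code says so; a comment above the lookup would keep a later refactor from moving the check back, e.g. `# Fetch the server first: the policy target needs its project_id, so the check cannot run earlier.` Whether `common.get_instance` is itself scoped to the caller's project is not visible here; if it is not, the 404-versus-403 difference would tell a caller whether a server UUID exists in another project, so that is worth confirming. The method body starts and ends outside both hunks.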
|
||||
|
|
|
@ -340,8 +340,7 @@ class CreateBackupTestsV21(admin_only_action_common.CommonMixin,
|
|||
self.assertIn("Cannot 'createBackup' instance %(id)s"
|
||||
% {'id': instance.uuid}, ex.explanation)
|
||||
|
||||
@mock.patch.object(common, 'check_img_metadata_properties_quota')
|
||||
def test_create_backup_with_non_existed_instance(self, mock_check_image):
|
||||
def test_create_backup_with_non_existed_instance(self):
|
||||
body_map = {
|
||||
'createBackup': {
|
||||
'name': 'Backup 1',
|
||||
|
@ -355,7 +354,6 @@ class CreateBackupTestsV21(admin_only_action_common.CommonMixin,
|
|||
self.assertRaises(webob.exc.HTTPNotFound,
|
||||
self.controller._create_backup,
|
||||
self.req, uuid, body=body_map)
|
||||
mock_check_image.assert_called_once_with(self.context, {})
|
||||
|
||||
def test_create_backup_with_invalid_create_backup(self):
|
||||
body = {
|
||||
|
@ -404,6 +402,9 @@ class CreateBackupPolicyEnforcementv21(test.NoDBTestCase):
|
|||
super(CreateBackupPolicyEnforcementv21, self).setUp()
|
||||
self.controller = create_backup_v21.CreateBackupController()
|
||||
self.req = fakes.HTTPRequest.blank('')
|
||||
patch_get = mock.patch.object(self.controller.compute_api, 'get')
|
||||
self.mock_get = patch_get.start()
|
||||
self.addCleanup(patch_get.stop)
|
||||
|
||||
def test_create_backup_policy_failed(self):
|
||||
rule_name = "os_compute_api:os-create-backup"
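Review bot: In the `setUp` of `CreateBackupPolicyEnforcementv21`, `compute_api.get` is patched but no return value is set in the visible lines, so `instance.project_id` would be an auto-created mock attribute rather than a real project id. A policy-failure test then passes whether or not the controller puts the server's project into the target, which is the behaviour this commit fixes. Consider returning an object with an explicit project id (constructed example: `self.mock_get.return_value = mock.Mock(project_id='other-project')`). A pair of cases would pin the fix: one where the owner's context is allowed and one where a different project's context is rejected. The body of `test_create_backup_policy_failed` continues outside the hunk, so it may already cover part of this.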
|
||||
|
|