Pass the actual target in tenant networks policy

Currently if target is not passed in context.can(),
it uses the default target, which is context.user_id, context.project_id.
These default targets are not useful as they pass the
context's user_id and project_id only, which means we tell
oslo policy to verify the context data with context data.

This commit passes the actual target for tenant networks policies,
which is context.project_id itself as nova cannot verify the owner of
network. Neutron will return the authorise error if requester is not
owner of network.

Partial implement blueprint policy-defaults-refresh-deprecated-apis

Change-Id: I1efb4aec986cee3ab65aa80559e57b2a407ca444
Ghanshyam Mann 2020-07-23 19:22:58 -05:00
parent cade031eb3
commit 3423d44c5e
1 changed files with 4 additions and 2 deletions

@ -71,7 +71,8 @@ class TenantNetworkController(wsgi.Controller):
@wsgi.expected_errors(())
def index(self, req):
context = req.environ['nova.context']
context.can(tn_policies.POLICY_NAME % 'list')
context.can(tn_policies.POLICY_NAME % 'list',
target={'project_id': context.project_id})
networks = list(self.network_api.get_all(context))
if not self._default_networks:
self._refresh_default_networks()
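
Review bot: The target passed to context.can() in index() is {'project_id': context.project_id}, which is built from the same context value the commit message describes as the unhelpful default, so the policy check still compares the context's project_id against itself. Please add a short code comment at the call stating that this is deliberate because nova cannot verify the network owner and Neutron enforces ownership, so a later reader does not mistake it for a real ownership check. The change touches only this one file; a unit test asserting the target handed to context.can() for the 'list' policy would keep the explicit target from being dropped silently.
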
@ -82,7 +83,8 @@ class TenantNetworkController(wsgi.Controller):
@wsgi.expected_errors(404)
def show(self, req, id):
context = req.environ['nova.context']
context.can(tn_policies.POLICY_NAME % 'show')
context.can(tn_policies.POLICY_NAME % 'show',
target={'project_id': context.project_id})
try:
network = self.network_api.get(context, id)
except exception.NetworkNotFound:
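
Review bot: In show(), the policy check runs before network_api.get(context, id) and its target does not involve the requested id, so ownership of the network is decided entirely by the Neutron call that follows. The decorator lists only 404 in wsgi.expected_errors and the visible except clause handles only NetworkNotFound, while the commit message relies on Neutron returning an authorisation error for a non-owner; please confirm that this error from network_api.get() is caught and mapped to an expected status, and cover the non-owner case with a test for the 'show' policy.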