Correct limits policy check_str

The limits API policy defaults to admin_or_owner[1],
but the API is allowed (which is expected) for everyone.

This is because the API does not pass the project_id in the policy
target so that oslo policy can decide the ownership[2]. If no
target is passed, then policy.py adds the default targets, which
is nothing but context.project_id (allowed for everyone who tries to access)
- c16315165c/nova/policy.py (L191)

There is no owner thing in limits and every project can get
its own limits. We need to make the default RULE_ANY, which means
allowed to everyone.

[1] 403fc671a6/nova/policies/limits.py (L27)
Closes-bug: #1869543

Change-Id: I80617e57a6e062e6038e1b3447e116a5f9e23d24
Ghanshyam Mann
2020-03-28 21:35:59 -05:00
parent 1d5fff5b51
commit 4d37ffc111
2 changed files with 2 additions and 2 deletions

@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:limits'
limits_policies = [
policy.DocumentedRuleDefault(
BASE_POLICY_NAME,
base.RULE_ADMIN_OR_OWNER,
base.RULE_ANY,
"Show rate and absolute limits for the project",
[
{
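Review bot: the check_str swap from base.RULE_ADMIN_OR_OWNER to base.RULE_ANY in the DocumentedRuleDefault for BASE_POLICY_NAME changes a documented default, but the commit touches only 2 files (this policy file and the test), so nothing tells operators about it. The commit message says effective access was already open to everyone, which is exactly why the reasoning should be recorded next to the rule: add a short comment above the entry saying limits has no owner concept and every project reads its own limits, and add a release note stating that "os_compute_api:limits" now defaults to RULE_ANY. Without either, a later reader could take RULE_ANY for an accidental loosening and revert it.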

@@ -426,7 +426,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-flavor-extra-specs:show",
"os_compute_api:os-floating-ip-pools",
"os_compute_api:os-floating-ips",
"os_compute_api:limits",
"os_compute_api:os-multinic",
"os_compute_api:os-networks:view",
"os_compute_api:os-rescue",
@@ -452,6 +451,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
self.allow_all_rules = (
"os_compute_api:os-quota-sets:defaults",
"os_compute_api:os-availability-zone:list",
"os_compute_api:limits",
)
self.system_reader_rules = (
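Review bot: adding "os_compute_api:limits" to self.allow_all_rules only checks how the rule is classified in RealRolePolicyTestCase; it does not exercise the limits API itself, which is where the commit message locates the original mismatch (no project_id passed in the policy target). Consider adding an API-level test that requests limits with a non-admin context and asserts the call succeeds, so the intended "allowed to everyone" behaviour is covered independently of which tuple the rule name sits in.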