From 4d37ffc111ae8bb43bd33fe995bc3686b065131b Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Sat, 28 Mar 2020 21:35:59 -0500
Subject: [PATCH] Correct limits policy check_str

limits API policy is default to admin_or_owner[1] but API is allowed (which is expected) for everyone. This is because API does not pass the project_id in policy target so that oslo policy can decide the ownership[2]. If no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

There is no owner things in limits and every projects can get its own limits. We need to make default to RULE_ANY which means allowed to everyone.

[1] https://github.com/openstack/nova/blob/403fc671a6877889d6fb70360e002d9b22b98fc9/nova/policies/limits.py#L27

Closes-bug: #1869543
Change-Id: I80617e57a6e062e6038e1b3447e116a5f9e23d24
---
 nova/policies/limits.py | 2 +-
 nova/tests/unit/test_policy.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/nova/policies/limits.py b/nova/policies/limits.py
index 47d5201378c6..a9ee51f0a22c 100644
--- a/nova/policies/limits.py
+++ b/nova/policies/limits.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:limits'
 limits_policies = [
 policy.DocumentedRuleDefault(
 BASE_POLICY_NAME,
- base.RULE_ADMIN_OR_OWNER,
+ base.RULE_ANY,
 "Show rate and absolute limits for the project",
 [
 {
diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py
index 09fbe48e000a..a31f4872eae3 100644
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@@ -426,7 +426,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-flavor-extra-specs:show",
 "os_compute_api:os-floating-ip-pools",
 "os_compute_api:os-floating-ips",
-"os_compute_api:limits",
 "os_compute_api:os-multinic",
 "os_compute_api:os-networks:view",
 "os_compute_api:os-rescue",
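Review bot: The new `base.RULE_ANY` check_str carries no explanation in the policy file of why an allow-everyone rule is safe for this API; the justification exists only in the commit message (the limits API passes no policy target, so enforcement falls back to `context.project_id` and the response is always the caller's own project's limits). Anyone auditing nova's policies for RULE_ANY will stop on this line, so the rationale belongs beside it: `# RULE_ANY: the API only reports the caller's own project limits and passes no policy target, so there is no ownership to enforce; see bug 1869543.` The description string on the next line could likewise say "for the caller's project" so generated policy docs make the same point to operators. The rest of the DocumentedRuleDefault (its operations list and whatever else the rule declares) lies outside the hunk, as does the enclosing `limits_policies` list.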
@@ -452,6 +451,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 self.allow_all_rules = (
 "os_compute_api:os-quota-sets:defaults",
 "os_compute_api:os-availability-zone:list",
+"os_compute_api:limits",
 )
 self.system_reader_rules = (