Pass the actual target in security_groups policy

Currently if target is not passed in context.can(),
it use defauls target which is context.user_id, context.project_id.
These defaults target are not useful as it pass the
context's user_id and project_id only which means we tell
oslo policy to verify the context data with context data.

This commit passes the actual target for the networks policies,
which is context.project_id itself, as nova cannot verify the owner of
security_groups. Neutron will return the authorization error if the requester
is not the owner of the security_group.

Partial implement blueprint policy-defaults-refresh-deprecated-apis

Change-Id: I1ce8ad8a16bddb3f7520a3b4e323b75626928186
This commit is contained in:
Ghanshyam Mann 2020-07-23 18:32:05 -05:00
parent a20ab7016e
commit 4ecec2ff73
1 changed files with 14 additions and 7 deletions


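--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -150,7 +150,8 @@ class SecurityGroupController(SecurityGroupControllerBase, wsgi.Controller):
 def show(self, req, id):
 """Return data about the given security group."""
 context = req.environ['nova.context']
-context.can(sg_policies.POLICY_NAME % 'show')
+context.can(sg_policies.POLICY_NAME % 'show',
+target={'project_id': context.project_id})
 try:
 id = security_group_api.validate_id(id)
@@ -169,7 +170,8 @@ class SecurityGroupController(SecurityGroupControllerBase, wsgi.Controller):
 def delete(self, req, id):
 """Delete a security group."""
 context = req.environ['nova.context']
-context.can(sg_policies.POLICY_NAME % 'delete')
+context.can(sg_policies.POLICY_NAME % 'delete',
+target={'project_id': context.project_id})
 try:
 id = security_group_api.validate_id(id)
@@ -186,7 +188,8 @@ class SecurityGroupController(SecurityGroupControllerBase, wsgi.Controller):
 def index(self, req):
 """Returns a list of security groups."""
 context = req.environ['nova.context']
-context.can(sg_policies.POLICY_NAME % 'get')
+context.can(sg_policies.POLICY_NAME % 'get',
+target={'project_id': context.project_id})
 search_opts = {}
 search_opts.update(req.GET)
@@ -208,7 +211,8 @@ class SecurityGroupController(SecurityGroupControllerBase, wsgi.Controller):
 def create(self, req, body):
 """Creates a new security group."""
 context = req.environ['nova.context']
-context.can(sg_policies.POLICY_NAME % 'create')
+context.can(sg_policies.POLICY_NAME % 'create',
+target={'project_id': context.project_id})
 security_group = self._from_body(body, 'security_group')
@@ -234,7 +238,8 @@ class SecurityGroupController(SecurityGroupControllerBase, wsgi.Controller):
 def update(self, req, id, body):
 """Update a security group."""
 context = req.environ['nova.context']
-context.can(sg_policies.POLICY_NAME % 'update')
+context.can(sg_policies.POLICY_NAME % 'update',
+target={'project_id': context.project_id})
 try:
 id = security_group_api.validate_id(id)
@@ -270,7 +275,8 @@ class SecurityGroupRulesController(SecurityGroupControllerBase,
 @wsgi.expected_errors((400, 403, 404))
 def create(self, req, body):
 context = req.environ['nova.context']
-context.can(sg_policies.POLICY_NAME % 'rule:create')
+context.can(sg_policies.POLICY_NAME % 'rule:create',
+target={'project_id': context.project_id})
 sg_rule = self._from_body(body, 'security_group_rule')
 group_id = sg_rule.get('group_id')
 source_group = {}
@@ -345,7 +351,8 @@ class SecurityGroupRulesController(SecurityGroupControllerBase,
 @wsgi.response(202)
 def delete(self, req, id):
 context = req.environ['nova.context']
-context.can(sg_policies.POLICY_NAME % 'rule:delete')
+context.can(sg_policies.POLICY_NAME % 'rule:delete',
+target={'project_id': context.project_id})
 try:
 id = security_group_api.validate_id(id)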
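Review bot: The target added in every hunk (show, delete, index, create, update, rule:create, rule:delete) is the requester's own `context.project_id`, so a project-scoped rule is satisfied for any caller acting in their own project and the check still does not establish who owns the security group or rule named by `id`; the commit message says Neutron enforces that, but nothing in the code records it. A later reader of `show` or `delete` may take `target={'project_id': context.project_id}` for an ownership check, so I would put a comment above the first `context.can` call in each controller, e.g. `# Nova cannot resolve the owning project of a security group; the target is the requester's project and ownership is enforced by Neutron.`. Whether the policy rules in sg_policies are actually project-scoped is not visible here, so the practical effect of the new target should be confirmed against those rule strings. Each method continues past its hunk.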