Fix os-ips policy to be admin_or_owner
The os-ips API policy defaults to admin_or_owner[1], but the API
is allowed for everyone.
We can see in the test that a request with another project's context can access the API
- https://review.opendev.org/#/c/715477
This is because the API does not pass the server's project_id in the policy target[2],
and if no target is passed, policy.py adds the default targets, which are
nothing but context.project_id (allowing everyone who tries to access it)[3].
This commit fixes this policy by passing the server's project_id in the policy
target.
Closes-bug: #1869396
[1] eaf08c0b7b/nova/policies/ips.py (L27)
Change-Id: Ie7bcb6537f90813cc5b23d69c886037d25b15a42
parent
eaf08c0b7b
commit
58701be615
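--- a/[path not on page: IPsController module]
+++ b/[path not on page: IPsController module]
@@ -38,16 +38,18 @@ class IPsController(wsgi.Controller):
     @wsgi.expected_errors(404)
     def index(self, req, server_id):
         context = req.environ["nova.context"]
-        context.can(ips_policies.POLICY_ROOT % 'index')
         instance = common.get_instance(self._compute_api, context, server_id)
+        context.can(ips_policies.POLICY_ROOT % 'index',
+                    target={'project_id': instance.project_id})
         networks = common.get_networks_for_instance(context, instance)
         return self._view_builder.index(networks)
 
     @wsgi.expected_errors(404)
     def show(self, req, server_id, id):
         context = req.environ["nova.context"]
-        context.can(ips_policies.POLICY_ROOT % 'show')
         instance = common.get_instance(self._compute_api, context, server_id)
+        context.can(ips_policies.POLICY_ROOT % 'show',
+                    target={'project_id': instance.project_id})
         networks = common.get_networks_for_instance(context, instance)
         if id not in networks:
             msg = _("Instance is not a member of specified network")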
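Review bot: Moving `context.can` after `common.get_instance` in both `index` and `show` changes the observable failure order: a caller outside the server's project now gets a 404 when the id does not exist and a policy failure (403) when it does, so the two responses can be used to tell whether a server id exists in another project; whether `common.get_instance` already scopes the lookup to the caller's project is not visible in this hunk and decides whether that difference is reachable. The reordering is required because the target needs `instance.project_id`, so it deserves a why-comment on the moved lines, e.g. `# Look the instance up first so the policy target carries the owner's project_id.`, in both methods. The `target={'project_id': instance.project_id}` block is duplicated verbatim between `index` and `show`; a small private helper that fetches the instance and enforces the named rule would keep the two checks from drifting. The `show` body continues past the end of the hunk.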
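--- a/[path not on page: IPsPolicyEnforcementV21 test module]
+++ b/[path not on page: IPsPolicyEnforcementV21 test module]
@@ -8109,6 +8109,10 @@ class IPsPolicyEnforcementV21(test.NoDBTestCase):
         super(IPsPolicyEnforcementV21, self).setUp()
         self.controller = ips.IPsController()
         self.req = fakes.HTTPRequest.blank("/v2/%s" % fakes.FAKE_PROJECT_ID)
+        self.mock_get = self.useFixture(
+            fixtures.MockPatch('nova.api.openstack.common.get_instance')).mock
+        self.mock_get.return_value = fake_instance.fake_instance_obj(
+            self.req.environ['nova.context'])
 
     def test_index_policy_failed(self):
         rule_name = "os_compute_api:ips:index"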
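Review bot: The added mock builds the fake instance from `self.req.environ['nova.context']`, so `instance.project_id` matches the requesting project and the policy-failure tests below only exercise the case where the rule itself is overridden to deny; the cross-project case the commit message describes (a request from another project being rejected by the owner target) is not asserted in this hunk, and if it is not covered elsewhere in the change a test that passes a context with a different project_id and expects `PolicyNotAuthorized` would pin the actual fix. A one-line comment on the new lines would also help later readers, e.g. `# get_instance is mocked so the policy target can read instance.project_id without a DB lookup.` The enclosing `setUp` starts outside the hunk.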