From 66df3a8fef3e2372f05a0b23a9a60f8e4110f346 Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Wed, 25 Mar 2020 12:43:21 -0500 Subject: [PATCH] Pass the actual target in os-instance-usage-audit-log policy Currently if target is not passed in context.can(), it use defauls target which is context.user_id, context.project_id. These defaults target are not useful as it pass the context's user_id and project_id only which means we tell oslo policy to verify the context data with context data. This commit pass the actual target for os-instance-usage-audit-log policies which is empty dict because policy rule is system scoped rather than project, so the token scope check deals with the required target checking. Partial implement blueprint policy-defaults-refresh Change-Id: I5584b9bb192dc32c60ba5a83d3bd2de293bbbd27 --- nova/api/openstack/compute/instance_usage_audit_log.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nova/api/openstack/compute/instance_usage_audit_log.py b/nova/api/openstack/compute/instance_usage_audit_log.py index ce1c98f730ff..f15a210b911a 100644 --- a/nova/api/openstack/compute/instance_usage_audit_log.py +++ b/nova/api/openstack/compute/instance_usage_audit_log.py @@ -35,14 +35,14 @@ class InstanceUsageAuditLogController(wsgi.Controller): @wsgi.expected_errors(()) def index(self, req): context = req.environ['nova.context'] - context.can(iual_policies.BASE_POLICY_NAME % 'list') + context.can(iual_policies.BASE_POLICY_NAME % 'list', target={}) task_log = self._get_audit_task_logs(context) return {'instance_usage_audit_logs': task_log} @wsgi.expected_errors(400) def show(self, req, id): context = req.environ['nova.context'] - context.can(iual_policies.BASE_POLICY_NAME % 'show') + context.can(iual_policies.BASE_POLICY_NAME % 'show', target={}) try: if '.' in id: before_date = datetime.datetime.strptime(str(id),