policy: Replaces 'authorize' in nova-api (part 4)

Partially-Implements: bp policy-in-code

Change-Id: I98ea5591c0a08c57dbb1986fc2b70401071a0107

nova/api/openstack/compute/keypairs.py

@@ -27,11 +27,10 @@ from nova.compute import api as compute_api
 from nova import exception
 from nova.i18n import _
 from nova.objects import keypair as keypair_obj
+from nova.policies import keypairs as kp_policies
 
 
 ALIAS = 'os-keypairs'
-authorize = extensions.os_compute_authorizer(ALIAS)
-soft_authorize = extensions.os_compute_soft_authorizer(ALIAS)
 
 
 class KeypairController(wsgi.Controller):
@@ -116,7 +115,7 @@ class KeypairController(wsgi.Controller):
         name = common.normalize_name(params['name'])
         key_type = params.get('type', keypair_obj.KEYPAIR_TYPE_SSH)
         user_id = user_id or context.user_id
-        authorize(context, action='create',
+        context.can(kp_policies.POLICY_ROOT % 'create',
                     target={'user_id': user_id,
                             'project_id': context.project_id})
 
@@ -169,7 +168,7 @@ class KeypairController(wsgi.Controller):
         context = req.environ['nova.context']
         # handle optional user-id for admin only
         user_id = user_id or context.user_id
-        authorize(context, action='delete',
+        context.can(kp_policies.POLICY_ROOT % 'delete',
                     target={'user_id': user_id,
                             'project_id': context.project_id})
         try:
@@ -203,7 +202,7 @@ class KeypairController(wsgi.Controller):
         """Return data for the given key name."""
         context = req.environ['nova.context']
         user_id = user_id or context.user_id
-        authorize(context, action='show',
+        context.can(kp_policies.POLICY_ROOT % 'show',
                     target={'user_id': user_id,
                             'project_id': context.project_id})
 
@@ -243,7 +242,7 @@ class KeypairController(wsgi.Controller):
         """List of keypairs for a user."""
         context = req.environ['nova.context']
         user_id = user_id or context.user_id
-        authorize(context, action='index',
+        context.can(kp_policies.POLICY_ROOT % 'index',
                     target={'user_id': user_id,
                             'project_id': context.project_id})
         key_pairs = self.api.get_key_pairs(context, user_id)
@@ -272,13 +271,14 @@ class Controller(wsgi.Controller):
     @wsgi.extends
     def show(self, req, resp_obj, id):
         context = req.environ['nova.context']
-        if soft_authorize(context):
+        if context.can(kp_policies.BASE_POLICY_NAME, fatal=False):
             self._show(req, resp_obj)
 
     @wsgi.extends
     def detail(self, req, resp_obj):
         context = req.environ['nova.context']
-        if 'servers' in resp_obj.obj and soft_authorize(context):
+        if 'servers' in resp_obj.obj and context.can(
+                kp_policies.BASE_POLICY_NAME, fatal=False):
             servers = resp_obj.obj['servers']
             self._add_key_name(req, servers)
 

nova/api/openstack/compute/limits.py

@@ -16,12 +16,12 @@
 from nova.api.openstack.compute.views import limits as limits_views
 from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
+from nova.policies import limits as limits_policies
 from nova import quota
 
 
 QUOTAS = quota.QUOTAS
 ALIAS = 'limits'
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class LimitsController(wsgi.Controller):
@@ -31,7 +31,7 @@ class LimitsController(wsgi.Controller):
     def index(self, req):
         """Return all global limit information."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(limits_policies.BASE_POLICY_NAME)
         project_id = req.params.get('tenant_id', context.project_id)
         quotas = QUOTAS.get_project_quotas(context, project_id,
                                            usages=False)

nova/api/openstack/compute/lock_server.py

@@ -17,11 +17,10 @@ from nova.api.openstack import common
 from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
 from nova import compute
+from nova.policies import lock_server as ls_policies
 
 ALIAS = "os-lock-server"
 
-authorize = extensions.os_compute_authorizer(ALIAS)
-
 
 class LockServerController(wsgi.Controller):
     def __init__(self, *args, **kwargs):
@@ -34,7 +33,7 @@ class LockServerController(wsgi.Controller):
     def _lock(self, req, id, body):
         """Lock a server instance."""
         context = req.environ['nova.context']
-        authorize(context, action='lock')
+        context.can(ls_policies.POLICY_ROOT % 'lock')
         instance = common.get_instance(self.compute_api, context, id)
         self.compute_api.lock(context, instance)
 
@@ -44,11 +43,11 @@ class LockServerController(wsgi.Controller):
     def _unlock(self, req, id, body):
         """Unlock a server instance."""
         context = req.environ['nova.context']
-        authorize(context, action='unlock')
+        context.can(ls_policies.POLICY_ROOT % 'unlock')
         instance = common.get_instance(self.compute_api, context, id)
         if not self.compute_api.is_expected_locked_by(context, instance):
-            authorize(context, target=instance,
+            context.can(ls_policies.POLICY_ROOT % 'unlock:unlock_override',
-                      action='unlock:unlock_override')
+                        instance)
 
         self.compute_api.unlock(context, instance)
 

nova/api/openstack/compute/migrate_server.py

@@ -25,13 +25,11 @@ from nova.api import validation
 from nova import compute
 from nova import exception
 from nova.i18n import _
+from nova.policies import migrate_server as ms_policies
 
 ALIAS = "os-migrate-server"
 
 
-authorize = extensions.os_compute_authorizer(ALIAS)
-
-
 class MigrateServerController(wsgi.Controller):
     def __init__(self, *args, **kwargs):
         super(MigrateServerController, self).__init__(*args, **kwargs)
@@ -43,7 +41,7 @@ class MigrateServerController(wsgi.Controller):
     def _migrate(self, req, id, body):
         """Permit admins to migrate a server to a new host."""
         context = req.environ['nova.context']
-        authorize(context, action='migrate')
+        context.can(ms_policies.POLICY_ROOT % 'migrate')
 
         instance = common.get_instance(self.compute_api, context, id)
         try:
@@ -69,7 +67,7 @@ class MigrateServerController(wsgi.Controller):
     def _migrate_live(self, req, id, body):
         """Permit admins to (live) migrate a server to a new host."""
         context = req.environ["nova.context"]
-        authorize(context, action='migrate_live')
+        context.can(ms_policies.POLICY_ROOT % 'migrate_live')
 
         host = body["os-migrateLive"]["host"]
         block_migration = body["os-migrateLive"]["block_migration"]

nova/api/openstack/compute/migrations.py

@@ -16,15 +16,12 @@ from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
 from nova import compute
 from nova.objects import base as obj_base
+from nova.policies import migrations as migrations_policies
 
 
 ALIAS = "os-migrations"
 
 
-def authorize(context, action_name):
-    extensions.os_compute_authorizer(ALIAS)(context, action=action_name)
-
-
 class MigrationsController(wsgi.Controller):
     """Controller for accessing migrations in OpenStack API."""
 
@@ -76,7 +73,7 @@ class MigrationsController(wsgi.Controller):
     def index(self, req):
         """Return all migrations in progress."""
         context = req.environ['nova.context']
-        authorize(context, "index")
+        context.can(migrations_policies.POLICY_ROOT % 'index')
         migrations = self.compute_api.get_migrations(context, req.GET)
 
         if api_version_request.is_supported(req, min_version='2.23'):

nova/api/openstack/compute/multinic.py

@@ -24,10 +24,10 @@ from nova.api.openstack import wsgi
 from nova.api import validation
 from nova import compute
 from nova import exception
+from nova.policies import multinic as multinic_policies
 
 
 ALIAS = "os-multinic"
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class MultinicController(wsgi.Controller):
@@ -42,7 +42,7 @@ class MultinicController(wsgi.Controller):
     def _add_fixed_ip(self, req, id, body):
         """Adds an IP on a given network to an instance."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(multinic_policies.BASE_POLICY_NAME)
 
         instance = common.get_instance(self.compute_api, context, id)
         network_id = body['addFixedIp']['networkId']
@@ -60,7 +60,7 @@ class MultinicController(wsgi.Controller):
     def _remove_fixed_ip(self, req, id, body):
         """Removes an IP from an instance."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(multinic_policies.BASE_POLICY_NAME)
 
         instance = common.get_instance(self.compute_api, context, id)
         address = body['removeFixedIp']['address']

nova/api/openstack/compute/networks.py

@@ -27,9 +27,9 @@ from nova.i18n import _
 from nova import network
 from nova.objects import base as base_obj
 from nova.objects import fields as obj_fields
+from nova.policies import networks as net_policies
 
 ALIAS = 'os-networks'
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 def network_dict(context, network):
@@ -85,7 +85,7 @@ class NetworkController(wsgi.Controller):
     @extensions.expected_errors(())
     def index(self, req):
         context = req.environ['nova.context']
-        authorize(context, action='view')
+        context.can(net_policies.POLICY_ROOT % 'view')
         networks = self.network_api.get_all(context)
         result = [network_dict(context, net_ref) for net_ref in networks]
         return {'networks': result}
@@ -95,7 +95,7 @@ class NetworkController(wsgi.Controller):
     @wsgi.action("disassociate")
     def _disassociate_host_and_project(self, req, id, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(net_policies.BASE_POLICY_NAME)
 
         try:
             self.network_api.associate(context, id, host=None, project=None)
@@ -108,7 +108,7 @@ class NetworkController(wsgi.Controller):
     @extensions.expected_errors(404)
     def show(self, req, id):
         context = req.environ['nova.context']
-        authorize(context, action='view')
+        context.can(net_policies.POLICY_ROOT % 'view')
 
         try:
             network = self.network_api.get(context, id)
@@ -121,7 +121,7 @@ class NetworkController(wsgi.Controller):
     @extensions.expected_errors((404, 409))
     def delete(self, req, id):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(net_policies.BASE_POLICY_NAME)
 
         try:
             self.network_api.delete(context, id)
@@ -135,7 +135,7 @@ class NetworkController(wsgi.Controller):
     @validation.schema(schema.create)
     def create(self, req, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(net_policies.BASE_POLICY_NAME)
 
         params = body["network"]
 
@@ -160,7 +160,7 @@ class NetworkController(wsgi.Controller):
     @validation.schema(schema.add_network_to_project)
     def add(self, req, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(net_policies.BASE_POLICY_NAME)
 
         network_id = body['id']
         project_id = context.project_id

nova/api/openstack/compute/networks_associate.py

@@ -20,11 +20,10 @@ from nova.api import validation
 from nova import exception
 from nova.i18n import _
 from nova import network
+from nova.policies import networks_associate as na_policies
 
 ALIAS = "os-networks-associate"
 
-authorize = extensions.os_compute_authorizer(ALIAS)
-
 
 class NetworkAssociateActionController(wsgi.Controller):
     """Network Association API Controller."""
@@ -37,7 +36,7 @@ class NetworkAssociateActionController(wsgi.Controller):
     @extensions.expected_errors((404, 501))
     def _disassociate_host_only(self, req, id, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(na_policies.BASE_POLICY_NAME)
         try:
             self.network_api.associate(context, id, host=None)
         except exception.NetworkNotFound:
@@ -51,7 +50,7 @@ class NetworkAssociateActionController(wsgi.Controller):
     @extensions.expected_errors((404, 501))
     def _disassociate_project_only(self, req, id, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(na_policies.BASE_POLICY_NAME)
         try:
             self.network_api.associate(context, id, project=None)
         except exception.NetworkNotFound:
@@ -66,7 +65,7 @@ class NetworkAssociateActionController(wsgi.Controller):
     @validation.schema(networks_associate.associate_host)
     def _associate_host(self, req, id, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(na_policies.BASE_POLICY_NAME)
 
         try:
             self.network_api.associate(context, id,

nova/api/openstack/compute/pause_server.py

@@ -20,11 +20,10 @@ from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
 from nova import compute
 from nova import exception
+from nova.policies import pause_server as ps_policies
 
 ALIAS = "os-pause-server"
 
-authorize = extensions.os_compute_authorizer(ALIAS)
-
 
 class PauseServerController(wsgi.Controller):
     def __init__(self, *args, **kwargs):
@@ -37,7 +36,7 @@ class PauseServerController(wsgi.Controller):
     def _pause(self, req, id, body):
         """Permit Admins to pause the server."""
         ctxt = req.environ['nova.context']
-        authorize(ctxt, action='pause')
+        ctxt.can(ps_policies.POLICY_ROOT % 'pause')
         server = common.get_instance(self.compute_api, ctxt, id)
         try:
             self.compute_api.pause(ctxt, server)
@@ -58,7 +57,7 @@ class PauseServerController(wsgi.Controller):
     def _unpause(self, req, id, body):
         """Permit Admins to unpause the server."""
         ctxt = req.environ['nova.context']
-        authorize(ctxt, action='unpause')
+        ctxt.can(ps_policies.POLICY_ROOT % 'unpause')
         server = common.get_instance(self.compute_api, ctxt, id)
         try:
             self.compute_api.unpause(ctxt, server)

nova/api/openstack/compute/pci.py

@@ -20,11 +20,10 @@ from nova.api.openstack import wsgi
 from nova import compute
 from nova import exception
 from nova import objects
+from nova.policies import pci as pci_policies
 
 
 ALIAS = 'os-pci'
-soft_authorize = extensions.os_compute_soft_authorizer(ALIAS + ':pci_servers')
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 PCI_ADMIN_KEYS = ['id', 'address', 'vendor_id', 'product_id', 'status',
                   'compute_node_id']
@@ -42,7 +41,7 @@ class PciServerController(wsgi.Controller):
     @wsgi.extends
     def show(self, req, resp_obj, id):
         context = req.environ['nova.context']
-        if soft_authorize(context):
+        if context.can(pci_policies.POLICY_ROOT % 'pci_servers', fatal=False):
             server = resp_obj.obj['server']
             instance = req.get_db_instance(server['id'])
             self._extend_server(server, instance)
@@ -50,7 +49,7 @@ class PciServerController(wsgi.Controller):
     @wsgi.extends
     def detail(self, req, resp_obj):
         context = req.environ['nova.context']
-        if soft_authorize(context):
+        if context.can(pci_policies.POLICY_ROOT % 'pci_servers', fatal=False):
             servers = list(resp_obj.obj['servers'])
             for server in servers:
                 instance = req.get_db_instance(server['id'])
@@ -99,7 +98,7 @@ class PciController(wsgi.Controller):
 
     def _get_all_nodes_pci_devices(self, req, detail, action):
         context = req.environ['nova.context']
-        authorize(context, action=action)
+        context.can(pci_policies.POLICY_ROOT % action)
         compute_nodes = self.host_api.compute_node_get_all(context)
         results = []
         for node in compute_nodes:
@@ -117,7 +116,7 @@ class PciController(wsgi.Controller):
     @extensions.expected_errors(404)
     def show(self, req, id):
         context = req.environ['nova.context']
-        authorize(context, action='show')
+        context.can(pci_policies.POLICY_ROOT % 'show')
         try:
             pci_dev = objects.PciDevice.get_by_dev_id(context, id)
         except exception.PciDeviceNotFoundById as e:

nova/api/openstack/compute/quota_classes.py

@@ -22,6 +22,7 @@ from nova.api.openstack import wsgi
 from nova.api import validation
 from nova import db
 from nova import exception
+from nova.policies import quota_class_sets as qcs_policies
 from nova import quota
 from nova import utils
 
@@ -34,9 +35,6 @@ EXTENDED_QUOTAS = {'server_groups': 'os-server-group-quotas',
                    'server_group_members': 'os-server-group-quotas'}
 
 
-authorize = extensions.os_compute_authorizer(ALIAS)
-
-
 class QuotaClassSetsController(wsgi.Controller):
 
     supported_quotas = []
@@ -65,7 +63,7 @@ class QuotaClassSetsController(wsgi.Controller):
     @extensions.expected_errors(())
     def show(self, req, id):
         context = req.environ['nova.context']
-        authorize(context, action='show', target={'quota_class': id})
+        context.can(qcs_policies.POLICY_ROOT % 'show', {'quota_class': id})
         values = QUOTAS.get_class_quotas(context, id)
         return self._format_quota_set(id, values)
 
@@ -73,7 +71,7 @@ class QuotaClassSetsController(wsgi.Controller):
     @validation.schema(quota_classes.update)
     def update(self, req, id, body):
         context = req.environ['nova.context']
-        authorize(context, action='update', target={'quota_class': id})
+        context.can(qcs_policies.POLICY_ROOT % 'update', {'quota_class': id})
         try:
             utils.check_string_length(id, 'quota_class_name',
                                       min_length=1, max_length=255)

nova/api/openstack/compute/quota_sets.py

@@ -25,12 +25,12 @@ from nova.api import validation
 from nova import exception
 from nova.i18n import _
 from nova import objects
+from nova.policies import quota_sets as qs_policies
 from nova import quota
 
 
 ALIAS = "os-quota-sets"
 QUOTAS = quota.QUOTAS
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class QuotaSetsController(wsgi.Controller):
@@ -85,7 +85,7 @@ class QuotaSetsController(wsgi.Controller):
     @extensions.expected_errors(())
     def show(self, req, id):
         context = req.environ['nova.context']
-        authorize(context, action='show', target={'project_id': id})
+        context.can(qs_policies.POLICY_ROOT % 'show', {'project_id': id})
         params = urlparse.parse_qs(req.environ.get('QUERY_STRING', ''))
         user_id = params.get('user_id', [None])[0]
         return self._format_quota_set(id,
@@ -94,7 +94,7 @@ class QuotaSetsController(wsgi.Controller):
     @extensions.expected_errors(())
     def detail(self, req, id):
         context = req.environ['nova.context']
-        authorize(context, action='detail', target={'project_id': id})
+        context.can(qs_policies.POLICY_ROOT % 'detail', {'project_id': id})
         user_id = req.GET.get('user_id', None)
         return self._format_quota_set(id, self._get_quotas(context, id,
                                                            user_id=user_id,
@@ -104,7 +104,7 @@ class QuotaSetsController(wsgi.Controller):
     @validation.schema(quota_sets.update)
     def update(self, req, id, body):
         context = req.environ['nova.context']
-        authorize(context, action='update', target={'project_id': id})
+        context.can(qs_policies.POLICY_ROOT % 'update', {'project_id': id})
         project_id = id
         params = urlparse.parse_qs(req.environ.get('QUERY_STRING', ''))
         user_id = params.get('user_id', [None])[0]
@@ -150,7 +150,7 @@ class QuotaSetsController(wsgi.Controller):
     @extensions.expected_errors(())
     def defaults(self, req, id):
         context = req.environ['nova.context']
-        authorize(context, action='defaults', target={'project_id': id})
+        context.can(qs_policies.POLICY_ROOT % 'defaults', {'project_id': id})
         values = QUOTAS.get_defaults(context)
         return self._format_quota_set(id, values)
 
@@ -161,7 +161,7 @@ class QuotaSetsController(wsgi.Controller):
     @wsgi.response(202)
     def delete(self, req, id):
         context = req.environ['nova.context']
-        authorize(context, action='delete', target={'project_id': id})
+        context.can(qs_policies.POLICY_ROOT % 'delete', {'project_id': id})
         params = urlparse.parse_qs(req.environ.get('QUERY_STRING', ''))
         user_id = params.get('user_id', [None])[0]
         if user_id:

nova/api/openstack/compute/remote_consoles.py

@@ -21,10 +21,10 @@ from nova.api.openstack import wsgi
 from nova.api import validation
 from nova import compute
 from nova import exception
+from nova.policies import remote_consoles as rc_policies
 
 
 ALIAS = "os-remote-consoles"
-authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class RemoteConsolesController(wsgi.Controller):
@@ -44,7 +44,7 @@ class RemoteConsolesController(wsgi.Controller):
     def get_vnc_console(self, req, id, body):
         """Get text console output."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(rc_policies.BASE_POLICY_NAME)
 
         # If type is not supplied or unknown, get_vnc_console below will cope
         console_type = body['os-getVNCConsole'].get('type')
@@ -73,7 +73,7 @@ class RemoteConsolesController(wsgi.Controller):
     def get_spice_console(self, req, id, body):
         """Get text console output."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(rc_policies.BASE_POLICY_NAME)
 
         # If type is not supplied or unknown, get_spice_console below will cope
         console_type = body['os-getSPICEConsole'].get('type')
@@ -102,7 +102,7 @@ class RemoteConsolesController(wsgi.Controller):
     def get_rdp_console(self, req, id, body):
         """Get text console output."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(rc_policies.BASE_POLICY_NAME)
 
         # If type is not supplied or unknown, get_rdp_console below will cope
         console_type = body['os-getRDPConsole'].get('type')
@@ -133,7 +133,7 @@ class RemoteConsolesController(wsgi.Controller):
     def get_serial_console(self, req, id, body):
         """Get connection to a serial console."""
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(rc_policies.BASE_POLICY_NAME)
 
         # If type is not supplied or unknown get_serial_console below will cope
         console_type = body['os-getSerialConsole'].get('type')
@@ -163,7 +163,7 @@ class RemoteConsolesController(wsgi.Controller):
     @validation.schema(remote_consoles.create_v28, "2.8")
     def create(self, req, server_id, body):
         context = req.environ['nova.context']
-        authorize(context)
+        context.can(rc_policies.BASE_POLICY_NAME)
         instance = common.get_instance(self.compute_api, context, server_id)
         protocol = body['remote_console']['protocol']
         console_type = body['remote_console']['type']

nova/api/openstack/compute/rescue.py

@@ -24,14 +24,13 @@ from nova.api import validation
 from nova import compute
 import nova.conf
 from nova import exception
+from nova.policies import rescue as rescue_policies
 from nova import utils
 
 
 ALIAS = "os-rescue"
 CONF = nova.conf.CONF
 
-authorize = extensions.os_compute_authorizer(ALIAS)
-
 
 class RescueController(wsgi.Controller):
     def __init__(self, *args, **kwargs):
@@ -47,7 +46,7 @@ class RescueController(wsgi.Controller):
     def _rescue(self, req, id, body):
         """Rescue an instance."""
         context = req.environ["nova.context"]
-        authorize(context)
+        context.can(rescue_policies.BASE_POLICY_NAME)
 
         if body['rescue'] and 'adminPass' in body['rescue']:
             password = body['rescue']['adminPass']
@@ -88,7 +87,7 @@ class RescueController(wsgi.Controller):
     def _unrescue(self, req, id, body):
         """Unrescue an instance."""
         context = req.environ["nova.context"]
-        authorize(context)
+        context.can(rescue_policies.BASE_POLICY_NAME)
         instance = common.get_instance(self.compute_api, context, id)
         try:
             self.compute_api.unrescue(context, instance)