Remove redundant policy check from security_group_default_rule

We add check in security_group_default_rules, user is not necessary to be authorized to security_groups in order to access security_group_default_rules. Then this patch removes the security_groups policy check from security_group_default_rules. This is related to bp nova-api-policy-final-part DocImpact UpgradeImpact Change-Id: I221d1056b0101fc5c909222d9cac6739fd106e3f
2015-05-14 07:51:13 +08:00 · 2015-05-14 07:51:13 +08:00 · 92807d6638
parent 5cdcf7dede
commit 92807d6638
2 changed files with 5 additions and 6 deletions
--- a/nova/api/openstack/compute/plugins/v3/security_group_default_rules.py
+++ b/nova/api/openstack/compute/plugins/v3/security_group_default_rules.py
@ -35,7 +35,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):

    @extensions.expected_errors((400, 409, 501))
    def create(self, req, body):
-        context = sg._authorize_context(req)
+        context = req.environ['nova.context']
        authorize(context)

        sg_rule = self._from_body(body, 'security_group_default_rule')
@ -72,7 +72,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):

    @extensions.expected_errors((400, 404, 501))
    def show(self, req, id):
-        context = sg._authorize_context(req)
+        context = req.environ['nova.context']
        authorize(context)

        try:
@ -91,7 +91,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
    @extensions.expected_errors((400, 404, 501))
    @wsgi.response(204)
    def delete(self, req, id):
-        context = sg._authorize_context(req)
+        context = req.environ['nova.context']
        authorize(context)

        try:
@ -107,8 +107,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):

    @extensions.expected_errors((404, 501))
    def index(self, req):
-
-        context = sg._authorize_context(req)
+        context = req.environ['nova.context']
        authorize(context)

        ret = {'security_group_default_rules': []}
--- a/nova/tests/unit/api/openstack/compute/contrib/test_security_group_default_rules.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_security_group_default_rules.py
@ -379,7 +379,7 @@ class SecurityGroupDefaultRulesPolicyEnforcementV21(test.NoDBTestCase):
        self.req = fakes.HTTPRequest.blank('')

    def _common_policy_check(self, func, *arg, **kwarg):
-        rule_name = "os_compute_api:os-security-groups"
+        rule_name = "os_compute_api:os-security-group-default-rules"
        rule = {rule_name: "project:non_fake"}
        self.policy.set_rules(rule)
        exc = self.assertRaises(