policy: Replaces 'authorize' in nova-api (part 3)

Partially-Implements: bp policy-in-code

Change-Id: I316679f3fc3a2022fd6fe57c6bd3fa0e80d8136b
Claudiu Belu 2016-06-15 18:21:08 +03:00
parent 0871f4953d
commit a46e3c89ea
17 changed files with 82 additions and 82 deletions


@ -22,9 +22,9 @@ from nova.api import validation
from nova import exception
from nova.i18n import _
from nova import objects
from nova.policies import fixed_ips as fi_policies
ALIAS = 'os-fixed-ips'
authorize = extensions.os_compute_authorizer(ALIAS)
class FixedIPController(wsgi.Controller):
@ -43,7 +43,7 @@ class FixedIPController(wsgi.Controller):
def show(self, req, id):
"""Return data about the given fixed IP."""
context = req.environ['nova.context']
authorize(context)
context.can(fi_policies.BASE_POLICY_NAME)
attrs = ['network', 'instance']
try:
@ -79,7 +79,7 @@ class FixedIPController(wsgi.Controller):
@wsgi.action('reserve')
def reserve(self, req, id, body):
context = req.environ['nova.context']
authorize(context)
context.can(fi_policies.BASE_POLICY_NAME)
return self._set_reserved(context, id, True)
@ -89,7 +89,7 @@ class FixedIPController(wsgi.Controller):
@wsgi.action('unreserve')
def unreserve(self, req, id, body):
context = req.environ['nova.context']
authorize(context)
context.can(fi_policies.BASE_POLICY_NAME)
return self._set_reserved(context, id, False)
def _set_reserved(self, context, address, reserved):
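Review bot: `reserve` and `unreserve` are gated by the same `fi_policies.BASE_POLICY_NAME` rule as the read-only `show`, so an operator cannot grant a role read access to fixed IPs without also granting the ability to change their reserved state. The old `authorize(context)` calls had the same granularity, so this is carried over by the port, but it is worth recording at the call sites, e.g. `# NOTE: shares the rule used by show(); splitting it needs a new policy entry`. The same single-rule pattern appears in the floating-ip-dns entry handlers, floating-ips, floating-ips-bulk (`create` and the bulk-delete `update`) and hosts (`_host_power_action` next to the listing call). The bodies of all three methods here continue outside the hunks shown.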


@ -26,10 +26,9 @@ from nova.api import validation
from nova import exception
from nova.i18n import _
from nova import objects
from nova.policies import flavor_access as fa_policies
ALIAS = 'os-flavor-access'
soft_authorize = extensions.os_compute_soft_authorizer(ALIAS)
authorize = extensions.os_compute_authorizer(ALIAS)
def _marshall_flavor_access(flavor):
@ -46,7 +45,7 @@ class FlavorAccessController(wsgi.Controller):
@extensions.expected_errors(404)
def index(self, req, flavor_id):
context = req.environ['nova.context']
authorize(context)
context.can(fa_policies.BASE_POLICY_NAME)
flavor = common.get_flavor(context, flavor_id)
@ -68,7 +67,7 @@ class FlavorActionController(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
context = req.environ['nova.context']
if soft_authorize(context):
if context.can(fa_policies.BASE_POLICY_NAME, fatal=False):
db_flavor = req.get_db_flavor(id)
self._extend_flavor(resp_obj.obj['flavor'], db_flavor)
@ -76,7 +75,7 @@ class FlavorActionController(wsgi.Controller):
@wsgi.extends
def detail(self, req, resp_obj):
context = req.environ['nova.context']
if soft_authorize(context):
if context.can(fa_policies.BASE_POLICY_NAME, fatal=False):
flavors = list(resp_obj.obj['flavors'])
for flavor_rval in flavors:
db_flavor = req.get_db_flavor(flavor_rval['id'])
@ -85,7 +84,7 @@ class FlavorActionController(wsgi.Controller):
@wsgi.extends(action='create')
def create(self, req, body, resp_obj):
context = req.environ['nova.context']
if soft_authorize(context):
if context.can(fa_policies.BASE_POLICY_NAME, fatal=False):
db_flavor = req.get_db_flavor(resp_obj.obj['flavor']['id'])
self._extend_flavor(resp_obj.obj['flavor'], db_flavor)
@ -95,7 +94,7 @@ class FlavorActionController(wsgi.Controller):
@validation.schema(flavor_access.add_tenant_access)
def _add_tenant_access(self, req, id, body):
context = req.environ['nova.context']
authorize(context, action="add_tenant_access")
context.can(fa_policies.POLICY_ROOT % "add_tenant_access")
vals = body['addTenantAccess']
tenant = vals['tenant']
@ -121,7 +120,8 @@ class FlavorActionController(wsgi.Controller):
@validation.schema(flavor_access.remove_tenant_access)
def _remove_tenant_access(self, req, id, body):
context = req.environ['nova.context']
authorize(context, action="remove_tenant_access")
context.can(
fa_policies.POLICY_ROOT % "remove_tenant_access")
vals = body['removeTenantAccess']
tenant = vals['tenant']
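Review bot: The three `context.can(fa_policies.BASE_POLICY_NAME, fatal=False)` checks in `show`, `detail` and `create` skip the response extension without any signal when the rule does not pass, and nothing at the call sites says this is intended. A short comment such as `# Soft check: callers who fail the rule get the flavor without this extension's fields` would keep a later edit from dropping `fatal=False` here, or from adding it to `index`, where the check has to stay a hard denial. This assumes `can(..., fatal=False)` returns a falsy value instead of raising, which the page does not show. The same soft-check form is used in the flavor-rxtx, image-size and instance-actions sections.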


@ -21,11 +21,10 @@ from nova.compute import flavors
from nova import exception
from nova.i18n import _
from nova import objects
from nova.policies import flavor_manage as fm_policies
ALIAS = "os-flavor-manage"
authorize = extensions.os_compute_authorizer(ALIAS)
class FlavorManageController(wsgi.Controller):
"""The Flavor Lifecycle API controller for the OpenStack API."""
@ -42,7 +41,7 @@ class FlavorManageController(wsgi.Controller):
@wsgi.action("delete")
def _delete(self, req, id):
context = req.environ['nova.context']
authorize(context)
context.can(fm_policies.BASE_POLICY_NAME)
flavor = objects.Flavor(context=context, flavorid=id)
try:
@ -58,7 +57,7 @@ class FlavorManageController(wsgi.Controller):
@validation.schema(flavor_manage.create, '2.1')
def _create(self, req, body):
context = req.environ['nova.context']
authorize(context)
context.can(fm_policies.BASE_POLICY_NAME)
vals = body['flavor']


@ -16,9 +16,9 @@
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova.policies import flavor_rxtx as fr_policies
ALIAS = 'os-flavor-rxtx'
authorize = extensions.os_compute_soft_authorizer(ALIAS)
class FlavorRxtxController(wsgi.Controller):
@ -29,7 +29,8 @@ class FlavorRxtxController(wsgi.Controller):
flavor[key] = db_flavor['rxtx_factor'] or ""
def _show(self, req, resp_obj):
if not authorize(req.environ['nova.context']):
context = req.environ['nova.context']
if not context.can(fr_policies.BASE_POLICY_NAME, fatal=False):
return
if 'flavor' in resp_obj.obj:
self._extend_flavors(req, [resp_obj.obj['flavor']])
@ -44,7 +45,8 @@ class FlavorRxtxController(wsgi.Controller):
@wsgi.extends
def detail(self, req, resp_obj):
if not authorize(req.environ['nova.context']):
context = req.environ['nova.context']
if not context.can(fr_policies.BASE_POLICY_NAME, fatal=False):
return
self._extend_flavors(req, list(resp_obj.obj['flavors']))


@ -23,10 +23,10 @@ from nova.api.openstack import wsgi
from nova.api import validation
from nova import exception
from nova.i18n import _
from nova.policies import flavor_extra_specs as fes_policies
from nova import utils
ALIAS = 'os-flavor-extra-specs'
authorize = extensions.os_compute_authorizer(ALIAS)
class FlavorExtraSpecsController(wsgi.Controller):
@ -52,7 +52,7 @@ class FlavorExtraSpecsController(wsgi.Controller):
def index(self, req, flavor_id):
"""Returns the list of extra specs for a given flavor."""
context = req.environ['nova.context']
authorize(context, action='index')
context.can(fes_policies.POLICY_ROOT % 'index')
return self._get_extra_specs(context, flavor_id)
# NOTE(gmann): Here should be 201 instead of 200 by v2.1
@ -62,7 +62,7 @@ class FlavorExtraSpecsController(wsgi.Controller):
@validation.schema(flavors_extraspecs.create)
def create(self, req, flavor_id, body):
context = req.environ['nova.context']
authorize(context, action='create')
context.can(fes_policies.POLICY_ROOT % 'create')
specs = body['extra_specs']
self._check_extra_specs_value(specs)
@ -80,7 +80,7 @@ class FlavorExtraSpecsController(wsgi.Controller):
@validation.schema(flavors_extraspecs.update)
def update(self, req, flavor_id, id, body):
context = req.environ['nova.context']
authorize(context, action='update')
context.can(fes_policies.POLICY_ROOT % 'update')
self._check_extra_specs_value(body)
if id not in body:
@ -100,7 +100,7 @@ class FlavorExtraSpecsController(wsgi.Controller):
def show(self, req, flavor_id, id):
"""Return a single extra spec item."""
context = req.environ['nova.context']
authorize(context, action='show')
context.can(fes_policies.POLICY_ROOT % 'show')
flavor = common.get_flavor(context, flavor_id)
try:
return {id: flavor.extra_specs[id]}
@ -117,7 +117,7 @@ class FlavorExtraSpecsController(wsgi.Controller):
def delete(self, req, flavor_id, id):
"""Deletes an existing extra spec."""
context = req.environ['nova.context']
authorize(context, action='delete')
context.can(fes_policies.POLICY_ROOT % 'delete')
flavor = common.get_flavor(context, flavor_id)
try:
del flavor.extra_specs[id]


@ -24,10 +24,10 @@ from nova.api import validation
from nova import exception
from nova.i18n import _
from nova import network
from nova.policies import floating_ip_dns as fid_policies
ALIAS = "os-floating-ip-dns"
authorize = extensions.os_compute_authorizer(ALIAS)
def _translate_dns_entry_view(dns_entry):
@ -90,7 +90,7 @@ class FloatingIPDNSDomainController(wsgi.Controller):
def index(self, req):
"""Return a list of available DNS domains."""
context = req.environ['nova.context']
authorize(context)
context.can(fid_policies.BASE_POLICY_NAME)
try:
domains = self.network_api.get_dns_domains(context)
@ -110,7 +110,7 @@ class FloatingIPDNSDomainController(wsgi.Controller):
def update(self, req, id, body):
"""Add or modify domain entry."""
context = req.environ['nova.context']
authorize(context, action="domain:update")
context.can(fid_policies.POLICY_ROOT % "domain:update")
fqdomain = _unquote_domain(id)
entry = body['domain_entry']
scope = entry['scope']
@ -145,7 +145,7 @@ class FloatingIPDNSDomainController(wsgi.Controller):
def delete(self, req, id):
"""Delete the domain identified by id."""
context = req.environ['nova.context']
authorize(context, action="domain:delete")
context.can(fid_policies.POLICY_ROOT % "domain:delete")
domain = _unquote_domain(id)
# Delete the whole domain
@ -168,7 +168,7 @@ class FloatingIPDNSEntryController(wsgi.Controller):
def show(self, req, domain_id, id):
"""Return the DNS entry that corresponds to domain_id and id."""
context = req.environ['nova.context']
authorize(context)
context.can(fid_policies.BASE_POLICY_NAME)
domain = _unquote_domain(domain_id)
floating_ip = None
@ -206,7 +206,7 @@ class FloatingIPDNSEntryController(wsgi.Controller):
def update(self, req, domain_id, id, body):
"""Add or modify dns entry."""
context = req.environ['nova.context']
authorize(context)
context.can(fid_policies.BASE_POLICY_NAME)
domain = _unquote_domain(domain_id)
name = id
entry = body['dns_entry']
@ -237,7 +237,7 @@ class FloatingIPDNSEntryController(wsgi.Controller):
def delete(self, req, domain_id, id):
"""Delete the entry identified by req and id."""
context = req.environ['nova.context']
authorize(context)
context.can(fid_policies.BASE_POLICY_NAME)
domain = _unquote_domain(domain_id)
name = id


@ -15,10 +15,10 @@
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova import network
from nova.policies import floating_ip_pools as fip_policies
ALIAS = 'os-floating-ip-pools'
authorize = extensions.os_compute_authorizer(ALIAS)
def _translate_floating_ip_view(pool_name):
@ -45,7 +45,7 @@ class FloatingIPPoolsController(wsgi.Controller):
def index(self, req):
"""Return a list of pools."""
context = req.environ['nova.context']
authorize(context)
context.can(fip_policies.BASE_POLICY_NAME)
pools = self.network_api.get_floating_ip_pools(context)
return _translate_floating_ip_pools_view(pools)


@ -31,11 +31,11 @@ from nova import exception
from nova.i18n import _
from nova.i18n import _LW
from nova import network
from nova.policies import floating_ips as fi_policies
LOG = logging.getLogger(__name__)
ALIAS = 'os-floating-ips'
authorize = extensions.os_compute_authorizer(ALIAS)
def _translate_floating_ip_view(floating_ip):
@ -116,7 +116,7 @@ class FloatingIPController(object):
def show(self, req, id):
"""Return data about the given floating IP."""
context = req.environ['nova.context']
authorize(context)
context.can(fi_policies.BASE_POLICY_NAME)
try:
floating_ip = self.network_api.get_floating_ip(context, id)
@ -132,7 +132,7 @@ class FloatingIPController(object):
def index(self, req):
"""Return a list of floating IPs allocated to a project."""
context = req.environ['nova.context']
authorize(context)
context.can(fi_policies.BASE_POLICY_NAME)
floating_ips = self.network_api.get_floating_ips_by_project(context)
@ -141,7 +141,7 @@ class FloatingIPController(object):
@extensions.expected_errors((400, 403, 404))
def create(self, req, body=None):
context = req.environ['nova.context']
authorize(context)
context.can(fi_policies.BASE_POLICY_NAME)
pool = None
if body and 'pool' in body:
@ -172,7 +172,7 @@ class FloatingIPController(object):
@extensions.expected_errors((400, 403, 404, 409))
def delete(self, req, id):
context = req.environ['nova.context']
authorize(context)
context.can(fi_policies.BASE_POLICY_NAME)
# get the floating ip object
try:
@ -209,7 +209,7 @@ class FloatingIPActionController(wsgi.Controller):
def _add_floating_ip(self, req, id, body):
"""Associate floating_ip to an instance."""
context = req.environ['nova.context']
authorize(context)
context.can(fi_policies.BASE_POLICY_NAME)
address = body['addFloatingIp']['address']
@ -287,7 +287,7 @@ class FloatingIPActionController(wsgi.Controller):
def _remove_floating_ip(self, req, id, body):
"""Dissociate floating_ip from an instance."""
context = req.environ['nova.context']
authorize(context)
context.can(fi_policies.BASE_POLICY_NAME)
address = body['removeFloatingIp']['address']


@ -24,12 +24,12 @@ import nova.conf
from nova import exception
from nova.i18n import _
from nova import objects
from nova.policies import floating_ips_bulk as fib_policies
CONF = nova.conf.CONF
ALIAS = 'os-floating-ips-bulk'
authorize = extensions.os_compute_authorizer(ALIAS)
class FloatingIPBulkController(wsgi.Controller):
@ -38,7 +38,7 @@ class FloatingIPBulkController(wsgi.Controller):
def index(self, req):
"""Return a list of all floating IPs."""
context = req.environ['nova.context']
authorize(context)
context.can(fib_policies.BASE_POLICY_NAME)
return self._get_floating_ip_info(context)
@ -46,7 +46,7 @@ class FloatingIPBulkController(wsgi.Controller):
def show(self, req, id):
"""Return a list of all floating IPs for a given host."""
context = req.environ['nova.context']
authorize(context)
context.can(fib_policies.BASE_POLICY_NAME)
return self._get_floating_ip_info(context, id)
@ -87,7 +87,7 @@ class FloatingIPBulkController(wsgi.Controller):
def create(self, req, body):
"""Bulk create floating IPs."""
context = req.environ['nova.context']
authorize(context)
context.can(fib_policies.BASE_POLICY_NAME)
params = body['floating_ips_bulk_create']
ip_range = params['ip_range']
@ -115,7 +115,7 @@ class FloatingIPBulkController(wsgi.Controller):
def update(self, req, id, body):
"""Bulk delete floating IPs."""
context = req.environ['nova.context']
authorize(context)
context.can(fib_policies.BASE_POLICY_NAME)
if id != "delete":
msg = _("Unknown action")


@ -26,12 +26,11 @@ from nova.api.openstack import wsgi
from nova import compute
import nova.conf
from nova.i18n import _
from nova.policies import fping as fping_policies
from nova import utils
ALIAS = "os-fping"
authorize = extensions.os_compute_authorizer(ALIAS)
CONF = nova.conf.CONF
@ -73,9 +72,9 @@ class FpingController(wsgi.Controller):
context = req.environ["nova.context"]
search_opts = dict(deleted=False)
if "all_tenants" in req.GET:
authorize(context, action='all_tenants')
context.can(fping_policies.POLICY_ROOT % 'all_tenants')
else:
authorize(context)
context.can(fping_policies.BASE_POLICY_NAME)
if context.project_id:
search_opts["project_id"] = context.project_id
else:
@ -121,7 +120,7 @@ class FpingController(wsgi.Controller):
@extensions.expected_errors((404, 503))
def show(self, req, id):
context = req.environ["nova.context"]
authorize(context)
context.can(fping_policies.BASE_POLICY_NAME)
self.check_fping()
instance = common.get_instance(self.compute_api, context, id)
ips = [str(ip) for ip in self._get_instance_ips(context, instance)]
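Review bot: The branch at `if "all_tenants" in req.GET:` tests only for the presence of the query key, so a request with `?all_tenants=0` is still evaluated against `fping_policies.POLICY_ROOT % 'all_tenants'` instead of the base rule. Indentation is lost on this page, but the `project_id` filter appears to sit in the `else` branch, which would mean the cross-tenant path also never checks `BASE_POLICY_NAME`; a deployment that tightens only the base rule would not restrict it. If that is the intended contract, say so at the branch, e.g. `# any value of all_tenants, including "0", selects the cross-tenant rule; the base rule is not checked on this path`. The enclosing method starts outside the hunk.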


@ -19,12 +19,12 @@ from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova.compute import vm_states
import nova.conf
from nova.policies import hide_server_addresses as hsa_policies
CONF = nova.conf.CONF
ALIAS = 'os-hide-server-addresses'
authorize = extensions.os_compute_soft_authorizer(ALIAS)
class Controller(wsgi.Controller):
@ -47,7 +47,8 @@ class Controller(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
resp = resp_obj
if not authorize(req.environ['nova.context']):
context = req.environ['nova.context']
if not context.can(hsa_policies.BASE_POLICY_NAME, fatal=False):
return
if 'server' in resp.obj and 'addresses' in resp.obj['server']:
@ -57,7 +58,8 @@ class Controller(wsgi.Controller):
@wsgi.extends
def detail(self, req, resp_obj):
resp = resp_obj
if not authorize(req.environ['nova.context']):
context = req.environ['nova.context']
if not context.can(hsa_policies.BASE_POLICY_NAME, fatal=False):
return
for server in list(resp.obj['servers']):
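Review bot: In `show` and `detail` the sense of `hsa_policies.BASE_POLICY_NAME` is the reverse of the other soft checks in this commit: the handler returns early when the rule does not pass and only goes on to touch `resp.obj['server']['addresses']` when it does. If, as the module name suggests, the code past the hunk removes addresses, then any condition that makes `can(..., fatal=False)` return false leaves addresses in the response, so the rule fails open for the data it is meant to hide. A comment at both call sites, e.g. `# passing this rule hides addresses; a false result leaves them in the response`, would make that explicit for whoever edits the policy defaults. Both method bodies continue outside the hunks.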


@ -28,10 +28,10 @@ from nova import compute
from nova import exception
from nova.i18n import _LI
from nova import objects
from nova.policies import hosts as hosts_policies
LOG = logging.getLogger(__name__)
ALIAS = 'os-hosts'
authorize = extensions.os_compute_authorizer(ALIAS)
class HostController(wsgi.Controller):
@ -80,7 +80,7 @@ class HostController(wsgi.Controller):
"""
context = req.environ['nova.context']
authorize(context)
context.can(hosts_policies.BASE_POLICY_NAME)
filters = {'disabled': False}
zone = req.GET.get('zone', None)
if zone:
@ -116,7 +116,7 @@ class HostController(wsgi.Controller):
return val == "enable"
context = req.environ['nova.context']
authorize(context)
context.can(hosts_policies.BASE_POLICY_NAME)
# See what the user wants to 'update'
status = body.get('status')
maint_mode = body.get('maintenance_mode')
@ -178,7 +178,7 @@ class HostController(wsgi.Controller):
def _host_power_action(self, req, host_name, action):
"""Reboots, shuts down or powers up the host."""
context = req.environ['nova.context']
authorize(context)
context.can(hosts_policies.BASE_POLICY_NAME)
try:
result = self.api.host_power_action(context, host_name=host_name,
action=action)
@ -264,7 +264,7 @@ class HostController(wsgi.Controller):
'cpu': 1, 'memory_mb': 2048, 'disk_gb': 30}
"""
context = req.environ['nova.context']
authorize(context)
context.can(hosts_policies.BASE_POLICY_NAME)
host_name = id
try:
compute_node = (


@ -25,11 +25,11 @@ from nova.api.openstack import wsgi
from nova import compute
from nova import exception
from nova.i18n import _
from nova.policies import hypervisors as hv_policies
from nova import servicegroup
ALIAS = "os-hypervisors"
authorize = extensions.os_compute_authorizer(ALIAS)
class HypervisorsController(wsgi.Controller):
@ -83,7 +83,7 @@ class HypervisorsController(wsgi.Controller):
@extensions.expected_errors(())
def index(self, req):
context = req.environ['nova.context']
authorize(context)
context.can(hv_policies.BASE_POLICY_NAME)
compute_nodes = self.host_api.compute_node_get_all(context)
req.cache_db_compute_nodes(compute_nodes)
return dict(hypervisors=[self._view_hypervisor(
@ -96,7 +96,7 @@ class HypervisorsController(wsgi.Controller):
@extensions.expected_errors(())
def detail(self, req):
context = req.environ['nova.context']
authorize(context)
context.can(hv_policies.BASE_POLICY_NAME)
compute_nodes = self.host_api.compute_node_get_all(context)
req.cache_db_compute_nodes(compute_nodes)
return dict(hypervisors=[self._view_hypervisor(
@ -106,7 +106,7 @@ class HypervisorsController(wsgi.Controller):
@extensions.expected_errors(404)
def show(self, req, id):
context = req.environ['nova.context']
authorize(context)
context.can(hv_policies.BASE_POLICY_NAME)
try:
hyp = self.host_api.compute_node_get(context, id)
req.cache_db_compute_node(hyp)
@ -121,7 +121,7 @@ class HypervisorsController(wsgi.Controller):
@extensions.expected_errors((400, 404, 501))
def uptime(self, req, id):
context = req.environ['nova.context']
authorize(context)
context.can(hv_policies.BASE_POLICY_NAME)
try:
hyp = self.host_api.compute_node_get(context, id)
req.cache_db_compute_node(hyp)
@ -145,7 +145,7 @@ class HypervisorsController(wsgi.Controller):
@extensions.expected_errors(404)
def search(self, req, id):
context = req.environ['nova.context']
authorize(context)
context.can(hv_policies.BASE_POLICY_NAME)
hypervisors = self.host_api.compute_node_search_by_hypervisor(
context, id)
if hypervisors:
@ -162,7 +162,7 @@ class HypervisorsController(wsgi.Controller):
@extensions.expected_errors(404)
def servers(self, req, id):
context = req.environ['nova.context']
authorize(context)
context.can(hv_policies.BASE_POLICY_NAME)
compute_nodes = self.host_api.compute_node_search_by_hypervisor(
context, id)
if not compute_nodes:
@ -182,7 +182,7 @@ class HypervisorsController(wsgi.Controller):
@extensions.expected_errors(())
def statistics(self, req):
context = req.environ['nova.context']
authorize(context)
context.can(hv_policies.BASE_POLICY_NAME)
stats = self.host_api.compute_node_statistics(context)
return dict(hypervisor_statistics=stats)


@ -15,11 +15,10 @@
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova.policies import image_size as is_policies
ALIAS = "image-size"
authorize = extensions.os_compute_soft_authorizer(ALIAS)
class ImageSizeController(wsgi.Controller):
@ -33,7 +32,7 @@ class ImageSizeController(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
context = req.environ["nova.context"]
if authorize(context):
if context.can(is_policies.BASE_POLICY_NAME, fatal=False):
image_resp = resp_obj.obj['image']
# image guaranteed to be in the cache due to the core API adding
# it in its 'show' method
@ -43,7 +42,7 @@ class ImageSizeController(wsgi.Controller):
@wsgi.extends
def detail(self, req, resp_obj):
context = req.environ['nova.context']
if authorize(context):
if context.can(is_policies.BASE_POLICY_NAME, fatal=False):
images_resp = list(resp_obj.obj['images'])
# images guaranteed to be in the cache due to the core API adding
# it in its 'detail' method


@ -20,11 +20,10 @@ from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova import compute
from nova.i18n import _
from nova.policies import instance_actions as ia_policies
from nova import utils
ALIAS = "os-instance-actions"
authorize = extensions.os_compute_authorizer(ALIAS)
soft_authorize = extensions.os_compute_soft_authorizer(ALIAS)
ACTION_KEYS = ['action', 'instance_uuid', 'request_id', 'user_id',
'project_id', 'start_time', 'message']
@ -64,7 +63,7 @@ class InstanceActionsController(wsgi.Controller):
"""Returns the list of actions recorded for a given instance."""
context = req.environ["nova.context"]
instance = self._get_instance(req, context, server_id)
authorize(context, target=instance)
context.can(ia_policies.BASE_POLICY_NAME, instance)
actions_raw = self.action_api.actions_get(context, instance)
actions = [self._format_action(action) for action in actions_raw]
return {'instanceActions': actions}
@ -74,7 +73,7 @@ class InstanceActionsController(wsgi.Controller):
"""Return data about the given instance action."""
context = req.environ['nova.context']
instance = self._get_instance(req, context, server_id)
authorize(context, target=instance)
context.can(ia_policies.BASE_POLICY_NAME, instance)
action = self.action_api.action_get_by_request_id(context, instance,
id)
if action is None:
@ -83,7 +82,7 @@ class InstanceActionsController(wsgi.Controller):
action_id = action['id']
action = self._format_action(action)
if soft_authorize(context, action='events'):
if context.can(ia_policies.POLICY_ROOT % 'events', fatal=False):
events_raw = self.action_api.action_events_get(context, instance,
action_id)
action['events'] = [self._format_event(evt) for evt in events_raw]
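Review bot: The `events` check in `show`, `context.can(ia_policies.POLICY_ROOT % 'events', fatal=False)`, is called without a target, while the two base checks above it pass `instance`, so event details are presumably authorised against the caller's own context and not the instance being read. The old `soft_authorize(context, action='events')` had the same shape, so this is carried over by the port, but this is a convenient place to either pass `instance` there too or add a comment saying the omission is deliberate. Passing the target by keyword, `context.can(ia_policies.BASE_POLICY_NAME, target=instance)`, would also keep those calls readable next to the `fatal=False` form. The method bodies start outside the hunks.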


@ -23,12 +23,12 @@ from nova.api.openstack import wsgi
from nova import compute
import nova.conf
from nova.i18n import _
from nova.policies import instance_usage_audit_log as iual_policies
from nova import utils
CONF = nova.conf.CONF
ALIAS = 'os-instance-usage-audit-log'
authorize = extensions.os_compute_authorizer(ALIAS)
class InstanceUsageAuditLogController(wsgi.Controller):
@ -38,14 +38,14 @@ class InstanceUsageAuditLogController(wsgi.Controller):
@extensions.expected_errors(())
def index(self, req):
context = req.environ['nova.context']
authorize(context)
context.can(iual_policies.BASE_POLICY_NAME)
task_log = self._get_audit_task_logs(context)
return {'instance_usage_audit_logs': task_log}
@extensions.expected_errors(400)
def show(self, req, id):
context = req.environ['nova.context']
authorize(context)
context.can(iual_policies.BASE_POLICY_NAME)
try:
if '.' in id:
before_date = datetime.datetime.strptime(str(id),


@ -21,9 +21,9 @@ from nova.api.openstack.compute.views import addresses as views_addresses
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova.i18n import _
from nova.policies import ips as ips_policies
ALIAS = 'ips'
authorize = extensions.os_compute_authorizer(ALIAS)
class IPsController(wsgi.Controller):
@ -41,7 +41,7 @@ class IPsController(wsgi.Controller):
@extensions.expected_errors(404)
def index(self, req, server_id):
context = req.environ["nova.context"]
authorize(context, action='index')
context.can(ips_policies.POLICY_ROOT % 'index')
instance = common.get_instance(self._compute_api, context, server_id)
networks = common.get_networks_for_instance(context, instance)
return self._view_builder.index(networks)
@ -49,7 +49,7 @@ class IPsController(wsgi.Controller):
@extensions.expected_errors(404)
def show(self, req, server_id, id):
context = req.environ["nova.context"]
authorize(context, action='show')
context.can(ips_policies.POLICY_ROOT % 'show')
instance = common.get_instance(self._compute_api, context, server_id)
networks = common.get_networks_for_instance(context, instance)
if id not in networks: