From 8ebb1bfb7d9a3aa406bc898a69db132231b39b71 Mon Sep 17 00:00:00 2001
From: yuntongjin
Date: Tue, 14 Apr 2015 13:58:19 +0800
Subject: [PATCH] Add missing policy for limits extension Add default policy check for limits extension in API layer
Change-Id: Ie8cd4f1d90dad2a1118b636e3f5d46f9968731b7
Closes-Bug:#1415289
---
 etc/nova/policy.json | 1 +
 .../openstack/compute/plugins/v3/limits.py | 2 ++
 .../unit/api/openstack/compute/test_limits.py | 19 +++++++++++++++++++
 nova/tests/unit/fake_policy.py | 1 +
 4 files changed, 23 insertions(+)
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index 4b666ecbc08c..338b7d6e24f1 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -307,6 +307,7 @@
 "os_compute_api:os-keypairs:create": "",
 "os_compute_api:os-keypairs:delete": "",
 "os_compute_api:limits:discoverable": "",
+ "os_compute_api:limits": "",
 "os_compute_api:os-lock-server:discoverable": "",
 "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
 "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
diff --git a/nova/api/openstack/compute/plugins/v3/limits.py b/nova/api/openstack/compute/plugins/v3/limits.py
index 662ec4db5324..0fd5d762593e 100644
--- a/nova/api/openstack/compute/plugins/v3/limits.py
+++ b/nova/api/openstack/compute/plugins/v3/limits.py
@@ -22,6 +22,7 @@ from nova import quota
 QUOTAS = quota.QUOTAS
 ALIAS = 'limits'
+authorize = extensions.os_compute_authorizer(ALIAS)
 class LimitsController(wsgi.Controller):
@@ -31,6 +32,7 @@ class LimitsController(wsgi.Controller):
 def index(self, req):
 """Return all global and rate limit information."""
 context = req.environ['nova.context']
+ authorize(context)
 project_id = req.params.get('tenant_id', context.project_id)
 quotas = QUOTAS.get_project_quotas(context, project_id, usages=False)
diff --git a/nova/tests/unit/api/openstack/compute/test_limits.py b/nova/tests/unit/api/openstack/compute/test_limits.py
index e4d532e29427..78f248a35cc2 100644
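Review bot: In the second hunk of nova/api/openstack/compute/plugins/v3/limits.py, `authorize(context)` runs before `project_id` is read from the `tenant_id` query parameter and is given no target, so the `os_compute_api:limits` rule cannot tell a caller reading its own project's limits from one naming a different project. The authorizer helper is not part of this diff, but if a target-less call is evaluated against the caller's own project, an owner-style rule would pass for any `tenant_id`, and the shipped default `""` admits every authenticated caller anyway. Consider moving the check below the lookup and passing the requested project, e.g. `authorize(context, target={'project_id': project_id})`, or adding a comment that states where cross-project access is gated. `index` continues past the end of the hunk, so a later check there would not be visible here.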
--- a/nova/tests/unit/api/openstack/compute/test_limits.py
+++ b/nova/tests/unit/api/openstack/compute/test_limits.py
@@ -31,6 +31,7 @@ from nova.api.openstack.compute.plugins.v3 import limits as limits_v21
 from nova.api.openstack.compute import views
 from nova.api.openstack import wsgi
 import nova.context
+from nova import exception
 from nova import test
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import matchers
@@ -897,3 +898,21 @@ class LimitsViewBuilderTest(test.NoDBTestCase):
 rate_limits = []
 output = self.view_builder.build(rate_limits, abs_limits)
 self.assertThat(output, matchers.DictMatches(expected_limits))
+
+
+class LimitsPolicyEnforcementV21(test.NoDBTestCase):
+
+ def setUp(self):
+ super(LimitsPolicyEnforcementV21, self).setUp()
+ self.controller = limits_v21.LimitsController()
+
+ def test_limits_index_policy_failed(self):
+ rule_name = "os_compute_api:limits"
+ self.policy.set_rules({rule_name: "project:non_fake"})
+ req = fakes.HTTPRequest.blank('')
+ exc = self.assertRaises(
+ exception.PolicyNotAuthorized,
+ self.controller.index, req=req)
+ self.assertEqual(
+ "Policy doesn't allow %s to be performed." % rule_name,
+ exc.format_message())
diff --git a/nova/tests/unit/fake_policy.py b/nova/tests/unit/fake_policy.py
index 01acfaccfcda..ed5de175e850 100644
--- a/nova/tests/unit/fake_policy.py
+++ b/nova/tests/unit/fake_policy.py
@@ -353,6 +353,7 @@ policy_data = """
 "os_compute_api:os-availability-zone:detail": "",
 "compute_extension:used_limits_for_admin": "is_admin:True",
 "os_compute_api:os-used-limits": "is_admin:True",
+ "os_compute_api:limits": "",
 "compute_extension:migrations:index": "is_admin:True",
 "os_compute_api:os-migrations:index": "is_admin:True",
 "compute_extension:os-assisted-volume-snapshots:create": "",
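Review bot: `LimitsPolicyEnforcementV21` in test_limits.py exercises only the denial path, using a rule that fails for every caller, so nothing pins how `index` behaves when the request names another project through `tenant_id`. A second case that builds the request with a `tenant_id` query value different from the caller's project and sets an owner-style rule would show whether the policy check is scoped to the requested project or only to the caller. A one-line class docstring such as `"""Check that LimitsController.index enforces os_compute_api:limits."""` would also make the intent of the class clear.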