Merge "Add missing policy for limits extension"

etc/nova/policy.json

@@ -307,6 +307,7 @@
     "os_compute_api:os-keypairs:create": "",
     "os_compute_api:os-keypairs:delete": "",
     "os_compute_api:limits:discoverable": "",
+    "os_compute_api:limits": "",
     "os_compute_api:os-lock-server:discoverable": "",
     "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
     "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",

nova/api/openstack/compute/plugins/v3/limits.py

@@ -22,6 +22,7 @@ from nova import quota
 
 QUOTAS = quota.QUOTAS
 ALIAS = 'limits'
+authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class LimitsController(wsgi.Controller):
@@ -31,6 +32,7 @@ class LimitsController(wsgi.Controller):
     def index(self, req):
         """Return all global and rate limit information."""
         context = req.environ['nova.context']
+        authorize(context)
         project_id = req.params.get('tenant_id', context.project_id)
         quotas = QUOTAS.get_project_quotas(context, project_id,
                                            usages=False)

nova/tests/unit/api/openstack/compute/test_limits.py

@@ -31,6 +31,7 @@ from nova.api.openstack.compute.plugins.v3 import limits as limits_v21
 from nova.api.openstack.compute import views
 from nova.api.openstack import wsgi
 import nova.context
+from nova import exception
 from nova import test
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import matchers
@@ -897,3 +898,21 @@ class LimitsViewBuilderTest(test.NoDBTestCase):
         rate_limits = []
         output = self.view_builder.build(rate_limits, abs_limits)
         self.assertThat(output, matchers.DictMatches(expected_limits))
+
+
+class LimitsPolicyEnforcementV21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(LimitsPolicyEnforcementV21, self).setUp()
+        self.controller = limits_v21.LimitsController()
+
+    def test_limits_index_policy_failed(self):
+        rule_name = "os_compute_api:limits"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        req = fakes.HTTPRequest.blank('')
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.index, req=req)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())

nova/tests/unit/fake_policy.py

@@ -353,6 +353,7 @@ policy_data = """
     "os_compute_api:os-availability-zone:detail": "",
     "compute_extension:used_limits_for_admin": "is_admin:True",
     "os_compute_api:os-used-limits": "is_admin:True",
+    "os_compute_api:limits": "",
     "compute_extension:migrations:index": "is_admin:True",
     "os_compute_api:os-migrations:index": "is_admin:True",
     "compute_extension:os-assisted-volume-snapshots:create": "",