Merge "Add missing policy for limits extension"

2015-07-29 05:40:45 +00:00 · 2015-07-29 05:40:45 +00:00 · ae134e367d
parent abdadac243 8ebb1bfb7d
commit ae134e367d
4 changed files with 23 additions and 0 deletions
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@ -307,6 +307,7 @@
    "os_compute_api:os-keypairs:create": "",
    "os_compute_api:os-keypairs:delete": "",
    "os_compute_api:limits:discoverable": "",
+    "os_compute_api:limits": "",
    "os_compute_api:os-lock-server:discoverable": "",
    "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
    "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
--- a/nova/api/openstack/compute/plugins/v3/limits.py
+++ b/nova/api/openstack/compute/plugins/v3/limits.py
@ -22,6 +22,7 @@ from nova import quota

 QUOTAS = quota.QUOTAS
 ALIAS = 'limits'
+authorize = extensions.os_compute_authorizer(ALIAS)


 class LimitsController(wsgi.Controller):
@ -31,6 +32,7 @@ class LimitsController(wsgi.Controller):
    def index(self, req):
        """Return all global and rate limit information."""
        context = req.environ['nova.context']
+        authorize(context)
        project_id = req.params.get('tenant_id', context.project_id)
        quotas = QUOTAS.get_project_quotas(context, project_id,
                                           usages=False)
--- a/nova/tests/unit/api/openstack/compute/test_limits.py
+++ b/nova/tests/unit/api/openstack/compute/test_limits.py
@ -31,6 +31,7 @@ from nova.api.openstack.compute.plugins.v3 import limits as limits_v21
 from nova.api.openstack.compute import views
 from nova.api.openstack import wsgi
 import nova.context
+from nova import exception
 from nova import test
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import matchers
@ -897,3 +898,21 @@ class LimitsViewBuilderTest(test.NoDBTestCase):
        rate_limits = []
        output = self.view_builder.build(rate_limits, abs_limits)
        self.assertThat(output, matchers.DictMatches(expected_limits))
+
+
+class LimitsPolicyEnforcementV21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(LimitsPolicyEnforcementV21, self).setUp()
+        self.controller = limits_v21.LimitsController()
+
+    def test_limits_index_policy_failed(self):
+        rule_name = "os_compute_api:limits"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        req = fakes.HTTPRequest.blank('')
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.index, req=req)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())
--- a/nova/tests/unit/fake_policy.py
+++ b/nova/tests/unit/fake_policy.py
@ -353,6 +353,7 @@ policy_data = """
    "os_compute_api:os-availability-zone:detail": "",
    "compute_extension:used_limits_for_admin": "is_admin:True",
    "os_compute_api:os-used-limits": "is_admin:True",
+    "os_compute_api:limits": "",
    "compute_extension:migrations:index": "is_admin:True",
    "os_compute_api:os-migrations:index": "is_admin:True",
    "compute_extension:os-assisted-volume-snapshots:create": "",