Pass the actual target in flavor access policy

Currently, if target is not passed in context.can(),
it uses the default target, which is context.user_id, context.project_id.
These default targets are not useful, as they pass the
context's user_id and project_id only, which means we tell
oslo policy to verify the context data with context data.

This commit passes the actual target for flavor access policies,
which is an empty dict for policies that are system scoped and the context project_id
for GET, which is system and project scoped.

Partial implement blueprint policy-defaults-refresh

Change-Id: I178d619d54d50c9a3d615879e40ab8359f4227b6
Ghanshyam Mann 2020-04-13 06:56:38 -05:00
parent a40c694125
commit c375b541a5
1 changed files with 2 additions and 2 deletions

@ -63,7 +63,7 @@ class FlavorActionController(wsgi.Controller):
@validation.schema(flavor_access.add_tenant_access)
def _add_tenant_access(self, req, id, body):
context = req.environ['nova.context']
context.can(fa_policies.POLICY_ROOT % "add_tenant_access")
context.can(fa_policies.POLICY_ROOT % "add_tenant_access", target={})
vals = body['addTenantAccess']
tenant = vals['tenant']
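
Review bot: the `target={}` added to the `context.can()` call in `_add_tenant_access` carries no comment saying the empty dict is deliberate. With `tenant = vals['tenant']` read two lines later, the call reads as if the target was forgotten rather than chosen. Suggest a one-line comment above the check noting that this policy is system scoped and stating whether the tenant from the request body is intentionally left out of the policy target.
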
@ -89,7 +89,7 @@ class FlavorActionController(wsgi.Controller):
def _remove_tenant_access(self, req, id, body):
context = req.environ['nova.context']
context.can(
fa_policies.POLICY_ROOT % "remove_tenant_access")
fa_policies.POLICY_ROOT % "remove_tenant_access", target={})
vals = body['removeTenantAccess']
tenant = vals['tenant']
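
Review bot: the `remove_tenant_access` check in `_remove_tenant_access` gets `target={}`, but the change summary lists one changed file with 2 additions and 2 deletions, so no test is added or updated to pin the new target. If the argument is dropped in a later edit, the check falls back to the default target that the commit message describes as verifying context data against context data, and nothing would fail. Suggest a unit test asserting that `context.can` is called with `target={}` for both the add and remove actions. Separately, the commit message mentions passing the context project_id for GET, but neither hunk touches a GET policy check; either include that change or drop the sentence from the message.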