diff --git a/nova/api/openstack/compute/contrib/security_group_default_rules.py b/nova/api/openstack/compute/contrib/security_group_default_rules.py
index 04fe78433693..03a55abb6a14 100644
--- a/nova/api/openstack/compute/contrib/security_group_default_rules.py
+++ b/nova/api/openstack/compute/contrib/security_group_default_rules.py
@@ -88,6 +88,9 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
 def delete(self, req, id):
 context = sg._authorize_context(req)
 authorize(context)
+ # NOTE(shaohe-feng): back-compatible with db layer hard-code
+ # admin permission checks.
+ nova_context.require_admin_context(context)
 try:
 id = self.security_group_api.validate_id(id)
diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
index 8db5a0e067ac..1823d38c166a 100644
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@@ -4285,7 +4285,6 @@ def security_group_default_rule_get(context, security_group_rule_default_id):
 return result
-@require_admin_context
 def security_group_default_rule_destroy(context, security_group_rule_default_id):
 session = get_session()
diff --git a/nova/tests/unit/api/openstack/compute/contrib/test_security_group_default_rules.py b/nova/tests/unit/api/openstack/compute/contrib/test_security_group_default_rules.py
index 0539a837a83a..3d9bbb5e3ba2 100644
--- a/nova/tests/unit/api/openstack/compute/contrib/test_security_group_default_rules.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_security_group_default_rules.py
@@ -337,6 +337,11 @@ class TestSecurityGroupDefaultRulesV2(test.TestCase):
 self.assertRaises(exception.AdminRequired, self.controller.create, self.non_admin_req, sgr_dict)
+ def test_delete_security_group_default_rules_with_non_admin(self):
+ self.controller = self.controller_cls()
+ self.assertRaises(exception.AdminRequired,
+ self.controller.delete, self.non_admin_req, 1)
+
 class SecurityGroupDefaultRulesPolicyEnforcementV21(test.NoDBTestCase):
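Review bot: In `SecurityGroupDefaultRulesController.delete`, the added `nova_context.require_admin_context(context)` becomes the only admin gate for deleting a default rule, because this commit also drops `@require_admin_context` from `security_group_default_rule_destroy` in nova/db/sqlalchemy/api.py. Any other caller of that DB function is not visible in this diff and would now run without an admin check, so those call paths should be confirmed. The comment would be clearer if it said so, for example `# NOTE(shaohe-feng): the DB layer no longer checks for admin on destroy;` followed by `# keep the hard-coded check here so the v2 API behaves as before.` The check sits before `validate_id`, so a non-admin is rejected before any lookup; the body of `delete` continues outside the hunk.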
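Review bot: `test_delete_security_group_default_rules_with_non_admin` does not say where the expected `AdminRequired` comes from, which matters now that the DB-layer decorator is removed in the same commit. A one-line comment such as `# AdminRequired must come from the API controller; the DB layer no longer checks.` would document that. The test is added to `TestSecurityGroupDefaultRulesV2` only; whether the v2.1 controller is covered elsewhere cannot be told from this hunk.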