Fix unpause server policy to be admin_or_owner
The unpause server API policy defaults to admin_or_owner[1], but the API is allowed for everyone. A test using another project's context can access the API - https://review.opendev.org/#/c/716161/ This is because the API does not pass the server's project_id in the policy target[2]; if no target is passed, policy.py adds the default targets, which are nothing but context.project_id (so the check passes for everyone who tries to access)[3]. This commit fixes the policy by passing the server's project_id in the policy target. Closes-bug: #1869841 Partial implement blueprint policy-defaults-refresh [1] -eb6bd04e4c/nova/policies/pause_server.py (L38)
[2] -eb6bd04e4c/nova/api/openstack/compute/pause_server.py (L58)
[3] -c16315165c/nova/policy.py (L191)
Change-Id: Iacfaec63eb380863657b44c7f5ff14f6209e3857
parent
eb6bd04e4c
commit
cd0b96176a
|
@ -55,8 +55,9 @@ class PauseServerController(wsgi.Controller):
|
|||
def _unpause(self, req, id, body):
|
||||
"""Permit Admins to unpause the server."""
|
||||
ctxt = req.environ['nova.context']
|
||||
ctxt.can(ps_policies.POLICY_ROOT % 'unpause')
|
||||
server = common.get_instance(self.compute_api, ctxt, id)
|
||||
ctxt.can(ps_policies.POLICY_ROOT % 'unpause',
|
||||
target={'project_id': server.project_id})
|
||||
try:
|
||||
self.compute_api.unpause(ctxt, server)
|
||||
except exception.InstanceIsLocked as e:
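Review bot: The docstring on `_unpause` still reads "Permit Admins to unpause the server.", which no longer matches a check that now targets the server's project_id under an admin_or_owner default; I would change it to `"""Unpause the server; allowed for admins or the server's owning project."""`. A comment above the lookup would also help, `# Load the server first so the policy target is the server's project_id, not the caller's.`, because the reordering is what makes the ownership check meaningful and is easy to undo in a later refactor. The method body continues past the end of the hunk.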
|
||||
|
|
|
@ -114,7 +114,12 @@ class PauseServerPolicyEnforcementV21(test.NoDBTestCase):
|
|||
pause_mock.assert_called_once_with(self.req.environ['nova.context'],
|
||||
instance)
|
||||
|
||||
def test_unpause_policy_failed(self):
|
||||
@mock.patch('nova.api.openstack.common.get_instance')
|
||||
def test_unpause_policy_failed(self, get_instance_mock):
|
||||
instance = fake_instance.fake_instance_obj(
|
||||
self.req.environ['nova.context'],
|
||||
user_id=self.req.environ['nova.context'].user_id)
|
||||
get_instance_mock.return_value = instance
|
||||
rule_name = "os_compute_api:os-pause-server:unpause"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
exc = self.assertRaises(
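Review bot: The rule set in `test_unpause_policy_failed`, `"project:non_fake"`, does not appear to depend on the policy target, so this test would presumably fail the same way with or without the new `target={'project_id': server.project_id}`; nothing in the visible lines pins that the server's project is what gets checked. Consider an additional case that builds the instance with a `project_id` different from the request context's and uses an owner rule such as `self.policy.set_rules({rule_name: "project_id:%(project_id)s"})`, asserting that the request is rejected. The instance here only sets `user_id`, and the assertion itself continues past the end of the hunk, so this is inferred from the setup alone.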
|
||||
|
|