diff --git a/nova/context.py b/nova/context.py
index 624b908e976f..17971bb01e89 100644
--- a/nova/context.py
+++ b/nova/context.py
@@ -250,8 +250,7 @@ class RequestContext(context.RequestContext):
 authorized and False if not authorized and fatal is False.
 """
 if target is None:
- target = {'project_id': self.project_id,
- 'user_id': self.user_id}
+ target = self.default_target()

 try:
 return policy.authorize(self, action, target)
@@ -260,6 +259,9 @@ class RequestContext(context.RequestContext):
 raise
 return False

+ def default_target(self):
+ return {'project_id': self.project_id, 'user_id': self.user_id}
+
 def to_policy_values(self):
 policy = super(RequestContext, self).to_policy_values()
 policy['is_admin'] = self.is_admin
diff --git a/nova/policy.py b/nova/policy.py
index 5a5e9f2af84b..cd5273547b21 100644
--- a/nova/policy.py
+++ b/nova/policy.py
@@ -176,7 +176,7 @@ def check_is_admin(context):
 init()
 # the target is user-self
 credentials = context.to_policy_values()
- target = credentials
+ target = context.default_target()
 return _ENFORCER.authorize('context_is_admin', target, credentials)


diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py
index 67ea9121ead7..55fcfe2e2e37 100644
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@@ -244,6 +244,17 @@ class IsAdminCheckTestCase(test.NoDBTestCase):
 self.assertTrue(check('target', dict(is_admin=False),
 policy._ENFORCER))

+ def test_check_is_admin(self):
+ ctxt = context.RequestContext(
+ user_id='fake-user', project_id='fake-project')
+ with mock.patch('oslo_policy.policy.Enforcer.authorize') as mock_auth:
+ result = policy.check_is_admin(ctxt)
+ self.assertEqual(mock_auth.return_value, result)
+ mock_auth.assert_called_once_with(
+ 'context_is_admin',
+ {'user_id': 'fake-user', 'project_id': 'fake-project'},
+ ctxt.to_policy_values())
+

 class AdminRolePolicyTestCase(test.NoDBTestCase):
 def setUp(self):
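Review bot: `default_target()` in nova/context.py (second hunk) is added without a docstring, although it now supplies the authorization target for both `can()` and `policy.check_is_admin()`. The dict is built from the caller's own `project_id` and `user_id`, so an owner-scoped rule evaluated against it compares the caller with itself and passes; it is only a safe target when no specific resource is being checked. I would document that on the method, e.g. `"""Return the fallback policy target: the caller's own project_id and user_id. Pass an explicit target when authorizing access to a specific resource."""`. Either value is presumably None for a context created without a user or project, which the docstring could also state.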
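Review bot: In `check_is_admin` (nova/policy.py) the target passed to `_ENFORCER.authorize` narrows from the full `to_policy_values()` dict to only `project_id` and `user_id`, so a deployer-overridden `context_is_admin` rule that interpolates any other target key will no longer find it. As far as I know oslo.policy treats a missing target key as a non-match, so this should fail closed, but it is a silent behaviour change for custom policy files and deserves a release note. The call to `context.default_target()` also means any context object passed in must provide that method, which is worth stating in the function's docstring (the body starts outside the hunk). The surviving comment could be made precise, e.g. `# target is only the caller's own project_id/user_id; is_admin and the other policy values are in credentials`.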
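Review bot: `test_check_is_admin` in nova/tests/unit/test_policy.py patches `oslo_policy.policy.Enforcer.authorize`, so it pins the arguments but never evaluates the `context_is_admin` rule against the narrowed target. A companion case that runs the real enforcer would catch a rule that depends on target keys that are no longer present. Something like `self.assertFalse(policy.check_is_admin(ctxt))` for a context without an admin role would do, assuming the test policy fixture loads the default rule. A short docstring such as `"""check_is_admin passes default_target() as target and to_policy_values() as credentials."""` would also record what the mock assertion is protecting.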