Correct server shelve policy check_str
server shelve API policy is default to admin_or_owner[1] but API is allowed (which is expected) for everyone. This is because API does not pass the project_id in policy target so that oslo policy can decide the ownership[2]. If no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access) -c16315165c/nova/policy.py (L191)
Passing the server project_id as target to make it admin_or_owner. [1]e4ac401d1a/nova/api/openstack/compute/shelve.py (L89)
[2]e4ac401d1a/nova/policies/shelve.py (L37)
Closes-bug: #1870881 Change-Id: I493062ed0ee632a9c647cf1f3cf497eebc39c4ca
This commit is contained in:
parent
184fcdaaa4
commit
e4e97e23c1
|
@ -86,8 +86,9 @@ class ShelveController(wsgi.Controller):
|
|||
def _unshelve(self, req, id, body):
|
||||
"""Restore an instance from shelved mode."""
|
||||
context = req.environ["nova.context"]
|
||||
context.can(shelve_policies.POLICY_ROOT % 'unshelve')
|
||||
instance = common.get_instance(self.compute_api, context, id)
|
||||
context.can(shelve_policies.POLICY_ROOT % 'unshelve',
|
||||
target={'project_id': instance.project_id})
|
||||
|
||||
new_az = None
|
||||
unshelve_dict = body['unshelve']
|
||||
|
|
|
@ -181,14 +181,20 @@ class ShelvePolicyEnforcementV21(test.NoDBTestCase):
|
|||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
|
||||
def test_unshelve_restricted_by_role(self):
|
||||
@mock.patch('nova.api.openstack.common.get_instance')
|
||||
def test_unshelve_restricted_by_role(self, get_instance_mock):
|
||||
get_instance_mock.return_value = (
|
||||
fake_instance.fake_instance_obj(self.req.environ['nova.context']))
|
||||
rules = {'os_compute_api:os-shelve:unshelve': 'role:admin'}
|
||||
policy.set_rules(oslo_policy.Rules.from_dict(rules))
|
||||
|
||||
self.assertRaises(exception.Forbidden, self.controller._unshelve,
|
||||
self.req, uuidsentinel.fake, body={'unshelve': {}})
|
||||
|
||||
def test_unshelve_policy_failed(self):
|
||||
@mock.patch('nova.api.openstack.common.get_instance')
|
||||
def test_unshelve_policy_failed(self, get_instance_mock):
|
||||
get_instance_mock.return_value = (
|
||||
fake_instance.fake_instance_obj(self.req.environ['nova.context']))
|
||||
rule_name = "os_compute_api:os-shelve:unshelve"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
exc = self.assertRaises(
|
||||
|
|
Loading…
Reference in New Issue