Correct server shelve policy check_str

server shelve API policy is default to admin_or_owner[1] but API is allowed (which is expected) for everyone. This is because API does not pass the project_id in policy target so that oslo policy can decide the ownership[2]. If no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access) - c16315165c/nova/policy.py (L191) Passing the server project_id as target to make it admin_or_owner. [1] e4ac401d1a/nova/api/openstack/compute/shelve.py (L89) [2] e4ac401d1a/nova/policies/shelve.py (L37) Closes-bug: #1870881 Change-Id: I493062ed0ee632a9c647cf1f3cf497eebc39c4ca
2020-04-05 01:42:13 -05:00 · 2020-04-05 01:42:13 -05:00 · e4e97e23c1
parent 184fcdaaa4
commit e4e97e23c1
2 changed files with 10 additions and 3 deletions
--- a/nova/api/openstack/compute/shelve.py
+++ b/nova/api/openstack/compute/shelve.py
@ -86,8 +86,9 @@ class ShelveController(wsgi.Controller):
    def _unshelve(self, req, id, body):
        """Restore an instance from shelved mode."""
        context = req.environ["nova.context"]
-        context.can(shelve_policies.POLICY_ROOT % 'unshelve')
        instance = common.get_instance(self.compute_api, context, id)
+        context.can(shelve_policies.POLICY_ROOT % 'unshelve',
+                    target={'project_id': instance.project_id})

        new_az = None
        unshelve_dict = body['unshelve']
--- a/nova/tests/unit/api/openstack/compute/test_shelve.py
+++ b/nova/tests/unit/api/openstack/compute/test_shelve.py
@ -181,14 +181,20 @@ class ShelvePolicyEnforcementV21(test.NoDBTestCase):
            "Policy doesn't allow %s to be performed." % rule_name,
            exc.format_message())

-    def test_unshelve_restricted_by_role(self):
+    @mock.patch('nova.api.openstack.common.get_instance')
+    def test_unshelve_restricted_by_role(self, get_instance_mock):
+        get_instance_mock.return_value = (
+            fake_instance.fake_instance_obj(self.req.environ['nova.context']))
        rules = {'os_compute_api:os-shelve:unshelve': 'role:admin'}
        policy.set_rules(oslo_policy.Rules.from_dict(rules))

        self.assertRaises(exception.Forbidden, self.controller._unshelve,
                self.req, uuidsentinel.fake, body={'unshelve': {}})

-    def test_unshelve_policy_failed(self):
+    @mock.patch('nova.api.openstack.common.get_instance')
+    def test_unshelve_policy_failed(self, get_instance_mock):
+        get_instance_mock.return_value = (
+            fake_instance.fake_instance_obj(self.req.environ['nova.context']))
        rule_name = "os_compute_api:os-shelve:unshelve"
        self.policy.set_rules({rule_name: "project:non_fake"})
        exc = self.assertRaises(