Remove db layer hard-code permission checks for service_get_all
This patch removes the hard-coded permission check for the db call service_get_all. There are elevated contexts in the code used to call those methods which aren't removed in this patch. The elevated context will be cleaned up in the last step. This is safe if we forget to remove some hard-coded permission check. Partially implements bp v3-api-policy Change-Id: I4f642d67f2837655189afb2640a062b8e591943d
This commit is contained in:
parent
0bf5e4f27f
commit
e5d0531d8e
|
@ -17,6 +17,7 @@ from oslo_config import cfg
|
|||
from nova.api.openstack import extensions
|
||||
from nova.api.openstack import wsgi
|
||||
from nova import availability_zones
|
||||
from nova import context as nova_context
|
||||
from nova import objects
|
||||
from nova import servicegroup
|
||||
|
||||
|
@ -111,7 +112,9 @@ class AvailabilityZoneController(wsgi.Controller):
|
|||
"""Returns a detailed list of availability zone."""
|
||||
context = req.environ['nova.context']
|
||||
authorize_detail(context)
|
||||
|
||||
# NOTE(alex_xu): back-compatible with db layer hard-code admin
|
||||
# permission checks.
|
||||
nova_context.require_admin_context(context)
|
||||
return self._describe_availability_zones_verbose(context)
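Review bot: The added `nova_context.require_admin_context(context)` sits right after `authorize_detail(context)`, so the same call is now gated twice, once by policy and once by a hard-coded admin check that the description says will be removed in a later step; the comment above it should mark it as temporary so that cleanup can find every instance. Suggest extending the NOTE to `# NOTE(alex_xu): back-compatible with db layer hard-code admin` / `# permission checks. TODO: drop once the policy rule alone gates this API.` The identical NOTE/check pair is added in the hosts `index` hunk (`# NOTE(alex_xu): back-compatible with db layer hard-code admin` before `filters = {'disabled': False}`) and in the services `_get_services` hunk, and the same wording change applies there. These hunks appear to be the legacy v2 contrib controllers, which cannot be confirmed without the file headers; `detail` starts before this hunk.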
|
||||
|
||||
|
||||
|
|
|
@ -20,6 +20,7 @@ import webob.exc
|
|||
|
||||
from nova.api.openstack import extensions
|
||||
from nova import compute
|
||||
from nova import context as nova_context
|
||||
from nova import exception
|
||||
from nova.i18n import _
|
||||
from nova.i18n import _LI
|
||||
|
@ -75,6 +76,11 @@ class HostController(object):
|
|||
"""
|
||||
context = req.environ['nova.context']
|
||||
authorize(context)
|
||||
|
||||
# NOTE(alex_xu): back-compatible with db layer hard-code admin
|
||||
# permission checks
|
||||
nova_context.require_admin_context(context)
|
||||
|
||||
filters = {'disabled': False}
|
||||
zone = req.GET.get('zone', None)
|
||||
if zone:
|
||||
|
|
|
@ -36,6 +36,11 @@ class ServiceController(object):
|
|||
def _get_services(self, req):
|
||||
context = req.environ['nova.context']
|
||||
authorize(context)
|
||||
|
||||
# NOTE(alex_xu): back-compatible with db layer hard-code admin
|
||||
# permission checks
|
||||
nova_context.require_admin_context(context)
|
||||
|
||||
services = self.host_api.service_get_all(
|
||||
context, set_zones=True)
|
||||
|
||||
|
|
|
@ -377,7 +377,6 @@ def service_get(context, service_id, use_slave=False):
|
|||
use_slave=use_slave)
|
||||
|
||||
|
||||
@require_admin_context
|
||||
def service_get_all(context, disabled=None):
|
||||
query = model_query(context, models.Service)
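Review bot: With `@require_admin_context` removed from `service_get_all`, the function no longer rejects non-admin contexts itself, so every caller that relied on the DB layer for that check now depends on the caller enforcing it, and nothing in the signature says so. Suggest a docstring directly under `def service_get_all(context, disabled=None):` such as `"""Return all services; performs no authorization, the caller is responsible for any admin check."""`. The description says the remaining callers run under elevated contexts, which cannot be verified from this hunk; the body of `service_get_all` continues past the hunk.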
|
||||
|
||||
|
|
|
@ -16,7 +16,6 @@ import datetime
|
|||
|
||||
from oslo_config import cfg
|
||||
from oslo_serialization import jsonutils
|
||||
import webob
|
||||
|
||||
from nova.api.openstack.compute.contrib import availability_zone as az_v2
|
||||
from nova.api.openstack.compute import plugins
|
||||
|
@ -107,8 +106,7 @@ class AvailabilityZoneApiTestV21(test.NoDBTestCase):
|
|||
fake_set_availability_zones)
|
||||
self.stubs.Set(servicegroup.API, 'service_is_up', fake_service_is_up)
|
||||
self.controller = self.availability_zone.AvailabilityZoneController()
|
||||
self.admin_webreq = webob.Request.blank('')
|
||||
self.admin_webreq.environ['nova.context'] = context.get_admin_context()
|
||||
self.req = fakes.HTTPRequest.blank('')
|
||||
|
||||
def test_filtered_availability_zones(self):
|
||||
zones = ['zone1', 'internal']
|
||||
|
@ -126,7 +124,7 @@ class AvailabilityZoneApiTestV21(test.NoDBTestCase):
|
|||
self.assertEqual(result, expected)
|
||||
|
||||
def test_availability_zone_index(self):
|
||||
resp_dict = self.controller.index(self.admin_webreq)
|
||||
resp_dict = self.controller.index(self.req)
|
||||
|
||||
self.assertIn('availabilityZoneInfo', resp_dict)
|
||||
zones = resp_dict['availabilityZoneInfo']
|
||||
|
@ -169,7 +167,7 @@ class AvailabilityZoneApiTestV21(test.NoDBTestCase):
|
|||
self.assertEqual(zone['zoneName'], name)
|
||||
self.assertEqual(zone['zoneState'], status)
|
||||
|
||||
resp_dict = self.controller.detail(self.admin_webreq)
|
||||
resp_dict = self.controller.detail(self.req)
|
||||
|
||||
self.assertIn('availabilityZoneInfo', resp_dict)
|
||||
zones = resp_dict['availabilityZoneInfo']
|
||||
|
@ -230,7 +228,7 @@ class AvailabilityZoneApiTestV21(test.NoDBTestCase):
|
|||
self.stubs.Set(availability_zones, 'get_availability_zones',
|
||||
fake_get_availability_zones)
|
||||
|
||||
resp_dict = self.controller.detail(self.admin_webreq)
|
||||
resp_dict = self.controller.detail(self.req)
|
||||
|
||||
self.assertThat(resp_dict,
|
||||
matchers.DictMatches(expected_response))
|
||||
|
@ -239,6 +237,15 @@ class AvailabilityZoneApiTestV21(test.NoDBTestCase):
|
|||
class AvailabilityZoneApiTestV2(AvailabilityZoneApiTestV21):
|
||||
availability_zone = az_v2
|
||||
|
||||
def setUp(self):
|
||||
super(AvailabilityZoneApiTestV2, self).setUp()
|
||||
self.req = fakes.HTTPRequest.blank('', use_admin_context=True)
|
||||
self.non_admin_req = fakes.HTTPRequest.blank('')
|
||||
|
||||
def test_availability_zone_detail_with_non_admin(self):
|
||||
self.assertRaises(exception.AdminRequired,
|
||||
self.controller.detail, self.non_admin_req)
|
||||
|
||||
|
||||
class ServersControllerCreateTestV21(test.TestCase):
|
||||
base_url = '/v2/fake/'
|
||||
|
|
|
@ -412,3 +412,25 @@ class HostTestCaseV20(HostTestCaseV21):
|
|||
|
||||
def test_list_hosts_with_invalid_service(self):
|
||||
pass
|
||||
|
||||
def test_list_hosts_with_non_admin(self):
|
||||
self.assertRaises(exception.AdminRequired,
|
||||
self.controller.index, fakes.HTTPRequest.blank(''))
|
||||
|
||||
|
||||
class HostsPolicyEnforcementV21(test.NoDBTestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(HostsPolicyEnforcementV21, self).setUp()
|
||||
self.controller = os_hosts_v21.HostController()
|
||||
self.req = fakes.HTTPRequest.blank('')
|
||||
|
||||
def test_index_policy_failed(self):
|
||||
rule_name = "compute_extension:v3:os-hosts"
|
||||
self.policy.set_rules({rule_name: "project_id:non_fake"})
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller.index, self.req)
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
|
|
|
@ -582,6 +582,10 @@ class ServicesTestV20(ServicesTestV21):
|
|||
self.assertRaises(exception.AdminRequired, self.controller.delete,
|
||||
self.non_admin_req, fakes.FAKE_UUID)
|
||||
|
||||
def test_index_with_non_admin(self):
|
||||
self.assertRaises(exception.AdminRequired, self.controller.index,
|
||||
self.non_admin_req)
|
||||
|
||||
|
||||
class ServicesCellsTestV21(test.TestCase):
|
||||
|
||||
|
@ -693,3 +697,13 @@ class ServicesPolicyEnforcementV21(test.NoDBTestCase):
|
|||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
|
||||
def test_index_policy_failed(self):
|
||||
rule_name = "compute_extension:v3:os-services"
|
||||
self.policy.set_rules({rule_name: "project_id:non_fake"})
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller.index, self.req)
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
|
|
|
@ -229,7 +229,7 @@ policy_data = """
|
|||
"compute_extension:v3:os-fping:all_tenants": "is_admin:True",
|
||||
"compute_extension:hide_server_addresses": "",
|
||||
"compute_extension:v3:os-hide-server-addresses": "",
|
||||
"compute_extension:hosts": "rule:admin_api",
|
||||
"compute_extension:hosts": "",
|
||||
"compute_extension:v3:os-hosts": "rule:admin_api",
|
||||
"compute_extension:hypervisors": "rule:admin_api",
|
||||
"compute_extension:v3:os-hypervisors": "rule:admin_api",
|
||||
|
@ -329,8 +329,8 @@ policy_data = """
|
|||
"compute_extension:zones": "",
|
||||
"compute_extension:availability_zone:list": "",
|
||||
"compute_extension:v3:os-availability-zone:list": "",
|
||||
"compute_extension:availability_zone:detail": "is_admin:True",
|
||||
"compute_extension:v3:os-availability-zone:detail": "is_admin:True",
|
||||
"compute_extension:availability_zone:detail": "",
|
||||
"compute_extension:v3:os-availability-zone:detail": "",
|
||||
"compute_extension:used_limits_for_admin": "is_admin:True",
|
||||
"compute_extension:v3:os-used-limits": "is_admin:True",
|
||||
"compute_extension:migrations:index": "is_admin:True",
|
||||
|
|