Remove db layer hard-code permission checks for service_get_all

This patches remove the hard-code permission checks for db call service_get_all. There are elevated contexts in the code used to call those methods which aren't removed in this patch. The elevated context will be cleaned up in last step. This is safe if we forget removing some hard-code permission. Partially implements bp v3-api-policy Change-Id: I4f642d67f2837655189afb2640a062b8e591943d
2015-02-28 13:41:55 +08:00 · 2015-02-28 13:41:55 +08:00 · e5d0531d8e
parent 0bf5e4f27f
commit e5d0531d8e
8 changed files with 67 additions and 11 deletions
--- a/nova/api/openstack/compute/contrib/availability_zone.py
+++ b/nova/api/openstack/compute/contrib/availability_zone.py
@ -17,6 +17,7 @@ from oslo_config import cfg
 from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
 from nova import availability_zones
+from nova import context as nova_context
 from nova import objects
 from nova import servicegroup

@ -111,7 +112,9 @@ class AvailabilityZoneController(wsgi.Controller):
        """Returns a detailed list of availability zone."""
        context = req.environ['nova.context']
        authorize_detail(context)
-
+        # NOTE(alex_xu): back-compatible with db layer hard-code admin
+        # permission checks.
+        nova_context.require_admin_context(context)
        return self._describe_availability_zones_verbose(context)


--- a/nova/api/openstack/compute/contrib/hosts.py
+++ b/nova/api/openstack/compute/contrib/hosts.py
@ -20,6 +20,7 @@ import webob.exc

 from nova.api.openstack import extensions
 from nova import compute
+from nova import context as nova_context
 from nova import exception
 from nova.i18n import _
 from nova.i18n import _LI
@ -75,6 +76,11 @@ class HostController(object):
        """
        context = req.environ['nova.context']
        authorize(context)
+
+        # NOTE(alex_xu): back-compatible with db layer hard-code admin
+        # permission checks
+        nova_context.require_admin_context(context)
+
        filters = {'disabled': False}
        zone = req.GET.get('zone', None)
        if zone:
--- a/nova/api/openstack/compute/contrib/services.py
+++ b/nova/api/openstack/compute/contrib/services.py
@ -36,6 +36,11 @@ class ServiceController(object):
    def _get_services(self, req):
        context = req.environ['nova.context']
        authorize(context)
+
+        # NOTE(alex_xu): back-compatible with db layer hard-code admin
+        # permission checks
+        nova_context.require_admin_context(context)
+
        services = self.host_api.service_get_all(
            context, set_zones=True)

--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@ -377,7 +377,6 @@ def service_get(context, service_id, use_slave=False):
                        use_slave=use_slave)


-@require_admin_context
 def service_get_all(context, disabled=None):
    query = model_query(context, models.Service)

--- a/nova/tests/unit/api/openstack/compute/contrib/test_availability_zone.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_availability_zone.py
@ -16,7 +16,6 @@ import datetime

 from oslo_config import cfg
 from oslo_serialization import jsonutils
-import webob

 from nova.api.openstack.compute.contrib import availability_zone as az_v2
 from nova.api.openstack.compute import plugins
@ -107,8 +106,7 @@ class AvailabilityZoneApiTestV21(test.NoDBTestCase):
                       fake_set_availability_zones)
        self.stubs.Set(servicegroup.API, 'service_is_up', fake_service_is_up)
        self.controller = self.availability_zone.AvailabilityZoneController()
-        self.admin_webreq = webob.Request.blank('')
-        self.admin_webreq.environ['nova.context'] = context.get_admin_context()
+        self.req = fakes.HTTPRequest.blank('')

    def test_filtered_availability_zones(self):
        zones = ['zone1', 'internal']
@ -126,7 +124,7 @@ class AvailabilityZoneApiTestV21(test.NoDBTestCase):
        self.assertEqual(result, expected)

    def test_availability_zone_index(self):
-        resp_dict = self.controller.index(self.admin_webreq)
+        resp_dict = self.controller.index(self.req)

        self.assertIn('availabilityZoneInfo', resp_dict)
        zones = resp_dict['availabilityZoneInfo']
@ -169,7 +167,7 @@ class AvailabilityZoneApiTestV21(test.NoDBTestCase):
            self.assertEqual(zone['zoneName'], name)
            self.assertEqual(zone['zoneState'], status)

-        resp_dict = self.controller.detail(self.admin_webreq)
+        resp_dict = self.controller.detail(self.req)

        self.assertIn('availabilityZoneInfo', resp_dict)
        zones = resp_dict['availabilityZoneInfo']
@ -230,7 +228,7 @@ class AvailabilityZoneApiTestV21(test.NoDBTestCase):
        self.stubs.Set(availability_zones, 'get_availability_zones',
                       fake_get_availability_zones)

-        resp_dict = self.controller.detail(self.admin_webreq)
+        resp_dict = self.controller.detail(self.req)

        self.assertThat(resp_dict,
                        matchers.DictMatches(expected_response))
@ -239,6 +237,15 @@ class AvailabilityZoneApiTestV21(test.NoDBTestCase):
 class AvailabilityZoneApiTestV2(AvailabilityZoneApiTestV21):
    availability_zone = az_v2

+    def setUp(self):
+        super(AvailabilityZoneApiTestV2, self).setUp()
+        self.req = fakes.HTTPRequest.blank('', use_admin_context=True)
+        self.non_admin_req = fakes.HTTPRequest.blank('')
+
+    def test_availability_zone_detail_with_non_admin(self):
+        self.assertRaises(exception.AdminRequired,
+                          self.controller.detail, self.non_admin_req)
+

 class ServersControllerCreateTestV21(test.TestCase):
    base_url = '/v2/fake/'
--- a/nova/tests/unit/api/openstack/compute/contrib/test_hosts.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_hosts.py
@ -412,3 +412,25 @@ class HostTestCaseV20(HostTestCaseV21):

    def test_list_hosts_with_invalid_service(self):
        pass
+
+    def test_list_hosts_with_non_admin(self):
+        self.assertRaises(exception.AdminRequired,
+                          self.controller.index, fakes.HTTPRequest.blank(''))
+
+
+class HostsPolicyEnforcementV21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(HostsPolicyEnforcementV21, self).setUp()
+        self.controller = os_hosts_v21.HostController()
+        self.req = fakes.HTTPRequest.blank('')
+
+    def test_index_policy_failed(self):
+        rule_name = "compute_extension:v3:os-hosts"
+        self.policy.set_rules({rule_name: "project_id:non_fake"})
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.index, self.req)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())
--- a/nova/tests/unit/api/openstack/compute/contrib/test_services.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_services.py
@ -582,6 +582,10 @@ class ServicesTestV20(ServicesTestV21):
        self.assertRaises(exception.AdminRequired, self.controller.delete,
                          self.non_admin_req, fakes.FAKE_UUID)

+    def test_index_with_non_admin(self):
+        self.assertRaises(exception.AdminRequired, self.controller.index,
+                          self.non_admin_req)
+

 class ServicesCellsTestV21(test.TestCase):

@ -693,3 +697,13 @@ class ServicesPolicyEnforcementV21(test.NoDBTestCase):
        self.assertEqual(
            "Policy doesn't allow %s to be performed." % rule_name,
            exc.format_message())
+
+    def test_index_policy_failed(self):
+        rule_name = "compute_extension:v3:os-services"
+        self.policy.set_rules({rule_name: "project_id:non_fake"})
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.index, self.req)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())
--- a/nova/tests/unit/fake_policy.py
+++ b/nova/tests/unit/fake_policy.py
@ -229,7 +229,7 @@ policy_data = """
    "compute_extension:v3:os-fping:all_tenants": "is_admin:True",
    "compute_extension:hide_server_addresses": "",
    "compute_extension:v3:os-hide-server-addresses": "",
-    "compute_extension:hosts": "rule:admin_api",
+    "compute_extension:hosts": "",
    "compute_extension:v3:os-hosts": "rule:admin_api",
    "compute_extension:hypervisors": "rule:admin_api",
    "compute_extension:v3:os-hypervisors": "rule:admin_api",
@ -329,8 +329,8 @@ policy_data = """
    "compute_extension:zones": "",
    "compute_extension:availability_zone:list": "",
    "compute_extension:v3:os-availability-zone:list": "",
-    "compute_extension:availability_zone:detail": "is_admin:True",
-    "compute_extension:v3:os-availability-zone:detail": "is_admin:True",
+    "compute_extension:availability_zone:detail": "",
+    "compute_extension:v3:os-availability-zone:detail": "",
    "compute_extension:used_limits_for_admin": "is_admin:True",
    "compute_extension:v3:os-used-limits": "is_admin:True",
    "compute_extension:migrations:index": "is_admin:True",