Correct the check_str and pass actual target in FIP pools policy

FIP pools are not associated with any projects and API
controller also does not take any project_id in request
so anyone requesting that API can get the FIP pools list.
The current check_str 'admin_or_owner' is not correct for this
policy; it should be RULE_ANY.

Currently if target is not passed in context.can(),
it use defauls target which is context.user_id, context.project_id.
These defaults target are not useful as it pass the
context's user_id and project_id only which means we tell
oslo policy to verify the context data with context data.

This commit corrects the check_str and pass the actual target for
FIP pools policies which is empty dict.

Partial implement blueprint policy-defaults-refresh-deprecated-apis

Change-Id: I06dde5960fdae5ee4e3ce902482361909ac397d6
This commit is contained in:
Ghanshyam Mann 2020-07-17 22:00:59 -05:00
parent 8c0d1acf6e
commit f1d4d9762c
4 changed files with 10 additions and 3 deletions


@ -44,6 +44,6 @@ class FloatingIPPoolsController(wsgi.Controller):
def index(self, req):
"""Return a list of pools."""
context = req.environ['nova.context']
context.can(fip_policies.BASE_POLICY_NAME)
context.can(fip_policies.BASE_POLICY_NAME, target={})
pools = self.network_api.get_floating_ip_pools(context)
return _translate_floating_ip_pools_view(pools)
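Review bot: The `target={}` passed at line 34 is the correct target for a resource that no project owns, but nothing at the call site says why the default (user_id/project_id) target is being overridden, and a later maintainer could easily "simplify" it back to the bare `context.can(...)`. Add a short why-comment above the call: `# FIP pools are not owned by any project, so there is no target to enforce against; an empty dict stops oslo.policy from comparing the context with itself.` With the rule relaxed to RULE_ANY this call presumably only still matters for scope enforcement and for operator overrides in policy.yaml, which is worth stating in the same comment if that is the intent.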


@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-floating-ip-pools'
floating_ip_pools_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
check_str=base.RULE_ADMIN_OR_OWNER,
check_str=base.RULE_ANY,
description="List floating IP pools. This API is deprecated.",
operations=[
{
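Review bot: The relaxation from `RULE_ADMIN_OR_OWNER` to `RULE_ANY` at line 45 is explained only in the commit message, while the rule's `description` at line 46 is what operators see in generated policy samples and gives them no reason to trust an allow-all default. Suggest `description="List floating IP pools. Pools are not associated with any project, so the default allows any caller; override in policy.yaml to restrict. This API is deprecated."`. Per the commit message, the old check was evaluated against the context's own project_id and so was already effectively open, which makes this a correction of the documented default rather than a widening; a release note saying so would save operators from reading it as a security regression, if the change does not already carry one.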


@ -65,3 +65,10 @@ class FloatingIPPoolsScopeTypePolicyTest(FloatingIPPoolsPolicyTest):
def setUp(self):
super(FloatingIPPoolsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
class FloatingIPPoolsNoLegacyPolicyTest(FloatingIPPoolsScopeTypePolicyTest):
"""Test Floating IP Pools APIs policies with system scope enabled,
and no more deprecated rules.
"""
without_deprecated_rules = True


@ -425,7 +425,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-flavor-access",
"os_compute_api:os-flavor-extra-specs:index",
"os_compute_api:os-flavor-extra-specs:show",
"os_compute_api:os-floating-ip-pools",
"os_compute_api:os-floating-ips",
"os_compute_api:os-multinic",
"os_compute_api:os-networks:view",
@ -455,6 +454,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
"os_compute_api:os-quota-sets:defaults",
"os_compute_api:os-availability-zone:list",
"os_compute_api:limits",
"os_compute_api:os-floating-ip-pools",
)
self.system_reader_rules = (