Pass the actual target in networks policy
Currently, if a target is not passed to context.can(), it uses the default target, which is context.user_id and context.project_id. This default target is not useful because it only passes the context's own user_id and project_id, which means we tell oslo policy to verify the context data against the context data. This commit passes the actual target for the networks policies, which is context.project_id itself, as nova cannot verify the owner of a network. Neutron will return an authorisation error if the requester is not the owner of the network. Partial implement blueprint policy-defaults-refresh-deprecated-apis Change-Id: I76bbb570996612c1366b6b6c52772f04a9953080
parent
558c6e752a
commit
fb3bf32fa2
|
@ -70,7 +70,8 @@ class NetworkController(wsgi.Controller):
|
|||
@wsgi.expected_errors(())
|
||||
def index(self, req):
|
||||
context = req.environ['nova.context']
|
||||
context.can(net_policies.POLICY_ROOT % 'list')
|
||||
context.can(net_policies.POLICY_ROOT % 'list',
|
||||
target={'project_id': context.project_id})
|
||||
networks = self.network_api.get_all(context)
|
||||
result = [network_dict(context, net_ref) for net_ref in networks]
|
||||
return {'networks': result}
|
||||
|
@ -79,7 +80,8 @@ class NetworkController(wsgi.Controller):
|
|||
@wsgi.expected_errors(404)
|
||||
def show(self, req, id):
|
||||
context = req.environ['nova.context']
|
||||
context.can(net_policies.POLICY_ROOT % 'show')
|
||||
context.can(net_policies.POLICY_ROOT % 'show',
|
||||
target={'project_id': context.project_id})
|
||||
|
||||
try:
|
||||
network = self.network_api.get(context, id)
|
||||
|
|
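Review bot: The `target={'project_id': context.project_id}` passed to `context.can()` in `show` (and identically in `index`) is built from the requester's own context, so a rule of the form `project_id:%(project_id)s` matches by construction and says nothing about who owns the network named by `id`. The commit description says ownership is left to Neutron, but nothing in the code records that, and a later reader could take this call for an ownership check. I would add a comment above both calls, e.g. `# NOTE: target is the caller's own project; nova cannot determine the network owner, so ownership is enforced by Neutron in network_api.get().` The body of `show` continues past the end of the hunk, so how the Neutron authorisation failure is mapped to an HTTP error (only 404 is declared in `expected_errors`) is not visible here and is worth confirming.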