Currently we allow tenant access for public flavor, however,
we can't query it after that because flavor is public.
This patch adds check for add access function to raise exception
if the flavor is public.
Also, a nit change is use methods introduced in
793bcc07b9 to get flavor.
APIImpact: Adds new 2.7 API microversion due to new error condition
in flavor access API
Implements blueprint check-flavor-type-before-add-tenant
Closes-Bug: #1361476
Change-Id: I461175e9969a0dd5b2b7ef75ea7d9f36f3a306d0
The existing controller didn't change V21's controller makes
the whole test focus on V21 instead of V2.
Change-Id: I31c0bd36cad328a23763e79c8658aaf4ef6a7c3d
For v2.1 quota_class API, all the hard-code permission was deleted.
The quota_class code is un-winded except the policy enforcement at
REST API entrance.
This patch adjusts the request context in the unittest, use non-admin
context for all the v2.1 unittest.
Partially implements bp nova-api-policy-final-part
Change-Id: I0a70c092d572d0989dd6fd7f873638a9570817b7
This patch removes db layer hard-code permission checks for
quota_class_create/update.
For v2 API, this patch adds back-compatible permission checks at REST
API layer.
For v2.1 API, this patch adds new rule for update method.
Partially implements bp nova-api-policy-final-part
SecurityImpact
UpgradeImpact: Due to the db layer permission checks deleted, the policy
rule "os_compute_api:os-quota-class-sets:update" was updated with
a default that match the permission as before. Admin should be notified
to update their policy configuration to keep permission as before.
Change-Id: Icddc7e5cc1c11ab3d272f61a2ef623d3f750030c
This patch removes the hard-code permission checks for db call
quota_class_get_all_by_name.
For v2 api, there are already the same hard-coded permission checks in the
REST API layer, so it is back-compatible.
For v2.1 api, to distinguish show and update permission, this patch adds
new rule for show method.
Partially implements bp nova-api-policy-final-part
SecurityImpact
UpgradeImpact: Because the db layer permission checks were deleted, they need
a default policy rule instead. In this patch,
"os_compute_api:os-quota-class-sets:show" was updated with a default
rule. Admins will be notified to update their policy configuration file to keep
the behavior as before.
Change-Id: I02da6cc8c766e5f43689449ef63121122f537b5b
A new API is added with microversion 2.6:
POST /servers/<uuid>/remote-consoles
{
    "remote_console": {
        "protocol": ["vnc"|"rdp"|"serial"|"spice"],
        "type": ["novnc"|"xpvnc"|"rdp-html5"|"spice-html5"|"serial"]
    }
}
which supports all protocols and types for remote consoles.
Implements: blueprint consolidate-console-api
APIImpact
Change-Id: I175a778cede8fbeee9c47a502ab7a98f6d73c074
This patch removes db layer hard-coded permission checks for
floating_ip_dns.
Partially implements bp nova-api-policy-final-part
SecurityImpact
UpgradeImpact:
Because the db layer permission checks are removed, we need to add default
policy rules to the policy file. In this patch,
"os_compute_api:os-floating-ip-dns:domain:update" and
"os_compute_api:os-floating-ip-dns:domain:delete" were updated with a default
rule. Admins will be notified to update their policy configuration file to keep
the behavior as before.
Change-Id: Ibddf3529a219cb9a0c1d4cfdb89327b53454c436
33e3d4c6b9 drops device names - at the
time of writing, the idea was that Nova should collect all the block
device information and decide on device names with the help of the
hypervisor.
It turns out that as well meaning as that change was - it also removed
the ability to do some of the things that the EC2 API needs device names
for (see the linked bug for a more detailed explanation). An example is
overriding some of the attributes of a block device entry in the image.
The only "indexable" property of a block device from EC2 POV is device
name so we need to put it back even though they may be overridden by the
virt layer upon a successful instance boot.
Change-Id: Ib1ba130042aabbbe7bb8d60fc212c66e446c1d73
Related-bug: #1370177
Related-bug: #1370250
test_create_security_group_with_no_name should be for existence check
of "name" parameter on "create a security group" API. But current test
just checks the existence of "security_group" parameter instead because
the test request body structure was wrong. This patch fixes it.
In addition, this patch adds the type check of "name" parameter to the
MockClient because Neutron receives None value as "name" parameter, it
returns BadRequest to Nova. I11da9ec32b64b5a109d65afe77aa32be71a807a3
fixes the error handling already, but the MockClient was not fixed.
So this patch fixes it also.
Change-Id: I4697b9a2b9ad2a13fbb4a08c0437545cd24c9c2a
In test_delete_security_group_by_admin, security_group_template is
used for getting a test request body. And current code specifies
id and rules. However, "create a security group" API just doesn't
use them at all.
So this patch removes them.
Change-Id: I4ae54e1082b8cd73d2a09d321d71ada1d896eee6
The change to fake_instance here has a couple of impacts in the
vmware driver, the test_server_password, and test_nova_manage
tests.
Change-Id: I48c4fbfcac66e9a50b29349cce6824e8985e7205
Currently the command "nova list --ip6 xxx" will return all servers for
non-admins, as the filter option is silently discarded. There is no
reason to treat ip6 different from ip, though, so we add a new
microversion that will allow this filter to be applied.
APIImpact: Filtering by ip6 will now be allowed for non-admin
DocImpact: Filtering by ip6 will now be allowed for non-admin
Implements blueprint allow-ip6-search-for-non-admin
Partial-Bug: 1450859
Change-Id: I26a0b576636bd7e6b4dd7d53ded05907397d2f26
Currently, running 'nova list --all-tenants' with a policy change:
"compute:get_all_tenants": "role:special_role or is_admin:True"
will not work as expected. The returned list of servers will not
contain all instances of all tenants. We should support administrators
who wish to enable this functionality in their policy.json.
We need to fix this problem both in the v2 API and in the v2.1 as well.
Deep in instance_get_all_by_filters_sort, there is a check which adds
a filter of project_id or user_id if the context is NOT an admin context.
So, the returned list will be a subset of all the instances in the
database. To fix this scenario, the easy way is to call get_all with
an elevated context to pass this check in instance_get_all_by_filters_sort.
So in fixing the bug above, we need to fix the default policy so that
all-tenants is available by default only to administrators.
UpgradeImpact
SecurityImpact
DocImpact: --all-tenants will list all servers for non-admin
APIImpact: --all-tenants will list all servers for non-admin
Closes-Bug: #1464381
Change-Id: I6fe512ff00a0fde1c75d49efe8bfa5f3d2d34df6
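The two halves of the fix described in the commit message above (a policy check on compute:get_all_tenants, then an elevated context so the DB layer's project scoping does not silently shrink the result) can be modelled in a few lines. This is an added illustration, not Nova's own code: the flat "role:<name> or is_admin:True" rule evaluator, the Context class and the in-memory instance list are constructed for the example; only the policy key name comes from the message.

```python
from dataclasses import dataclass, field

# Constructed sample data: three instances across two projects.
INSTANCES = [
    {"id": "i-1", "project_id": "p1"},
    {"id": "i-2", "project_id": "p2"},
    {"id": "i-3", "project_id": "p1"},
]

# Default policy (assumed for the example): listing across tenants is admin-only
# unless the operator widens the rule in policy.json.
DEFAULT_POLICY = {"compute:get_all_tenants": "is_admin:True"}


@dataclass
class Context:
    project_id: str
    is_admin: bool = False
    roles: list = field(default_factory=list)

    def elevated(self):
        """Copy of this context with admin rights, mirroring the trick of
        calling get_all with an elevated context."""
        return Context(self.project_id, True, list(self.roles) + ["admin"])


def check_rule(rule: str, ctx: Context) -> bool:
    """Evaluate a flat rule of 'role:<name>' / 'is_admin:<bool>' clauses joined by 'or'.
    This toy evaluator only supports that subset of oslo.policy syntax."""
    for clause in rule.split(" or "):
        kind, _, value = clause.strip().partition(":")
        if kind == "role" and value in ctx.roles:
            return True
        if kind == "is_admin" and ctx.is_admin == (value == "True"):
            return True
    return False


def can_list_all_tenants(ctx: Context, policy=DEFAULT_POLICY) -> bool:
    """The policy check that must gate --all-tenants at the API layer."""
    return check_rule(policy["compute:get_all_tenants"], ctx)


def instance_get_all_by_filters(ctx: Context, instances):
    """Models the DB-layer behaviour: a non-admin context is silently scoped to
    its own project, which is what produced the incomplete list in the bug."""
    if ctx.is_admin:
        return list(instances)
    return [i for i in instances if i["project_id"] == ctx.project_id]


def list_servers(ctx: Context, all_tenants: bool, policy=DEFAULT_POLICY,
                 instances=INSTANCES):
    """API-layer 'nova list': enforce policy first, then elevate so the DB
    layer's scoping does not undo a permitted cross-tenant listing."""
    if all_tenants:
        if not can_list_all_tenants(ctx, policy):
            raise PermissionError("policy does not allow compute:get_all_tenants")
        ctx = ctx.elevated()
    return instance_get_all_by_filters(ctx, instances)


if __name__ == "__main__":
    member = Context("p1", roles=["member"])
    special = Context("p1", roles=["special_role"])
    widened = {"compute:get_all_tenants": "role:special_role or is_admin:True"}
    print([i["id"] for i in list_servers(member, False)])            # own project only
    print([i["id"] for i in list_servers(special, True, widened)])   # all three
```

The ordering matters: evaluating the policy before elevating keeps the elevated context unreachable for callers the rule rejects, while elevating after the check is what makes the widened rule actually return every tenant's servers.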
We add a check in security_group_default_rules:
a user does not need to be authorized to security_groups
in order to access security_group_default_rules.
Then this patch removes the security_groups policy
check from security_group_default_rules.
This is related to bp nova-api-policy-final-part
DocImpact
UpgradeImpact
Change-Id: I221d1056b0101fc5c909222d9cac6739fd106e3f
If you pass limit value above mysql INT type to
quota-class-update api, then it raises 500 internal
server error.
Passed max_value=db.MAX_INT to validate_integer()
method to get appropriate error.
Closes-Bug: #1463387
Change-Id: I1075a20ea0142db6c35f1124ba40b23ffef4c2f8
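A range-checked integer validator of the kind the commit message describes, as an added example rather than Nova's own validate_integer: a limit above the database column's maximum is rejected with a client error at the API layer instead of surfacing as a 500 from the DB. MAX_INT below is the MySQL signed INT maximum standing in for db.MAX_INT, and the lower bound of -1 (meaning unlimited) is an assumption about how quota limits are expressed.

```python
# Assumed stand-in for db.MAX_INT: the MySQL signed INT maximum.
MAX_INT = 2 ** 31 - 1


class InvalidInput(ValueError):
    """Raised for bad client input; the API layer maps it to an HTTP 400
    rather than letting the DB driver fail with a 500."""


def validate_integer(value, name, min_value=None, max_value=None):
    """Parse value as an integer and enforce optional bounds."""
    try:
        value = int(str(value))
    except (ValueError, TypeError):
        raise InvalidInput(f"{name} must be an integer")
    if min_value is not None and value < min_value:
        raise InvalidInput(f"{name} must be >= {min_value}")
    if max_value is not None and value > max_value:
        raise InvalidInput(f"{name} must be <= {max_value}")
    return value


def validate_quota_limit(name, limit):
    """Quota limits: -1 means unlimited (assumed), nothing above MAX_INT."""
    return validate_integer(limit, name, min_value=-1, max_value=MAX_INT)


def validate_quota_class_update(body):
    """Validate every limit in a quota-class-update body.
    Returns (cleaned, errors): accepted limits and per-field error messages."""
    cleaned, errors = {}, {}
    for name, limit in body.items():
        try:
            cleaned[name] = validate_quota_limit(name, limit)
        except InvalidInput as exc:
            errors[name] = str(exc)
    return cleaned, errors


if __name__ == "__main__":
    # Constructed request body: one good value, one overflow, one below -1, one non-integer.
    body = {"instances": "10", "cores": 2 ** 31, "ram": -2, "key_pairs": "ten"}
    print(validate_quota_class_update(body))
```

Validating the whole body before touching the database also means a request with one bad field is rejected as a unit, so no partial quota update is written.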
Since versionutils has graduated, switch to the
is_compatible in oslo_utils.versionutils.py
Depends-On: I1c8fbe857fa7d30d7c74cd7b0e187cc9a2305882
Change-Id: Id0e483c662231f678bddff7ddf77cdb0b0e1a5db
Currently, a primitivized object is sent to sync to the API cell
in Instance.save because instance_update_at_top has not yet been
converted to handle objects. This change does the conversion and
makes Instance.save send an object for the sync.
This change should also address a race where deleting an instance
can result in an "undeleted" instance if an update from a child
occurs after the instance has been destroyed at the top, because
in instance_update_at_top() it uses read_deleted='yes' and
db.instance_update() will update all fields provided, unlike
objects which only update fields that have changed.
Closes-Bug: #1460350
Change-Id: I4e8c1a82a3c9c86038faa7f528b9dfb835f82ee6
This patch removes the hard-code permission checks for db call
quota_get_all_*
For v2 API, there are the same project-owner hard-coded permission checks
at the REST API layer, so nothing needs to be done for it.
For v2.1, adds the 'target' for policy enforcement that is used to
enforce owner checks. The default method used the same rule as the show
method before. After removing the hard-coded permission checks for the show
method, this patch adds a new rule to distinguish the different permissions
of defaults and show.
Partially implements bp nova-api-policy-final-part
UpgradeImpact: Because the db layer permission checks were deleted, a
default rule is added to "os_compute_api:os-quota-sets:show" to
match the same permission as before. The show and default actions
shared the same rule before. But after the cleanup, those two methods have
different permissions. So a new rule is added for the default action,
"os_compute_api:os-quota-sets:defaults".
Change-Id: I63f180770a9199046452be7ad6e031a142d3c79d
Switch _prefix from "/v3" to "/v2/fake", can be shared by
v21 and v2
Partially implements blueprint v2-on-v3-api
Change-Id: Iee40bf103d7586e89d5d3573b72086c67eb5324c
Change I9a22e53ca872235e723798d8ce3cb146d88568ab altered the
processing order of the events which broke logic to populate
the event status as 'completed' by default. This broke the
network changed events from Neutron.
This change modifies the logic to preserve the default 'completed'
behavior and adjusts a unit test to prevent a regression.
Closes-Bug: #1462851
Change-Id: I3f4d10740138f65d704d6f8fa4db06d3d0ed64cf