58701be615
The os-ips API policy defaults to admin_or_owner[1], but the API
is allowed for everyone.
We can see that a test using another project's context can access the API
- https://review.opendev.org/#/c/715477
This is because the API does not pass the server's project_id in the policy target[2],
and if no target is passed then policy.py adds the default target, which is
nothing but context.project_id (allowing everyone who tries to access)[3].
This commit fixes this policy by passing the server's project_id in the policy
target.
Closes-bug: #1869396
[1] eaf08c0b7b/nova/policies/ips.py (L27)
Change-Id: Ie7bcb6537f90813cc5b23d69c886037d25b15a42
# Copyright 2011 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from webob import exc
from nova.api.openstack import common
from nova.api.openstack.compute.views import addresses as views_addresses
from nova.api.openstack import wsgi
from nova.compute import api as compute
from nova.i18n import _
from nova.policies import ips as ips_policies
class IPsController(wsgi.Controller):
    """The servers addresses API controller for the OpenStack API."""

    # Note(gmann): here using V2 view builder instead of V3 to have V2.1
    # server ips response same as V2 which does not include "OS-EXT-IPS:type"
    # & "OS-EXT-IPS-MAC:mac_addr". If needed those can be added with
    # microversion by using V2.1 view builder.
    _view_builder_class = views_addresses.ViewBuilder

    def __init__(self):
        super(IPsController, self).__init__()
        # Compute API handle used to look the server up; the lookup happens
        # before any policy decision because the policy target is derived
        # from the server itself.
        self._compute_api = compute.API()

    def _networks_for(self, req, server_id, action):
        """Look up server *server_id* and return its networks.

        The policy rule ``POLICY_ROOT % action`` is enforced with the
        server's own project_id as the target, so an admin_or_owner rule
        is evaluated against the project that owns the server rather than
        against the caller's project.

        :param req: the wsgi request; the nova context is read from
                    ``req.environ["nova.context"]``
        :param server_id: the server whose addresses are requested
        :param action: policy action suffix, ``'index'`` or ``'show'``
        :returns: whatever ``common.get_networks_for_instance`` returns
                  for the server (a mapping keyed by network id, judging
                  by the ``show`` lookup below)
        """
        ctx = req.environ["nova.context"]
        # NOTE(review): get_instance presumably raises HTTPNotFound for an
        # unknown server, which is why callers declare expected_errors(404).
        inst = common.get_instance(self._compute_api, ctx, server_id)
        ctx.can(ips_policies.POLICY_ROOT % action,
                target={'project_id': inst.project_id})
        return common.get_networks_for_instance(ctx, inst)

    @wsgi.expected_errors(404)
    def index(self, req, server_id):
        """Return the addresses of *server_id* on every network.

        :raises: HTTPNotFound when the server cannot be found
        """
        nets = self._networks_for(req, server_id, 'index')
        # _view_builder is presumably set up by wsgi.Controller from
        # _view_builder_class; it is not assigned in this file.
        return self._view_builder.index(nets)

    @wsgi.expected_errors(404)
    def show(self, req, server_id, id):
        """Return the addresses of *server_id* on the single network *id*.

        :raises: HTTPNotFound when the server cannot be found or is not
                 attached to network *id*
        """
        nets = self._networks_for(req, server_id, 'show')
        if id in nets:
            return self._view_builder.show(nets[id], id)
        raise exc.HTTPNotFound(
            explanation=_("Instance is not a member of specified network"))