Merge "Require admin privilege to retrieve some fields"
commit
3f57a6fde2
@ -16,6 +16,7 @@ import itertools
|
||||
|
||||
from zun.api.controllers import link
|
||||
from zun.api.controllers.v1.views import containers_view
|
||||
from zun.common.policies import capsule as policies
|
||||
|
||||
|
||||
_basic_keys = (
|
||||
@ -41,6 +42,10 @@ def format_capsule(url, capsule, context, legacy_api_version=False):
|
||||
def transform(key, value):
|
||||
if key not in _basic_keys:
|
||||
return
|
||||
# strip the key if it is not allowed by policy
|
||||
policy_action = policies.CAPSULE % ('get:%s' % key)
|
||||
if not context.can(policy_action, fatal=False, might_not_exist=True):
|
||||
return
|
||||
if key == 'uuid':
|
||||
yield ('uuid', value)
|
||||
yield ('links', [link.make_link(
|
||||
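Review bot: The field filter in `transform` passes `might_not_exist=True` to `context.can`, which presumably makes the check succeed for any key that has no registered rule, so the filter is default-allow and only works when a rule name matches the string built by `policies.CAPSULE % ('get:%s' % key)` exactly. The rules registered in this commit use two prefixes (`get:host` for capsules, `get_one:<field>` for containers), so a typo or prefix mix-up in either policy file would return the field to every caller instead of failing. A comment above the check such as `# NOTE: a key with no registered 'get:<key>' rule is returned to all callers; register a rule before adding a sensitive key to _basic_keys` would make that explicit. `transform` and `format_capsule` continue outside the hunk.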
|
@ -76,6 +76,28 @@ rules = [
|
||||
# FIXME(lbragstad): This API call isn't actually listed in zun's API
|
||||
# reference:
|
||||
# https://developer.openstack.org/api-ref/application-container/
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CAPSULE % 'get:host',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description='Retrieve the host field of a capsule.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/capsules/{capsule_ident}',
|
||||
'method': 'GET'
|
||||
},
|
||||
{
|
||||
'path': '/v1/capsules',
|
||||
'method': 'GET'
|
||||
},
|
||||
{
|
||||
'path': '/v1/capsules',
|
||||
'method': 'POST'
|
||||
},
|
||||
]
|
||||
),
|
||||
# FIXME(lbragstad): This API call isn't actually listed in zun's API
|
||||
# reference:
|
||||
# https://developer.openstack.org/api-ref/application-container/
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CAPSULE % 'get_one_all_projects',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
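Review bot: The description `'Retrieve the host field of a capsule.'` does not tell an operator that a failed check leaves the request successful and silently drops the field, which is what the view does with `fatal=False`. Generated policy documentation would read more accurately with something like `description='Retrieve the host field of a capsule. The field is omitted from the response when this rule does not pass.'`. The same applies to the `get_one:image_pull_policy`, `get_one:privileged` and `get_one:runtime` descriptions in the container policy file. The `rules` list starts and ends outside the hunk.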
|
@ -131,6 +131,75 @@ rules = [
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CONTAINER % 'get_one:image_pull_policy',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description='Retrieve the image_pull_policy field of containers.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/containers/{container_ident}',
|
||||
'method': 'GET'
|
||||
},
|
||||
{
|
||||
'path': '/v1/containers',
|
||||
'method': 'GET'
|
||||
},
|
||||
{
|
||||
'path': '/v1/containers',
|
||||
'method': 'POST'
|
||||
},
|
||||
{
|
||||
'path': '/v1/containers/{container_ident}',
|
||||
'method': 'PATCH'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CONTAINER % 'get_one:privileged',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description='Retrieve the privileged field of containers.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/containers/{container_ident}',
|
||||
'method': 'GET'
|
||||
},
|
||||
{
|
||||
'path': '/v1/containers',
|
||||
'method': 'GET'
|
||||
},
|
||||
{
|
||||
'path': '/v1/containers',
|
||||
'method': 'POST'
|
||||
},
|
||||
{
|
||||
'path': '/v1/containers/{container_ident}',
|
||||
'method': 'PATCH'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CONTAINER % 'get_one:runtime',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description='Retrieve the runtime field of containers.',
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/containers/{container_ident}',
|
||||
'method': 'GET'
|
||||
},
|
||||
{
|
||||
'path': '/v1/containers',
|
||||
'method': 'GET'
|
||||
},
|
||||
{
|
||||
'path': '/v1/containers',
|
||||
'method': 'POST'
|
||||
},
|
||||
{
|
||||
'path': '/v1/containers/{container_ident}',
|
||||
'method': 'PATCH'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CONTAINER % 'get_one_all_projects',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
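Review bot: The three new rules repeat the same four-entry `operations` list verbatim and differ only in the field name and description, so a later change to one copy can drift from the others. Consider defining the list once at module level and passing it to each rule, e.g. `operations=_CONTAINER_FIELD_OPERATIONS` (name is a suggestion), or building the three rules in a loop over the field names. The `rules` list starts and ends outside the hunk.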
|
@ -317,7 +317,6 @@ class TestContainerController(api_base.FunctionalTest):
|
||||
self.assertEqual('512', c.get('memory'))
|
||||
self.assertEqual({"key1": "val1", "key2": "val2"},
|
||||
c.get('environment'))
|
||||
self.assertEqual('runc', c.get('runtime'))
|
||||
self.assertEqual('testhost', c.get('hostname'))
|
||||
self.assertEqual(20, c.get('disk'))
|
||||
self.assertEqual({"Name": "no", "MaximumRetryCount": "0"},
|
||||
@ -868,7 +867,7 @@ class TestContainerController(api_base.FunctionalTest):
|
||||
actual_containers[0].get('uuid'))
|
||||
|
||||
@patch('zun.objects.Container.list')
|
||||
def test_get_all_has_status_reason_and_image_pull_policy(
|
||||
def test_get_all_has_status_reason(
|
||||
self, mock_container_list):
|
||||
test_container = utils.get_test_container()
|
||||
containers = [objects.Container(self.context, **test_container)]
|
||||
@ -881,7 +880,6 @@ class TestContainerController(api_base.FunctionalTest):
|
||||
self.assertEqual(test_container['uuid'],
|
||||
actual_containers[0].get('uuid'))
|
||||
self.assertIn('status_reason', actual_containers[0].keys())
|
||||
self.assertIn('image_pull_policy', actual_containers[0].keys())
|
||||
|
||||
@patch('zun.objects.Container.list')
|
||||
def test_get_all_containers_with_pagination_marker(self,
|
||||
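Review bot: Judging by the hunk headers, these test hunks only drop a line or rename a test, so the suite stops asserting `runtime` and `image_pull_policy` but gains no check that the fields are withheld from a non-admin caller or still returned to an admin. Without that, a rule-name mismatch that leaves the fields visible would pass unnoticed. I would add negative assertions where the old ones were removed, e.g. `self.assertNotIn('image_pull_policy', actual_containers[0])` and `self.assertNotIn('runtime', c)`, plus one admin-context test that expects the fields; this assumes `self.context` in these tests is non-admin, which the page does not show. The test methods continue outside the hunks.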
|