author | Andrew Laski <andrew.laski@rackspace.com> | 2014-03-20 19:04:09 -0400 |
committer | Andrew Laski <andrew.laski@rackspace.com> | 2014-04-09 12:53:25 -0400 |
commit | 87f57c0a2cc00a70edc87c5dc10bdefb6c01587b (patch) | |
tree | ecedce1ba17388a73754f4159a690738d76e799f | |
parent | 237b517e75e0a0e3e153923255aea3c555af289a (diff) | |
download | nova-2014.1.rc2.tar.gz |
Add RBAC policy for ec2 API security groups calls2014.1.rc22014.1
The authorize_security_group_ingress, revoke_security_group_ingress, and
delete_security_group calls in the ec2 API were not restricted by policy
checks. This prevented a deployer from restricting their usage via
roles or other checks. Checks have been added for these calls.
Closes-Bug: #1290537
Change-Id: I4bf681bedd68ed2216b429d34db735823e0a6189
(cherry picked from commit d4056f8723cc6cefb28ff6e5a7c0df5ea77f82ef)
-rw-r--r-- | nova/api/ec2/cloud.py | 9 | ||||
-rw-r--r-- | nova/tests/api/ec2/test_cloud.py | 43 |
2 files changed, 52 insertions, 0 deletions
diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index 64f18ac6c7..6bc899d7a7 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -622,6 +622,9 @@ class CloudController(object):
 security_group = self.security_group_api.get(context, group_name, group_id)
+ extensions.check_compute_policy(context, 'security_groups',
+ security_group, 'compute_extension')
+
 prevalues = kwargs.get('ip_permissions', [kwargs])
 rule_ids = []
@@ -656,6 +659,9 @@ class CloudController(object):
 security_group = self.security_group_api.get(context, group_name, group_id)
+ extensions.check_compute_policy(context, 'security_groups',
+ security_group, 'compute_extension')
+
 prevalues = kwargs.get('ip_permissions', [kwargs])
 postvalues = []
 for values in prevalues:
@@ -728,6 +734,9 @@ class CloudController(object):
 security_group = self.security_group_api.get(context, group_name, group_id)
+ extensions.check_compute_policy(context, 'security_groups',
+ security_group, 'compute_extension')
+
 self.security_group_api.destroy(context, security_group)
 return True
diff --git a/nova/tests/api/ec2/test_cloud.py b/nova/tests/api/ec2/test_cloud.py
index f34195ea3c..0abd0252d8 100644
--- a/nova/tests/api/ec2/test_cloud.py
+++ b/nova/tests/api/ec2/test_cloud.py
@@ -21,6 +21,7 @@ import copy
 import datetime
 import functools
 import iso8601
+import mock
 import os
 import string
 import tempfile
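Review bot: The two lines added after `self.security_group_api.get(...)` are repeated verbatim in this hunk and in the @@ -656 and @@ -728 hunks, so a further security-group entry point added later can silently miss the check; folding the lookup and the `extensions.check_compute_policy(context, 'security_groups', security_group, 'compute_extension')` call into one private helper gives every such path a single authorization point. A consequence of the current ordering is that the policy decision is only reached once the lookup has succeeded, so a caller the rule would deny still receives the lookup's own error when the name or id does not resolve — worth a short comment on the helper if that is intended. Nothing in the hunk shows what `get` returns; the tests' mock passes a dict carrying `project_id`, so the target is assumed to expose that key for the rule. Each enclosing method begins and ends outside its hunk.
```python
    def _get_security_group_checked(self, context, group_name, group_id):
        """Resolve a security group and enforce the security_groups policy on it.

        Raises whatever security_group_api.get raises for an unknown group, and
        PolicyNotAuthorized when the context may not act on the resolved group.
        """
        security_group = self.security_group_api.get(context, group_name,
                                                     group_id)
        extensions.check_compute_policy(context, 'security_groups',
                                        security_group, 'compute_extension')
        return security_group

    # … unchanged: the three callers then replace their get()+check pair with
    # security_group = self._get_security_group_checked(context, group_name, group_id) …
```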
@@ -481,6 +482,34 @@ class CloudTestCase(test.TestCase):
 delete = self.cloud.delete_security_group
 self.assertRaises(exception.MissingParameter, delete, self.context)
+ def test_delete_security_group_policy_not_allowed(self):
+ rules = common_policy.Rules(
+ {'compute_extension:security_groups':
+ common_policy.parse_rule('project_id:%(project_id)s')})
+ common_policy.set_rules(rules)
+
+ with mock.patch.object(self.cloud.security_group_api,
+ 'get') as get:
+ get.return_value = {'project_id': 'invalid'}
+
+ self.assertRaises(exception.PolicyNotAuthorized,
+ self.cloud.delete_security_group, self.context,
+ 'fake-name', 'fake-id')
+
+ def test_authorize_security_group_ingress_policy_not_allowed(self):
+ rules = common_policy.Rules(
+ {'compute_extension:security_groups':
+ common_policy.parse_rule('project_id:%(project_id)s')})
+ common_policy.set_rules(rules)
+
+ with mock.patch.object(self.cloud.security_group_api,
+ 'get') as get:
+ get.return_value = {'project_id': 'invalid'}
+
+ self.assertRaises(exception.PolicyNotAuthorized,
+ self.cloud.authorize_security_group_ingress, self.context,
+ 'fake-name', 'fake-id')
+
 def test_authorize_security_group_ingress(self):
 kwargs = {'project_id': self.context.project_id, 'name': 'test'}
 sec = db.security_group_create(self.context, kwargs)
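Review bot: `common_policy.set_rules(rules)` installs the `project_id:%(project_id)s` rule process-wide and neither new test restores it, and `test_revoke_security_group_ingress_policy_not_allowed` in the @@ -585 hunk has the same shape; unless the base `test.TestCase` resets policy between tests (not visible in this diff), the rule leaks into later cases, so an `addCleanup` that restores the prior rules belongs next to the `set_rules` call. The three tests differ only in the method under test, so a small helper taking the bound method would remove the duplicated rule setup and mock. They also exercise only the denied branch; a companion case whose mocked group has `'project_id': self.context.project_id` would confirm the check admits the owning project rather than refusing everyone. The enclosing `CloudTestCase` class continues outside the hunk.
```python
    def _assert_security_group_policy_denied(self, method):
        """Install a project-scoped security_groups rule and assert that
        *method* is refused for a group owned by another project."""
        rules = common_policy.Rules(
            {'compute_extension:security_groups':
             common_policy.parse_rule('project_id:%(project_id)s')})
        common_policy.set_rules(rules)
        # NOTE(review): restore the previous rules via addCleanup here if the
        # base TestCase does not already do so.
        with mock.patch.object(self.cloud.security_group_api,
                               'get') as get:
            get.return_value = {'project_id': 'invalid'}
            self.assertRaises(exception.PolicyNotAuthorized,
                              method, self.context, 'fake-name', 'fake-id')

    def test_delete_security_group_policy_not_allowed(self):
        self._assert_security_group_policy_denied(
            self.cloud.delete_security_group)

    # … unchanged: the authorize and revoke variants call the same helper with
    # their own bound method …
```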
@@ -585,6 +614,20 @@ class CloudTestCase(test.TestCase):
 db.security_group_destroy(self.context, sec2['id'])
 db.security_group_destroy(self.context, sec1['id'])
+ def test_revoke_security_group_ingress_policy_not_allowed(self):
+ rules = common_policy.Rules(
+ {'compute_extension:security_groups':
+ common_policy.parse_rule('project_id:%(project_id)s')})
+ common_policy.set_rules(rules)
+
+ with mock.patch.object(self.cloud.security_group_api,
+ 'get') as get:
+ get.return_value = {'project_id': 'invalid'}
+
+ self.assertRaises(exception.PolicyNotAuthorized,
+ self.cloud.revoke_security_group_ingress, self.context,
+ 'fake-name', 'fake-id')
+
 def test_revoke_security_group_ingress(self):
 kwargs = {'project_id': self.context.project_id, 'name': 'test'}
 sec = db.security_group_create(self.context, kwargs)
|