author | Anthony Young <sleepsonthefloor@gmail.com> | 2012-01-24 17:05:20 -0800 |
---|---|---|
committer | Anthony Young <sleepsonthefloor@gmail.com> | 2012-01-25 22:08:08 -0800 |
commit | 2e12797ef6420fa305d1ac093c77a2937a90f357 (patch) | |
tree | f2a9838714c24447cda53977f3f99ba8dc5c7009 | |
parent | 7b95ee087eff855a68d9ada7a41559b0c3c8d249 (diff) | |
Fix authorization checks for simple_usage.show
* Normal users should be allowed to query their own usage info
* Fixes bug 921327
* Address bcwaldon's comment about using a default {} in authorize
* Remove is_admin references
* Remove policy-related tests
* Add back test_verify_show_cant_view_other_tenant, implemented with test policy
* Add vish's fixes from trunk merge
Change-Id: Ib0ce46419b7aedad34de957bfe2e60b10c5af11c
-rw-r--r-- | etc/nova/policy.json | 3 | ||||
-rw-r--r-- | nova/api/openstack/compute/contrib/simple_tenant_usage.py | 16 | ||||
-rw-r--r-- | nova/api/openstack/extensions.py | 6 | ||||
-rw-r--r-- | nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py | 29 | ||||
-rw-r--r-- | nova/tests/policy.json | 3 |
5 files changed, 28 insertions, 29 deletions
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index d63934994b..d2f9046b10 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -33,7 +33,8 @@
 "compute_extension:security_groups": [],
 "compute_extension:server_action_list": [["rule:admin_api"]],
 "compute_extension:server_diagnostics": [["rule:admin_api"]],
- "compute_extension:simple_tenant_usage": [["rule:admin_api"]],
+ "compute_extension:simple_tenant_usage:show": [["rule:admin_or_owner"]],
+ "compute_extension:simple_tenant_usage:list": [["rule:admin_api"]],
 "compute_extension:users": [["rule:admin_api"]],
 "compute_extension:virtual_interfaces": [],
 "compute_extension:virtual_storage_arrays": [],
diff --git a/nova/api/openstack/compute/contrib/simple_tenant_usage.py b/nova/api/openstack/compute/contrib/simple_tenant_usage.py
index 8e42015469..fd454072d3 100644
--- a/nova/api/openstack/compute/contrib/simple_tenant_usage.py
+++ b/nova/api/openstack/compute/contrib/simple_tenant_usage.py
@@ -29,7 +29,10 @@ from nova import flags
 FLAGS = flags.FLAGS
-authorize = extensions.extension_authorizer('compute', 'simple_tenant_usage')
+authorize_show = extensions.extension_authorizer('compute',
+ 'simple_tenant_usage:show')
+authorize_list = extensions.extension_authorizer('compute',
+ 'simple_tenant_usage:list')
 def make_usage(elem):
@@ -110,8 +113,6 @@ class SimpleTenantUsageController(object):
 period_start, period_stop, tenant_id)
- from nova import log as logging
- logging.info(instances)
 rval = {}
 flavors = {}
@@ -212,10 +213,8 @@ class SimpleTenantUsageController(object):
 def index(self, req):
 """Retrive tenant_usage for all tenants"""
 context = req.environ['nova.context']
- authorize(context)
- if not context.is_admin:
- return webob.Response(status_int=403)
+ authorize_list(context)
 (period_start, period_stop, detailed) = self._get_datetime_range(req)
 usages = self._tenant_usages_for_period(context,
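Review bot: The key `compute_extension:simple_tenant_usage` is replaced outright rather than kept alongside the two new keys, so a deployment that ships its own customised policy.json still carrying only the old key will have both new actions fall through to that file's `default` rule with no warning at startup. Whether that widens access depends on how restrictive the default rule in the operator's file is, which this hunk cannot show; an upgrade note asking operators to add `compute_extension:simple_tenant_usage:show` and `compute_extension:simple_tenant_usage:list` would cover it. The `rule:admin_or_owner` reference also only delivers the owner check the title promises if that rule is defined to match `project_id` against the target dict the controller passes, and that definition lies outside this hunk.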
@@ -229,11 +228,8 @@ class SimpleTenantUsageController(object):
 """Retrive tenant_usage for a specified tenant"""
 tenant_id = id
 context = req.environ['nova.context']
- authorize(context)
- if not context.is_admin:
- if tenant_id != context.project_id:
- return webob.Response(status_int=403)
+ authorize_show(context, {'project_id': tenant_id})
 (period_start, period_stop, ignore) = self._get_datetime_range(req)
 usage = self._tenant_usages_for_period(context,
diff --git a/nova/api/openstack/extensions.py b/nova/api/openstack/extensions.py
index bf415765c9..b40920f40f 100644
--- a/nova/api/openstack/extensions.py
+++ b/nova/api/openstack/extensions.py
@@ -379,9 +379,11 @@ def load_standard_extensions(ext_mgr, logger, path, package):
 def extension_authorizer(api_name, extension_name):
- def authorize(context):
+ def authorize(context, target=None):
+ if target == None:
+ target = {}
 action = '%s_extension:%s' % (api_name, extension_name)
- nova.policy.enforce(context, action, {})
+ nova.policy.enforce(context, action, target)
 return authorize
diff --git a/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py b/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
index 812aac2971..c978809773 100644
--- a/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
+++ b/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
@@ -22,9 +22,11 @@ from lxml import etree
 import webob
 from nova.api.openstack.compute.contrib import simple_tenant_usage
+from nova.common import policy as common_policy
 from nova.compute import api
 from nova import context
 from nova import flags
+from nova import policy
 from nova import test
 from nova.tests.api.openstack import fakes
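Review bot: A caller whose project does not match the URL tenant no longer gets the explicit 403 the removed lines returned; `authorize_show(context, {'project_id': tenant_id})` lets the policy layer raise instead, and the test added later in this commit pins the resulting status at 401, so this is a visible status-code change for an authenticated-but-unauthorized request (the same applies to `index` in the previous hunk). That is presumably consistent with how policy failures surface elsewhere in the API, but it deserves a sentence in the commit message. A comment above the call, `# target carries the tenant_id from the URL path so the policy rule can match it against the caller's project`, would make it clear why the dict is built from the path segment rather than from the context. The body of show continues past the end of this hunk.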
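Review bot: `if target == None:` should be `if target is None:`; comparing with `==` calls the argument's `__eq__`, so any target object with a permissive `__eq__` would silently be swapped for an empty dict inside an authorization helper, and `is` is the idiomatic sentinel check in any case. The inner closure also has no documentation now that it takes a second argument; a comment such as `# target: attributes a policy rule may match against (e.g. project_id); a fresh {} per call so callers never share a dict` would say why the default is built inside the function rather than in the signature. The rest of extension_authorizer is unchanged and looks right.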
@@ -133,18 +135,6 @@ class SimpleTenantUsageTest(test.TestCase):
 for j in xrange(SERVERS):
 self.assertEqual(int(servers[j]['hours']), HOURS)
- def test_verify_index_fails_for_nonadmin(self):
- req = webob.Request.blank(
- '/v2/faketenant_0/os-simple-tenant-usage?'
- 'detailed=1&start=%s&end=%s' %
- (START.isoformat(), STOP.isoformat()))
- req.method = "GET"
- req.headers["content-type"] = "application/json"
- res = req.get_response(fakes.wsgi_app(
- fake_auth_context=self.user_context))
- self.assertEqual(res.status_int, 403)
 def test_verify_show(self):
 req = webob.Request.blank(
 '/v2/faketenant_0/os-simple-tenant-usage/'
@@ -172,9 +162,18 @@ class SimpleTenantUsageTest(test.TestCase):
 req.method = "GET"
 req.headers["content-type"] = "application/json"
- res = req.get_response(fakes.wsgi_app(
- fake_auth_context=self.alt_user_context))
- self.assertEqual(res.status_int, 403)
+ rules = {
+ "compute_extension:simple_tenant_usage:show":
+ [["role:admin"], ["project_id:%(project_id)s"]]
+ }
+ common_policy.set_brain(common_policy.HttpBrain(rules))
+ try:
+ res = req.get_response(fakes.wsgi_app(
+ fake_auth_context=self.alt_user_context))
+ self.assertEqual(res.status_int, 401)
+ finally:
+ policy.reset()
 class SimpleTenantUsageSerializerTest(test.TestCase):
diff --git a/nova/tests/policy.json b/nova/tests/policy.json
index 737e98f68f..c1497c9994 100644
--- a/nova/tests/policy.json
+++ b/nova/tests/policy.json
@@ -92,7 +92,8 @@
 "compute_extension:security_groups": [],
 "compute_extension:server_action_list": [],
 "compute_extension:server_diagnostics": [],
- "compute_extension:simple_tenant_usage": [],
+ "compute_extension:simple_tenant_usage:show": [],
+ "compute_extension:simple_tenant_usage:list": [],
 "compute_extension:users": [],
 "compute_extension:virtual_interfaces": [],
 "compute_extension:virtual_storage_arrays": [],
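Review bot: The new policy-driven test only covers `show`, while `test_verify_index_fails_for_nonadmin`, deleted in the earlier hunk of this file, has no replacement, so after this commit nothing checks that a non-admin is refused by the `compute_extension:simple_tenant_usage:list` rule, and list is the action that exposes every tenant's usage. A sibling test that installs `[["role:admin"]]` for the list key via the same `set_brain` pattern and asserts 401 for `self.user_context` would close that gap. Expecting 401 where the removed assertion expected 403 confirms the status change introduced on the controller side is deliberate, and that should be stated in the commit message. Installing the brain before the `try` is fine as written, since a failure in `HttpBrain(rules)` leaves nothing to reset.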