authorAnthony Young <sleepsonthefloor@gmail.com>2012-01-24 17:05:20 -0800
committerAnthony Young <sleepsonthefloor@gmail.com>2012-01-25 22:08:08 -0800
commit2e12797ef6420fa305d1ac093c77a2937a90f357 (patch)
treef2a9838714c24447cda53977f3f99ba8dc5c7009
parent7b95ee087eff855a68d9ada7a41559b0c3c8d249 (diff)
Fix authorization checks for simple_usage.show
* Normal users should be allowed to query their own usage info * Fixes bug 921327 * Address bcwaldon's comment about using a default {} in authorize * Remove is_admin references * Remove policy-related tests * Add back test_verify_show_cant_view_other_tenant, implemented with test policy * Add vish's fixes from trunk merge Change-Id: Ib0ce46419b7aedad34de957bfe2e60b10c5af11c
-rw-r--r--etc/nova/policy.json3
-rw-r--r--nova/api/openstack/compute/contrib/simple_tenant_usage.py16
-rw-r--r--nova/api/openstack/extensions.py6
-rw-r--r--nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py29
-rw-r--r--nova/tests/policy.json3
5 files changed, 28 insertions, 29 deletions
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index d63934994b..d2f9046b10 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -33,7 +33,8 @@
"compute_extension:security_groups": [],
"compute_extension:server_action_list": [["rule:admin_api"]],
"compute_extension:server_diagnostics": [["rule:admin_api"]],
- "compute_extension:simple_tenant_usage": [["rule:admin_api"]],
+ "compute_extension:simple_tenant_usage:show": [["rule:admin_or_owner"]],
+ "compute_extension:simple_tenant_usage:list": [["rule:admin_api"]],
"compute_extension:users": [["rule:admin_api"]],
"compute_extension:virtual_interfaces": [],
"compute_extension:virtual_storage_arrays": [],
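Review bot: Replacing the single key `compute_extension:simple_tenant_usage` with `:show` and `:list` means a deployment that carries its own customised policy.json will still define only the old key, which the new code no longer consults. How the policy engine treats an action with no matching entry is not visible in this diff, so the result for such a deployment could be either a blanket denial or a fallback to some default rule. The commit message or upgrade notes should call out the rename and state that operators must add both new keys, with `:list` kept at `rule:admin_api`.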
diff --git a/nova/api/openstack/compute/contrib/simple_tenant_usage.py b/nova/api/openstack/compute/contrib/simple_tenant_usage.py
index 8e42015469..fd454072d3 100644
--- a/nova/api/openstack/compute/contrib/simple_tenant_usage.py
+++ b/nova/api/openstack/compute/contrib/simple_tenant_usage.py
@@ -29,7 +29,10 @@ from nova import flags
FLAGS = flags.FLAGS
-authorize = extensions.extension_authorizer('compute', 'simple_tenant_usage')
+authorize_show = extensions.extension_authorizer('compute',
+ 'simple_tenant_usage:show')
+authorize_list = extensions.extension_authorizer('compute',
+ 'simple_tenant_usage:list')
def make_usage(elem):
@@ -110,8 +113,6 @@ class SimpleTenantUsageController(object):
period_start,
period_stop,
tenant_id)
- from nova import log as logging
- logging.info(instances)
rval = {}
flavors = {}
@@ -212,10 +213,8 @@ class SimpleTenantUsageController(object):
def index(self, req):
"""Retrive tenant_usage for all tenants"""
context = req.environ['nova.context']
- authorize(context)
- if not context.is_admin:
- return webob.Response(status_int=403)
+ authorize_list(context)
(period_start, period_stop, detailed) = self._get_datetime_range(req)
usages = self._tenant_usages_for_period(context,
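Review bot: With the explicit `if not context.is_admin` check removed from index(), the restriction of the all-tenants listing to administrators now rests entirely on the `compute_extension:simple_tenant_usage:list` policy entry. The test policy file in this commit sets that entry to `[]`, and test_verify_index_fails_for_nonadmin is deleted without a replacement, so nothing in the visible test suite asserts that a non-admin caller is refused. I would add a test that installs a rule such as `[["role:admin"]]` for the list action, in the same way the reworked show test does, and checks the denial. index() continues past the end of this hunk.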
@@ -229,11 +228,8 @@ class SimpleTenantUsageController(object):
"""Retrive tenant_usage for a specified tenant"""
tenant_id = id
context = req.environ['nova.context']
- authorize(context)
- if not context.is_admin:
- if tenant_id != context.project_id:
- return webob.Response(status_int=403)
+ authorize_show(context, {'project_id': tenant_id})
(period_start, period_stop, ignore) = self._get_datetime_range(req)
usage = self._tenant_usages_for_period(context,
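Review bot: The cross-tenant check in show() is now implicit: `tenant_id` comes straight from the URL and is only compared with the caller's project inside whatever `rule:admin_or_owner` expands to, which is defined outside this diff. A short comment above the call would make that dependency visible to the next reader, for example `# target is the tenant being queried; the policy rule must compare it with the caller's project_id`. It is also worth confirming that the shipped `admin_or_owner` rule matches on `project_id`, since the inline fallback that returned 403 is gone. show() starts and ends outside this hunk.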
diff --git a/nova/api/openstack/extensions.py b/nova/api/openstack/extensions.py
index bf415765c9..b40920f40f 100644
--- a/nova/api/openstack/extensions.py
+++ b/nova/api/openstack/extensions.py
@@ -379,9 +379,11 @@ def load_standard_extensions(ext_mgr, logger, path, package):
def extension_authorizer(api_name, extension_name):
- def authorize(context):
+ def authorize(context, target=None):
+ if target == None:
+ target = {}
action = '%s_extension:%s' % (api_name, extension_name)
- nova.policy.enforce(context, action, {})
+ nova.policy.enforce(context, action, target)
return authorize
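Review bot: The new default handling in authorize() compares with `== None`; the identity test `if target is None:` is the idiomatic form and cannot be fooled by a target object that overrides `__eq__`. The inner function would also benefit from a one-line docstring saying that `target` is the dict of attributes of the object being acted on and defaults to an empty dict, because every extension that calls extension_authorizer now has the option of passing one.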
diff --git a/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py b/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
index 812aac2971..c978809773 100644
--- a/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
+++ b/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
@@ -22,9 +22,11 @@ from lxml import etree
import webob
from nova.api.openstack.compute.contrib import simple_tenant_usage
+from nova.common import policy as common_policy
from nova.compute import api
from nova import context
from nova import flags
+from nova import policy
from nova import test
from nova.tests.api.openstack import fakes
@@ -133,18 +135,6 @@ class SimpleTenantUsageTest(test.TestCase):
for j in xrange(SERVERS):
self.assertEqual(int(servers[j]['hours']), HOURS)
- def test_verify_index_fails_for_nonadmin(self):
- req = webob.Request.blank(
- '/v2/faketenant_0/os-simple-tenant-usage?'
- 'detailed=1&start=%s&end=%s' %
- (START.isoformat(), STOP.isoformat()))
- req.method = "GET"
- req.headers["content-type"] = "application/json"
-
- res = req.get_response(fakes.wsgi_app(
- fake_auth_context=self.user_context))
- self.assertEqual(res.status_int, 403)
-
def test_verify_show(self):
req = webob.Request.blank(
'/v2/faketenant_0/os-simple-tenant-usage/'
@@ -172,9 +162,18 @@ class SimpleTenantUsageTest(test.TestCase):
req.method = "GET"
req.headers["content-type"] = "application/json"
- res = req.get_response(fakes.wsgi_app(
- fake_auth_context=self.alt_user_context))
- self.assertEqual(res.status_int, 403)
+ rules = {
+ "compute_extension:simple_tenant_usage:show":
+ [["role:admin"], ["project_id:%(project_id)s"]]
+ }
+ common_policy.set_brain(common_policy.HttpBrain(rules))
+
+ try:
+ res = req.get_response(fakes.wsgi_app(
+ fake_auth_context=self.alt_user_context))
+ self.assertEqual(res.status_int, 401)
+ finally:
+ policy.reset()
class SimpleTenantUsageSerializerTest(test.TestCase):
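Review bot: The reworked assertion expects `401` where the old code returned `403` for an authenticated user asking for another tenant's usage. The caller here is authenticated and simply not permitted, so 403 is the status that describes the situation, and clients written against the previous behaviour may treat 401 as a prompt to re-authenticate. The mapping from a policy failure to the HTTP status happens outside this diff, so this may need fixing there rather than in the test. Separately, the rule is built inline instead of being read from etc/nova/policy.json, so this test does not exercise the shipped `rule:admin_or_owner` entry. The test method begins above this hunk.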
diff --git a/nova/tests/policy.json b/nova/tests/policy.json
index 737e98f68f..c1497c9994 100644
--- a/nova/tests/policy.json
+++ b/nova/tests/policy.json
@@ -92,7 +92,8 @@
"compute_extension:security_groups": [],
"compute_extension:server_action_list": [],
"compute_extension:server_diagnostics": [],
- "compute_extension:simple_tenant_usage": [],
+ "compute_extension:simple_tenant_usage:show": [],
+ "compute_extension:simple_tenant_usage:list": [],
"compute_extension:users": [],
"compute_extension:virtual_interfaces": [],
"compute_extension:virtual_storage_arrays": [],