author | Ghanshyam Mann <gmann@ghanshyammann.com> | 2020-07-17 22:00:59 -0500 |
---|---|---|
committer | Ghanshyam Mann <gmann@ghanshyammann.com> | 2020-07-20 16:53:02 -0500 |
commit | f1d4d9762c8d4ad6cd40c8424f56d0677d0b080b (patch) | |
tree | 58053d0680931573f34c5466f8f507a08a046402 /nova/policies | |
parent | 8c0d1acf6ea41adc3743a4e190eaf777188282c0 (diff) | |
download | nova-f1d4d9762c8d4ad6cd40c8424f56d0677d0b080b.tar.gz |
Correct the check_str and pass actual target in FIP pools policy
FIP pools are not associated with any projects and API
controller also does not take any project_id in request
so anyone requesting that API can get the FIP pools list.
Current check_str 'admin_or_owner' is not correct for this
policy, it should be RULE_ANY.
Currently if target is not passed in context.can(),
it uses default target which is context.user_id, context.project_id.
These default targets are not useful as they pass the
context's user_id and project_id only which means we tell
oslo policy to verify the context data with context data.
This commit corrects the check_str and passes the actual target for
FIP pools policies which is empty dict.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I06dde5960fdae5ee4e3ce902482361909ac397d6
Diffstat (limited to 'nova/policies')
-rw-r--r-- | nova/policies/floating_ip_pools.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nova/policies/floating_ip_pools.py b/nova/policies/floating_ip_pools.py index 5e8d8e4f1d..61105efcb7 100644 --- a/nova/policies/floating_ip_pools.py +++ b/nova/policies/floating_ip_pools.py @@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-floating-ip-pools' floating_ip_pools_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME, - check_str=base.RULE_ADMIN_OR_OWNER, + check_str=base.RULE_ANY, description="List floating IP pools. This API is deprecated.", operations=[ { |
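Review bot: On the `check_str=base.RULE_ANY` line, the reason this rule is open to every caller is recorded only in the commit message. A short comment above the rule, or a sentence in `description`, saying that floating IP pools are not associated with any project would keep a later reader from tightening it back to an owner check that has no project to compare against. The diffstat shown is limited to nova/policies, so the controller change that passes the empty target to context.can() is not visible in this view; confirm it lands in the same commit together with a policy test that exercises a caller who is neither admin nor owner.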