diff options
| author | Matt Riedemann <mriedem.os@gmail.com> | 2018-12-10 14:58:46 -0500 |
|---|---|---|
| committer | Matt Riedemann <mriedem.os@gmail.com> | 2018-12-10 15:12:42 -0500 |
| commit | c27af238ad99c0330eb4b55398f44be28e6f0485 (patch) | |
| tree | 41a1ec5ebcaf72d1b6c6546a140e65ddf5fd777c /nova/policy.py | |
| parent | 08d617084e5aa69ada0898d674022621d130aef3 (diff) | |
| download | nova-c27af238ad99c0330eb4b55398f44be28e6f0485.tar.gz | |
Fix target used in nova.policy.check_is_admin
The target passed to Enforcer.authorize should be a dict,
similar to the target dict to the RequestContext.can method.
However, we were passing an instance of _DeprecatedPolicyValues
because that is ultimately what comes out of
RequestContext.to_policy_values(). As of change
I4642c57990b145c0e691140970574412682e66a5 in oslo.policy, that
incorrect type for the target parameter results in an error in
the debug logs for the policy check:
cannot format data, exception: Expected a dictionary, got
<class 'oslo_context.context._DeprecatedPolicyValues'> instead.
This resolves the issue by using the same default target dict
that RequestContext.can uses if a target is not supplied.
Note that we get here from NovaKeystoneContext via API middleware
before any request handler is invoked in the wsgi stack, so there
is no context from the request as to what to pass for the target
besides the user_id/project_id.
Change-Id: I4442a7b95d15233f76f7795d45b18ac440ddb831
Closes-Bug: #1807747
Diffstat (limited to 'nova/policy.py')
| -rw-r--r-- | nova/policy.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nova/policy.py b/nova/policy.py index cfdb1097a3..cad1f16f5c 100644 --- a/nova/policy.py +++ b/nova/policy.py @@ -176,7 +176,7 @@ def check_is_admin(context): init() # the target is user-self credentials = context.to_policy_values() - target = credentials + target = context.default_target() return _ENFORCER.authorize('context_is_admin', target, credentials) |