From 3903b91676c75b8d0082975337d0192e5dd96788 Mon Sep 17 00:00:00 2001
From: zhangbailin
Date: Fri, 28 Feb 2020 15:48:18 +0800
Subject: [PATCH] Correct the actual target in os-instance-actions policy

This commit correct the actual target for os-instance-actions policies, which is 'instance' because poolicy rule is system or project scoped rather than project only, so the token scope check deals with the required target checking.
Partial implement blueprint policy-defaults-refresh
Change-Id: I98405ebc216d4567b004d1222298136ab64fd5d1
---
 nova/api/openstack/compute/instance_actions.py | 13 +++++++++----
 .../api/openstack/compute/test_instance_actions.py | 6 ++++--
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/nova/api/openstack/compute/instance_actions.py b/nova/api/openstack/compute/instance_actions.py
index ae0131f484..8fa089b3d4 100644
--- a/nova/api/openstack/compute/instance_actions.py
+++ b/nova/api/openstack/compute/instance_actions.py
@@ -84,7 +84,8 @@ class InstanceActionsController(wsgi.Controller):
 """Returns the list of actions recorded for a given instance."""
 context = req.environ["nova.context"]
 instance = self._get_instance(req, context, server_id)
- context.can(ia_policies.BASE_POLICY_NAME, instance)
+ context.can(ia_policies.BASE_POLICY_NAME,
+ target={'project_id': instance.project_id})
 actions_raw = self.action_api.actions_get(context, instance)
 actions = [self._format_action(action, ACTION_KEYS) for action in actions_raw]
@@ -100,7 +101,8 @@ class InstanceActionsController(wsgi.Controller):
 """Returns the list of actions recorded for a given instance."""
 context = req.environ["nova.context"]
 instance = self._get_instance(req, context, server_id)
- context.can(ia_policies.BASE_POLICY_NAME, instance)
+ context.can(ia_policies.BASE_POLICY_NAME,
+ target={'project_id': instance.project_id})
 search_opts = {}
 search_opts.update(req.GET)
 if 'changes-since' in search_opts:
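Review bot: The target now passed to `context.can()` carries only `project_id`, whereas the old call passed the whole instance, so a rule that refers to any other instance attribute (for example `user_id:%(user_id)s` in a deployer's policy override) has nothing to match against and would, as far as I can tell, evaluate as denied. That fails closed, but it is a behaviour change for operators with customised policy files and nothing in the new code says it is intended. The same dict is repeated in all three `BASE_POLICY_NAME` checks and in the `events` check in the later hunks of this file. I would add a comment at the first call, such as `# Only project_id is exposed to the policy engine; rules keyed on other instance fields will not match.`, and cover it in a release note. The enclosing handler methods start outside these hunks.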
@@ -138,7 +140,8 @@ class InstanceActionsController(wsgi.Controller):
 """Return data about the given instance action."""
 context = req.environ['nova.context']
 instance = self._get_instance(req, context, server_id)
- context.can(ia_policies.BASE_POLICY_NAME, instance)
+ context.can(ia_policies.BASE_POLICY_NAME,
+ target={'project_id': instance.project_id})
 action = self.action_api.action_get_by_request_id(context, instance, id)
 if action is None:
@@ -158,7 +161,9 @@ class InstanceActionsController(wsgi.Controller):
 show_events = False
 show_traceback = False
 show_host = False
- if context.can(ia_policies.POLICY_ROOT % 'events', fatal=False):
+ if context.can(ia_policies.POLICY_ROOT % 'events',
+ target={'project_id': instance.project_id},
+ fatal=False):
 # For all microversions, the user can see all event details
 # including the traceback.
 show_events = show_traceback = True
diff --git a/nova/tests/unit/api/openstack/compute/test_instance_actions.py b/nova/tests/unit/api/openstack/compute/test_instance_actions.py
index 566f86ab5b..813ffc164c 100644
--- a/nova/tests/unit/api/openstack/compute/test_instance_actions.py
+++ b/nova/tests/unit/api/openstack/compute/test_instance_actions.py
@@ -132,7 +132,8 @@ class InstanceActionsTestV21(test.NoDBTestCase):
 def fake_get(self, context, instance_uuid, expected_attrs=None, cell_down_support=False):
- return objects.Instance(uuid=instance_uuid)
+ return objects.Instance(
+ context, id=1, uuid=instance_uuid, project_id=context.project_id)
 def setUp(self):
 super(InstanceActionsTestV21, self).setUp()
@@ -273,7 +274,8 @@ class InstanceActionsTestV221(InstanceActionsTestV21):
 def fake_get(self, context, instance_uuid, expected_attrs=None, cell_down_support=False):
 self.assertEqual('yes', context.read_deleted)
- return objects.Instance(uuid=instance_uuid)
+ return objects.Instance(
+ context, id=1, uuid=instance_uuid, project_id=context.project_id)
 class InstanceActionsTestV251(InstanceActionsTestV221):
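Review bot: Both `fake_get` stubs now build the instance with `project_id=context.project_id`, so every test in these classes checks the policy against a target that always equals the caller's own project. The mismatching-project path that the new `target=` argument exists for is not exercised by this change. I would add a case where the stub returns a foreign project, e.g. `project_id='other-project'` (constructed value), used with a non-admin request context, and assert that the controller raises nova's `PolicyNotAuthorized`. Such a test may exist elsewhere in the suite, but the diffstat shows only these six changed test lines. Both test classes continue outside the hunks.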