From 4ecec2ff7394d066783819c7febdc2a09623bcd3 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Thu, 23 Jul 2020 18:32:05 -0500
Subject: [PATCH] Pass the actual target in security_groups policy

Currently if target is not passed in context.can(), it use defauls target which is context.user_id, context.project_id. These defaults target are not useful as it pass the context's user_id and project_id only which means we tell oslo policy to verify the context data with context data.

This commit pass the actual target for networks policies which is context.project_id itself as nova cannot verify the owner of security_groups. Neutron will return the authorise error is requester is not owner of security_group.

Partial implement blueprint policy-defaults-refresh-deprecated-apis

Change-Id: I1ce8ad8a16bddb3f7520a3b4e323b75626928186
---
 nova/api/openstack/compute/security_groups.py | 21 ++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/nova/api/openstack/compute/security_groups.py b/nova/api/openstack/compute/security_groups.py
index 99294fd2da..b10308393f 100644
--- a/nova/api/openstack/compute/security_groups.py
+++ b/nova/api/openstack/compute/security_groups.py
@@ -150,7 +150,8 @@ class SecurityGroupController(SecurityGroupControllerBase, wsgi.Controller):
 def show(self, req, id):
 """Return data about the given security group."""
 context = req.environ['nova.context']
- context.can(sg_policies.POLICY_NAME % 'show')
+ context.can(sg_policies.POLICY_NAME % 'show',
+ target={'project_id': context.project_id})
 try:
 id = security_group_api.validate_id(id)
@@ -169,7 +170,8 @@ class SecurityGroupController(SecurityGroupControllerBase, wsgi.Controller):
 def delete(self, req, id):
 """Delete a security group."""
 context = req.environ['nova.context']
- context.can(sg_policies.POLICY_NAME % 'delete')
+ context.can(sg_policies.POLICY_NAME % 'delete',
+ target={'project_id': context.project_id})
 try:
 id = security_group_api.validate_id(id)
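Review bot: The target added to the `show` check is still the requester's own project, so a rule written as `project_id:%(project_id)s` compares the token's project with itself and cannot reject a lookup of another project's security group; that is only acceptable because, as the commit message says, Neutron enforces ownership when the group is actually fetched, and the call site should state that so nobody later reads this as an ownership check. I would put a comment directly above the `context.can(...)` call: `# Nova does not know the group's owner (it lives in Neutron), so the target is the caller's own project; Neutron rejects requests for groups owned by other projects.` The body of `show` continues past the end of the hunk.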
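Review bot: The `delete` check now passes `target={'project_id': context.project_id}` but nothing in the hunk handles a context whose `project_id` is None (a system-scoped or otherwise unscoped token); the target then becomes `{'project_id': None}`, and whether a string-match policy rule treats that as equal to the token's missing project depends on how oslo.policy stringifies both sides, which I cannot confirm from this diff. Because this is the destructive path, a unit test that runs `delete` under a context with no `project_id` and asserts the expected policy outcome would pin the behaviour, and an inline note such as `# project_id may be None for system-scoped tokens` next to the target would flag the case for readers. The remainder of `delete` lies outside the hunk.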
@@ -186,7 +188,8 @@ class SecurityGroupController(SecurityGroupControllerBase, wsgi.Controller):
 def index(self, req):
 """Returns a list of security groups."""
 context = req.environ['nova.context']
- context.can(sg_policies.POLICY_NAME % 'get')
+ context.can(sg_policies.POLICY_NAME % 'get',
+ target={'project_id': context.project_id})
 search_opts = {}
 search_opts.update(req.GET)
@@ -208,7 +211,8 @@ class SecurityGroupController(SecurityGroupControllerBase, wsgi.Controller):
 def create(self, req, body):
 """Creates a new security group."""
 context = req.environ['nova.context']
- context.can(sg_policies.POLICY_NAME % 'create')
+ context.can(sg_policies.POLICY_NAME % 'create',
+ target={'project_id': context.project_id})
 security_group = self._from_body(body, 'security_group')
@@ -234,7 +238,8 @@ class SecurityGroupController(SecurityGroupControllerBase, wsgi.Controller):
 def update(self, req, id, body):
 """Update a security group."""
 context = req.environ['nova.context']
- context.can(sg_policies.POLICY_NAME % 'update')
+ context.can(sg_policies.POLICY_NAME % 'update',
+ target={'project_id': context.project_id})
 try:
 id = security_group_api.validate_id(id)
@@ -270,7 +275,8 @@ class SecurityGroupRulesController(SecurityGroupControllerBase,
 @wsgi.expected_errors((400, 403, 404))
 def create(self, req, body):
 context = req.environ['nova.context']
- context.can(sg_policies.POLICY_NAME % 'rule:create')
+ context.can(sg_policies.POLICY_NAME % 'rule:create',
+ target={'project_id': context.project_id})
 sg_rule = self._from_body(body, 'security_group_rule')
 group_id = sg_rule.get('group_id')
 source_group = {}
@@ -345,7 +351,8 @@ class SecurityGroupRulesController(SecurityGroupControllerBase,
 @wsgi.response(202)
 def delete(self, req, id):
 context = req.environ['nova.context']
- context.can(sg_policies.POLICY_NAME % 'rule:delete')
+ context.can(sg_policies.POLICY_NAME % 'rule:delete',
+ target={'project_id': context.project_id})
 try:
 id = security_group_api.validate_id(id)
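Review bot: The literal `target={'project_id': context.project_id}` that `index` now passes is repeated verbatim at every `context.can` call site in this patch (seven times), which is the kind of duplication that silently drifts once one call site later needs a richer target. A private helper on the shared base, e.g. `def _policy_target(context): return {'project_id': context.project_id}` used as `target=_policy_target(context)`, would keep the target shape in one place and give it a single docstring explaining why only the caller's project is available. This is a style point only; behaviour is identical either way. `index` continues below the hunk.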