From abeb47b20d616f6b9be7014f27fbfb79393f256d Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Thu, 23 Jul 2020 21:05:16 -0500
Subject: [PATCH] Pass the actual target in volumes policy

Currently if target is not passed in context.can(), it use defauls target which is context.user_id, context.project_id. These defaults target are not useful as it pass the context's user_id and project_id only which means we tell oslo policy to verify the context data with context data.

This commit pass the actual target for networks policies which is context.project_id itself as nova cannot verify the owner of volumes. Neutron will return the authorise error is requester is not owner of volumes.

Partial implement blueprint policy-defaults-refresh-deprecated-apis

Change-Id: I4108f4b98c57174ca4e71dcf53cd0617093d3f88
---
 nova/api/openstack/compute/volumes.py | 30 ++++++++++++++++++---------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/nova/api/openstack/compute/volumes.py b/nova/api/openstack/compute/volumes.py
index 1bf9310e49..15b752f596 100644
--- a/nova/api/openstack/compute/volumes.py
+++ b/nova/api/openstack/compute/volumes.py
@@ -104,7 +104,8 @@ class VolumeController(wsgi.Controller):
     def show(self, req, id):
         """Return data about the given volume."""
         context = req.environ['nova.context']
-        context.can(vol_policies.POLICY_NAME % 'show')
+        context.can(vol_policies.POLICY_NAME % 'show',
+                    target={'project_id': context.project_id})
 
         try:
             vol = self.volume_api.get(context, id)
@@ -119,7 +120,8 @@ class VolumeController(wsgi.Controller):
     def delete(self, req, id):
         """Delete a volume."""
         context = req.environ['nova.context']
-        context.can(vol_policies.POLICY_NAME % 'delete')
+        context.can(vol_policies.POLICY_NAME % 'delete',
+                    target={'project_id': context.project_id})
 
         try:
             self.volume_api.delete(context, id)
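Review bot: The target passed to `context.can()` in the `show` hunk (and in the same way in the `delete`, `index`, `detail` and `create` hunks and the five `SnapshotController` hunks) is the requester's own `context.project_id`, so a rule such as `project_id:%(project_id)s` compares the caller's project with itself and cannot express ownership of the volume named by `id`; the check only decides whether this caller may reach the proxy at all. The owning project is not known until `self.volume_api.get()` / `delete()` runs, so ownership enforcement rests entirely on the Cinder side, which the commit message describes as "networks"/"Neutron" and should be corrected before merge. A short comment above each call would stop the next reader from treating the target as an ownership check, e.g. `# Target is the requester's project: nova does not know the volume's owner here; Cinder enforces ownership on the proxy call below.`. If the proxy response carried the owning project, the per-resource operations (`show`, `delete`, `snapshots:show`, `snapshots:delete`) could re-check against that value after the lookup, but whether it does is not visible from this hunk. The body of `show` continues past the end of the hunk.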
@@ -134,7 +136,8 @@ class VolumeController(wsgi.Controller):
     def index(self, req):
         """Returns a summary list of volumes."""
         context = req.environ['nova.context']
-        context.can(vol_policies.POLICY_NAME % 'list')
+        context.can(vol_policies.POLICY_NAME % 'list',
+                    target={'project_id': context.project_id})
         return self._items(req, entity_maker=_translate_volume_summary_view)
 
     @wsgi.Controller.api_version("2.1", MAX_PROXY_API_SUPPORT_VERSION)
@@ -143,7 +146,8 @@ class VolumeController(wsgi.Controller):
     def detail(self, req):
         """Returns a detailed list of volumes."""
         context = req.environ['nova.context']
-        context.can(vol_policies.POLICY_NAME % 'detail')
+        context.can(vol_policies.POLICY_NAME % 'detail',
+                    target={'project_id': context.project_id})
         return self._items(req, entity_maker=_translate_volume_detail_view)
 
     def _items(self, req, entity_maker):
@@ -161,7 +165,8 @@ class VolumeController(wsgi.Controller):
     def create(self, req, body):
         """Creates a new volume."""
         context = req.environ['nova.context']
-        context.can(vol_policies.POLICY_NAME % 'create')
+        context.can(vol_policies.POLICY_NAME % 'create',
+                    target={'project_id': context.project_id})
 
         vol = body['volume']
 
@@ -576,7 +581,8 @@ class SnapshotController(wsgi.Controller):
     def show(self, req, id):
         """Return data about the given snapshot."""
         context = req.environ['nova.context']
-        context.can(vol_policies.POLICY_NAME % 'snapshots:show')
+        context.can(vol_policies.POLICY_NAME % 'snapshots:show',
+                    target={'project_id': context.project_id})
 
         try:
             vol = self.volume_api.get_snapshot(context, id)
@@ -591,7 +597,8 @@ class SnapshotController(wsgi.Controller):
     def delete(self, req, id):
         """Delete a snapshot."""
         context = req.environ['nova.context']
-        context.can(vol_policies.POLICY_NAME % 'snapshots:delete')
+        context.can(vol_policies.POLICY_NAME % 'snapshots:delete',
+                    target={'project_id': context.project_id})
 
         try:
             self.volume_api.delete_snapshot(context, id)
@@ -604,7 +611,8 @@ class SnapshotController(wsgi.Controller):
     def index(self, req):
         """Returns a summary list of snapshots."""
         context = req.environ['nova.context']
-        context.can(vol_policies.POLICY_NAME % 'snapshots:list')
+        context.can(vol_policies.POLICY_NAME % 'snapshots:list',
+                    target={'project_id': context.project_id})
         return self._items(req, entity_maker=_translate_snapshot_summary_view)
 
     @wsgi.Controller.api_version("2.1", MAX_PROXY_API_SUPPORT_VERSION)
@@ -613,7 +621,8 @@ class SnapshotController(wsgi.Controller):
     def detail(self, req):
         """Returns a detailed list of snapshots."""
         context = req.environ['nova.context']
-        context.can(vol_policies.POLICY_NAME % 'snapshots:detail')
+        context.can(vol_policies.POLICY_NAME % 'snapshots:detail',
+                    target={'project_id': context.project_id})
         return self._items(req, entity_maker=_translate_snapshot_detail_view)
 
     def _items(self, req, entity_maker):
@@ -631,7 +640,8 @@ class SnapshotController(wsgi.Controller):
     def create(self, req, body):
         """Creates a new snapshot."""
         context = req.environ['nova.context']
-        context.can(vol_policies.POLICY_NAME % 'snapshots:create')
+        context.can(vol_policies.POLICY_NAME % 'snapshots:create',
+                    target={'project_id': context.project_id})
 
         snapshot = body['snapshot']
         volume_id = snapshot['volume_id']