From 4892607740b8d8536e7ea66a7202b9cc4fc99b87 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Sat, 8 Feb 2020 21:12:17 -0600
Subject: [PATCH] Pass the actual target in os-availability-zone policy
Currently if target is not passed in context.can(), it use defauls target which is context.user_id, context.project_id. These defaults target are not useful as it pass the context's user_id and project_id only which means we tell oslo policy to verify the context data with context data. This commit pass the actual target for os-availability-zone policies which is empty dict because policy rule is system scoped rather than project, so the token scope check deals with the required target checking. Partial implement blueprint policy-defaults-refresh
Change-Id: I19fa9f2cb762baf5aeb5e9f25465863f9613f6db
---
 nova/api/openstack/compute/availability_zone.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nova/api/openstack/compute/availability_zone.py b/nova/api/openstack/compute/availability_zone.py
index 77b720e315..20b4a2147a 100644
--- a/nova/api/openstack/compute/availability_zone.py
+++ b/nova/api/openstack/compute/availability_zone.py
@@ -106,7 +106,7 @@ class AvailabilityZoneController(wsgi.Controller):
 def index(self, req):
 """Returns a summary list of availability zone."""
 context = req.environ['nova.context']
- context.can(az_policies.POLICY_ROOT % 'list')
+ context.can(az_policies.POLICY_ROOT % 'list', target={})
 return self._describe_availability_zones(context)
@@ -114,6 +114,6 @@ class AvailabilityZoneController(wsgi.Controller):
 def detail(self, req):
 """Returns a detailed list of availability zone."""
 context = req.environ['nova.context']
- context.can(az_policies.POLICY_ROOT % 'detail')
+ context.can(az_policies.POLICY_ROOT % 'detail', target={})
 return self._describe_availability_zones_verbose(context)
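Review bot: With `target={}` in `index` (and the same change in `detail`, second hunk), a rule that substitutes `%(project_id)s` or `%(user_id)s` from the target has nothing left to match against, and oslo.policy's generic check is expected to treat a missing target key as no match, so an owner-style default or operator override of the `list`/`detail` rules would start denying non-admin callers. The rule defaults are defined outside this diff, so that needs confirming against the policy module before merge. The diffstat shows only the controller file changed; I would add a policy unit test asserting that both calls pass an empty target and that the intended roles are still authorized, plus a release note for operators who override these rules. A short comment above each call would also help the next reader, e.g. `# Empty target on purpose: the rule is system-scoped, so the token scope check replaces target matching.` The controller class begins outside both hunks.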