From 1476367e098fb82e19528f78c2e52fd6ca29418d Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Tue, 14 Apr 2020 12:47:50 -0500
Subject: [PATCH] Pass the actual target in quota class policy

Currently if target is not passed in context.can(), it use defauls target which is context.user_id, context.project_id. These defaults target are not useful as it pass the context's user_id and project_id only which means we tell oslo policy to verify the context data with context data. This commit pass the actual target for quota class policies which is empty dict because policy rule is system scoped rather than project, so the token scope check deals with the required target checking.
Partial implement blueprint policy-defaults-refresh
Change-Id: I37a78180cfc67515e5a6485b91d541ec269904f5
---
 nova/api/openstack/compute/quota_classes.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nova/api/openstack/compute/quota_classes.py b/nova/api/openstack/compute/quota_classes.py
index 6ad7f43af7..0077ff9158 100644
--- a/nova/api/openstack/compute/quota_classes.py
+++ b/nova/api/openstack/compute/quota_classes.py
@@ -93,7 +93,7 @@ class QuotaClassSetsController(wsgi.Controller):
 def _show(self, req, id, filtered_quotas=None, exclude_server_groups=False):
 context = req.environ['nova.context']
- context.can(qcs_policies.POLICY_ROOT % 'show', {'quota_class': id})
+ context.can(qcs_policies.POLICY_ROOT % 'show', target={})
 values = QUOTAS.get_class_quotas(context, id)
 return self._format_quota_set(id, values, filtered_quotas, exclude_server_groups)
@@ -119,7 +119,7 @@ class QuotaClassSetsController(wsgi.Controller):
 def _update(self, req, id, body, filtered_quotas=None, exclude_server_groups=False):
 context = req.environ['nova.context']
- context.can(qcs_policies.POLICY_ROOT % 'update', {'quota_class': id})
+ context.can(qcs_policies.POLICY_ROOT % 'update', target={})
 try:
 utils.check_string_length(id, 'quota_class_name', min_length=1, max_length=255)
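Review bot: Dropping `quota_class` from the target in `_show`, and in the same way in `_update` in the second hunk, changes what an operator-overridden rule can match. A custom rule that refers to `%(quota_class)s` or `%(project_id)s` will find no such key in the empty target and, as far as oslo.policy's generic checks behave, will evaluate to a denial. The replaced calls passed `{'quota_class': id}` explicitly, so this is more than a move away from the context defaults the commit message describes, and it deserves a release note. With `target={}` the only restriction left besides the role rule is the token scope, which oslo.policy enforces only when `[oslo_policy] enforce_scope` is enabled, so I would say so next to each call, e.g. `# System-scoped policy: no project/user to target; restriction relies on the rule's scope_types and enforce_scope.` The diffstat lists one changed file, so no test pins the new target, and `_update` continues past the end of its hunk.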