authorMark Goddard <mark@stackhpc.com>2017-05-10 16:50:26 +0100
committerMark Goddard <mark@stackhpc.com>2017-06-15 10:03:24 +0100
commit3afe70ad80d19ed3079fc48bdddcaf65011c48de (patch)
tree9995c003796e06db174fb3cbaea33446907870b5
parentbdddbdf2defd5b8cd4996ee6163746571146ea7c (diff)
Pass a mutable target to oslo policy enforcer
Magnum API previously passed magnum.objects.cluster.Cluster objects as the target argument to magnum.common.policy.enforce(). However, enforce() expects target to be a mutable mapping, as it adds an entry for trustee_domain_id which is used by the magnum policy.json. This causes cluster detailed GET requests to fail with the following message: AttributeError: 'Cluster' object has no attribute 'trustee_domain_id' This change uses the as_dict() method of the magnum RPC objects to provide a mutable mapping to the policy enforcer. Change-Id: I54b136243afff9e0fadae3be4b36cad1679e5721 Closes-Bug: #1689797 (cherry picked from commit f1326626b94778dfd03e1ca76e61cbecb10495aa)
Notes
Notes (review): Code-Review+2: Adrian Otto <aotto@aotto.com> Code-Review+2: yatin <ykarel@redhat.com> Workflow+1: yatin <ykarel@redhat.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Fri, 16 Jun 2017 04:01:21 +0000 Reviewed-on: https://review.openstack.org/474502 Project: openstack/magnum Branch: refs/heads/stable/ocata
-rw-r--r--magnum/api/controllers/v1/bay.py6
-rw-r--r--magnum/api/controllers/v1/baymodel.py6
-rw-r--r--magnum/api/controllers/v1/certificate.py6
-rw-r--r--magnum/api/controllers/v1/cluster.py6
-rw-r--r--magnum/api/controllers/v1/cluster_template.py9
5 files changed, 18 insertions, 15 deletions
diff --git a/magnum/api/controllers/v1/bay.py b/magnum/api/controllers/v1/bay.py
index 3466479..90f4607 100644
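--- a/magnum/api/controllers/v1/bay.py
+++ b/magnum/api/controllers/v1/bay.py
@@ -372,7 +372,7 @@ class BaysController(base.Controller):
 """
 context = pecan.request.context
 bay = api_utils.get_resource('Cluster', bay_ident)
-policy.enforce(context, 'bay:get', bay,
+policy.enforce(context, 'bay:get', bay.as_dict(),
 action='bay:get')
 
 bay = Bay.convert_with_links(bay)
@@ -479,7 +479,7 @@ class BaysController(base.Controller):
 def _patch(self, bay_ident, patch):
 context = pecan.request.context
 bay = api_utils.get_resource('Cluster', bay_ident)
-policy.enforce(context, 'bay:update', bay,
+policy.enforce(context, 'bay:update', bay.as_dict(),
 action='bay:update')
 try:
 bay_dict = bay.as_dict()
@@ -529,6 +529,6 @@ class BaysController(base.Controller):
 def _delete(self, bay_ident):
 context = pecan.request.context
 bay = api_utils.get_resource('Cluster', bay_ident)
-policy.enforce(context, 'bay:delete', bay,
+policy.enforce(context, 'bay:delete', bay.as_dict(),
 action='bay:delete')
 return bay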
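Review bot: In `_patch`, the new `bay.as_dict()` passed to `policy.enforce()` sits three lines above the existing `bay_dict = bay.as_dict()`, and nothing says why the two dicts are not shared. Per the commit message, enforce() adds a `trustee_domain_id` entry to its target, so reusing `bay_dict` would presumably carry that key into the patch handling; a comment such as `# enforce() mutates its target, so give it a throwaway copy rather than bay_dict` above the call would keep someone from merging them later. The same pairing appears in the update hunks of baymodel.py, cluster.py and cluster_template.py. `_patch` continues outside the hunk.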
diff --git a/magnum/api/controllers/v1/baymodel.py b/magnum/api/controllers/v1/baymodel.py
index a6068a3..b2b21f2 100644
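--- a/magnum/api/controllers/v1/baymodel.py
+++ b/magnum/api/controllers/v1/baymodel.py
@@ -312,7 +312,7 @@ class BayModelsController(base.Controller):
 context = pecan.request.context
 baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
 if not baymodel.public:
-policy.enforce(context, 'baymodel:get', baymodel,
+policy.enforce(context, 'baymodel:get', baymodel.as_dict(),
 action='baymodel:get')
 
 return BayModel.convert_with_links(baymodel)
@@ -369,7 +369,7 @@ class BayModelsController(base.Controller):
 """
 context = pecan.request.context
 baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
-policy.enforce(context, 'baymodel:update', baymodel,
+policy.enforce(context, 'baymodel:update', baymodel.as_dict(),
 action='baymodel:update')
 try:
 baymodel_dict = baymodel.as_dict()
@@ -410,6 +410,6 @@ class BayModelsController(base.Controller):
 """
 context = pecan.request.context
 baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
-policy.enforce(context, 'baymodel:delete', baymodel,
+policy.enforce(context, 'baymodel:delete', baymodel.as_dict(),
 action='baymodel:delete')
 baymodel.destroy()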
diff --git a/magnum/api/controllers/v1/certificate.py b/magnum/api/controllers/v1/certificate.py
index 6068d12..069cf12 100644
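--- a/magnum/api/controllers/v1/certificate.py
+++ b/magnum/api/controllers/v1/certificate.py
@@ -143,7 +143,7 @@ class CertificateController(base.Controller):
 """
 context = pecan.request.context
 cluster = api_utils.get_resource('Cluster', cluster_ident)
-policy.enforce(context, 'certificate:get', cluster,
+policy.enforce(context, 'certificate:get', cluster.as_dict(),
 action='certificate:get')
 certificate = pecan.request.rpcapi.get_ca_certificate(cluster)
 return Certificate.convert_with_links(certificate)
@@ -156,7 +156,7 @@ class CertificateController(base.Controller):
 """
 context = pecan.request.context
 cluster = certificate.get_cluster()
-policy.enforce(context, 'certificate:create', cluster,
+policy.enforce(context, 'certificate:create', cluster.as_dict(),
 action='certificate:create')
 certificate_dict = certificate.as_dict()
 certificate_dict['project_id'] = context.project_id
@@ -171,7 +171,7 @@ class CertificateController(base.Controller):
 def patch(self, cluster_ident):
 context = pecan.request.context
 cluster = api_utils.get_resource('Cluster', cluster_ident)
-policy.enforce(context, 'certificate:rotate_ca', cluster,
+policy.enforce(context, 'certificate:rotate_ca', cluster.as_dict(),
 action='certificate:rotate_ca')
 if cluster.cluster_template.tls_disabled:
 raise exception.NotSupported("Rotating the CA certificate on a "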
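Review bot: The commit adds no test for the path it fixes: the diffstat lists only the five controller files, so the `certificate:get`, `certificate:create` and `certificate:rotate_ca` checks changed here are not shown to run against a real Cluster object. Presumably the existing API tests mock `policy.enforce()` or never reach the `trustee_domain_id` write, which would explain how the AttributeError went unnoticed. A functional test per action that goes through the unmocked enforcer and asserts one permitted and one denied caller would pin the target contract on these CA endpoints. All three method bodies continue outside their hunks.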
diff --git a/magnum/api/controllers/v1/cluster.py b/magnum/api/controllers/v1/cluster.py
index d36954c..18be15e 100644
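--- a/magnum/api/controllers/v1/cluster.py
+++ b/magnum/api/controllers/v1/cluster.py
@@ -346,7 +346,7 @@ class ClustersController(base.Controller):
 """
 context = pecan.request.context
 cluster = api_utils.get_resource('Cluster', cluster_ident)
-policy.enforce(context, 'cluster:get', cluster,
+policy.enforce(context, 'cluster:get', cluster.as_dict(),
 action='cluster:get')
 
 cluster = Cluster.convert_with_links(cluster)
@@ -451,7 +451,7 @@ class ClustersController(base.Controller):
 def _patch(self, cluster_ident, patch):
 context = pecan.request.context
 cluster = api_utils.get_resource('Cluster', cluster_ident)
-policy.enforce(context, 'cluster:update', cluster,
+policy.enforce(context, 'cluster:update', cluster.as_dict(),
 action='cluster:update')
 try:
 cluster_dict = cluster.as_dict()
@@ -485,7 +485,7 @@ class ClustersController(base.Controller):
 """
 context = pecan.request.context
 cluster = api_utils.get_resource('Cluster', cluster_ident)
-policy.enforce(context, 'cluster:delete', cluster,
+policy.enforce(context, 'cluster:delete', cluster.as_dict(),
 action='cluster:delete')
 
 pecan.request.rpcapi.cluster_delete_async(cluster.uuid)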
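Review bot: The mutable-mapping requirement is now met by hand at each of the 15 `policy.enforce()` calls in this commit, starting with `cluster:get` here, and nothing stops the next controller from passing an RPC object again and failing on its authorisation check. Going by the commit message, `magnum.common.policy.enforce()` writes `trustee_domain_id` into target, so the contract belongs on that function; a docstring line such as `target: mutable mapping; enforce() adds 'trustee_domain_id' to it` would state it in one place, and a type check there would turn a late AttributeError into an immediate, explicit error. enforce() is not part of this diff, so confirm against its current body. The handlers in these hunks continue outside them.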
diff --git a/magnum/api/controllers/v1/cluster_template.py b/magnum/api/controllers/v1/cluster_template.py
index 4a4d6b9..8bab353 100644
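--- a/magnum/api/controllers/v1/cluster_template.py
+++ b/magnum/api/controllers/v1/cluster_template.py
@@ -320,7 +320,8 @@ class ClusterTemplatesController(base.Controller):
 cluster_template = api_utils.get_resource('ClusterTemplate',
 cluster_template_ident)
 if not cluster_template.public:
-policy.enforce(context, 'clustertemplate:get', cluster_template,
+policy.enforce(context, 'clustertemplate:get',
+cluster_template.as_dict(),
 action='clustertemplate:get')
 
 return ClusterTemplate.convert_with_links(cluster_template)
@@ -383,7 +384,8 @@ class ClusterTemplatesController(base.Controller):
 context = pecan.request.context
 cluster_template = api_utils.get_resource('ClusterTemplate',
 cluster_template_ident)
-policy.enforce(context, 'clustertemplate:update', cluster_template,
+policy.enforce(context, 'clustertemplate:update',
+cluster_template.as_dict(),
 action='clustertemplate:update')
 try:
 cluster_template_dict = cluster_template.as_dict()
@@ -427,6 +429,7 @@ class ClusterTemplatesController(base.Controller):
 context = pecan.request.context
 cluster_template = api_utils.get_resource('ClusterTemplate',
 cluster_template_ident)
-policy.enforce(context, 'clustertemplate:delete', cluster_template,
+policy.enforce(context, 'clustertemplate:delete',
+cluster_template.as_dict(),
 action='clustertemplate:delete')
 cluster_template.destroy()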