Add RBAC policy for ec2 API security groups calls
The authorize_security_group_ingress, revoke_security_group_ingress, and
delete_security_group calls in the ec2 API were not restricted by policy
checks. This prevented a deployer from restricting their usage via
roles or other checks. Checks have been added for these calls.
Closes-Bug: #1290537
Change-Id: I4bf681bedd68ed2216b429d34db735823e0a6189
(cherry picked from commit d4056f8723
)
parent
237b517e75
commit
87f57c0a2c
|
@ -622,6 +622,9 @@ class CloudController(object):
|
|||
security_group = self.security_group_api.get(context, group_name,
|
||||
group_id)
|
||||
|
||||
extensions.check_compute_policy(context, 'security_groups',
|
||||
security_group, 'compute_extension')
|
||||
|
||||
prevalues = kwargs.get('ip_permissions', [kwargs])
|
||||
|
||||
rule_ids = []
|
||||
|
@ -656,6 +659,9 @@ class CloudController(object):
|
|||
security_group = self.security_group_api.get(context, group_name,
|
||||
group_id)
|
||||
|
||||
extensions.check_compute_policy(context, 'security_groups',
|
||||
security_group, 'compute_extension')
|
||||
|
||||
prevalues = kwargs.get('ip_permissions', [kwargs])
|
||||
postvalues = []
|
||||
for values in prevalues:
|
||||
|
@ -728,6 +734,9 @@ class CloudController(object):
|
|||
security_group = self.security_group_api.get(context, group_name,
|
||||
group_id)
|
||||
|
||||
extensions.check_compute_policy(context, 'security_groups',
|
||||
security_group, 'compute_extension')
|
||||
|
||||
self.security_group_api.destroy(context, security_group)
|
||||
|
||||
return True
|
||||
|
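Review bot: All three hunks gate authorize, revoke and delete on the same policy target, `compute_extension:security_groups`, so a deployer still cannot let a role add or remove rules while forbidding it to delete the whole group; if that granularity matters, a per-action key (e.g. passing `'security_groups:delete'` as the action) would be needed, together with a matching policy.json entry. Whether the default rule for this key is permissive is not visible here; if it is, these calls stay effectively unrestricted until the rule is tightened. Placing the check after `self.security_group_api.get(...)` is correct, since the rule is evaluated against the fetched group's `project_id`, but it assumes `extensions` is already imported in this module, as no import hunk is shown for cloud.py. The enclosing methods start outside these hunks.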
|
|
@ -21,6 +21,7 @@ import copy
|
|||
import datetime
|
||||
import functools
|
||||
import iso8601
|
||||
import mock
|
||||
import os
|
||||
import string
|
||||
import tempfile
|
||||
|
@ -481,6 +482,34 @@ class CloudTestCase(test.TestCase):
|
|||
delete = self.cloud.delete_security_group
|
||||
self.assertRaises(exception.MissingParameter, delete, self.context)
|
||||
|
||||
def test_delete_security_group_policy_not_allowed(self):
|
||||
rules = common_policy.Rules(
|
||||
{'compute_extension:security_groups':
|
||||
common_policy.parse_rule('project_id:%(project_id)s')})
|
||||
common_policy.set_rules(rules)
|
||||
|
||||
with mock.patch.object(self.cloud.security_group_api,
|
||||
'get') as get:
|
||||
get.return_value = {'project_id': 'invalid'}
|
||||
|
||||
self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.cloud.delete_security_group, self.context,
|
||||
'fake-name', 'fake-id')
|
||||
|
||||
def test_authorize_security_group_ingress_policy_not_allowed(self):
|
||||
rules = common_policy.Rules(
|
||||
{'compute_extension:security_groups':
|
||||
common_policy.parse_rule('project_id:%(project_id)s')})
|
||||
common_policy.set_rules(rules)
|
||||
|
||||
with mock.patch.object(self.cloud.security_group_api,
|
||||
'get') as get:
|
||||
get.return_value = {'project_id': 'invalid'}
|
||||
|
||||
self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.cloud.authorize_security_group_ingress, self.context,
|
||||
'fake-name', 'fake-id')
|
||||
|
||||
def test_authorize_security_group_ingress(self):
|
||||
kwargs = {'project_id': self.context.project_id, 'name': 'test'}
|
||||
sec = db.security_group_create(self.context, kwargs)
|
||||
|
@ -585,6 +614,20 @@ class CloudTestCase(test.TestCase):
|
|||
db.security_group_destroy(self.context, sec2['id'])
|
||||
db.security_group_destroy(self.context, sec1['id'])
|
||||
|
||||
def test_revoke_security_group_ingress_policy_not_allowed(self):
|
||||
rules = common_policy.Rules(
|
||||
{'compute_extension:security_groups':
|
||||
common_policy.parse_rule('project_id:%(project_id)s')})
|
||||
common_policy.set_rules(rules)
|
||||
|
||||
with mock.patch.object(self.cloud.security_group_api,
|
||||
'get') as get:
|
||||
get.return_value = {'project_id': 'invalid'}
|
||||
|
||||
self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.cloud.revoke_security_group_ingress, self.context,
|
||||
'fake-name', 'fake-id')
|
||||
|
||||
def test_revoke_security_group_ingress(self):
|
||||
kwargs = {'project_id': self.context.project_id, 'name': 'test'}
|
||||
sec = db.security_group_create(self.context, kwargs)
|
||||
|
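Review bot: The three new tests exercise only the deny path; nothing asserts that the same calls succeed when the mocked target's `project_id` equals `self.context.project_id`, so a check that rejected every caller, or read the wrong target field, would still pass. A paired positive case with `get.return_value = {'project_id': self.context.project_id}` would pin the intended behaviour. `common_policy.set_rules(rules)` also replaces the process-wide policy rules without restoring them; unless the base `test.TestCase` resets policy between tests (not visible here), later tests in the run inherit the stricter rule. The enclosing class continues outside these hunks.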
|