Require admin privilege to retrieve some fields

* Skip container fields 'image_pull_policy', 'runtime', 'privilege'
  if users don't have admin privilege because only admin should
  view those fields.
* Skip capsule field 'host' if users don't have admin privilege.

Change-Id: Ib414b24de676ae62d06fa08d8e8102141a40219a
This commit is contained in:
Hongbin Lu 2019-04-07 16:26:05 +00:00
parent b2c812f453
commit 570fb14414
4 changed files with 97 additions and 3 deletions

View File

@ -16,6 +16,7 @@ import itertools
from zun.api.controllers import link
from zun.api.controllers.v1.views import containers_view
from zun.common.policies import capsule as policies
_basic_keys = (
@ -41,6 +42,10 @@ def format_capsule(url, capsule, context, legacy_api_version=False):
def transform(key, value):
if key not in _basic_keys:
return
# strip the key if it is not allowed by policy
policy_action = policies.CAPSULE % ('get:%s' % key)
if not context.can(policy_action, fatal=False, might_not_exist=True):
return
if key == 'uuid':
yield ('uuid', value)
yield ('links', [link.make_link(

View File

@ -76,6 +76,28 @@ rules = [
# FIXME(lbragstad): This API call isn't actually listed in zun's API
# reference:
# https://developer.openstack.org/api-ref/application-container/
policy.DocumentedRuleDefault(
name=CAPSULE % 'get:host',
check_str=base.RULE_ADMIN_API,
description='Retrieve the host field of a capsule.',
operations=[
{
'path': '/v1/capsules/{capsule_ident}',
'method': 'GET'
},
{
'path': '/v1/capsules',
'method': 'GET'
},
{
'path': '/v1/capsules',
'method': 'POST'
},
]
),
# FIXME(lbragstad): This API call isn't actually listed in zun's API
# reference:
# https://developer.openstack.org/api-ref/application-container/
policy.DocumentedRuleDefault(
name=CAPSULE % 'get_one_all_projects',
check_str=base.RULE_ADMIN_API,

View File

@ -131,6 +131,75 @@ rules = [
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'get_one:image_pull_policy',
check_str=base.RULE_ADMIN_API,
description='Retrieve the image_pull_policy field of containers.',
operations=[
{
'path': '/v1/containers/{container_ident}',
'method': 'GET'
},
{
'path': '/v1/containers',
'method': 'GET'
},
{
'path': '/v1/containers',
'method': 'POST'
},
{
'path': '/v1/containers/{container_ident}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'get_one:privileged',
check_str=base.RULE_ADMIN_API,
description='Retrieve the privileged field of containers.',
operations=[
{
'path': '/v1/containers/{container_ident}',
'method': 'GET'
},
{
'path': '/v1/containers',
'method': 'GET'
},
{
'path': '/v1/containers',
'method': 'POST'
},
{
'path': '/v1/containers/{container_ident}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'get_one:runtime',
check_str=base.RULE_ADMIN_API,
description='Retrieve the runtime field of containers.',
operations=[
{
'path': '/v1/containers/{container_ident}',
'method': 'GET'
},
{
'path': '/v1/containers',
'method': 'GET'
},
{
'path': '/v1/containers',
'method': 'POST'
},
{
'path': '/v1/containers/{container_ident}',
'method': 'PATCH'
}
]
),
policy.DocumentedRuleDefault(
name=CONTAINER % 'get_one_all_projects',
check_str=base.RULE_ADMIN_API,

View File

@ -317,7 +317,6 @@ class TestContainerController(api_base.FunctionalTest):
self.assertEqual('512', c.get('memory'))
self.assertEqual({"key1": "val1", "key2": "val2"},
c.get('environment'))
self.assertEqual('runc', c.get('runtime'))
self.assertEqual('testhost', c.get('hostname'))
self.assertEqual(20, c.get('disk'))
self.assertEqual({"Name": "no", "MaximumRetryCount": "0"},
@ -868,7 +867,7 @@ class TestContainerController(api_base.FunctionalTest):
actual_containers[0].get('uuid'))
@patch('zun.objects.Container.list')
def test_get_all_has_status_reason_and_image_pull_policy(
def test_get_all_has_status_reason(
self, mock_container_list):
test_container = utils.get_test_container()
containers = [objects.Container(self.context, **test_container)]
@ -881,7 +880,6 @@ class TestContainerController(api_base.FunctionalTest):
self.assertEqual(test_container['uuid'],
actual_containers[0].get('uuid'))
self.assertIn('status_reason', actual_containers[0].keys())
self.assertIn('image_pull_policy', actual_containers[0].keys())
@patch('zun.objects.Container.list')
def test_get_all_containers_with_pagination_marker(self,