Pass the actual target in os-console-auth-tokens policy
Currently if target is not passed in context.can(), it use defauls target which is context.user_id, context.project_id. These defaults target are not useful as it pass the context's user_id and project_id only which means we tell oslo policy to verify the context data with context data. This commit pass the actual target for os-console-auth-tokens policies which is empty dict because policy rule is system scoped rather than project, so the token scope check deals with the required target checking. Partial implement blueprint policy-defaults-refresh Change-Id: I1c74d772e33de9036037e767197a0bb15b127cd7
This commit is contained in:
parent
3009bc8559
commit
59fb0c52cc
|
@ -30,7 +30,7 @@ class ConsoleAuthTokensController(wsgi.Controller):
|
|||
def _show(self, req, id, rdp_only):
|
||||
"""Checks a console auth token and returns the related connect info."""
|
||||
context = req.environ['nova.context']
|
||||
context.can(cat_policies.BASE_POLICY_NAME)
|
||||
context.can(cat_policies.BASE_POLICY_NAME, target={})
|
||||
|
||||
token = id
|
||||
if not token:
|
||||
|
|
Loading…
Reference in New Issue