Pass the actual target in os-console-auth-tokens policy

Currently if target is not passed in context.can(), it use defauls target which is context.user_id, context.project_id. These defaults target are not useful as it pass the context's user_id and project_id only which means we tell oslo policy to verify the context data with context data. This commit pass the actual target for os-console-auth-tokens policies which is empty dict because policy rule is system scoped rather than project, so the token scope check deals with the required target checking. Partial implement blueprint policy-defaults-refresh Change-Id: I1c74d772e33de9036037e767197a0bb15b127cd7
2020-02-08 21:00:41 -06:00 · 2020-02-08 21:00:41 -06:00 · 59fb0c52cc
parent 3009bc8559
commit 59fb0c52cc
1 changed files with 1 additions and 1 deletions
--- a/nova/api/openstack/compute/console_auth_tokens.py
+++ b/nova/api/openstack/compute/console_auth_tokens.py
@ -30,7 +30,7 @@ class ConsoleAuthTokensController(wsgi.Controller):
    def _show(self, req, id, rdp_only):
        """Checks a console auth token and returns the related connect info."""
        context = req.environ['nova.context']
-        context.can(cat_policies.BASE_POLICY_NAME)
+        context.can(cat_policies.BASE_POLICY_NAME, target={})

        token = id
        if not token: