From 59fb0c52ccb8abb918a4d935b2c82a967c9b5236 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Sat, 8 Feb 2020 21:00:41 -0600
Subject: [PATCH] Pass the actual target in os-console-auth-tokens policy

Currently if target is not passed in context.can(), it use defauls target which is context.user_id, context.project_id. These defaults target are not useful as it pass the context's user_id and project_id only which means we tell oslo policy to verify the context data with context data. This commit pass the actual target for os-console-auth-tokens policies which is empty dict because policy rule is system scoped rather than project, so the token scope check deals with the required target checking.
Partial implement blueprint policy-defaults-refresh
Change-Id: I1c74d772e33de9036037e767197a0bb15b127cd7
---
 nova/api/openstack/compute/console_auth_tokens.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nova/api/openstack/compute/console_auth_tokens.py b/nova/api/openstack/compute/console_auth_tokens.py
index 0e9c5608d529..41755d12322c 100644
--- nova/api/openstack/compute/console_auth_tokens.py
+++ nova/api/openstack/compute/console_auth_tokens.py
@@ -30,7 +30,7 @@ class ConsoleAuthTokensController(wsgi.Controller):
 def _show(self, req, id, rdp_only):
 """Checks a console auth token and returns the related connect info."""
 context = req.environ['nova.context']
- context.can(cat_policies.BASE_POLICY_NAME)
+ context.can(cat_policies.BASE_POLICY_NAME, target={})
 token = id
 if not token:
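Review bot: The `target={}` passed to `context.can()` in `_show` has no explanation at the call site, so a later reader can mistake the empty dict for an omission. A comment such as `# Empty target on purpose: this policy is system-scoped, so there is no project or user to match against.` would record the intent given in the commit message. With an empty target the decision rests on the role rule plus the token-scope check, and the scope check presumably only rejects requests when oslo.policy's `enforce_scope` option is enabled, so it is worth confirming what this endpoint allows when it is off. The patch changes one file and adds no test; a unit test asserting the target handed to the policy call would keep the argument from being dropped silently. `_show` continues past the end of the hunk.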