Merge "policy: Replaces 'authorize' in nova-api (part 5)"

Jenkins 2016-06-30 12:22:35 +00:00 committed by Gerrit Code Review
commit bc22a15e4e
20 changed files with 108 additions and 107 deletions


@ -20,10 +20,10 @@ from nova.api.openstack import wsgi
from nova import exception
from nova.i18n import _
from nova.network.security_group import openstack_driver
from nova.policies import security_group_default_rules as sgdr_policies
ALIAS = "os-security-group-default-rules"
authorize = extensions.os_compute_authorizer(ALIAS)
class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
@ -35,7 +35,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
@extensions.expected_errors((400, 409, 501))
def create(self, req, body):
context = req.environ['nova.context']
authorize(context)
context.can(sgdr_policies.BASE_POLICY_NAME)
sg_rule = self._from_body(body, 'security_group_default_rule')
@ -72,7 +72,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
@extensions.expected_errors((400, 404, 501))
def show(self, req, id):
context = req.environ['nova.context']
authorize(context)
context.can(sgdr_policies.BASE_POLICY_NAME)
try:
id = self.security_group_api.validate_id(id)
@ -91,7 +91,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
@wsgi.response(204)
def delete(self, req, id):
context = req.environ['nova.context']
authorize(context)
context.can(sgdr_policies.BASE_POLICY_NAME)
try:
id = self.security_group_api.validate_id(id)
@ -107,7 +107,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
@extensions.expected_errors((404, 501))
def index(self, req):
context = req.environ['nova.context']
authorize(context)
context.can(sgdr_policies.BASE_POLICY_NAME)
ret = {'security_group_default_rules': []}
try:


@ -28,19 +28,18 @@ from nova import compute
from nova import exception
from nova.i18n import _
from nova.network.security_group import openstack_driver
from nova.policies import security_groups as sg_policies
from nova.virt import netutils
LOG = logging.getLogger(__name__)
ALIAS = 'os-security-groups'
ATTRIBUTE_NAME = 'security_groups'
authorize = extensions.os_compute_authorizer(ALIAS)
softauth = extensions.os_compute_soft_authorizer(ALIAS)
def _authorize_context(req):
context = req.environ['nova.context']
authorize(context)
context.can(sg_policies.BASE_POLICY_NAME)
return context
@ -386,7 +385,7 @@ class SecurityGroupActionController(wsgi.Controller):
@wsgi.action('addSecurityGroup')
def _addSecurityGroup(self, req, id, body):
context = req.environ['nova.context']
authorize(context)
context.can(sg_policies.BASE_POLICY_NAME)
group_name = self._parse(body, 'addSecurityGroup')
try:
@ -406,7 +405,7 @@ class SecurityGroupActionController(wsgi.Controller):
@wsgi.action('removeSecurityGroup')
def _removeSecurityGroup(self, req, id, body):
context = req.environ['nova.context']
authorize(context)
context.can(sg_policies.BASE_POLICY_NAME)
group_name = self._parse(body, 'removeSecurityGroup')
@ -436,7 +435,7 @@ class SecurityGroupsOutputController(wsgi.Controller):
return
key = "security_groups"
context = req.environ['nova.context']
if not softauth(context):
if not context.can(sg_policies.BASE_POLICY_NAME, fatal=False):
return
if not openstack_driver.is_neutron_security_groups():
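Review bot: `_addSecurityGroup` and `_removeSecurityGroup` repeat the context lookup and `context.can(sg_policies.BASE_POLICY_NAME)` inline, although this file's `_authorize_context(req)` helper performs the same two steps and returns the context. Replacing each pair with `context = _authorize_context(req)` keeps one enforcement point for the hard check, so a later change to the rule name or target cannot miss a handler. The soft check in SecurityGroupsOutputController has to stay separate because it passes `fatal=False`. Both action methods continue outside their hunks.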


@ -18,10 +18,10 @@ from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova import compute
from nova import exception
from nova.policies import server_diagnostics as sd_policies
ALIAS = "os-server-diagnostics"
authorize = extensions.os_compute_authorizer(ALIAS)
class ServerDiagnosticsController(wsgi.Controller):
@ -31,7 +31,7 @@ class ServerDiagnosticsController(wsgi.Controller):
@extensions.expected_errors((404, 409, 501))
def index(self, req, server_id):
context = req.environ["nova.context"]
authorize(context)
context.can(sd_policies.BASE_POLICY_NAME)
instance = common.get_instance(self.compute_api, context, server_id)


@ -24,11 +24,11 @@ from nova import exception
from nova.i18n import _
from nova.i18n import _LI
from nova import objects
from nova.policies import server_external_events as see_policies
LOG = logging.getLogger(__name__)
ALIAS = 'os-server-external-events'
authorize = extensions.os_compute_authorizer(ALIAS)
class ServerExternalEventsController(wsgi.Controller):
@ -43,7 +43,7 @@ class ServerExternalEventsController(wsgi.Controller):
def create(self, req, body):
"""Creates a new instance event."""
context = req.environ['nova.context']
authorize(context, action='create')
context.can(see_policies.POLICY_ROOT % 'create')
response_events = []
accepted_events = []


@ -29,18 +29,16 @@ import nova.exception
from nova.i18n import _
from nova.i18n import _LE
from nova import objects
from nova.policies import server_groups as sg_policies
LOG = logging.getLogger(__name__)
ALIAS = "os-server-groups"
authorize = extensions.os_compute_authorizer(ALIAS)
def _authorize_context(req):
context = req.environ['nova.context']
authorize(context)
context.can(sg_policies.BASE_POLICY_NAME)
return context


@ -24,9 +24,9 @@ from nova.api import validation
from nova import compute
from nova import exception
from nova.i18n import _
from nova.policies import server_metadata as sm_policies
ALIAS = 'server-metadata'
authorize = extensions.os_compute_authorizer(ALIAS)
class ServerMetadataController(wsgi.Controller):
@ -55,7 +55,7 @@ class ServerMetadataController(wsgi.Controller):
def index(self, req, server_id):
"""Returns the list of metadata for a given instance."""
context = req.environ['nova.context']
authorize(context, action='index')
context.can(sm_policies.POLICY_ROOT % 'index')
return {'metadata': self._get_metadata(context, server_id)}
@extensions.expected_errors((400, 403, 404, 409))
@ -65,7 +65,7 @@ class ServerMetadataController(wsgi.Controller):
def create(self, req, server_id, body):
metadata = body['metadata']
context = req.environ['nova.context']
authorize(context, action='create')
context.can(sm_policies.POLICY_ROOT % 'create')
new_metadata = self._update_instance_metadata(context,
server_id,
metadata,
@ -77,7 +77,7 @@ class ServerMetadataController(wsgi.Controller):
@validation.schema(server_metadata.update)
def update(self, req, server_id, id, body):
context = req.environ['nova.context']
authorize(context, action='update')
context.can(sm_policies.POLICY_ROOT % 'update')
meta_item = body['meta']
if id not in meta_item:
expl = _('Request body and URI mismatch')
@ -94,7 +94,7 @@ class ServerMetadataController(wsgi.Controller):
@validation.schema(server_metadata.update_all)
def update_all(self, req, server_id, body):
context = req.environ['nova.context']
authorize(context, action='update_all')
context.can(sm_policies.POLICY_ROOT % 'update_all')
metadata = body['metadata']
new_metadata = self._update_instance_metadata(context,
server_id,
@ -129,7 +129,7 @@ class ServerMetadataController(wsgi.Controller):
def show(self, req, server_id, id):
"""Return a single metadata item."""
context = req.environ['nova.context']
authorize(context, action='show')
context.can(sm_policies.POLICY_ROOT % 'show')
data = self._get_metadata(context, server_id)
try:
@ -143,7 +143,7 @@ class ServerMetadataController(wsgi.Controller):
def delete(self, req, server_id, id):
"""Deletes an existing metadata."""
context = req.environ['nova.context']
authorize(context, action='delete')
context.can(sm_policies.POLICY_ROOT % 'delete')
metadata = self._get_metadata(context, server_id)
if id not in metadata:


@ -23,10 +23,10 @@ from nova.api import validation
from nova import compute
from nova import exception
from nova.i18n import _
from nova.policies import servers_migrations as sm_policies
ALIAS = 'servers:migrations'
authorize = extensions.os_compute_authorizer(ALIAS)
def output(migration):
@ -69,7 +69,7 @@ class ServerMigrationsController(wsgi.Controller):
@validation.schema(server_migrations.force_complete)
def _force_complete(self, req, id, server_id, body):
context = req.environ['nova.context']
authorize(context, action='force_complete')
context.can(sm_policies.POLICY_ROOT % 'force_complete')
instance = common.get_instance(self.compute_api, context, server_id)
try:
@ -91,7 +91,7 @@ class ServerMigrationsController(wsgi.Controller):
def index(self, req, server_id):
"""Return all migrations of an instance in progress."""
context = req.environ['nova.context']
authorize(context, action="index")
context.can(sm_policies.POLICY_ROOT % 'index')
# NOTE(Shaohe Feng) just check the instance is available. To keep
# consistency with other API, check it before get migrations.
@ -107,7 +107,7 @@ class ServerMigrationsController(wsgi.Controller):
def show(self, req, server_id, id):
"""Return the migration of an instance in progress by id."""
context = req.environ['nova.context']
authorize(context, action="show")
context.can(sm_policies.POLICY_ROOT % 'show')
# NOTE(Shaohe Feng) just check the instance is available. To keep
# consistency with other API, check it before get migrations.
@ -141,7 +141,7 @@ class ServerMigrationsController(wsgi.Controller):
def delete(self, req, server_id, id):
"""Abort an in progress migration of an instance."""
context = req.environ['nova.context']
authorize(context, action="delete")
context.can(sm_policies.POLICY_ROOT % 'delete')
instance = common.get_instance(self.compute_api, context, server_id)
try:


@ -20,10 +20,10 @@ from nova.api.openstack import common
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova import compute
from nova.policies import server_password as sp_policies
ALIAS = 'os-server-password'
authorize = extensions.os_compute_authorizer(ALIAS)
class ServerPasswordController(wsgi.Controller):
@ -34,7 +34,7 @@ class ServerPasswordController(wsgi.Controller):
@extensions.expected_errors(404)
def index(self, req, server_id):
context = req.environ['nova.context']
authorize(context)
context.can(sp_policies.BASE_POLICY_NAME)
instance = common.get_instance(self.compute_api, context, server_id)
passw = password.extract_password(instance)
@ -50,7 +50,7 @@ class ServerPasswordController(wsgi.Controller):
"""
context = req.environ['nova.context']
authorize(context)
context.can(sp_policies.BASE_POLICY_NAME)
instance = common.get_instance(self.compute_api, context, server_id)
meta = password.convert_password(context, None)
instance.system_metadata.update(meta)


@ -25,10 +25,10 @@ from nova.compute import vm_states
from nova import exception
from nova.i18n import _
from nova import objects
from nova.policies import server_tags as st_policies
ALIAS = "os-server-tags"
authorize = extensions.os_compute_authorizer(ALIAS)
def _get_tags_names(tags):
@ -58,7 +58,7 @@ class ServerTagsController(wsgi.Controller):
@extensions.expected_errors(404)
def show(self, req, server_id, id):
context = req.environ["nova.context"]
authorize(context, action='show')
context.can(st_policies.POLICY_ROOT % 'show')
try:
exists = objects.Tag.exists(context, server_id, id)
@ -74,7 +74,7 @@ class ServerTagsController(wsgi.Controller):
@extensions.expected_errors(404)
def index(self, req, server_id):
context = req.environ["nova.context"]
authorize(context, action='index')
context.can(st_policies.POLICY_ROOT % 'index')
try:
tags = objects.TagList.get_by_resource_id(context, server_id)
@ -88,7 +88,7 @@ class ServerTagsController(wsgi.Controller):
@validation.schema(schema.update)
def update(self, req, server_id, id, body):
context = req.environ["nova.context"]
authorize(context, action='update')
context.can(st_policies.POLICY_ROOT % 'update')
self._check_instance_in_valid_state(context, server_id, 'update tag')
try:
@ -136,7 +136,7 @@ class ServerTagsController(wsgi.Controller):
@validation.schema(schema.update_all)
def update_all(self, req, server_id, body):
context = req.environ["nova.context"]
authorize(context, action='update_all')
context.can(st_policies.POLICY_ROOT % 'update_all')
self._check_instance_in_valid_state(context, server_id, 'update tags')
invalid_tags = []
@ -178,7 +178,7 @@ class ServerTagsController(wsgi.Controller):
@extensions.expected_errors((404, 409))
def delete(self, req, server_id, id):
context = req.environ["nova.context"]
authorize(context, action='delete')
context.can(st_policies.POLICY_ROOT % 'delete')
self._check_instance_in_valid_state(context, server_id, 'delete tag')
try:
@ -193,7 +193,7 @@ class ServerTagsController(wsgi.Controller):
@extensions.expected_errors((404, 409))
def delete_all(self, req, server_id):
context = req.environ["nova.context"]
authorize(context, action='delete_all')
context.can(st_policies.POLICY_ROOT % 'delete_all')
self._check_instance_in_valid_state(context, server_id, 'delete tags')
try:


@ -14,10 +14,10 @@
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova.policies import server_usage as su_policies
ALIAS = "os-server-usage"
authorize = extensions.os_compute_soft_authorizer(ALIAS)
resp_topic = "OS-SRV-USG"
@ -37,7 +37,7 @@ class ServerUsageController(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
context = req.environ['nova.context']
if authorize(context):
if context.can(su_policies.BASE_POLICY_NAME, fatal=False):
server = resp_obj.obj['server']
db_instance = req.get_db_instance(server['id'])
# server['id'] is guaranteed to be in the cache due to
@ -47,7 +47,7 @@ class ServerUsageController(wsgi.Controller):
@wsgi.extends
def detail(self, req, resp_obj):
context = req.environ['nova.context']
if authorize(context):
if context.can(su_policies.BASE_POLICY_NAME, fatal=False):
servers = list(resp_obj.obj['servers'])
for server in servers:
db_instance = req.get_db_instance(server['id'])
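Review bot: The `fatal=False` checks in `show` and `detail` make a policy denial silent, and nothing in either method says this is intended. A short comment above each `if`, such as `# Soft check: a denied caller gets the response unextended instead of an error.`, would stop a later reader from turning it into a raising check. Before this commit the soft behaviour was hidden behind a module-level name `authorize` bound to `os_compute_soft_authorizer`, so this is the first time it is visible at the call site and a good moment to document it. Both method bodies continue outside the hunks.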


@ -22,11 +22,11 @@ from nova.api import validation
from nova import compute
from nova import exception
from nova.i18n import _
from nova.policies import services as services_policies
from nova import servicegroup
from nova import utils
ALIAS = "os-services"
authorize = extensions.os_compute_authorizer(ALIAS)
class ServiceController(wsgi.Controller):
@ -42,7 +42,7 @@ class ServiceController(wsgi.Controller):
api_services = ('nova-osapi_compute', 'nova-ec2', 'nova-metadata')
context = req.environ['nova.context']
authorize(context)
context.can(services_policies.BASE_POLICY_NAME)
_services = [
s
@ -155,7 +155,7 @@ class ServiceController(wsgi.Controller):
def _perform_action(self, req, id, body, actions):
"""Calculate action dictionary dependent on provided fields"""
context = req.environ['nova.context']
authorize(context)
context.can(services_policies.BASE_POLICY_NAME)
try:
action = actions[id]
@ -170,7 +170,7 @@ class ServiceController(wsgi.Controller):
def delete(self, req, id):
"""Deletes the specified service."""
context = req.environ['nova.context']
authorize(context)
context.can(services_policies.BASE_POLICY_NAME)
try:
utils.validate_integer(id, 'id')


@ -21,10 +21,10 @@ from nova.api.openstack import extensions as exts
from nova.api.openstack import wsgi
from nova import compute
from nova import exception
from nova.policies import shelve as shelve_policies
ALIAS = 'os-shelve'
authorize = exts.os_compute_authorizer(ALIAS)
class ShelveController(wsgi.Controller):
@ -38,7 +38,7 @@ class ShelveController(wsgi.Controller):
def _shelve(self, req, id, body):
"""Move an instance into shelved mode."""
context = req.environ["nova.context"]
authorize(context, action='shelve')
context.can(shelve_policies.POLICY_ROOT % 'shelve')
instance = common.get_instance(self.compute_api, context, id)
try:
@ -57,7 +57,7 @@ class ShelveController(wsgi.Controller):
def _shelve_offload(self, req, id, body):
"""Force removal of a shelved instance from the compute node."""
context = req.environ["nova.context"]
authorize(context, action='shelve_offload')
context.can(shelve_policies.POLICY_ROOT % 'shelve_offload')
instance = common.get_instance(self.compute_api, context, id)
try:
@ -77,7 +77,7 @@ class ShelveController(wsgi.Controller):
def _unshelve(self, req, id, body):
"""Restore an instance from shelved mode."""
context = req.environ["nova.context"]
authorize(context, action='unshelve')
context.can(shelve_policies.POLICY_ROOT % 'unshelve')
instance = common.get_instance(self.compute_api, context, id)
try:
self.compute_api.unshelve(context, instance)


@ -26,9 +26,9 @@ from nova.api.openstack import wsgi
from nova import exception
from nova.i18n import _
from nova import objects
from nova.policies import simple_tenant_usage as stu_policies
ALIAS = "os-simple-tenant-usage"
authorize = extensions.os_compute_authorizer(ALIAS)
def parse_strtime(dstr, fmt):
@ -220,7 +220,7 @@ class SimpleTenantUsageController(wsgi.Controller):
"""Retrieve tenant_usage for all tenants."""
context = req.environ['nova.context']
authorize(context, action='list')
context.can(stu_policies.POLICY_ROOT % 'list')
try:
(period_start, period_stop, detailed) = self._get_datetime_range(
@ -243,7 +243,8 @@ class SimpleTenantUsageController(wsgi.Controller):
tenant_id = id
context = req.environ['nova.context']
authorize(context, action='show', target={'project_id': tenant_id})
context.can(stu_policies.POLICY_ROOT % 'show',
{'project_id': tenant_id})
try:
(period_start, period_stop, ignore) = self._get_datetime_range(
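Review bot: The `show` check now passes its target positionally, where the call it replaces named it with `target=`. Keeping the keyword, `context.can(stu_policies.POLICY_ROOT % 'show', target={'project_id': tenant_id})`, makes it obvious which argument scopes the check to the requested tenant, and it cannot be confused with the `fatal` flag that other files in this commit pass. `tenant_id` is assigned from `id` just above, so this target is what ties the rule to the project being queried. The same applies to `context.can(ul_policies.BASE_POLICY_NAME, target)` in UsedLimitsController, whose tests assert the positional form and would need the matching change. Both method bodies continue outside the hunks.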


@ -19,13 +19,11 @@ from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova import compute
from nova import exception
from nova.policies import suspend_server as ss_policies
ALIAS = "os-suspend-server"
authorize = extensions.os_compute_authorizer(ALIAS)
class SuspendServerController(wsgi.Controller):
def __init__(self, *args, **kwargs):
super(SuspendServerController, self).__init__(*args, **kwargs)
@ -37,7 +35,7 @@ class SuspendServerController(wsgi.Controller):
def _suspend(self, req, id, body):
"""Permit admins to suspend the server."""
context = req.environ['nova.context']
authorize(context, action='suspend')
context.can(ss_policies.POLICY_ROOT % 'suspend')
try:
server = common.get_instance(self.compute_api, context, id)
self.compute_api.suspend(context, server)
@ -55,7 +53,7 @@ class SuspendServerController(wsgi.Controller):
def _resume(self, req, id, body):
"""Permit admins to resume the server from suspend."""
context = req.environ['nova.context']
authorize(context, action='resume')
context.can(ss_policies.POLICY_ROOT % 'resume')
try:
server = common.get_instance(self.compute_api, context, id)
self.compute_api.resume(context, server)
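Review bot: The docstrings on `_suspend` and `_resume` still say "Permit admins to …", but the gate is now the policy rule `ss_policies.POLICY_ROOT % 'suspend'` / `'resume'`. Who passes depends on how that rule is defined, which this page does not show. Wording such as `"""Suspend the server if the suspend policy rule allows it."""` would describe what the code enforces rather than an assumed role. Both methods continue past the hunks.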


@ -30,6 +30,7 @@ from nova import exception
from nova.i18n import _
from nova.i18n import _LE
import nova.network
from nova.policies import tenant_networks as tn_policies
from nova import quota
@ -39,7 +40,6 @@ ALIAS = 'os-tenant-networks'
QUOTAS = quota.QUOTAS
LOG = logging.getLogger(__name__)
authorize = extensions.os_compute_authorizer(ALIAS)
def network_dict(network):
@ -76,7 +76,7 @@ class TenantNetworkController(wsgi.Controller):
@extensions.expected_errors(())
def index(self, req):
context = req.environ['nova.context']
authorize(context)
context.can(tn_policies.BASE_POLICY_NAME)
networks = list(self.network_api.get_all(context))
if not self._default_networks:
self._refresh_default_networks()
@ -86,7 +86,7 @@ class TenantNetworkController(wsgi.Controller):
@extensions.expected_errors(404)
def show(self, req, id):
context = req.environ['nova.context']
authorize(context)
context.can(tn_policies.BASE_POLICY_NAME)
try:
network = self.network_api.get(context, id)
except exception.NetworkNotFound:
@ -98,7 +98,7 @@ class TenantNetworkController(wsgi.Controller):
@wsgi.response(202)
def delete(self, req, id):
context = req.environ['nova.context']
authorize(context)
context.can(tn_policies.BASE_POLICY_NAME)
reservation = None
try:
if CONF.enable_network_quota:
@ -133,7 +133,7 @@ class TenantNetworkController(wsgi.Controller):
@validation.schema(schema.create)
def create(self, req, body):
context = req.environ["nova.context"]
authorize(context)
context.can(tn_policies.BASE_POLICY_NAME)
network = body["network"]
keys = ["cidr", "cidr_v6", "ipam", "vlan_start", "network_size",


@ -16,6 +16,7 @@ import six
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova.policies import used_limits as ul_policies
from nova import quota
@ -23,7 +24,6 @@ QUOTAS = quota.QUOTAS
ALIAS = "os-used-limits"
authorize = extensions.os_compute_authorizer(ALIAS)
class UsedLimitsController(wsgi.Controller):
@ -65,7 +65,7 @@ class UsedLimitsController(wsgi.Controller):
'project_id': tenant_id,
'user_id': context.user_id
}
authorize(context, target=target)
context.can(ul_policies.BASE_POLICY_NAME, target)
return tenant_id
return context.project_id


@ -24,10 +24,10 @@ from nova.api.openstack import wsgi
from nova import compute
from nova.i18n import _
from nova import network
from nova.policies import virtual_interfaces as vif_policies
ALIAS = 'os-virtual-interfaces'
authorize = extensions.os_compute_authorizer(ALIAS)
def _translate_vif_summary_view(req, vif):
@ -56,7 +56,7 @@ class ServerVirtualInterfaceController(wsgi.Controller):
def _items(self, req, server_id, entity_maker):
"""Returns a list of VIFs, transformed through entity_maker."""
context = req.environ['nova.context']
authorize(context)
context.can(vif_policies.BASE_POLICY_NAME)
instance = common.get_instance(self.compute_api, context, server_id)
try:


@ -29,11 +29,11 @@ from nova.compute import vm_states
from nova import exception
from nova.i18n import _
from nova import objects
from nova.policies import volumes as vol_policies
from nova.policies import volumes_attachments as va_policies
from nova import volume
ALIAS = "os-volumes"
authorize = extensions.os_compute_authorizer(ALIAS)
authorize_attach = extensions.os_compute_authorizer('os-volumes-attachments')
def _translate_volume_detail_view(context, vol):
@ -104,7 +104,7 @@ class VolumeController(wsgi.Controller):
def show(self, req, id):
"""Return data about the given volume."""
context = req.environ['nova.context']
authorize(context)
context.can(vol_policies.BASE_POLICY_NAME)
try:
vol = self.volume_api.get(context, id)
@ -118,7 +118,7 @@ class VolumeController(wsgi.Controller):
def delete(self, req, id):
"""Delete a volume."""
context = req.environ['nova.context']
authorize(context)
context.can(vol_policies.BASE_POLICY_NAME)
try:
self.volume_api.delete(context, id)
@ -138,7 +138,7 @@ class VolumeController(wsgi.Controller):
def _items(self, req, entity_maker):
"""Returns a list of volumes, transformed through entity_maker."""
context = req.environ['nova.context']
authorize(context)
context.can(vol_policies.BASE_POLICY_NAME)
volumes = self.volume_api.get_all(context)
limited_list = common.limited(volumes, req)
@ -150,7 +150,7 @@ class VolumeController(wsgi.Controller):
def create(self, req, body):
"""Creates a new volume."""
context = req.environ['nova.context']
authorize(context)
context.can(vol_policies.BASE_POLICY_NAME)
vol = body['volume']
@ -256,7 +256,7 @@ class VolumeAttachmentController(wsgi.Controller):
def index(self, req, server_id):
"""Returns the list of volume attachments for a given instance."""
context = req.environ['nova.context']
authorize_attach(context, action='index')
context.can(va_policies.POLICY_ROOT % 'index')
return self._items(req, server_id,
entity_maker=_translate_attachment_summary_view)
@ -264,8 +264,8 @@ class VolumeAttachmentController(wsgi.Controller):
def show(self, req, server_id, id):
"""Return data about the given volume attachment."""
context = req.environ['nova.context']
authorize(context)
authorize_attach(context, action='show')
context.can(vol_policies.BASE_POLICY_NAME)
context.can(va_policies.POLICY_ROOT % 'show')
volume_id = id
instance = common.get_instance(self.compute_api, context, server_id)
@ -298,8 +298,8 @@ class VolumeAttachmentController(wsgi.Controller):
def create(self, req, server_id, body):
"""Attach a volume to an instance."""
context = req.environ['nova.context']
authorize(context)
authorize_attach(context, action='create')
context.can(vol_policies.BASE_POLICY_NAME)
context.can(va_policies.POLICY_ROOT % 'create')
volume_id = body['volumeAttachment']['volumeId']
device = body['volumeAttachment'].get('device')
@ -350,8 +350,8 @@ class VolumeAttachmentController(wsgi.Controller):
@validation.schema(volumes_schema.update_volume_attachment)
def update(self, req, server_id, id, body):
context = req.environ['nova.context']
authorize(context)
authorize_attach(context, action='update')
context.can(vol_policies.BASE_POLICY_NAME)
context.can(va_policies.POLICY_ROOT % 'update')
old_volume_id = id
try:
@ -398,8 +398,8 @@ class VolumeAttachmentController(wsgi.Controller):
def delete(self, req, server_id, id):
"""Detach a volume from an instance."""
context = req.environ['nova.context']
authorize(context)
authorize_attach(context, action='delete')
context.can(vol_policies.BASE_POLICY_NAME)
context.can(va_policies.POLICY_ROOT % 'delete')
volume_id = id
@ -455,7 +455,7 @@ class VolumeAttachmentController(wsgi.Controller):
def _items(self, req, server_id, entity_maker):
"""Returns a list of attachments, transformed through entity_maker."""
context = req.environ['nova.context']
authorize(context)
context.can(vol_policies.BASE_POLICY_NAME)
instance = common.get_instance(self.compute_api, context, server_id)
@ -508,7 +508,7 @@ class SnapshotController(wsgi.Controller):
def show(self, req, id):
"""Return data about the given snapshot."""
context = req.environ['nova.context']
authorize(context)
context.can(vol_policies.BASE_POLICY_NAME)
try:
vol = self.volume_api.get_snapshot(context, id)
@ -522,7 +522,7 @@ class SnapshotController(wsgi.Controller):
def delete(self, req, id):
"""Delete a snapshot."""
context = req.environ['nova.context']
authorize(context)
context.can(vol_policies.BASE_POLICY_NAME)
try:
self.volume_api.delete_snapshot(context, id)
@ -542,7 +542,7 @@ class SnapshotController(wsgi.Controller):
def _items(self, req, entity_maker):
"""Returns a list of snapshots, transformed through entity_maker."""
context = req.environ['nova.context']
authorize(context)
context.can(vol_policies.BASE_POLICY_NAME)
snapshots = self.volume_api.get_all_snapshots(context)
limited_list = common.limited(snapshots, req)
@ -554,7 +554,7 @@ class SnapshotController(wsgi.Controller):
def create(self, req, body):
"""Creates a new snapshot."""
context = req.environ['nova.context']
authorize(context)
context.can(vol_policies.BASE_POLICY_NAME)
snapshot = body['snapshot']
volume_id = snapshot['volume_id']
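Review bot: Nothing in VolumeAttachmentController documents that its handlers need two rules to pass. `show`, `create`, `update` and `delete` each check `vol_policies.BASE_POLICY_NAME` and then the per-action `va_policies.POLICY_ROOT % ...`, while `index` checks only the attachment rule itself and relies on `_items` for the volumes rule. A comment above the paired calls, such as `# Requires both the os-volumes rule and the os-volumes-attachments action rule.`, would make that explicit for anyone editing policy. The SnapshotController methods are also gated by the volumes rule rather than a snapshot-specific one, which is worth stating in the class docstring if it is deliberate. All of these method bodies continue outside their hunks.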


@ -1398,11 +1398,11 @@ class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase):
'server': {'id': '0'},
'servers': [{'id': '0'}, {'id': '2'}]})
@mock.patch.object(secgroups_v21, "softauth")
def test_show_policy_softauth_is_called(self, mock_softauth):
mock_softauth.return_value = False
@mock.patch('nova.policy.authorize')
def test_show_policy_softauth_is_called(self, mock_authorize):
mock_authorize.return_value = False
self.controller.show(self.req, self.fake_res, FAKE_UUID1)
self.assertTrue(mock_softauth.called)
self.assertTrue(mock_authorize.called)
@mock.patch.object(nova.network.security_group.openstack_driver,
"is_neutron_security_groups")
@ -1410,11 +1410,11 @@ class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase):
self.controller.show(self.req, self.fake_res, FAKE_UUID1)
self.assertFalse(is_neutron_security_groups.called)
@mock.patch.object(secgroups_v21, "softauth")
def test_create_policy_softauth_is_called(self, mock_softauth):
mock_softauth.return_value = False
@mock.patch('nova.policy.authorize')
def test_create_policy_softauth_is_called(self, mock_authorize):
mock_authorize.return_value = False
self.controller.show(self.req, self.fake_res, {})
self.assertTrue(mock_softauth.called)
self.assertTrue(mock_authorize.called)
@mock.patch.object(nova.network.security_group.openstack_driver,
"is_neutron_security_groups")
@ -1422,11 +1422,11 @@ class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase):
self.controller.create(self.req, self.fake_res, {})
self.assertFalse(is_neutron_security_groups.called)
@mock.patch.object(secgroups_v21, "softauth")
def test_detail_policy_softauth_is_called(self, mock_softauth):
mock_softauth.return_value = False
@mock.patch('nova.policy.authorize')
def test_detail_policy_softauth_is_called(self, mock_authorize):
mock_authorize.return_value = False
self.controller.detail(self.req, self.fake_res)
self.assertTrue(mock_softauth.called)
self.assertTrue(mock_authorize.called)
@mock.patch.object(nova.network.security_group.openstack_driver,
"is_neutron_security_groups")
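Review bot: The three `test_*_policy_softauth_is_called` tests now patch `nova.policy.authorize` but still assert only `mock_authorize.called`, so they would pass whichever rule the controller asked about. Checking the recorded arguments, for example that the security-groups policy name appears in `mock_authorize.call_args`, would pin the rule being enforced; the exact signature of `nova.policy.authorize` is not visible here, so confirm the argument position first. The test names still refer to `softauth`, which the controller no longer defines after this commit. Separately, `test_create_policy_softauth_is_called` calls `self.controller.show(...)`, which looks like it was meant to be `create`.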


@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
import mock
import six
from nova.api.openstack.compute import used_limits \
@ -20,6 +21,7 @@ from nova.api.openstack.compute import used_limits \
from nova.api.openstack import wsgi
import nova.context
from nova import exception
from nova.policies import used_limits as ul_policies
from nova import quota
from nova import test
@ -44,8 +46,9 @@ class UsedLimitsTestCaseV21(test.NoDBTestCase):
def _set_up_controller(self):
self.ext_mgr = None
self.controller = used_limits_v21.UsedLimitsController()
self.mox.StubOutWithMock(used_limits_v21, 'authorize')
self.authorize = used_limits_v21.authorize
patcher = self.mock_can = mock.patch('nova.context.RequestContext.can')
self.mock_can = patcher.start()
self.addCleanup(patcher.stop)
def _do_test_used_limits(self, reserved):
fake_req = FakeRequest(self.fake_context, reserved=reserved)
@ -120,13 +123,14 @@ class UsedLimitsTestCaseV21(test.NoDBTestCase):
self.ext_mgr.is_loaded('os-used-limits-for-admin').AndReturn(True)
self.ext_mgr.is_loaded('os-server-group-quotas').AndReturn(
self.include_server_group_quotas)
self.authorize(self.fake_context, target=target)
self.mox.StubOutWithMock(quota.QUOTAS, 'get_project_quotas')
quota.QUOTAS.get_project_quotas(self.fake_context, '%s' % tenant_id,
usages=True).AndReturn({})
self.mox.ReplayAll()
res = wsgi.ResponseObject(obj)
self.controller.index(fake_req, res)
self.mock_can.assert_called_once_with(ul_policies.BASE_POLICY_NAME,
target)
def test_admin_can_fetch_used_limits_for_own_project(self):
project_id = "123456"
@ -172,13 +176,14 @@ class UsedLimitsTestCaseV21(test.NoDBTestCase):
fake_req.GET = {'tenant_id': tenant_id}
if self.ext_mgr is not None:
self.ext_mgr.is_loaded('os-used-limits-for-admin').AndReturn(True)
self.authorize(self.fake_context, target=target). \
AndRaise(exception.PolicyNotAuthorized(
action=self.used_limit_extension))
self.mock_can.side_effect = exception.PolicyNotAuthorized(
action=self.used_limit_extension)
self.mox.ReplayAll()
res = wsgi.ResponseObject(obj)
self.assertRaises(exception.PolicyNotAuthorized, self.controller.index,
fake_req, res)
self.mock_can.assert_called_once_with(ul_policies.BASE_POLICY_NAME,
target)
def test_used_limits_fetched_for_context_project_id(self):
project_id = "123456"
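Review bot: In `_set_up_controller`, `patcher = self.mock_can = mock.patch('nova.context.RequestContext.can')` binds `self.mock_can` to the patcher, and the next line immediately overwrites it with the started mock, so the first binding is dead and misleading. `patcher = mock.patch('nova.context.RequestContext.can')` followed by the existing `self.mock_can = patcher.start()` is enough. The two tests that gained `assert_called_once_with(ul_policies.BASE_POLICY_NAME, target)` still drive the rest of the flow through mox (`self.mox.ReplayAll()`), so mock and mox expectations are mixed in one test. A short comment saying which library verifies the policy call would help the next reader.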