diff --git a/nova/api/openstack/compute/security_group_default_rules.py b/nova/api/openstack/compute/security_group_default_rules.py
index 03e342cefa4f..a827f0abbacd 100644
--- a/nova/api/openstack/compute/security_group_default_rules.py
+++ b/nova/api/openstack/compute/security_group_default_rules.py
@@ -20,10 +20,10 @@ from nova.api.openstack import wsgi
 from nova import exception
 from nova.i18n import _
 from nova.network.security_group import openstack_driver
+from nova.policies import security_group_default_rules as sgdr_policies
 ALIAS = "os-security-group-default-rules"
-authorize = extensions.os_compute_authorizer(ALIAS)
 class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
@@ -35,7 +35,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
 @extensions.expected_errors((400, 409, 501))
 def create(self, req, body):
 context = req.environ['nova.context']
- authorize(context)
+ context.can(sgdr_policies.BASE_POLICY_NAME)
 sg_rule = self._from_body(body, 'security_group_default_rule')
@@ -72,7 +72,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
 @extensions.expected_errors((400, 404, 501))
 def show(self, req, id):
 context = req.environ['nova.context']
- authorize(context)
+ context.can(sgdr_policies.BASE_POLICY_NAME)
 try:
 id = self.security_group_api.validate_id(id)
@@ -91,7 +91,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
 @wsgi.response(204)
 def delete(self, req, id):
 context = req.environ['nova.context']
- authorize(context)
+ context.can(sgdr_policies.BASE_POLICY_NAME)
 try:
 id = self.security_group_api.validate_id(id)
@@ -107,7 +107,7 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
 @extensions.expected_errors((404, 501))
 def index(self, req):
 context = req.environ['nova.context']
- authorize(context)
+ context.can(sgdr_policies.BASE_POLICY_NAME)
 ret = {'security_group_default_rules': []}
 try:
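Review bot: All four hunks in this controller gate create, show, delete and index on the single rule `sgdr_policies.BASE_POLICY_NAME`, so a deployment cannot grant read-only access to default rules without also granting create and delete. Per-action rules in the shape this same series uses for server_metadata and server_tags, e.g. `context.can(sgdr_policies.POLICY_ROOT % 'index')`, would allow that split, assuming the new policies module defines a POLICY_ROOT. Each check also runs with context.can's default target, i.e. the caller's own project and user, which is appropriate because default rules are not project-scoped, but a one-line comment at the first call site, `# Default target (caller) is fine: default rules are not project-scoped.`, would save the next reader from hunting for a missing target. The index method continues past the end of the last hunk.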
diff --git a/nova/api/openstack/compute/security_groups.py b/nova/api/openstack/compute/security_groups.py
index 8bff397367cb..d1524707805f 100644
--- a/nova/api/openstack/compute/security_groups.py
+++ b/nova/api/openstack/compute/security_groups.py
@@ -28,19 +28,18 @@ from nova import compute
 from nova import exception
 from nova.i18n import _
 from nova.network.security_group import openstack_driver
+from nova.policies import security_groups as sg_policies
 from nova.virt import netutils
 LOG = logging.getLogger(__name__)
 ALIAS = 'os-security-groups'
 ATTRIBUTE_NAME = 'security_groups'
-authorize = extensions.os_compute_authorizer(ALIAS)
-softauth = extensions.os_compute_soft_authorizer(ALIAS)
 def _authorize_context(req):
 context = req.environ['nova.context']
- authorize(context)
+ context.can(sg_policies.BASE_POLICY_NAME)
 return context
@@ -386,7 +385,7 @@ class SecurityGroupActionController(wsgi.Controller):
 @wsgi.action('addSecurityGroup')
 def _addSecurityGroup(self, req, id, body):
 context = req.environ['nova.context']
- authorize(context)
+ context.can(sg_policies.BASE_POLICY_NAME)
 group_name = self._parse(body, 'addSecurityGroup')
 try:
@@ -406,7 +405,7 @@ class SecurityGroupActionController(wsgi.Controller):
 @wsgi.action('removeSecurityGroup')
 def _removeSecurityGroup(self, req, id, body):
 context = req.environ['nova.context']
- authorize(context)
+ context.can(sg_policies.BASE_POLICY_NAME)
 group_name = self._parse(body, 'removeSecurityGroup')
@@ -436,7 +435,7 @@ class SecurityGroupsOutputController(wsgi.Controller):
 return
 key = "security_groups"
 context = req.environ['nova.context']
- if not softauth(context):
+ if not context.can(sg_policies.BASE_POLICY_NAME, fatal=False):
 return
 if not openstack_driver.is_neutron_security_groups():
diff --git a/nova/api/openstack/compute/server_diagnostics.py b/nova/api/openstack/compute/server_diagnostics.py
index 1f24139d5f04..284f6ad462de 100644
--- a/nova/api/openstack/compute/server_diagnostics.py
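Review bot: The non-fatal check `context.can(sg_policies.BASE_POLICY_NAME, fatal=False)` in the SecurityGroupsOutputController hunk silently drops the `security_groups` attribute from the response when the rule denies, and nothing in the hunk says that this is intended rather than an error path; a comment above the `if`, `# Soft check: a policy denial hides the attribute instead of failing the request.`, would make the contract explicit. The same base rule now also guards `_authorize_context`, `_addSecurityGroup` and `_removeSecurityGroup` in the earlier hunks, so listing and mutating a server's security groups cannot be granted separately; if that is deliberate it deserves a line in the policy description. The method enclosing this last hunk starts before the hunk.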
+++ b/nova/api/openstack/compute/server_diagnostics.py
@@ -18,10 +18,10 @@ from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
 from nova import compute
 from nova import exception
+from nova.policies import server_diagnostics as sd_policies
 ALIAS = "os-server-diagnostics"
-authorize = extensions.os_compute_authorizer(ALIAS)
 class ServerDiagnosticsController(wsgi.Controller):
@@ -31,7 +31,7 @@ class ServerDiagnosticsController(wsgi.Controller):
 @extensions.expected_errors((404, 409, 501))
 def index(self, req, server_id):
 context = req.environ["nova.context"]
- authorize(context)
+ context.can(sd_policies.BASE_POLICY_NAME)
 instance = common.get_instance(self.compute_api, context, server_id)
diff --git a/nova/api/openstack/compute/server_external_events.py b/nova/api/openstack/compute/server_external_events.py
index 6a6b3592da15..ae1294df2f10 100644
--- a/nova/api/openstack/compute/server_external_events.py
+++ b/nova/api/openstack/compute/server_external_events.py
@@ -24,11 +24,11 @@ from nova import exception
 from nova.i18n import _
 from nova.i18n import _LI
 from nova import objects
+from nova.policies import server_external_events as see_policies
 LOG = logging.getLogger(__name__)
 ALIAS = 'os-server-external-events'
-authorize = extensions.os_compute_authorizer(ALIAS)
 class ServerExternalEventsController(wsgi.Controller):
@@ -43,7 +43,7 @@ class ServerExternalEventsController(wsgi.Controller):
 def create(self, req, body):
 """Creates a new instance event."""
 context = req.environ['nova.context']
- authorize(context, action='create')
+ context.can(see_policies.POLICY_ROOT % 'create')
 response_events = []
 accepted_events = []
diff --git a/nova/api/openstack/compute/server_groups.py b/nova/api/openstack/compute/server_groups.py
index 80e0b38764cb..e5e2a4bb68de 100644
--- a/nova/api/openstack/compute/server_groups.py
+++ b/nova/api/openstack/compute/server_groups.py
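Review bot: In the server_external_events create hunk, `context.can(see_policies.POLICY_ROOT % 'create')` is evaluated with the default target (the caller's project and user), yet the events in the body name instances by UUID that may belong to any project, so the rule cannot scope a caller to its own instances and has to remain an admin- or service-only rule to be safe; the hunk does not say so. A comment at the call site, `# Default target only; keep this rule admin/service-only, events address instances in any project.`, would keep a later policy relaxation from opening a cross-project path. The create method's body continues beyond the hunk, so I cannot see whether any per-event ownership check follows.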
@@ -29,18 +29,16 @@ import nova.exception from nova.i18n import _ from nova.i18n import _LE from nova import objects +from nova.policies import server_groups as sg_policies LOG = logging.getLogger(__name__) ALIAS = "os-server-groups" -authorize = extensions.os_compute_authorizer(ALIAS) - - def _authorize_context(req): context = req.environ['nova.context'] - authorize(context) + context.can(sg_policies.BASE_POLICY_NAME) return context diff --git a/nova/api/openstack/compute/server_metadata.py b/nova/api/openstack/compute/server_metadata.py index cf11b23594d3..cfe6bf546861 100644 --- a/nova/api/openstack/compute/server_metadata.py +++ b/nova/api/openstack/compute/server_metadata.py @@ -24,9 +24,9 @@ from nova.api import validation from nova import compute from nova import exception from nova.i18n import _ +from nova.policies import server_metadata as sm_policies ALIAS = 'server-metadata' -authorize = extensions.os_compute_authorizer(ALIAS) class ServerMetadataController(wsgi.Controller): @@ -55,7 +55,7 @@ class ServerMetadataController(wsgi.Controller): def index(self, req, server_id): """Returns the list of metadata for a given instance.""" context = req.environ['nova.context'] - authorize(context, action='index') + context.can(sm_policies.POLICY_ROOT % 'index') return {'metadata': self._get_metadata(context, server_id)} @extensions.expected_errors((400, 403, 404, 409)) @@ -65,7 +65,7 @@ class ServerMetadataController(wsgi.Controller): def create(self, req, server_id, body): metadata = body['metadata'] context = req.environ['nova.context'] - authorize(context, action='create') + context.can(sm_policies.POLICY_ROOT % 'create') new_metadata = self._update_instance_metadata(context, server_id, metadata, 
@@ -77,7 +77,7 @@ class ServerMetadataController(wsgi.Controller): @validation.schema(server_metadata.update) def update(self, req, server_id, id, body): context = req.environ['nova.context'] - authorize(context, action='update') + context.can(sm_policies.POLICY_ROOT % 'update') meta_item = body['meta'] if id not in meta_item: expl = _('Request body and URI mismatch') @@ -94,7 +94,7 @@ class ServerMetadataController(wsgi.Controller): @validation.schema(server_metadata.update_all) def update_all(self, req, server_id, body): context = req.environ['nova.context'] - authorize(context, action='update_all') + context.can(sm_policies.POLICY_ROOT % 'update_all') metadata = body['metadata'] new_metadata = self._update_instance_metadata(context, server_id, @@ -129,7 +129,7 @@ class ServerMetadataController(wsgi.Controller): def show(self, req, server_id, id): """Return a single metadata item.""" context = req.environ['nova.context'] - authorize(context, action='show') + context.can(sm_policies.POLICY_ROOT % 'show') data = self._get_metadata(context, server_id) try: @@ -143,7 +143,7 @@ class ServerMetadataController(wsgi.Controller): def delete(self, req, server_id, id): """Deletes an existing metadata.""" context = req.environ['nova.context'] - authorize(context, action='delete') + context.can(sm_policies.POLICY_ROOT % 'delete') metadata = self._get_metadata(context, server_id) if id not in metadata: diff --git a/nova/api/openstack/compute/server_migrations.py b/nova/api/openstack/compute/server_migrations.py index 6b1361bdb533..a39082860ed7 100644 --- a/nova/api/openstack/compute/server_migrations.py +++ b/nova/api/openstack/compute/server_migrations.py @@ -23,10 +23,10 @@ from nova.api import validation from nova import compute from nova import exception from nova.i18n import _ +from nova.policies import servers_migrations as sm_policies ALIAS = 'servers:migrations' -authorize = extensions.os_compute_authorizer(ALIAS) def output(migration): 
@@ -69,7 +69,7 @@ class ServerMigrationsController(wsgi.Controller):
 @validation.schema(server_migrations.force_complete)
 def _force_complete(self, req, id, server_id, body):
 context = req.environ['nova.context']
- authorize(context, action='force_complete')
+ context.can(sm_policies.POLICY_ROOT % 'force_complete')
 instance = common.get_instance(self.compute_api, context, server_id)
 try:
@@ -91,7 +91,7 @@ class ServerMigrationsController(wsgi.Controller):
 def index(self, req, server_id):
 """Return all migrations of an instance in progress."""
 context = req.environ['nova.context']
- authorize(context, action="index")
+ context.can(sm_policies.POLICY_ROOT % 'index')
 # NOTE(Shaohe Feng) just check the instance is available. To keep
 # consistency with other API, check it before get migrations.
@@ -107,7 +107,7 @@ class ServerMigrationsController(wsgi.Controller):
 def show(self, req, server_id, id):
 """Return the migration of an instance in progress by id."""
 context = req.environ['nova.context']
- authorize(context, action="show")
+ context.can(sm_policies.POLICY_ROOT % 'show')
 # NOTE(Shaohe Feng) just check the instance is available. To keep
 # consistency with other API, check it before get migrations.
@@ -141,7 +141,7 @@ class ServerMigrationsController(wsgi.Controller):
 def delete(self, req, server_id, id):
 """Abort an in progress migration of an instance."""
 context = req.environ['nova.context']
- authorize(context, action="delete")
+ context.can(sm_policies.POLICY_ROOT % 'delete')
 instance = common.get_instance(self.compute_api, context, server_id)
 try:
diff --git a/nova/api/openstack/compute/server_password.py b/nova/api/openstack/compute/server_password.py
index b6d41e05f358..c97c24bb15fb 100644
--- a/nova/api/openstack/compute/server_password.py
+++ b/nova/api/openstack/compute/server_password.py
@@ -20,10 +20,10 @@ from nova.api.openstack import common
 from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
 from nova import compute
+from nova.policies import server_password as sp_policies
 ALIAS = 'os-server-password'
-authorize = extensions.os_compute_authorizer(ALIAS)
 class ServerPasswordController(wsgi.Controller):
@@ -34,7 +34,7 @@ class ServerPasswordController(wsgi.Controller):
 @extensions.expected_errors(404)
 def index(self, req, server_id):
 context = req.environ['nova.context']
- authorize(context)
+ context.can(sp_policies.BASE_POLICY_NAME)
 instance = common.get_instance(self.compute_api, context, server_id)
 passw = password.extract_password(instance)
@@ -50,7 +50,7 @@ class ServerPasswordController(wsgi.Controller):
 """
 context = req.environ['nova.context']
- authorize(context)
+ context.can(sp_policies.BASE_POLICY_NAME)
 instance = common.get_instance(self.compute_api, context, server_id)
 meta = password.convert_password(context, None)
 instance.system_metadata.update(meta)
diff --git a/nova/api/openstack/compute/server_tags.py b/nova/api/openstack/compute/server_tags.py
index e38fa4493228..94426f637d81 100644
--- a/nova/api/openstack/compute/server_tags.py
+++ b/nova/api/openstack/compute/server_tags.py
@@ -25,10 +25,10 @@ from nova.compute import vm_states
 from nova import exception
 from nova.i18n import _
 from nova import objects
+from nova.policies import server_tags as st_policies
 ALIAS = "os-server-tags"
-authorize = extensions.os_compute_authorizer(ALIAS)
 def _get_tags_names(tags):
@@ -58,7 +58,7 @@ class ServerTagsController(wsgi.Controller):
 @extensions.expected_errors(404)
 def show(self, req, server_id, id):
 context = req.environ["nova.context"]
- authorize(context, action='show')
+ context.can(st_policies.POLICY_ROOT % 'show')
 try:
 exists = objects.Tag.exists(context, server_id, id)
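Review bot: In both ServerPasswordController hunks the policy check runs before `common.get_instance`, so `context.can(sp_policies.BASE_POLICY_NAME)` is evaluated against the caller's own project rather than the instance whose password is being read or cleared; ownership of server_id is therefore enforced only by get_instance and the compute API, which the hunk leaves unstated. A comment above the first check, `# Default (caller) target; instance ownership is enforced by get_instance below.`, would make that dependency visible to whoever next edits the policy. Revealing the password (index) and clearing it share one rule, so they cannot be granted separately; acceptable, but the policy description should say so. The clear method's docstring begins before its hunk.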
@@ -74,7 +74,7 @@ class ServerTagsController(wsgi.Controller):
 @extensions.expected_errors(404)
 def index(self, req, server_id):
 context = req.environ["nova.context"]
- authorize(context, action='index')
+ context.can(st_policies.POLICY_ROOT % 'index')
 try:
 tags = objects.TagList.get_by_resource_id(context, server_id)
@@ -88,7 +88,7 @@ class ServerTagsController(wsgi.Controller):
 @validation.schema(schema.update)
 def update(self, req, server_id, id, body):
 context = req.environ["nova.context"]
- authorize(context, action='update')
+ context.can(st_policies.POLICY_ROOT % 'update')
 self._check_instance_in_valid_state(context, server_id, 'update tag')
 try:
@@ -136,7 +136,7 @@ class ServerTagsController(wsgi.Controller):
 @validation.schema(schema.update_all)
 def update_all(self, req, server_id, body):
 context = req.environ["nova.context"]
- authorize(context, action='update_all')
+ context.can(st_policies.POLICY_ROOT % 'update_all')
 self._check_instance_in_valid_state(context, server_id, 'update tags')
 invalid_tags = []
@@ -178,7 +178,7 @@ class ServerTagsController(wsgi.Controller):
 @extensions.expected_errors((404, 409))
 def delete(self, req, server_id, id):
 context = req.environ["nova.context"]
- authorize(context, action='delete')
+ context.can(st_policies.POLICY_ROOT % 'delete')
 self._check_instance_in_valid_state(context, server_id, 'delete tag')
 try:
@@ -193,7 +193,7 @@ class ServerTagsController(wsgi.Controller):
 @extensions.expected_errors((404, 409))
 def delete_all(self, req, server_id):
 context = req.environ["nova.context"]
- authorize(context, action='delete_all')
+ context.can(st_policies.POLICY_ROOT % 'delete_all')
 self._check_instance_in_valid_state(context, server_id, 'delete tags')
 try:
diff --git a/nova/api/openstack/compute/server_usage.py b/nova/api/openstack/compute/server_usage.py
index 1ee7adee2463..69a464e8b612 100644
--- a/nova/api/openstack/compute/server_usage.py
+++ b/nova/api/openstack/compute/server_usage.py
@@ -14,10 +14,10 @@ from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
+from nova.policies import server_usage as su_policies
 ALIAS = "os-server-usage"
-authorize = extensions.os_compute_soft_authorizer(ALIAS)
 resp_topic = "OS-SRV-USG"
@@ -37,7 +37,7 @@ class ServerUsageController(wsgi.Controller):
 @wsgi.extends
 def show(self, req, resp_obj, id):
 context = req.environ['nova.context']
- if authorize(context):
+ if context.can(su_policies.BASE_POLICY_NAME, fatal=False):
 server = resp_obj.obj['server']
 db_instance = req.get_db_instance(server['id'])
 # server['id'] is guaranteed to be in the cache due to
@@ -47,7 +47,7 @@ class ServerUsageController(wsgi.Controller):
 @wsgi.extends
 def detail(self, req, resp_obj):
 context = req.environ['nova.context']
- if authorize(context):
+ if context.can(su_policies.BASE_POLICY_NAME, fatal=False):
 servers = list(resp_obj.obj['servers'])
 for server in servers:
 db_instance = req.get_db_instance(server['id'])
diff --git a/nova/api/openstack/compute/services.py b/nova/api/openstack/compute/services.py
index 0c21442dd1c0..4fd666bbc9ca 100644
--- a/nova/api/openstack/compute/services.py
+++ b/nova/api/openstack/compute/services.py
@@ -22,11 +22,11 @@ from nova.api import validation
 from nova import compute
 from nova import exception
 from nova.i18n import _
+from nova.policies import services as services_policies
 from nova import servicegroup
 from nova import utils
 ALIAS = "os-services"
-authorize = extensions.os_compute_authorizer(ALIAS)
 class ServiceController(wsgi.Controller):
@@ -42,7 +42,7 @@ class ServiceController(wsgi.Controller):
 api_services = ('nova-osapi_compute', 'nova-ec2', 'nova-metadata')
 context = req.environ['nova.context']
- authorize(context)
+ context.can(services_policies.BASE_POLICY_NAME)
 _services = [
 s
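Review bot: With `authorize = extensions.os_compute_soft_authorizer(ALIAS)` removed from server_usage.py, the only use of `extensions` visible in this file's hunks is gone and the two controller hunks decorate with `@wsgi.extends`; if nothing else in the file references it, `from nova.api.openstack import extensions` is now an unused import that flake8 (F401) will reject in the gate and should be dropped in the same hunk. I cannot see the rest of the module, so this needs confirming against the full file. The same check applies to used_limits.py further down, where the `extensions` import stays as context while its only visible consumer, `authorize`, is removed.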
@@ -155,7 +155,7 @@ class ServiceController(wsgi.Controller):
 def _perform_action(self, req, id, body, actions):
 """Calculate action dictionary dependent on provided fields"""
 context = req.environ['nova.context']
- authorize(context)
+ context.can(services_policies.BASE_POLICY_NAME)
 try:
 action = actions[id]
@@ -170,7 +170,7 @@ class ServiceController(wsgi.Controller):
 def delete(self, req, id):
 """Deletes the specified service."""
 context = req.environ['nova.context']
- authorize(context)
+ context.can(services_policies.BASE_POLICY_NAME)
 try:
 utils.validate_integer(id, 'id')
diff --git a/nova/api/openstack/compute/shelve.py b/nova/api/openstack/compute/shelve.py
index 336c10bc2118..d9f0525a15ee 100644
--- a/nova/api/openstack/compute/shelve.py
+++ b/nova/api/openstack/compute/shelve.py
@@ -21,10 +21,10 @@ from nova.api.openstack import extensions as exts
 from nova.api.openstack import wsgi
 from nova import compute
 from nova import exception
+from nova.policies import shelve as shelve_policies
 ALIAS = 'os-shelve'
-authorize = exts.os_compute_authorizer(ALIAS)
 class ShelveController(wsgi.Controller):
@@ -38,7 +38,7 @@ class ShelveController(wsgi.Controller):
 def _shelve(self, req, id, body):
 """Move an instance into shelved mode."""
 context = req.environ["nova.context"]
- authorize(context, action='shelve')
+ context.can(shelve_policies.POLICY_ROOT % 'shelve')
 instance = common.get_instance(self.compute_api, context, id)
 try:
@@ -57,7 +57,7 @@ class ShelveController(wsgi.Controller):
 def _shelve_offload(self, req, id, body):
 """Force removal of a shelved instance from the compute node."""
 context = req.environ["nova.context"]
- authorize(context, action='shelve_offload')
+ context.can(shelve_policies.POLICY_ROOT % 'shelve_offload')
 instance = common.get_instance(self.compute_api, context, id)
 try:
@@ -77,7 +77,7 @@ class ShelveController(wsgi.Controller):
 def _unshelve(self, req, id, body):
 """Restore an instance from shelved mode."""
 context = req.environ["nova.context"]
- authorize(context, action='unshelve')
+ context.can(shelve_policies.POLICY_ROOT % 'unshelve')
 instance = common.get_instance(self.compute_api, context, id)
 try:
 self.compute_api.unshelve(context, instance)
diff --git a/nova/api/openstack/compute/simple_tenant_usage.py b/nova/api/openstack/compute/simple_tenant_usage.py
index 62f45cddcd75..f5281a67deb6 100644
--- a/nova/api/openstack/compute/simple_tenant_usage.py
+++ b/nova/api/openstack/compute/simple_tenant_usage.py
@@ -26,9 +26,9 @@ from nova.api.openstack import wsgi
 from nova import exception
 from nova.i18n import _
 from nova import objects
+from nova.policies import simple_tenant_usage as stu_policies
 ALIAS = "os-simple-tenant-usage"
-authorize = extensions.os_compute_authorizer(ALIAS)
 def parse_strtime(dstr, fmt):
@@ -220,7 +220,7 @@ class SimpleTenantUsageController(wsgi.Controller):
 """Retrieve tenant_usage for all tenants."""
 context = req.environ['nova.context']
- authorize(context, action='list')
+ context.can(stu_policies.POLICY_ROOT % 'list')
 try:
 (period_start, period_stop, detailed) = self._get_datetime_range(
@@ -243,7 +243,8 @@ class SimpleTenantUsageController(wsgi.Controller):
 tenant_id = id
 context = req.environ['nova.context']
- authorize(context, action='show', target={'project_id': tenant_id})
+ context.can(stu_policies.POLICY_ROOT % 'show',
+ {'project_id': tenant_id})
 try:
 (period_start, period_stop, ignore) = self._get_datetime_range(
diff --git a/nova/api/openstack/compute/suspend_server.py b/nova/api/openstack/compute/suspend_server.py
index b44d928f3eec..71701e044059 100644
--- a/nova/api/openstack/compute/suspend_server.py
+++ b/nova/api/openstack/compute/suspend_server.py
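Review bot: The simple_tenant_usage show hunk passes an explicit target, `{'project_id': tenant_id}`, built from the URL id rather than from the caller's context, which is what lets an owner-style rule refuse usage data for another tenant, while the list hunk above it relies on the default target. That asymmetry is correct but not obvious, so a comment on the new call, `# Target is the requested tenant, not the caller, so an owner rule denies cross-tenant reads.`, would preserve the intent. The explicit target also carries no `user_id`, so a rule written in terms of user_id cannot match here; that mirrors the old authorize() call, but the policy description for this rule should not promise user-level granularity. The show method continues past the hunk.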
@@ -19,13 +19,11 @@ from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
 from nova import compute
 from nova import exception
+from nova.policies import suspend_server as ss_policies
 ALIAS = "os-suspend-server"
-authorize = extensions.os_compute_authorizer(ALIAS)
-
-
 class SuspendServerController(wsgi.Controller):
 def __init__(self, *args, **kwargs):
 super(SuspendServerController, self).__init__(*args, **kwargs)
@@ -37,7 +35,7 @@ class SuspendServerController(wsgi.Controller):
 def _suspend(self, req, id, body):
 """Permit admins to suspend the server."""
 context = req.environ['nova.context']
- authorize(context, action='suspend')
+ context.can(ss_policies.POLICY_ROOT % 'suspend')
 try:
 server = common.get_instance(self.compute_api, context, id)
 self.compute_api.suspend(context, server)
@@ -55,7 +53,7 @@ class SuspendServerController(wsgi.Controller):
 def _resume(self, req, id, body):
 """Permit admins to resume the server from suspend."""
 context = req.environ['nova.context']
- authorize(context, action='resume')
+ context.can(ss_policies.POLICY_ROOT % 'resume')
 try:
 server = common.get_instance(self.compute_api, context, id)
 self.compute_api.resume(context, server)
diff --git a/nova/api/openstack/compute/tenant_networks.py b/nova/api/openstack/compute/tenant_networks.py
index e5a32a45042b..90cc4179091a 100644
--- a/nova/api/openstack/compute/tenant_networks.py
+++ b/nova/api/openstack/compute/tenant_networks.py
@@ -30,6 +30,7 @@ from nova import exception
 from nova.i18n import _
 from nova.i18n import _LE
 import nova.network
+from nova.policies import tenant_networks as tn_policies
 from nova import quota
@@ -39,7 +40,6 @@ ALIAS = 'os-tenant-networks'
 QUOTAS = quota.QUOTAS
 LOG = logging.getLogger(__name__)
-authorize = extensions.os_compute_authorizer(ALIAS)
 def network_dict(network):
@@ -76,7 +76,7 @@ class TenantNetworkController(wsgi.Controller):
 @extensions.expected_errors(())
 def index(self, req):
 context = req.environ['nova.context']
- authorize(context)
+ context.can(tn_policies.BASE_POLICY_NAME)
 networks = list(self.network_api.get_all(context))
 if not self._default_networks:
 self._refresh_default_networks()
@@ -86,7 +86,7 @@ class TenantNetworkController(wsgi.Controller):
 @extensions.expected_errors(404)
 def show(self, req, id):
 context = req.environ['nova.context']
- authorize(context)
+ context.can(tn_policies.BASE_POLICY_NAME)
 try:
 network = self.network_api.get(context, id)
 except exception.NetworkNotFound:
@@ -98,7 +98,7 @@ class TenantNetworkController(wsgi.Controller):
 @wsgi.response(202)
 def delete(self, req, id):
 context = req.environ['nova.context']
- authorize(context)
+ context.can(tn_policies.BASE_POLICY_NAME)
 reservation = None
 try:
 if CONF.enable_network_quota:
@@ -133,7 +133,7 @@ class TenantNetworkController(wsgi.Controller):
 @validation.schema(schema.create)
 def create(self, req, body):
 context = req.environ["nova.context"]
- authorize(context)
+ context.can(tn_policies.BASE_POLICY_NAME)
 network = body["network"]
 keys = ["cidr", "cidr_v6", "ipam", "vlan_start", "network_size",
diff --git a/nova/api/openstack/compute/used_limits.py b/nova/api/openstack/compute/used_limits.py
index 0be25bc527e4..2c2449bfada9 100644
--- a/nova/api/openstack/compute/used_limits.py
+++ b/nova/api/openstack/compute/used_limits.py
@@ -16,6 +16,7 @@ import six
 from nova.api.openstack import extensions
 from nova.api.openstack import wsgi
+from nova.policies import used_limits as ul_policies
 from nova import quota
@@ -23,7 +24,6 @@ QUOTAS = quota.QUOTAS
 ALIAS = "os-used-limits"
-authorize = extensions.os_compute_authorizer(ALIAS)
 class UsedLimitsController(wsgi.Controller):
@@ -65,7 +65,7 @@ class UsedLimitsController(wsgi.Controller):
 'project_id': tenant_id,
 'user_id': context.user_id
 }
- authorize(context, target=target)
+ context.can(ul_policies.BASE_POLICY_NAME, target)
 return tenant_id
 return context.project_id
diff --git a/nova/api/openstack/compute/virtual_interfaces.py b/nova/api/openstack/compute/virtual_interfaces.py
index b67eed364f0e..7dcebecdfa8d 100644
--- a/nova/api/openstack/compute/virtual_interfaces.py
+++ b/nova/api/openstack/compute/virtual_interfaces.py
@@ -24,10 +24,10 @@ from nova.api.openstack import wsgi
 from nova import compute
 from nova.i18n import _
 from nova import network
+from nova.policies import virtual_interfaces as vif_policies
 ALIAS = 'os-virtual-interfaces'
-authorize = extensions.os_compute_authorizer(ALIAS)
 def _translate_vif_summary_view(req, vif):
@@ -56,7 +56,7 @@ class ServerVirtualInterfaceController(wsgi.Controller):
 def _items(self, req, server_id, entity_maker):
 """Returns a list of VIFs, transformed through entity_maker."""
 context = req.environ['nova.context']
- authorize(context)
+ context.can(vif_policies.BASE_POLICY_NAME)
 instance = common.get_instance(self.compute_api, context, server_id)
 try:
diff --git a/nova/api/openstack/compute/volumes.py b/nova/api/openstack/compute/volumes.py
index a3ef938becb9..aa7cf386cb6c 100644
--- a/nova/api/openstack/compute/volumes.py
+++ b/nova/api/openstack/compute/volumes.py
@@ -29,11 +29,11 @@ from nova.compute import vm_states
 from nova import exception
 from nova.i18n import _
 from nova import objects
+from nova.policies import volumes as vol_policies
+from nova.policies import volumes_attachments as va_policies
 from nova import volume
 ALIAS = "os-volumes"
-authorize = extensions.os_compute_authorizer(ALIAS)
-authorize_attach = extensions.os_compute_authorizer('os-volumes-attachments')
 def _translate_volume_detail_view(context, vol):
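Review bot: The target passed to `context.can(ul_policies.BASE_POLICY_NAME, target)` in the used_limits hunk pairs the requested `tenant_id` with the caller's own `context.user_id`, so a rule keyed on `user_id:%(user_id)s` is satisfied for any tenant_id the caller supplies and only the `project_id` key actually distinguishes a cross-tenant request. That is unchanged from the old authorize() call, but a comment on the dict, `# user_id is the caller's, not the target tenant's; only project_id scopes this check.`, would stop a future rule from relying on it. The enclosing method begins before this hunk, so where tenant_id comes from is not visible here.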
@@ -104,7 +104,7 @@ class VolumeController(wsgi.Controller):
 def show(self, req, id):
 """Return data about the given volume."""
 context = req.environ['nova.context']
- authorize(context)
+ context.can(vol_policies.BASE_POLICY_NAME)
 try:
 vol = self.volume_api.get(context, id)
@@ -118,7 +118,7 @@ class VolumeController(wsgi.Controller):
 def delete(self, req, id):
 """Delete a volume."""
 context = req.environ['nova.context']
- authorize(context)
+ context.can(vol_policies.BASE_POLICY_NAME)
 try:
 self.volume_api.delete(context, id)
@@ -138,7 +138,7 @@ class VolumeController(wsgi.Controller):
 def _items(self, req, entity_maker):
 """Returns a list of volumes, transformed through entity_maker."""
 context = req.environ['nova.context']
- authorize(context)
+ context.can(vol_policies.BASE_POLICY_NAME)
 volumes = self.volume_api.get_all(context)
 limited_list = common.limited(volumes, req)
@@ -150,7 +150,7 @@ class VolumeController(wsgi.Controller):
 def create(self, req, body):
 """Creates a new volume."""
 context = req.environ['nova.context']
- authorize(context)
+ context.can(vol_policies.BASE_POLICY_NAME)
 vol = body['volume']
@@ -256,7 +256,7 @@ class VolumeAttachmentController(wsgi.Controller):
 def index(self, req, server_id):
 """Returns the list of volume attachments for a given instance."""
 context = req.environ['nova.context']
- authorize_attach(context, action='index')
+ context.can(va_policies.POLICY_ROOT % 'index')
 return self._items(req, server_id,
 entity_maker=_translate_attachment_summary_view)
@@ -264,8 +264,8 @@ class VolumeAttachmentController(wsgi.Controller):
 def show(self, req, server_id, id):
 """Return data about the given volume attachment."""
 context = req.environ['nova.context']
- authorize(context)
- authorize_attach(context, action='show')
+ context.can(vol_policies.BASE_POLICY_NAME)
+ context.can(va_policies.POLICY_ROOT % 'show')
 volume_id = id
 instance = common.get_instance(self.compute_api, context, server_id)
@@ -298,8 +298,8 @@ class VolumeAttachmentController(wsgi.Controller):
 def create(self, req, server_id, body):
 """Attach a volume to an instance."""
 context = req.environ['nova.context']
- authorize(context)
- authorize_attach(context, action='create')
+ context.can(vol_policies.BASE_POLICY_NAME)
+ context.can(va_policies.POLICY_ROOT % 'create')
 volume_id = body['volumeAttachment']['volumeId']
 device = body['volumeAttachment'].get('device')
@@ -350,8 +350,8 @@ class VolumeAttachmentController(wsgi.Controller):
 @validation.schema(volumes_schema.update_volume_attachment)
 def update(self, req, server_id, id, body):
 context = req.environ['nova.context']
- authorize(context)
- authorize_attach(context, action='update')
+ context.can(vol_policies.BASE_POLICY_NAME)
+ context.can(va_policies.POLICY_ROOT % 'update')
 old_volume_id = id
 try:
@@ -398,8 +398,8 @@ class VolumeAttachmentController(wsgi.Controller):
 def delete(self, req, server_id, id):
 """Detach a volume from an instance."""
 context = req.environ['nova.context']
- authorize(context)
- authorize_attach(context, action='delete')
+ context.can(vol_policies.BASE_POLICY_NAME)
+ context.can(va_policies.POLICY_ROOT % 'delete')
 volume_id = id
@@ -455,7 +455,7 @@ class VolumeAttachmentController(wsgi.Controller):
 def _items(self, req, server_id, entity_maker):
 """Returns a list of attachments, transformed through entity_maker."""
 context = req.environ['nova.context']
- authorize(context)
+ context.can(vol_policies.BASE_POLICY_NAME)
 instance = common.get_instance(self.compute_api, context, server_id)
@@ -508,7 +508,7 @@ class SnapshotController(wsgi.Controller):
 def show(self, req, id):
 """Return data about the given snapshot."""
 context = req.environ['nova.context']
- authorize(context)
+ context.can(vol_policies.BASE_POLICY_NAME)
 try:
 vol = self.volume_api.get_snapshot(context, id)
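Review bot: In the create, update and delete hunks every attachment action requires two rules, `vol_policies.BASE_POLICY_NAME` followed by the matching `va_policies.POLICY_ROOT % ...`, while index (previous hunk) checks the attachments rule inline and only inherits the base check from `_items`; the pairing is the same for all actions but split across two functions for index, which is easy to break when either function is edited on its own. A one-line comment on the `_items` check, `# Base os-volumes rule for index; the per-action attachments rule is checked by the caller.`, would document that dependency. It also means loosening an os-volumes-attachments rule alone has no effect unless os-volumes is opened too, which deployers reading the new policy module will not expect unless its description says so.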
@@ -522,7 +522,7 @@ class SnapshotController(wsgi.Controller):
 def delete(self, req, id):
 """Delete a snapshot."""
 context = req.environ['nova.context']
- authorize(context)
+ context.can(vol_policies.BASE_POLIC_NAME)
 try:
 self.volume_api.delete_snapshot(context, id)
@@ -542,7 +542,7 @@ class SnapshotController(wsgi.Controller):
 def _items(self, req, entity_maker):
 """Returns a list of snapshots, transformed through entity_maker."""
 context = req.environ['nova.context']
- authorize(context)
+ context.can(vol_policies.BASE_POLICY_NAME)
 snapshots = self.volume_api.get_all_snapshots(context)
 limited_list = common.limited(snapshots, req)
@@ -554,7 +554,7 @@ class SnapshotController(wsgi.Controller):
 def create(self, req, body):
 """Creates a new snapshot."""
 context = req.environ['nova.context']
- authorize(context)
+ context.can(vol_policies.BASE_POLICY_NAME)
 snapshot = body['snapshot']
 volume_id = snapshot['volume_id']
diff --git a/nova/tests/unit/api/openstack/compute/test_security_groups.py b/nova/tests/unit/api/openstack/compute/test_security_groups.py
index 24d9f11ab59f..82649c882ed5 100644
--- a/nova/tests/unit/api/openstack/compute/test_security_groups.py
+++ b/nova/tests/unit/api/openstack/compute/test_security_groups.py
@@ -1398,11 +1398,11 @@ class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase):
 'server': {'id': '0'},
 'servers': [{'id': '0'}, {'id': '2'}]})
- @mock.patch.object(secgroups_v21, "softauth")
- def test_show_policy_softauth_is_called(self, mock_softauth):
- mock_softauth.return_value = False
+ @mock.patch('nova.policy.authorize')
+ def test_show_policy_softauth_is_called(self, mock_authorize):
+ mock_authorize.return_value = False
 self.controller.show(self.req, self.fake_res, FAKE_UUID1)
- self.assertTrue(mock_softauth.called)
+ self.assertTrue(mock_authorize.called)
 @mock.patch.object(nova.network.security_group.openstack_driver,
 "is_neutron_security_groups")
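Review bot: In the test_show_policy_softauth_is_called hunk, `self.assertTrue(mock_authorize.called)` only proves that some policy check ran, not that it was the os-security-groups rule or that it ran in non-fatal mode; with `nova.policy.authorize` patched at module level, any check on the show path would satisfy it. Asserting on the rule name from `mock_authorize.call_args` (its second positional argument) would pin the behaviour the test is named for. Moving the patch target from the controller module's `softauth` to `nova.policy.authorize` also makes the test depend on RequestContext.can delegating to that function, which is worth a comment since a later refactor of context.can would silently turn this into a no-op test.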
@@ -1410,11 +1410,11 @@ class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase): self.controller.show(self.req, self.fake_res, FAKE_UUID1) self.assertFalse(is_neutron_security_groups.called) - @mock.patch.object(secgroups_v21, "softauth") - def test_create_policy_softauth_is_called(self, mock_softauth): - mock_softauth.return_value = False + @mock.patch('nova.policy.authorize') + def test_create_policy_softauth_is_called(self, mock_authorize): + mock_authorize.return_value = False self.controller.show(self.req, self.fake_res, {}) - self.assertTrue(mock_softauth.called) + self.assertTrue(mock_authorize.called) @mock.patch.object(nova.network.security_group.openstack_driver, "is_neutron_security_groups") @@ -1422,11 +1422,11 @@ class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase): self.controller.create(self.req, self.fake_res, {}) self.assertFalse(is_neutron_security_groups.called) - @mock.patch.object(secgroups_v21, "softauth") - def test_detail_policy_softauth_is_called(self, mock_softauth): - mock_softauth.return_value = False + @mock.patch('nova.policy.authorize') + def test_detail_policy_softauth_is_called(self, mock_authorize): + mock_authorize.return_value = False self.controller.detail(self.req, self.fake_res) - self.assertTrue(mock_softauth.called) + self.assertTrue(mock_authorize.called) @mock.patch.object(nova.network.security_group.openstack_driver, "is_neutron_security_groups") diff --git a/nova/tests/unit/api/openstack/compute/test_used_limits.py b/nova/tests/unit/api/openstack/compute/test_used_limits.py index 182dcda50db5..e7d8650986bb 100644 --- a/nova/tests/unit/api/openstack/compute/test_used_limits.py +++ b/nova/tests/unit/api/openstack/compute/test_used_limits.py @@ -13,6 +13,7 @@ # License for the specific language governing permissions and limitations # under the License. +import mock import six from nova.api.openstack.compute import used_limits \ 
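Review bot: `test_create_policy_softauth_is_called` still calls `self.controller.show(self.req, self.fake_res, {})`, so the create path is never exercised and the test would pass even if `create` skipped the policy check entirely; this is pre-existing, but the hunk rewrites every other line of the test and leaves it in place. Change the call to `self.controller.create(self.req, self.fake_res, {})`, matching the neighbouring `is_neutron_security_groups` test for create. As with the show test, asserting only `mock_authorize.called` no longer pins which rule was consulted.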
@@ -20,6 +21,7 @@ from nova.api.openstack.compute import used_limits \ from nova.api.openstack import wsgi import nova.context from nova import exception +from nova.policies import used_limits as ul_policies from nova import quota from nova import test @@ -44,8 +46,9 @@ class UsedLimitsTestCaseV21(test.NoDBTestCase): def _set_up_controller(self): self.ext_mgr = None self.controller = used_limits_v21.UsedLimitsController() - self.mox.StubOutWithMock(used_limits_v21, 'authorize') - self.authorize = used_limits_v21.authorize + patcher = self.mock_can = mock.patch('nova.context.RequestContext.can') + self.mock_can = patcher.start() + self.addCleanup(patcher.stop) def _do_test_used_limits(self, reserved): fake_req = FakeRequest(self.fake_context, reserved=reserved) @@ -120,13 +123,14 @@ class UsedLimitsTestCaseV21(test.NoDBTestCase): self.ext_mgr.is_loaded('os-used-limits-for-admin').AndReturn(True) self.ext_mgr.is_loaded('os-server-group-quotas').AndReturn( self.include_server_group_quotas) - self.authorize(self.fake_context, target=target) self.mox.StubOutWithMock(quota.QUOTAS, 'get_project_quotas') quota.QUOTAS.get_project_quotas(self.fake_context, '%s' % tenant_id, usages=True).AndReturn({}) self.mox.ReplayAll() res = wsgi.ResponseObject(obj) self.controller.index(fake_req, res) + self.mock_can.assert_called_once_with(ul_policies.BASE_POLICY_NAME, + target) def test_admin_can_fetch_used_limits_for_own_project(self): project_id = "123456" 
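Review bot: `patcher = self.mock_can = mock.patch('nova.context.RequestContext.can')` in `_set_up_controller` stores the patcher object in `self.mock_can` and then immediately overwrites it with `patcher.start()` on the next line, so the first assignment is dead and misleading. Write `patcher = mock.patch('nova.context.RequestContext.can')` and keep the following `self.mock_can = patcher.start()` and `self.addCleanup(patcher.stop)` as they are. A one-line comment such as `# Patch can() on the class so every RequestContext built during the test is covered.` would also explain why the patch is class-level rather than on `self.fake_context`.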
@@ -172,13 +176,14 @@ class UsedLimitsTestCaseV21(test.NoDBTestCase): fake_req.GET = {'tenant_id': tenant_id} if self.ext_mgr is not None: self.ext_mgr.is_loaded('os-used-limits-for-admin').AndReturn(True) - self.authorize(self.fake_context, target=target). \ - AndRaise(exception.PolicyNotAuthorized( - action=self.used_limit_extension)) + self.mock_can.side_effect = exception.PolicyNotAuthorized( + action=self.used_limit_extension) self.mox.ReplayAll() res = wsgi.ResponseObject(obj) self.assertRaises(exception.PolicyNotAuthorized, self.controller.index, fake_req, res) + self.mock_can.assert_called_once_with(ul_policies.BASE_POLICY_NAME, + target) def test_used_limits_fetched_for_context_project_id(self): project_id = "123456"