Merge "policy: Replaces 'authorize' in nova-api (part 4)"

This commit is contained in:
Jenkins 2016-06-29 17:57:03 +00:00 committed by Gerrit Code Review
commit ceaacaa24f
14 changed files with 68 additions and 80 deletions


@ -27,11 +27,10 @@ from nova.compute import api as compute_api
from nova import exception
from nova.i18n import _
from nova.objects import keypair as keypair_obj
from nova.policies import keypairs as kp_policies
ALIAS = 'os-keypairs'
authorize = extensions.os_compute_authorizer(ALIAS)
soft_authorize = extensions.os_compute_soft_authorizer(ALIAS)
class KeypairController(wsgi.Controller):
@ -116,9 +115,9 @@ class KeypairController(wsgi.Controller):
name = common.normalize_name(params['name'])
key_type = params.get('type', keypair_obj.KEYPAIR_TYPE_SSH)
user_id = user_id or context.user_id
authorize(context, action='create',
target={'user_id': user_id,
'project_id': context.project_id})
context.can(kp_policies.POLICY_ROOT % 'create',
target={'user_id': user_id,
'project_id': context.project_id})
try:
if 'public_key' in params:
@ -169,9 +168,9 @@ class KeypairController(wsgi.Controller):
context = req.environ['nova.context']
# handle optional user-id for admin only
user_id = user_id or context.user_id
authorize(context, action='delete',
target={'user_id': user_id,
'project_id': context.project_id})
context.can(kp_policies.POLICY_ROOT % 'delete',
target={'user_id': user_id,
'project_id': context.project_id})
try:
self.api.delete_key_pair(context, user_id, id)
except exception.KeypairNotFound as exc:
@ -203,9 +202,9 @@ class KeypairController(wsgi.Controller):
"""Return data for the given key name."""
context = req.environ['nova.context']
user_id = user_id or context.user_id
authorize(context, action='show',
target={'user_id': user_id,
'project_id': context.project_id})
context.can(kp_policies.POLICY_ROOT % 'show',
target={'user_id': user_id,
'project_id': context.project_id})
try:
# The return object needs to be a dict in order to pop the 'type'
@ -243,9 +242,9 @@ class KeypairController(wsgi.Controller):
"""List of keypairs for a user."""
context = req.environ['nova.context']
user_id = user_id or context.user_id
authorize(context, action='index',
target={'user_id': user_id,
'project_id': context.project_id})
context.can(kp_policies.POLICY_ROOT % 'index',
target={'user_id': user_id,
'project_id': context.project_id})
key_pairs = self.api.get_key_pairs(context, user_id)
rval = []
for key_pair in key_pairs:
@ -272,13 +271,14 @@ class Controller(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
context = req.environ['nova.context']
if soft_authorize(context):
if context.can(kp_policies.BASE_POLICY_NAME, fatal=False):
self._show(req, resp_obj)
@wsgi.extends
def detail(self, req, resp_obj):
context = req.environ['nova.context']
if 'servers' in resp_obj.obj and soft_authorize(context):
if 'servers' in resp_obj.obj and context.can(
kp_policies.BASE_POLICY_NAME, fatal=False):
servers = resp_obj.obj['servers']
self._add_key_name(req, servers)
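Review bot: The comment `# handle optional user-id for admin only` sits only above the delete check, while create, show and index build the identical user_id-bearing target with no explanation. The user_id in that target comes from the request (it is only defaulted to context.user_id), so whether a non-admin may name another user is decided entirely by the rule in kp_policies, presumably a `user_id:%(user_id)s` match, and not by anything in this controller; note also that project_id in the target is the caller's own project, not the named user's. Suggest the same one-line comment above each of the four checks, e.g. `# user_id may be supplied by the caller; the keypair policy rule, not this code, limits acting on another user's keys`.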


@ -16,12 +16,12 @@
from nova.api.openstack.compute.views import limits as limits_views
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova.policies import limits as limits_policies
from nova import quota
QUOTAS = quota.QUOTAS
ALIAS = 'limits'
authorize = extensions.os_compute_authorizer(ALIAS)
class LimitsController(wsgi.Controller):
@ -31,7 +31,7 @@ class LimitsController(wsgi.Controller):
def index(self, req):
"""Return all global limit information."""
context = req.environ['nova.context']
authorize(context)
context.can(limits_policies.BASE_POLICY_NAME)
project_id = req.params.get('tenant_id', context.project_id)
quotas = QUOTAS.get_project_quotas(context, project_id,
usages=False)
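Review bot: The policy check at the top of index is evaluated against can()'s default target (the caller's own project), yet the very next line reads `tenant_id` from the query string and fetches that project's quotas, so a policy rule has no way to tell a caller reading its own limits from one reading another project's. Unless get_project_quotas enforces this downstream (not visible here), compute the project first and hand it to the check: `project_id = req.params.get('tenant_id', context.project_id)` followed by `context.can(limits_policies.BASE_POLICY_NAME, target={'project_id': project_id})`. The old authorize(context) call had the same gap, so this is not a regression, but the migration to context.can is the natural moment to close it.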


@ -17,11 +17,10 @@ from nova.api.openstack import common
from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova import compute
from nova.policies import lock_server as ls_policies
ALIAS = "os-lock-server"
authorize = extensions.os_compute_authorizer(ALIAS)
class LockServerController(wsgi.Controller):
def __init__(self, *args, **kwargs):
@ -34,7 +33,7 @@ class LockServerController(wsgi.Controller):
def _lock(self, req, id, body):
"""Lock a server instance."""
context = req.environ['nova.context']
authorize(context, action='lock')
context.can(ls_policies.POLICY_ROOT % 'lock')
instance = common.get_instance(self.compute_api, context, id)
self.compute_api.lock(context, instance)
@ -44,11 +43,11 @@ class LockServerController(wsgi.Controller):
def _unlock(self, req, id, body):
"""Unlock a server instance."""
context = req.environ['nova.context']
authorize(context, action='unlock')
context.can(ls_policies.POLICY_ROOT % 'unlock')
instance = common.get_instance(self.compute_api, context, id)
if not self.compute_api.is_expected_locked_by(context, instance):
authorize(context, target=instance,
action='unlock:unlock_override')
context.can(ls_policies.POLICY_ROOT % 'unlock:unlock_override',
instance)
self.compute_api.unlock(context, instance)
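Review bot: The override check passes the instance as a bare positional argument, `context.can(ls_policies.POLICY_ROOT % 'unlock:unlock_override', instance)`, whereas the keypair hunks in this same commit spell out `target=`; writing `target=instance` here keeps one form across the commit and does not rely on the reader knowing can()'s parameter order. A short comment on the surrounding condition would also help, since the second rule is consulted only when the caller is not the one who locked the server: `# locked by someone else: the unlock_override rule decides`.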


@ -25,13 +25,11 @@ from nova.api import validation
from nova import compute
from nova import exception
from nova.i18n import _
from nova.policies import migrate_server as ms_policies
ALIAS = "os-migrate-server"
authorize = extensions.os_compute_authorizer(ALIAS)
class MigrateServerController(wsgi.Controller):
def __init__(self, *args, **kwargs):
super(MigrateServerController, self).__init__(*args, **kwargs)
@ -43,7 +41,7 @@ class MigrateServerController(wsgi.Controller):
def _migrate(self, req, id, body):
"""Permit admins to migrate a server to a new host."""
context = req.environ['nova.context']
authorize(context, action='migrate')
context.can(ms_policies.POLICY_ROOT % 'migrate')
instance = common.get_instance(self.compute_api, context, id)
try:
@ -69,7 +67,7 @@ class MigrateServerController(wsgi.Controller):
def _migrate_live(self, req, id, body):
"""Permit admins to (live) migrate a server to a new host."""
context = req.environ["nova.context"]
authorize(context, action='migrate_live')
context.can(ms_policies.POLICY_ROOT % 'migrate_live')
host = body["os-migrateLive"]["host"]
block_migration = body["os-migrateLive"]["block_migration"]
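Review bot: Both docstrings still promise "Permit admins to ...", but after this change the only gate is whatever ms_policies defines for 'migrate' and 'migrate_live', so the docstrings assert an admin restriction the code itself no longer guarantees. Suggest `"""Migrate a server to a new host; gated by the os-migrate-server migrate policy."""` and the analogous wording for _migrate_live. Both method bodies continue past their hunks.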


@ -16,15 +16,12 @@ from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova import compute
from nova.objects import base as obj_base
from nova.policies import migrations as migrations_policies
ALIAS = "os-migrations"
def authorize(context, action_name):
extensions.os_compute_authorizer(ALIAS)(context, action=action_name)
class MigrationsController(wsgi.Controller):
"""Controller for accessing migrations in OpenStack API."""
@ -76,7 +73,7 @@ class MigrationsController(wsgi.Controller):
def index(self, req):
"""Return all migrations in progress."""
context = req.environ['nova.context']
authorize(context, "index")
context.can(migrations_policies.POLICY_ROOT % 'index')
migrations = self.compute_api.get_migrations(context, req.GET)
if api_version_request.is_supported(req, min_version='2.23'):


@ -24,10 +24,10 @@ from nova.api.openstack import wsgi
from nova.api import validation
from nova import compute
from nova import exception
from nova.policies import multinic as multinic_policies
ALIAS = "os-multinic"
authorize = extensions.os_compute_authorizer(ALIAS)
class MultinicController(wsgi.Controller):
@ -42,7 +42,7 @@ class MultinicController(wsgi.Controller):
def _add_fixed_ip(self, req, id, body):
"""Adds an IP on a given network to an instance."""
context = req.environ['nova.context']
authorize(context)
context.can(multinic_policies.BASE_POLICY_NAME)
instance = common.get_instance(self.compute_api, context, id)
network_id = body['addFixedIp']['networkId']
@ -60,7 +60,7 @@ class MultinicController(wsgi.Controller):
def _remove_fixed_ip(self, req, id, body):
"""Removes an IP from an instance."""
context = req.environ['nova.context']
authorize(context)
context.can(multinic_policies.BASE_POLICY_NAME)
instance = common.get_instance(self.compute_api, context, id)
address = body['removeFixedIp']['address']


@ -27,9 +27,9 @@ from nova.i18n import _
from nova import network
from nova.objects import base as base_obj
from nova.objects import fields as obj_fields
from nova.policies import networks as net_policies
ALIAS = 'os-networks'
authorize = extensions.os_compute_authorizer(ALIAS)
def network_dict(context, network):
@ -85,7 +85,7 @@ class NetworkController(wsgi.Controller):
@extensions.expected_errors(())
def index(self, req):
context = req.environ['nova.context']
authorize(context, action='view')
context.can(net_policies.POLICY_ROOT % 'view')
networks = self.network_api.get_all(context)
result = [network_dict(context, net_ref) for net_ref in networks]
return {'networks': result}
@ -95,7 +95,7 @@ class NetworkController(wsgi.Controller):
@wsgi.action("disassociate")
def _disassociate_host_and_project(self, req, id, body):
context = req.environ['nova.context']
authorize(context)
context.can(net_policies.BASE_POLICY_NAME)
try:
self.network_api.associate(context, id, host=None, project=None)
@ -108,7 +108,7 @@ class NetworkController(wsgi.Controller):
@extensions.expected_errors(404)
def show(self, req, id):
context = req.environ['nova.context']
authorize(context, action='view')
context.can(net_policies.POLICY_ROOT % 'view')
try:
network = self.network_api.get(context, id)
@ -121,7 +121,7 @@ class NetworkController(wsgi.Controller):
@extensions.expected_errors((404, 409))
def delete(self, req, id):
context = req.environ['nova.context']
authorize(context)
context.can(net_policies.BASE_POLICY_NAME)
try:
self.network_api.delete(context, id)
@ -135,7 +135,7 @@ class NetworkController(wsgi.Controller):
@validation.schema(schema.create)
def create(self, req, body):
context = req.environ['nova.context']
authorize(context)
context.can(net_policies.BASE_POLICY_NAME)
params = body["network"]
@ -160,7 +160,7 @@ class NetworkController(wsgi.Controller):
@validation.schema(schema.add_network_to_project)
def add(self, req, body):
context = req.environ['nova.context']
authorize(context)
context.can(net_policies.BASE_POLICY_NAME)
network_id = body['id']
project_id = context.project_id


@ -20,11 +20,10 @@ from nova.api import validation
from nova import exception
from nova.i18n import _
from nova import network
from nova.policies import networks_associate as na_policies
ALIAS = "os-networks-associate"
authorize = extensions.os_compute_authorizer(ALIAS)
class NetworkAssociateActionController(wsgi.Controller):
"""Network Association API Controller."""
@ -37,7 +36,7 @@ class NetworkAssociateActionController(wsgi.Controller):
@extensions.expected_errors((404, 501))
def _disassociate_host_only(self, req, id, body):
context = req.environ['nova.context']
authorize(context)
context.can(na_policies.BASE_POLICY_NAME)
try:
self.network_api.associate(context, id, host=None)
except exception.NetworkNotFound:
@ -51,7 +50,7 @@ class NetworkAssociateActionController(wsgi.Controller):
@extensions.expected_errors((404, 501))
def _disassociate_project_only(self, req, id, body):
context = req.environ['nova.context']
authorize(context)
context.can(na_policies.BASE_POLICY_NAME)
try:
self.network_api.associate(context, id, project=None)
except exception.NetworkNotFound:
@ -66,7 +65,7 @@ class NetworkAssociateActionController(wsgi.Controller):
@validation.schema(networks_associate.associate_host)
def _associate_host(self, req, id, body):
context = req.environ['nova.context']
authorize(context)
context.can(na_policies.BASE_POLICY_NAME)
try:
self.network_api.associate(context, id,


@ -20,11 +20,10 @@ from nova.api.openstack import extensions
from nova.api.openstack import wsgi
from nova import compute
from nova import exception
from nova.policies import pause_server as ps_policies
ALIAS = "os-pause-server"
authorize = extensions.os_compute_authorizer(ALIAS)
class PauseServerController(wsgi.Controller):
def __init__(self, *args, **kwargs):
@ -37,7 +36,7 @@ class PauseServerController(wsgi.Controller):
def _pause(self, req, id, body):
"""Permit Admins to pause the server."""
ctxt = req.environ['nova.context']
authorize(ctxt, action='pause')
ctxt.can(ps_policies.POLICY_ROOT % 'pause')
server = common.get_instance(self.compute_api, ctxt, id)
try:
self.compute_api.pause(ctxt, server)
@ -58,7 +57,7 @@ class PauseServerController(wsgi.Controller):
def _unpause(self, req, id, body):
"""Permit Admins to unpause the server."""
ctxt = req.environ['nova.context']
authorize(ctxt, action='unpause')
ctxt.can(ps_policies.POLICY_ROOT % 'unpause')
server = common.get_instance(self.compute_api, ctxt, id)
try:
self.compute_api.unpause(ctxt, server)


@ -20,11 +20,10 @@ from nova.api.openstack import wsgi
from nova import compute
from nova import exception
from nova import objects
from nova.policies import pci as pci_policies
ALIAS = 'os-pci'
soft_authorize = extensions.os_compute_soft_authorizer(ALIAS + ':pci_servers')
authorize = extensions.os_compute_authorizer(ALIAS)
PCI_ADMIN_KEYS = ['id', 'address', 'vendor_id', 'product_id', 'status',
'compute_node_id']
@ -42,7 +41,7 @@ class PciServerController(wsgi.Controller):
@wsgi.extends
def show(self, req, resp_obj, id):
context = req.environ['nova.context']
if soft_authorize(context):
if context.can(pci_policies.POLICY_ROOT % 'pci_servers', fatal=False):
server = resp_obj.obj['server']
instance = req.get_db_instance(server['id'])
self._extend_server(server, instance)
@ -50,7 +49,7 @@ class PciServerController(wsgi.Controller):
@wsgi.extends
def detail(self, req, resp_obj):
context = req.environ['nova.context']
if soft_authorize(context):
if context.can(pci_policies.POLICY_ROOT % 'pci_servers', fatal=False):
servers = list(resp_obj.obj['servers'])
for server in servers:
instance = req.get_db_instance(server['id'])
@ -99,7 +98,7 @@ class PciController(wsgi.Controller):
def _get_all_nodes_pci_devices(self, req, detail, action):
context = req.environ['nova.context']
authorize(context, action=action)
context.can(pci_policies.POLICY_ROOT % action)
compute_nodes = self.host_api.compute_node_get_all(context)
results = []
for node in compute_nodes:
@ -117,7 +116,7 @@ class PciController(wsgi.Controller):
@extensions.expected_errors(404)
def show(self, req, id):
context = req.environ['nova.context']
authorize(context, action='show')
context.can(pci_policies.POLICY_ROOT % 'show')
try:
pci_dev = objects.PciDevice.get_by_dev_id(context, id)
except exception.PciDeviceNotFoundById as e:
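Review bot: `_get_all_nodes_pci_devices` interpolates its `action` parameter straight into the policy name, so which rule is consulted depends on what its callers (outside this hunk) pass in; that contract deserves a comment, e.g. `# action names the rule under POLICY_ROOT (presumably 'index' or 'detail'); callers must pass a rule defined in pci_policies`. Separately, the show/detail extensions replace the old `ALIAS + ':pci_servers'` soft authorizer with `POLICY_ROOT % 'pci_servers'`; that is the same rule only if POLICY_ROOT expands to the os-pci alias prefix, which is not visible here and is worth confirming, since a renamed rule would silently fall back to whatever default the policy engine applies.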


@ -22,6 +22,7 @@ from nova.api.openstack import wsgi
from nova.api import validation
from nova import db
from nova import exception
from nova.policies import quota_class_sets as qcs_policies
from nova import quota
from nova import utils
@ -34,9 +35,6 @@ EXTENDED_QUOTAS = {'server_groups': 'os-server-group-quotas',
'server_group_members': 'os-server-group-quotas'}
authorize = extensions.os_compute_authorizer(ALIAS)
class QuotaClassSetsController(wsgi.Controller):
supported_quotas = []
@ -65,7 +63,7 @@ class QuotaClassSetsController(wsgi.Controller):
@extensions.expected_errors(())
def show(self, req, id):
context = req.environ['nova.context']
authorize(context, action='show', target={'quota_class': id})
context.can(qcs_policies.POLICY_ROOT % 'show', {'quota_class': id})
values = QUOTAS.get_class_quotas(context, id)
return self._format_quota_set(id, values)
@ -73,7 +71,7 @@ class QuotaClassSetsController(wsgi.Controller):
@validation.schema(quota_classes.update)
def update(self, req, id, body):
context = req.environ['nova.context']
authorize(context, action='update', target={'quota_class': id})
context.can(qcs_policies.POLICY_ROOT % 'update', {'quota_class': id})
try:
utils.check_string_length(id, 'quota_class_name',
min_length=1, max_length=255)


@ -25,12 +25,12 @@ from nova.api import validation
from nova import exception
from nova.i18n import _
from nova import objects
from nova.policies import quota_sets as qs_policies
from nova import quota
ALIAS = "os-quota-sets"
QUOTAS = quota.QUOTAS
authorize = extensions.os_compute_authorizer(ALIAS)
class QuotaSetsController(wsgi.Controller):
@ -85,7 +85,7 @@ class QuotaSetsController(wsgi.Controller):
@extensions.expected_errors(())
def show(self, req, id):
context = req.environ['nova.context']
authorize(context, action='show', target={'project_id': id})
context.can(qs_policies.POLICY_ROOT % 'show', {'project_id': id})
params = urlparse.parse_qs(req.environ.get('QUERY_STRING', ''))
user_id = params.get('user_id', [None])[0]
return self._format_quota_set(id,
@ -94,7 +94,7 @@ class QuotaSetsController(wsgi.Controller):
@extensions.expected_errors(())
def detail(self, req, id):
context = req.environ['nova.context']
authorize(context, action='detail', target={'project_id': id})
context.can(qs_policies.POLICY_ROOT % 'detail', {'project_id': id})
user_id = req.GET.get('user_id', None)
return self._format_quota_set(id, self._get_quotas(context, id,
user_id=user_id,
@ -104,7 +104,7 @@ class QuotaSetsController(wsgi.Controller):
@validation.schema(quota_sets.update)
def update(self, req, id, body):
context = req.environ['nova.context']
authorize(context, action='update', target={'project_id': id})
context.can(qs_policies.POLICY_ROOT % 'update', {'project_id': id})
project_id = id
params = urlparse.parse_qs(req.environ.get('QUERY_STRING', ''))
user_id = params.get('user_id', [None])[0]
@ -150,7 +150,7 @@ class QuotaSetsController(wsgi.Controller):
@extensions.expected_errors(())
def defaults(self, req, id):
context = req.environ['nova.context']
authorize(context, action='defaults', target={'project_id': id})
context.can(qs_policies.POLICY_ROOT % 'defaults', {'project_id': id})
values = QUOTAS.get_defaults(context)
return self._format_quota_set(id, values)
@ -161,7 +161,7 @@ class QuotaSetsController(wsgi.Controller):
@wsgi.response(202)
def delete(self, req, id):
context = req.environ['nova.context']
authorize(context, action='delete', target={'project_id': id})
context.can(qs_policies.POLICY_ROOT % 'delete', {'project_id': id})
params = urlparse.parse_qs(req.environ.get('QUERY_STRING', ''))
user_id = params.get('user_id', [None])[0]
if user_id:
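Review bot: Every check in this controller passes a target of only `{'project_id': id}`, while show, update and delete go on to read a caller-supplied `user_id` from the query string and act on that user's quota. If the rules in qs_policies are ever meant to be scoped finer than the project, the user_id is not available to them; parsing the query string before the check and adding `'user_id': user_id` to the target would expose it. This is unchanged from the old authorize() calls, so it is an observation rather than a regression. The bodies of show and delete continue past their hunks.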


@ -21,10 +21,10 @@ from nova.api.openstack import wsgi
from nova.api import validation
from nova import compute
from nova import exception
from nova.policies import remote_consoles as rc_policies
ALIAS = "os-remote-consoles"
authorize = extensions.os_compute_authorizer(ALIAS)
class RemoteConsolesController(wsgi.Controller):
@ -44,7 +44,7 @@ class RemoteConsolesController(wsgi.Controller):
def get_vnc_console(self, req, id, body):
"""Get text console output."""
context = req.environ['nova.context']
authorize(context)
context.can(rc_policies.BASE_POLICY_NAME)
# If type is not supplied or unknown, get_vnc_console below will cope
console_type = body['os-getVNCConsole'].get('type')
@ -73,7 +73,7 @@ class RemoteConsolesController(wsgi.Controller):
def get_spice_console(self, req, id, body):
"""Get text console output."""
context = req.environ['nova.context']
authorize(context)
context.can(rc_policies.BASE_POLICY_NAME)
# If type is not supplied or unknown, get_spice_console below will cope
console_type = body['os-getSPICEConsole'].get('type')
@ -102,7 +102,7 @@ class RemoteConsolesController(wsgi.Controller):
def get_rdp_console(self, req, id, body):
"""Get text console output."""
context = req.environ['nova.context']
authorize(context)
context.can(rc_policies.BASE_POLICY_NAME)
# If type is not supplied or unknown, get_rdp_console below will cope
console_type = body['os-getRDPConsole'].get('type')
@ -133,7 +133,7 @@ class RemoteConsolesController(wsgi.Controller):
def get_serial_console(self, req, id, body):
"""Get connection to a serial console."""
context = req.environ['nova.context']
authorize(context)
context.can(rc_policies.BASE_POLICY_NAME)
# If type is not supplied or unknown get_serial_console below will cope
console_type = body['os-getSerialConsole'].get('type')
@ -163,7 +163,7 @@ class RemoteConsolesController(wsgi.Controller):
@validation.schema(remote_consoles.create_v28, "2.8")
def create(self, req, server_id, body):
context = req.environ['nova.context']
authorize(context)
context.can(rc_policies.BASE_POLICY_NAME)
instance = common.get_instance(self.compute_api, context, server_id)
protocol = body['remote_console']['protocol']
console_type = body['remote_console']['type']
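Review bot: The docstrings of get_vnc_console, get_spice_console and get_rdp_console all read `"""Get text console output."""`, which describes a different endpoint; only get_serial_console's docstring matches what it does. Suggest `"""Get a VNC console connection for the server."""`, `"""Get a SPICE console connection for the server."""` and `"""Get an RDP console connection for the server."""` respectively. Each of these method bodies continues past its hunk.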


@ -24,14 +24,13 @@ from nova.api import validation
from nova import compute
import nova.conf
from nova import exception
from nova.policies import rescue as rescue_policies
from nova import utils
ALIAS = "os-rescue"
CONF = nova.conf.CONF
authorize = extensions.os_compute_authorizer(ALIAS)
class RescueController(wsgi.Controller):
def __init__(self, *args, **kwargs):
@ -47,7 +46,7 @@ class RescueController(wsgi.Controller):
def _rescue(self, req, id, body):
"""Rescue an instance."""
context = req.environ["nova.context"]
authorize(context)
context.can(rescue_policies.BASE_POLICY_NAME)
if body['rescue'] and 'adminPass' in body['rescue']:
password = body['rescue']['adminPass']
@ -88,7 +87,7 @@ class RescueController(wsgi.Controller):
def _unrescue(self, req, id, body):
"""Unrescue an instance."""
context = req.environ["nova.context"]
authorize(context)
context.can(rescue_policies.BASE_POLICY_NAME)
instance = common.get_instance(self.compute_api, context, id)
try:
self.compute_api.unrescue(context, instance)