Adding policy check in quota call

The default policy for server_list API in nova has changed. This exposed a problem in the way Horizon was calling server_list when reading quota values. The call was always made with all_tenants=True, which is only something admin should be able to do. Instead of ignoring the privilege problem in the API as in the past, there is a pre-emptive policy check that makes the call fail. The fix in Horizon is to only pass in all_tenants=True when the user has the appropriate privilege level. nova_policy.json has been updated with the appropriate default and the permission check has been added. Removing passing in all_tenants=True at all was contemplated, but when setting quota values on projects in the identity dashboard, the administrator level user needs to read quota values from a project that they are not currently scoped to. This fixes the error on the network topology screen that was the motivation for the original bug report. Closes-Bug: #1468551 Change-Id: I4255c57f81a13cac121596c99eea4ac629ed9ca7
2015-06-25 14:13:59 -06:00 · 2015-06-25 14:13:59 -06:00 · 6bfeee5baf
parent f1779d8cef
commit 6bfeee5baf
2 changed files with 9 additions and 2 deletions
--- a/openstack_dashboard/conf/nova_policy.json
+++ b/openstack_dashboard/conf/nova_policy.json
@ -11,7 +11,7 @@
    "compute:create:forced_host": "is_admin:True",
    "compute:delete": "rule:default",
    "compute:get_all": "",
-    "compute:get_all_tenants": "",
+    "compute:get_all_tenants": "is_admin:True",
    "compute:reboot": "rule:default",
    "compute:rebuild": "rule:default",
    "compute:snapshot": "rule:default",
--- a/openstack_dashboard/usage/quotas.py
+++ b/openstack_dashboard/usage/quotas.py
@ -24,6 +24,7 @@ from openstack_dashboard.api import cinder
 from openstack_dashboard.api import network
 from openstack_dashboard.api import neutron
 from openstack_dashboard.api import nova
+from openstack_dashboard import policy


 LOG = logging.getLogger(__name__)
@ -254,8 +255,14 @@ def get_disabled_quotas(request):

 def _get_tenant_compute_usages(request, usages, disabled_quotas, tenant_id):
    if tenant_id:
+        # determine if the user has permission to view across projects
+        # there are cases where an administrator wants to check the quotas
+        # on a project they are not scoped to
+        all_tenants = policy.check((("compute", "compute:get_all_tenants"),),
+                                   request)
        instances, has_more = nova.server_list(
-            request, search_opts={'tenant_id': tenant_id}, all_tenants=True)
+            request, search_opts={'tenant_id': tenant_id},
+            all_tenants=all_tenants)
    else:
        instances, has_more = nova.server_list(request)