Correct the check_str and pass actual target in FIP pools policy
FIP pools are not associated with any project, and the API controller does not take any project_id in the request, so anyone requesting that API can get the FIP pools list. The current check_str 'admin_or_owner' is not correct for this policy; it should be RULE_ANY. Currently, if a target is not passed in context.can(), it uses the default target, which is context.user_id and context.project_id. These default targets are not useful, as they pass only the context's user_id and project_id, which means we tell oslo policy to verify the context data against the context data. This commit corrects the check_str and passes the actual target for the FIP pools policies, which is an empty dict. Partial implement blueprint policy-defaults-refresh-deprecated-apis Change-Id: I06dde5960fdae5ee4e3ce902482361909ac397d6
parent
8c0d1acf6e
commit
f1d4d9762c
|
@ -44,6 +44,6 @@ class FloatingIPPoolsController(wsgi.Controller):
|
|||
def index(self, req):
|
||||
"""Return a list of pools."""
|
||||
context = req.environ['nova.context']
|
||||
context.can(fip_policies.BASE_POLICY_NAME)
|
||||
context.can(fip_policies.BASE_POLICY_NAME, target={})
|
||||
pools = self.network_api.get_floating_ip_pools(context)
|
||||
return _translate_floating_ip_pools_view(pools)
|
||||
|
|
|
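Review bot: The `target={}` argument on the new `context.can()` call in `index` carries no comment saying why an empty target is correct, so a later reader may take it for a forgotten ownership check. A short comment above the call would record the reasoning from the commit message, e.g. `# Pools are not owned by any project, so there is nothing to check ownership against; pass {} rather than the context defaults.` It would also help to note there that if project-specific data is ever added to this response, the call needs a real target, because an empty target cannot express an owner check.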
@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-floating-ip-pools'
|
|||
floating_ip_pools_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
check_str=base.RULE_ANY,
|
||||
description="List floating IP pools. This API is deprecated.",
|
||||
operations=[
|
||||
{
|
||||
|
|
|
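Review bot: With `check_str=base.RULE_ANY` the default no longer restricts who may list the pools, yet the `description` still reads only "List floating IP pools. This API is deprecated." and gives operators no hint of that. Because the controller now passes an empty target, an operator override that references `%(project_id)s` or `%(user_id)s` has nothing to match against and would presumably deny the callers it used to allow. A release note or a sentence in the description would cover both points, e.g. `description="List floating IP pools. Pools are not project-specific, so the default allows any caller. This API is deprecated."`. The `floating_ip_pools_policies` list continues outside the hunk, so whether `scope_types` is set on this rule cannot be seen here.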
@ -65,3 +65,10 @@ class FloatingIPPoolsScopeTypePolicyTest(FloatingIPPoolsPolicyTest):
|
|||
def setUp(self):
|
||||
super(FloatingIPPoolsScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
|
||||
|
||||
class FloatingIPPoolsNoLegacyPolicyTest(FloatingIPPoolsScopeTypePolicyTest):
|
||||
"""Test Floating IP Pools APIs policies with system scope enabled,
|
||||
and no more deprecated rules.
|
||||
"""
|
||||
without_deprecated_rules = True
|
||||
|
|
|
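Review bot: The docstring of `FloatingIPPoolsNoLegacyPolicyTest` splits its summary across two lines and does not say what the class is expected to prove. A one-line summary would read better, e.g. `"""Check floating IP pools policies with scope enforced and deprecated rules disabled."""`, followed by a sentence stating that the outcome should match the parent class because the new default places no restriction on the caller. How `without_deprecated_rules` is consumed is not visible in this hunk; presumably a base-class `setUp` reads it, and the docstring could say so.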
@ -425,7 +425,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"os_compute_api:os-flavor-access",
|
||||
"os_compute_api:os-flavor-extra-specs:index",
|
||||
"os_compute_api:os-flavor-extra-specs:show",
|
||||
"os_compute_api:os-floating-ip-pools",
|
||||
"os_compute_api:os-floating-ips",
|
||||
"os_compute_api:os-multinic",
|
||||
"os_compute_api:os-networks:view",
|
||||
|
@ -455,6 +454,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"os_compute_api:os-quota-sets:defaults",
|
||||
"os_compute_api:os-availability-zone:list",
|
||||
"os_compute_api:limits",
|
||||
"os_compute_api:os-floating-ip-pools",
|
||||
)
|
||||
|
||||
self.system_reader_rules = (
|
||||
|
|