From 16a38564cb61031466bf60ac393363bfeaedbd93 Mon Sep 17 00:00:00 2001
From: Takashi NATSUME
Date: Thu, 4 Aug 2016 17:56:58 +0900
Subject: [PATCH] Fix server operations' policies to admin only

Before the following policies were set to admin only operations by default.

* detail:get_all_tenants
* index:get_all_tenants
* create:forced_host

But currently they are not limited to admin users by default. They were changed unintentionally in I71b3d1233255125cb280a000b990329f5b03fdfd. So set them admin only again. And a unit test for policy is fixed.

Change-Id: I1c0a4f1ff19d68152953dd6b265a7fb2e0f6271a
Closes-Bug: #1609625
Closes-Bug: #1609691
Closes-Bug: #1611628
---
 nova/policies/servers.py | 7 ++++---
 nova/tests/unit/test_policy.py | 3 ++-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/nova/policies/servers.py b/nova/policies/servers.py
index 320f963f8335..3250c55fa0c1 100644
--- a/nova/policies/servers.py
+++ b/nova/policies/servers.py
@@ -22,14 +22,15 @@ SERVERS = 'os_compute_api:servers:%s'
 rules = [
     policy.RuleDefault(SERVERS % 'index', RULE_AOO),
     policy.RuleDefault(SERVERS % 'detail', RULE_AOO),
-    policy.RuleDefault(SERVERS % 'detail:get_all_tenants', RULE_AOO),
-    policy.RuleDefault(SERVERS % 'index:get_all_tenants', RULE_AOO),
+    policy.RuleDefault(SERVERS % 'detail:get_all_tenants',
+                       base.RULE_ADMIN_API),
+    policy.RuleDefault(SERVERS % 'index:get_all_tenants', base.RULE_ADMIN_API),
     policy.RuleDefault(SERVERS % 'show', RULE_AOO),
     # the details in host_status are pretty sensitive, only admins
     # should do that by default.
     policy.RuleDefault(SERVERS % 'show:host_status', base.RULE_ADMIN_API),
     policy.RuleDefault(SERVERS % 'create', RULE_AOO),
-    policy.RuleDefault(SERVERS % 'create:forced_host', RULE_AOO),
+    policy.RuleDefault(SERVERS % 'create:forced_host', base.RULE_ADMIN_API),
     policy.RuleDefault(SERVERS % 'create:attach_volume', RULE_AOO),
     policy.RuleDefault(SERVERS % 'create:attach_network', RULE_AOO),
     policy.RuleDefault(SERVERS % 'delete', RULE_AOO),
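Review bot: The three rules moved to base.RULE_ADMIN_API carry no comment saying why they must stay admin-only, while show:host_status a few lines below does, and the commit message records that these same defaults were already relaxed once by accident. A short comment above the detail:get_all_tenants entry would make the intent survive the next reshuffle of this list, e.g. `# detail:get_all_tenants, index:get_all_tenants and create:forced_host are admin-only by default; see bugs 1609625, 1609691 and 1611628 before relaxing them.` The same remark applies to the create:forced_host line further down in this hunk. The `rules` list this hunk edits continues past the end of the hunk.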
diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py
index bc47c861ae1e..f7ff9311a89e 100644
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@@ -493,7 +493,8 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
     def test_admin_only_rules(self):
         for rule in self.admin_only_rules:
             self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
-                              self.non_admin_context, rule, self.target)
+                              self.non_admin_context, rule,
+                              {'project_id': 'fake', 'user_id': 'fake'})
             policy.authorize(self.admin_context, rule, self.target)
 
     def test_non_admin_only_rules(self):
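Review bot: The negative assertion now passes an inline literal target while the positive call on the next line still uses self.target, and nothing in the hunk says why the two must differ. A named local with a why-comment would make the test self-explanatory: `# a target the non-admin context does not own, so an admin-or-owner rule cannot pass here as owner` followed by `other_target = {'project_id': 'fake', 'user_id': 'fake'}` and `other_target` in the assertRaises call. Whether self.target is owned by self.non_admin_context is not visible in this hunk; if it is, that is presumably exactly why the literal was introduced, and the comment should say so. The setUp that defines self.target and self.admin_only_rules lies outside the hunk, so it is also not visible here whether the three rules changed in nova/policies/servers.py are in self.admin_only_rules and therefore covered by this test.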