From dcc2934921c5b2770878eee5afd088a1a8dbf645 Mon Sep 17 00:00:00 2001
From: Andrey Volkov
Date: Thu, 13 Oct 2016 17:19:28 +0300
Subject: [PATCH] Change default policy to view quota details

Default policy for quota details was an admin only privilege but it was able to get used and reserved resource data via nova limits call even for non admin owners. Horizon worked around the issue by using the limits API instead of the os-quota-sets API. And this removes the need to workaround it and just use the single os-quota-sets API. This patch sets the quotas detail default policy to RULE_ADMIN_OR_OWNER.

Change-Id: I65b9de24a1310079a67e033606eaf2dde796cd48
Closes-Bug: #1618513
---
 nova/policies/quota_sets.py | 2 +-
 nova/tests/unit/test_policy.py | 2 +-
 .../notes/quota-show-detail-access-d6f37282d288fa33.yaml | 5 +++++
 3 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/quota-show-detail-access-d6f37282d288fa33.yaml

diff --git a/nova/policies/quota_sets.py b/nova/policies/quota_sets.py
index 9cc46e078c50..d6b6b2873f82 100644
--- a/nova/policies/quota_sets.py
+++ b/nova/policies/quota_sets.py
@@ -62,7 +62,7 @@ quota_sets_policies = [
 ]),
 base.create_rule_default(
 POLICY_ROOT % 'detail',
- base.RULE_ADMIN_API,
+ base.RULE_ADMIN_OR_OWNER,
 "Show the detail of quota",
 [
 {
diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py
index ad671cfedd55..337d2efd681d 100644
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@@ -356,7 +356,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-networks-associate",
 "os_compute_api:os-quota-sets:update",
 "os_compute_api:os-quota-sets:delete",
-"os_compute_api:os-quota-sets:detail",
 "os_compute_api:os-security-group-default-rules",
 "os_compute_api:os-server-diagnostics",
 "os_compute_api:os-services",
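Review bot: The owner half of `base.RULE_ADMIN_OR_OWNER` on `POLICY_ROOT % 'detail'` (the nova/policies/quota_sets.py hunk) only restricts access if the API handler passes the requested project as the policy target, and that handler is not part of this patch. If the `detail` controller authorizes without an explicit target such as `{'project_id': id}`, the owner clause would presumably be checked against the caller's own project and pass for any authenticated user, which would let one project read another project's used and reserved counts. Please confirm the controller passes the requested project id, and consider a negative test where a non-admin from a different project is refused; the two test_policy.py hunks only move the rule name between lists and do not exercise that case. The `create_rule_default(...)` call and the enclosing `quota_sets_policies` list both continue outside the hunk.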
@@ -391,6 +390,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-pause-server:pause",
 "os_compute_api:os-pause-server:unpause",
 "os_compute_api:os-quota-sets:show",
+"os_compute_api:os-quota-sets:detail",
 "os_compute_api:server-metadata:index",
 "os_compute_api:server-metadata:show",
 "os_compute_api:server-metadata:delete",
diff --git a/releasenotes/notes/quota-show-detail-access-d6f37282d288fa33.yaml b/releasenotes/notes/quota-show-detail-access-d6f37282d288fa33.yaml
new file mode 100644
index 000000000000..48791011e735
--- /dev/null
+++ b/releasenotes/notes/quota-show-detail-access-d6f37282d288fa33.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+ - The default policy for os_compute_api:os-quota-sets:detail has
+ been changed to permit listing of quotas with details to project
+ users, not only to admins.