diff options
| author | David McNally <dave.mcnally@hp.com> | 2012-10-24 16:39:29 +0100 |
|---|---|---|
| committer | David McNally <dave.mcnally@hp.com> | 2012-11-01 09:33:05 +0000 |
| commit | f17ebebcf76bafb8250e84227dd244f520904072 (patch) | |
| tree | d701d6447a95fdb77b7fa890ecbd5f83ee88d4c0 | |
| parent | 7db75002668dfc9d91914feaea67f49f947099b9 (diff) | |
| download | nova-f17ebebcf76bafb8250e84227dd244f520904072.tar.gz nova-f17ebebcf76bafb8250e84227dd244f520904072.tar.xz nova-f17ebebcf76bafb8250e84227dd244f520904072.zip | |
Ability to specify a host restricted to admin.
Fixes bug 1070880
There is functionality in place, which uses the
format "az:host" on the --availability_zone
parameter to a create request to force scheduling
of an instance onto a specific host. However,
this is limited to users with Admin context.
This fix alters this behaviour to use a specific
policy action allowing fine-grained control over
which users have access to this functionality.
Change-Id: Ibb0e43492dfa2699ab26318736ca55a60b7b4468
| -rw-r--r-- | etc/nova/policy.json | 1 | ||||
| -rw-r--r-- | nova/compute/api.py | 3 | ||||
| -rw-r--r-- | nova/tests/compute/test_compute.py | 17 |
3 files changed, 20 insertions, 1 deletions
diff --git a/etc/nova/policy.json b/etc/nova/policy.json index f77f733c6..bd015802a 100644 --- a/etc/nova/policy.json +++ b/etc/nova/policy.json @@ -7,6 +7,7 @@ "compute:create": "", "compute:create:attach_network": "", "compute:create:attach_volume": "", + "compute:create:forced_host": "is_admin:True", "compute:get_all": "", diff --git a/nova/compute/api.py b/nova/compute/api.py index 601b75e86..a6ae08ec8 100644 --- a/nova/compute/api.py +++ b/nova/compute/api.py @@ -499,7 +499,8 @@ class API(base.Base): LOG.debug(_("Going to run %s instances...") % num_instances) filter_properties = dict(scheduler_hints=scheduler_hints) - if context.is_admin and forced_host: + if forced_host: + check_policy(context, 'create:forced_host', {}) filter_properties['force_hosts'] = [forced_host] for i in xrange(num_instances): diff --git a/nova/tests/compute/test_compute.py b/nova/tests/compute/test_compute.py index 9abca178f..1ba90c4b8 100644 --- a/nova/tests/compute/test_compute.py +++ b/nova/tests/compute/test_compute.py @@ -5246,6 +5246,23 @@ class ComputePolicyTestCase(BaseTestCase): self.compute_api.get_instance_faults, self.context, instances) + def test_force_host_fail(self): + rules = {"compute:create": [], + "compute:create:forced_host": [["role:fake"]]} + self._set_rules(rules) + + self.assertRaises(exception.PolicyNotAuthorized, + self.compute_api.create, self.context, None, '1', + availability_zone='1:1') + + def test_force_host_pass(self): + rules = {"compute:create": [], + "compute:create:forced_host": []} + self._set_rules(rules) + + self.compute_api.create(self.context, None, '1', + availability_zone='1:1') + class ComputeHostAPITestCase(BaseTestCase): def setUp(self): |