| author | Anthony Young <sleepsonthefloor@gmail.com> | 2012-01-24 17:05:20 -0800 |
|---|---|---|
| committer | Vishvananda Ishaya <vishvananda@gmail.com> | 2012-01-25 20:48:41 -0800 |
| commit | ca22fc9d3114ebb9d8b1e07f951941ac2028a1c1 (patch) | |
| tree | 8e71aee96b1e08734773f2623669b34b10d26813 /nova/api | |
| parent | 13dafc977d5ac79e3cbf2e324bb0250ed343d7a2 (diff) | |
Fix authorization checks for simple_usage.show
* Normal users should be allowed to query their own usage info
* Fixes bug 921327
* Address bcwaldon's comment about using a default {} in authorize
* Remove is_admin references
* Rebase and change expected auth failure response from 401 to 403
* Remove policy-related tests
* Add back test_verify_show_cant_view_other_tenant, implemented with test policy
Change-Id: Ib0ce46419b7aedad34de957bfe2e60b10c5af11c
Diffstat (limited to 'nova/api')
| -rw-r--r-- | nova/api/openstack/compute/contrib/simple_tenant_usage.py | 16 | ||||
| -rw-r--r-- | nova/api/openstack/extensions.py | 6 |
2 files changed, 10 insertions, 12 deletions
diff --git a/nova/api/openstack/compute/contrib/simple_tenant_usage.py b/nova/api/openstack/compute/contrib/simple_tenant_usage.py
index 576f37fd8..eb32e9f08 100644
--- a/nova/api/openstack/compute/contrib/simple_tenant_usage.py
+++ b/nova/api/openstack/compute/contrib/simple_tenant_usage.py
@@ -29,7 +29,10 @@ from nova import flags
 FLAGS = flags.FLAGS
-authorize = extensions.extension_authorizer('compute', 'simple_tenant_usage')
+authorize_show = extensions.extension_authorizer('compute',
+ 'simple_tenant_usage:show')
+authorize_list = extensions.extension_authorizer('compute',
+ 'simple_tenant_usage:list')
 def make_usage(elem):
@@ -110,8 +113,6 @@ class SimpleTenantUsageController(object):
 period_start, period_stop, tenant_id)
- from nova import log as logging
- logging.info(instances)
 rval = {}
 flavors = {}
@@ -212,10 +213,8 @@ class SimpleTenantUsageController(object):
 def index(self, req):
 """Retrive tenant_usage for all tenants"""
 context = req.environ['nova.context']
- authorize(context)
- if not context.is_admin:
- return webob.Response(status_int=403)
+ authorize_list(context)
 (period_start, period_stop, detailed) = self._get_datetime_range(req)
 usages = self._tenant_usages_for_period(context,
@@ -229,11 +228,8 @@ class SimpleTenantUsageController(object):
 """Retrive tenant_usage for a specified tenant"""
 tenant_id = id
 context = req.environ['nova.context']
- authorize(context)
- if not context.is_admin:
- if tenant_id != context.project_id:
- return webob.Response(status_int=403)
+ authorize_show(context, {'project_id': tenant_id})
 (period_start, period_stop, ignore) = self._get_datetime_range(req)
 usage = self._tenant_usages_for_period(context,
diff --git a/nova/api/openstack/extensions.py b/nova/api/openstack/extensions.py
index bf415765c..b40920f40 100644
--- a/nova/api/openstack/extensions.py
+++ b/nova/api/openstack/extensions.py
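Review bot: The two new policy actions, `compute_extension:simple_tenant_usage:list` and `compute_extension:simple_tenant_usage:show`, become the only access control on this extension, because the `index` and `show` hunks further down drop the hard-coded `context.is_admin` checks. `index` returns usage for every tenant, so it stays admin-only only if the deployed policy file maps the `:list` action to an admin rule; the diffstat is limited to nova/api, so that policy change is not visible here and should be confirmed. I would add a comment above the authorizers, for example `# :list spans all tenants and must map to an admin-only rule; :show is checked against the target project_id`, and call out the new rule names for operators who carry a customised policy file.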
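Review bot: In `show`, the tenant isolation that the removed `tenant_id != context.project_id` comparison enforced now depends on the `:show` policy rule comparing the target's `project_id` with the caller's, and nothing at the call site says so. `tenant_id` is taken directly from the request's `id` argument, so a rule that does not reference the target would let any authenticated caller read another tenant's usage. A comment on the call would make the contract explicit: `# target project_id is the requested tenant; the :show rule must match it against the caller's project`. The commit message mentions test_verify_show_cant_view_other_tenant running with a test policy, which is outside this diffstat; it is worth confirming that the shipped default rule is covered as well. The `show` signature sits above the hunk.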
@@ -379,9 +379,11 @@ def load_standard_extensions(ext_mgr, logger, path, package):
 def extension_authorizer(api_name, extension_name):
- def authorize(context):
+ def authorize(context, target=None):
+ if target == None:
+ target = {}
 action = '%s_extension:%s' % (api_name, extension_name)
- nova.policy.enforce(context, action, {})
+ nova.policy.enforce(context, action, target)
 return authorize |
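Review bot: `if target == None:` in the new `authorize` should be an identity test, `if target is None:`; `==` dispatches to the target's `__eq__`, so an object that compares equal to None would be silently replaced by an empty dict. Separately, defaulting to `{}` means a caller that forgets to pass a target gets no error, and how a rule that references a target field behaves on an empty target depends on `nova.policy.enforce`, which is not shown here. A short docstring on `authorize` stating that `target` is the dict describing the object being accessed (for example `{'project_id': ...}`) would help callers that rely on per-object rules.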
