| author | Eoghan Glynn <eglynn@redhat.com> | 2012-09-14 11:15:29 +0000 |
|---|---|---|
| committer | Eoghan Glynn <eglynn@redhat.com> | 2012-09-14 13:41:34 +0100 |
| commit | 29af2252a8bc97157a52fddca78b31224eb55dac (patch) | |
| tree | 8dfd54748c6932257901e7a42a397361b373d9f3 /nova/compute | |
| parent | 81b2c8b2a33891d42670e60523d42a85ad227625 (diff) | |
All security groups not returned to admins by default.
Fixes bug 1046054.
Previously security groups relating to all tenants were returned
when requested by an admin user.
Now only those groups related to the current tenant are returned
by default.
To recover the old behaviour, the all_tenants search option may
be specified via the native API with:
/v2/<project_id>/os-security-groups?all_tenants=1
or via the EC2 API with:
Action=DescribeSecurityGroups&Filter.1.Name=all-tenants&Filter.1.Value.1=1
Note that the latter is slightly ultra vires with respect to the
EC2 API spec, in the sense that this filter is in addition to the
standard set. Since we don't pay attention to many of these standard
filters as yet, this stepping slightly off-piste is deemed worth it.
Change-Id: I6157e408394d04096d21747d665e3b3aa6aa55de
Diffstat (limited to 'nova/compute')
| -rw-r--r-- | nova/compute/api.py | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/nova/compute/api.py b/nova/compute/api.py
index c4476edb0..0b82d0ed5 100644
--- a/nova/compute/api.py
+++ b/nova/compute/api.py
@@ -2281,7 +2281,8 @@ class SecurityGroupAPI(base.Base):
 else:
 raise
- def list(self, context, names=None, ids=None, project=None):
+ def list(self, context, names=None, ids=None, project=None,
+ search_opts=None):
 self.ensure_default(context)
 groups = []
@@ -2296,7 +2297,14 @@ class SecurityGroupAPI(base.Base):
 groups.append(self.db.security_group_get(context, id))
 elif context.is_admin:
- groups = self.db.security_group_get_all(context)
+ # TODO(eglynn): support a wider set of search options than just
+ # all_tenants, at least include the standard filters defined for
+ # the EC2 DescribeSecurityGroups API for the non-admin case also
+ if (search_opts and 'all_tenants' in search_opts):
+ groups = self.db.security_group_get_all(context)
+ else:
+ groups = self.db.security_group_get_by_project(context,
+ project)
 elif project:
 groups = self.db.security_group_get_by_project(context, project) |
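Review bot: The new `search_opts` parameter of `list()` is undocumented, and no docstring in this hunk tells callers that an admin call is now scoped to `project` unless `all_tenants` is requested. Since this changes the tenant-isolation contract of the method, a short docstring would help. It should say that `search_opts` is an optional dict, that only the `all_tenants` key is honoured, and that without it admins get the groups of `project` only. The body of `list()` continues outside this hunk.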
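Review bot: The admin branch tests only for the presence of the `all_tenants` key, so a request carrying `all_tenants=0` would still return every tenant's groups if the API layers pass query parameters through unchanged (those callers are outside this diff). Checking the value keeps the cross-tenant listing strictly opt-in, for example `if search_opts and str(search_opts.get('all_tenants')).lower() in ('1', 'true'):`. The new else branch also passes `project` straight to `security_group_get_by_project`, and `project` defaults to None in the signature. An admin caller that omits it would therefore query for no project; `project or context.project_id` would avoid that. The `list()` body starts and ends outside this hunk.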
