From 6e35b5785d12513dc0076145f4de5e1f98034250 Mon Sep 17 00:00:00 2001
From: Dan Prince
Date: Sat, 28 Jan 2012 22:52:29 -0500
Subject: Add 'all_tenants' filter to GET /servers.
Update the OpenStack API's GET /servers method so that it only returns servers from a single tenant when an admin account is used. Adds an 'all_tenants' filter option that can be used to obtain servers from all tenants (legacy behavior). Fixes LP Bug # 923218.
Change-Id: I2fd3bd3e2c374ff1aed9c11006585c3f93449c6e
---
 nova/api/openstack/compute/servers.py | 11 ++++++
 nova/tests/api/openstack/compute/test_servers.py | 44 ++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
diff --git a/nova/api/openstack/compute/servers.py b/nova/api/openstack/compute/servers.py
index d0e771e22..1a9411bb6 100644
--- a/nova/api/openstack/compute/servers.py
+++ b/nova/api/openstack/compute/servers.py
@@ -450,6 +450,17 @@ class Controller(wsgi.Controller):
 # No 'changes-since', so we only want non-deleted servers
 search_opts['deleted'] = False
+ # NOTE(dprince) This prevents computes' get_all() from returning
+ # instances from multiple tenants when an admin accounts is used.
+ # By default non-admin accounts are always limited to project/user
+ # both here and in the compute API.
+ if not context.is_admin or (context.is_admin and 'all_tenants'
+ not in search_opts):
+ if context.project_id:
+ search_opts['project_id'] = context.project_id
+ else:
+ search_opts['user_id'] = context.user_id
+
 instance_list = self.compute_api.get_all(context,
 search_opts=search_opts)
diff --git a/nova/tests/api/openstack/compute/test_servers.py b/nova/tests/api/openstack/compute/test_servers.py
index c6c7fcc43..42018a23d 100644
--- a/nova/tests/api/openstack/compute/test_servers.py
+++ b/nova/tests/api/openstack/compute/test_servers.py
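Review bot: The admin branch in `servers.py` checks only that the key `all_tenants` is present in `search_opts`, so a request such as `?all_tenants=0` would presumably lift the tenant restriction exactly as `?all_tenants=1` does; for an option that widens a listing across tenants, the value should be parsed rather than its mere presence tested. Something like `all_tenants = str(search_opts.get('all_tenants', '')).lower() in ('1', 'true', 'yes')` followed by `if not (context.is_admin and all_tenants):` would do that, and it also drops the redundant `context.is_admin and` inside the parentheses. The key also appears to stay in `search_opts` when it is handed to `compute_api.get_all()`; how that call treats a filter name it does not know is outside the hunk, so confirm it or remove the key first. The comment has a small typo (`an admin accounts`), and the enclosing method begins and ends outside this hunk.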
@@ -884,6 +884,50 @@ class ServersControllerTest(test.TestCase):
 self.assertTrue('servers' in res)
+ def test_admin_restricted_tenant(self):
+ def fake_get_all(context, filters=None, instances=None):
+ self.assertNotEqual(filters, None)
+ self.assertEqual(filters['project_id'], 'fake')
+ return [fakes.stub_instance(100)]
+
+ self.stubs.Set(nova.db, 'instance_get_all_by_filters',
+ fake_get_all)
+
+ req = fakes.HTTPRequest.blank('/v2/fake/servers',
+ use_admin_context=True)
+ res = self.controller.index(req)
+
+ self.assertTrue('servers' in res)
+
+ def test_admin_all_tenants(self):
+ def fake_get_all(context, filters=None, instances=None):
+ self.assertNotEqual(filters, None)
+ self.assertTrue('project_id' not in filters)
+ return [fakes.stub_instance(100)]
+
+ self.stubs.Set(nova.db, 'instance_get_all_by_filters',
+ fake_get_all)
+
+ req = fakes.HTTPRequest.blank('/v2/fake/servers?all_tenants=1',
+ use_admin_context=True)
+ res = self.controller.index(req)
+
+ self.assertTrue('servers' in res)
+
+ def test_all_tenants(self):
+ def fake_get_all(context, filters=None, instances=None):
+ self.assertNotEqual(filters, None)
+ self.assertEqual(filters['project_id'], 'fake')
+ return [fakes.stub_instance(100)]
+
+ self.stubs.Set(nova.db, 'instance_get_all_by_filters',
+ fake_get_all)
+
+ req = fakes.HTTPRequest.blank('/v2/fake/servers?all_tenants=1')
+ res = self.controller.index(req)
+
+ self.assertTrue('servers' in res)
+
 def test_get_servers_allows_flavor(self):
 server_uuid = str(utils.gen_uuid())
-- cgit
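Review bot: In all three new tests the tenant-scoping assertions live only inside `fake_get_all`, while the test body itself checks just `'servers' in res`, so nothing confirms that the stub, and with it the `project_id` check, actually ran. Recording the call in the stub (for example `self.get_all_called = True`) and ending each test with `self.assertTrue(self.get_all_called)` would make the isolation check explicit. The cases also stop at `all_tenants=1`: an admin request carrying a falsy value such as `?all_tenants=0`, and the `user_id` fallback taken when the context has no `project_id`, are not exercised. `test_all_tenants` covers the non-admin path, so a name like `test_all_tenants_non_admin` would say what it guards.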