From a2d9645703e54623df3593a3e5629fb3ad60765e Mon Sep 17 00:00:00 2001
From: Brian Waldon
Date: Tue, 31 Jan 2012 22:56:37 -0800
Subject: Expand policies for admin_actions extension
Fixes bug 924417
Change-Id: Ibf62e8e824753dff43e0e86cb9d320086c2c753b
---
 .../api/openstack/compute/contrib/admin_actions.py | 32 +++++++++++-----------
 1 file changed, 16 insertions(+), 16 deletions(-)
(limited to 'nova/api')
diff --git a/nova/api/openstack/compute/contrib/admin_actions.py b/nova/api/openstack/compute/contrib/admin_actions.py
index f68126fb2..a61150958 100644
--- a/nova/api/openstack/compute/contrib/admin_actions.py
+++ b/nova/api/openstack/compute/contrib/admin_actions.py
@@ -30,7 +30,11 @@ from nova.scheduler import api as scheduler_api
 FLAGS = flags.FLAGS
 LOG = logging.getLogger("nova.api.openstack.compute.contrib.admin_actions")
-authorize = extensions.extension_authorizer('compute', 'admin_actions')
+
+
+def authorize(context, action_name):
+ action = 'admin_actions:%s' % action_name
+ extensions.extension_authorizer('compute', action)(context)
 class AdminActionsController(wsgi.Controller):
@@ -46,7 +50,7 @@ class AdminActionsController(wsgi.Controller):
 def _pause(self, req, id, body):
 """Permit Admins to pause the server"""
 ctxt = req.environ['nova.context']
- authorize(ctxt)
+ authorize(ctxt, 'pause')
 try:
 server = self.compute_api.get(ctxt, id)
 self.compute_api.pause(ctxt, server)
@@ -65,7 +69,7 @@ class AdminActionsController(wsgi.Controller):
 def _unpause(self, req, id, body):
 """Permit Admins to unpause the server"""
 ctxt = req.environ['nova.context']
- authorize(ctxt)
+ authorize(ctxt, 'unpause')
 try:
 server = self.compute_api.get(ctxt, id)
 self.compute_api.unpause(ctxt, server)
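Review bot: In the first hunk, the new `authorize(context, action_name)` looks up a separate rule per action (`'admin_actions:%s' % action_name`) where one `admin_actions` rule used to cover everything, so a policy file that still defines only the old rule leaves all eleven actions to whatever the policy engine does with a rule name it cannot find. This patch view is limited to 'nova/api', so a matching policy-file update is not visible here; it should ship an explicit admin-only entry for each new name, because a permissive default would silently widen access, most visibly for `_migrate_live`, which loses its hard-coded admin check in the last hunk. The helper would also benefit from a docstring, for example `"""Enforce the 'admin_actions:<action_name>' policy rule for this request context."""`.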
@@ -84,7 +88,7 @@ class AdminActionsController(wsgi.Controller):
 def _suspend(self, req, id, body):
 """Permit admins to suspend the server"""
 context = req.environ['nova.context']
- authorize(context)
+ authorize(context, 'suspend')
 try:
 server = self.compute_api.get(context, id)
 self.compute_api.suspend(context, server)
@@ -103,7 +107,7 @@ class AdminActionsController(wsgi.Controller):
 def _resume(self, req, id, body):
 """Permit admins to resume the server from suspend"""
 context = req.environ['nova.context']
- authorize(context)
+ authorize(context, 'resume')
 try:
 server = self.compute_api.get(context, id)
 self.compute_api.resume(context, server)
@@ -122,7 +126,7 @@ class AdminActionsController(wsgi.Controller):
 def _migrate(self, req, id, body):
 """Permit admins to migrate a server to a new host"""
 context = req.environ['nova.context']
- authorize(context)
+ authorize(context, 'migrate')
 try:
 instance = self.compute_api.get(context, id)
 self.compute_api.resize(req.environ['nova.context'], instance)
@@ -140,7 +144,7 @@ class AdminActionsController(wsgi.Controller):
 def _reset_network(self, req, id, body):
 """Permit admins to reset networking on an server"""
 context = req.environ['nova.context']
- authorize(context)
+ authorize(context, 'resetNetwork')
 try:
 instance = self.compute_api.get(context, id)
 self.compute_api.reset_network(context, instance)
@@ -156,7 +160,7 @@ class AdminActionsController(wsgi.Controller):
 def _inject_network_info(self, req, id, body):
 """Permit admins to inject network info into a server"""
 context = req.environ['nova.context']
- authorize(context)
+ authorize(context, 'injectNetworkInfo')
 try:
 instance = self.compute_api.get(context, id)
 self.compute_api.inject_network_info(context, instance)
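Review bot: In the `_migrate` hunk the policy check runs on the local `context`, but the unchanged `resize` call two lines below reads `req.environ['nova.context']` a second time instead of passing that local. It is the same object as written, yet using one name for both the check and the call makes it plain that the context that was authorized is the one acted on: `self.compute_api.resize(context, instance)`. The method body continues past the end of the hunk.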
@@ -174,7 +178,7 @@ class AdminActionsController(wsgi.Controller):
 def _lock(self, req, id, body):
 """Permit admins to lock a server"""
 context = req.environ['nova.context']
- authorize(context)
+ authorize(context, 'lock')
 try:
 instance = self.compute_api.get(context, id)
 self.compute_api.lock(context, instance)
@@ -192,7 +196,7 @@ class AdminActionsController(wsgi.Controller):
 def _unlock(self, req, id, body):
 """Permit admins to lock a server"""
 context = req.environ['nova.context']
- authorize(context)
+ authorize(context, 'unlock')
 try:
 instance = self.compute_api.get(context, id)
 self.compute_api.unlock(context, instance)
@@ -217,7 +221,7 @@ class AdminActionsController(wsgi.Controller):
 """
 context = req.environ["nova.context"]
- authorize(context)
+ authorize(context, 'createBackup')
 try:
 entity = body["createBackup"]
@@ -278,11 +282,7 @@ class AdminActionsController(wsgi.Controller):
 def _migrate_live(self, req, id, body):
 """Permit admins to (live) migrate a server to a new host"""
 context = req.environ["nova.context"]
- # Expected to use AuthMiddleware.
- # Otherwise, non-admin user can use live migration
- if not context.is_admin:
- msg = _("Live migration is admin only functionality")
- raise exc.HTTPForbidden(explanation=msg)
+ authorize(context, 'migrateLive')
 try:
 block_migration = body["os-migrateLive"]["block_migration"]
-- cgit
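Review bot: The docstring shown in the `_unlock` hunk still reads `"""Permit admins to lock a server"""`, a copy of the `_lock` docstring; it should say unlock. More broadly, every handler touched by this patch keeps a "Permit admins to …" docstring although access is now decided by a per-action policy rule rather than by admin status. Wording such as `"""Unlock a server; access is governed by the 'admin_actions:unlock' policy rule."""` would describe what the new code enforces. The method bodies continue outside the hunks.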
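Review bot: The action name passed to the policy check in the `_migrate_live` hunk is `'migrateLive'`, while the request body key two lines below is `"os-migrateLive"`; for `createBackup` the two names match. An operator who derives rule names from the API action names would write a rule that this check never consults, and the hard-coded `context.is_admin` guard removed here no longer backstops that mistake. Either use the API action name in the check, `authorize(context, 'os-migrateLive')`, or put a comment beside the call stating that the rule name deliberately drops the `os-` prefix. The method body continues past the end of the hunk.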