From 29af2252a8bc97157a52fddca78b31224eb55dac Mon Sep 17 00:00:00 2001
From: Eoghan Glynn <eglynn@redhat.com>
Date: Fri, 14 Sep 2012 11:15:29 +0000
Subject: All security groups not returned to admins by default.

Fixes bug 1046054.

Previously security groups relating to all tenants were returned
when requested by an admin user.

Now only those groups related to the current tenant are returned
by default.

To recover the old behaviour, the all_tenants search option may
be specified via the native API with:

  /v2/<project_id>/os-security-groups?all_tenants=1

or via the EC2 API with:

  Action=DescribeSecurityGroups&Filter.1.Name=all-tenants&Filter.1.Value.1=1

Note that the latter is slightly ultra vires with respect to the
EC2 API spec, in the sense that this filter is in addition to the
standard set. Since we don't pay attention to many of these standard
filters as yet, this stepping slightly off-piste is deemed worth it.

Change-Id: I6157e408394d04096d21747d665e3b3aa6aa55de
---
 nova/compute/api.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'nova/compute')

diff --git a/nova/compute/api.py b/nova/compute/api.py
index c4476edb0..0b82d0ed5 100644
--- a/nova/compute/api.py
+++ b/nova/compute/api.py
@@ -2281,7 +2281,8 @@ class SecurityGroupAPI(base.Base):
             else:
                 raise
 
-    def list(self, context, names=None, ids=None, project=None):
+    def list(self, context, names=None, ids=None, project=None,
+             search_opts=None):
         self.ensure_default(context)
 
         groups = []
@@ -2296,7 +2297,14 @@ class SecurityGroupAPI(base.Base):
                     groups.append(self.db.security_group_get(context, id))
 
         elif context.is_admin:
-            groups = self.db.security_group_get_all(context)
+            # TODO(eglynn): support a wider set of search options than just
+            # all_tenants, at least include the standard filters defined for
+            # the EC2 DescribeSecurityGroups API for the non-admin case also
+            if (search_opts and 'all_tenants' in search_opts):
+                groups = self.db.security_group_get_all(context)
+            else:
+                groups = self.db.security_group_get_by_project(context,
+                                                               project)
 
         elif project:
             groups = self.db.security_group_get_by_project(context, project)
-- 
cgit