Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Enforce flavor access during instance boot
The code in the servers API did not pass the context when retrieving
flavor details.  That means it would use an admin context instead,
bypassing all flavor access control checks.

This patch includes the fix, and the corresponding unit test for the v2
API.

Closes-bug: #1212179

(cherry picked from commit 4054cc4)

Conflicts:
	nova/api/openstack/compute/plugins/v3/servers.py
	nova/api/openstack/compute/servers.py
	nova/tests/api/openstack/compute/plugins/v3/test_servers.py
	nova/tests/api/openstack/compute/test_servers.py

Change-Id: I681ae9965e19767df22fa74c3315e4e03a459d3b
  • Loading branch information
russellb committed Aug 22, 2013
1 parent 37e3b55 commit 8b68619
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 3 deletions.
3 changes: 2 additions & 1 deletion nova/api/openstack/compute/servers.py
Expand Up @@ -873,7 +873,8 @@ def create(self, req, body):

try:
_get_inst_type = instance_types.get_instance_type_by_flavor_id
inst_type = _get_inst_type(flavor_id, read_deleted="no")
inst_type = _get_inst_type(flavor_id, ctxt=context,
read_deleted="no")

(instances, resv_id) = self.compute_api.create(context,
inst_type,
Expand Down
22 changes: 20 additions & 2 deletions nova/tests/api/openstack/compute/test_servers.py
Expand Up @@ -1822,10 +1822,10 @@ def _check_admin_pass_missing(self, server_dict):
"""utility function - check server_dict for absence of adminPass."""
self.assertTrue("adminPass" not in server_dict)

def _test_create_instance(self):
def _test_create_instance(self, flavor=2):
image_uuid = 'c905cedb-7281-47e4-8a62-f26bc5fc4c77'
body = dict(server=dict(
name='server_test', imageRef=image_uuid, flavorRef=2,
name='server_test', imageRef=image_uuid, flavorRef=flavor,
metadata={'hello': 'world', 'open': 'stack'},
personality={}))
req = fakes.HTTPRequest.blank('/v2/fake/servers')
Expand All @@ -1837,6 +1837,24 @@ def _test_create_instance(self):
self._check_admin_pass_len(server)
self.assertEqual(FAKE_UUID, server['id'])

def test_create_instance_private_flavor(self):
values = {
'name': 'fake_name',
'memory_mb': 512,
'vcpus': 1,
'root_gb': 10,
'ephemeral_gb': 10,
'flavorid': '1324',
'swap': 0,
'rxtx_factor': 0.5,
'vcpu_weight': 1,
'disabled': False,
'is_public': False,
}
db.instance_type_create(context.get_admin_context(), values)
self.assertRaises(webob.exc.HTTPBadRequest, self._test_create_instance,
flavor=1324)

def test_create_server_bad_image_href(self):
image_href = 1
flavor_ref = 'http://localhost/123/flavors/3'
Expand Down

0 comments on commit 8b68619

Please sign in to comment.