

Fix authorization checks for simple_usage.show
 * Normal users should be allowed to query their own usage info
 * Fixes bug 921327
 * Address bcwaldon's comment about using a default {} in authorize
 * Remove is_admin references
 * Rebase and change expected auth failure response from 401 to 403
 * Remove policy-related tests
 * Add back test_verify_show_cant_view_other_tenant, implemented with test policy

Change-Id: Ib0ce46419b7aedad34de957bfe2e60b10c5af11c
sleepsonthefloor authored and vishvananda committed Jan 26, 2012
1 parent 13dafc9 commit ca22fc9
Showing 5 changed files with 28 additions and 29 deletions.
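--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -33,7 +33,8 @@
 "compute_extension:security_groups": [],
 "compute_extension:server_action_list": [["rule:admin_api"]],
 "compute_extension:server_diagnostics": [["rule:admin_api"]],
-"compute_extension:simple_tenant_usage": [["rule:admin_api"]],
+"compute_extension:simple_tenant_usage:show": [["rule:admin_or_owner"]],
+"compute_extension:simple_tenant_usage:list": [["rule:admin_api"]],
 "compute_extension:users": [["rule:admin_api"]],
 "compute_extension:virtual_interfaces": [],
 "compute_extension:virtual_storage_arrays": [],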
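Review bot: The new `simple_tenant_usage:show` entry depends on `rule:admin_or_owner` matching `project_id:%(project_id)s` against the target the API now passes, and that rule's definition is not visible in this hunk. The cross-tenant test added in this commit installs its own inline rule (`["role:admin"], ["project_id:%(project_id)s"]`) rather than loading this file, so the shipped definition is never exercised by the suite. It would be worth confirming the `admin_or_owner` definition elsewhere in this file, or adding a test that loads etc/nova/policy.json and asserts that a show for another tenant is denied.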
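--- a/nova/api/openstack/compute/contrib/simple_tenant_usage.py
+++ b/nova/api/openstack/compute/contrib/simple_tenant_usage.py
@@ -29,7 +29,10 @@
 
 
 FLAGS = flags.FLAGS
-authorize = extensions.extension_authorizer('compute', 'simple_tenant_usage')
+authorize_show = extensions.extension_authorizer('compute',
+'simple_tenant_usage:show')
+authorize_list = extensions.extension_authorizer('compute',
+'simple_tenant_usage:list')
 
 
 def make_usage(elem):
@@ -110,8 +113,6 @@ def _tenant_usages_for_period(self, context, period_start,
 period_start,
 period_stop,
 tenant_id)
-from nova import log as logging
-logging.info(instances)
 rval = {}
 flavors = {}
 
@@ -212,10 +213,8 @@ def _get_datetime_range(self, req):
 def index(self, req):
 """Retrive tenant_usage for all tenants"""
 context = req.environ['nova.context']
-authorize(context)
 
-if not context.is_admin:
-return webob.Response(status_int=403)
+authorize_list(context)
 
 (period_start, period_stop, detailed) = self._get_datetime_range(req)
 usages = self._tenant_usages_for_period(context,
@@ -229,11 +228,8 @@ def show(self, req, id):
 """Retrive tenant_usage for a specified tenant"""
 tenant_id = id
 context = req.environ['nova.context']
-authorize(context)
 
-if not context.is_admin:
-if tenant_id != context.project_id:
-return webob.Response(status_int=403)
+authorize_show(context, {'project_id': tenant_id})
 
 (period_start, period_stop, ignore) = self._get_datetime_range(req)
 usage = self._tenant_usages_for_period(context,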
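Review bot: In `show`, the target handed to `authorize_show` is built from `id`, a caller-controlled path segment, and the tenant-ownership check that used to be explicit in code (`tenant_id != context.project_id`) now lives entirely in the policy rule, but nothing at the call site says so. I would add `# tenant_id comes from the URL; ownership is enforced by the simple_tenant_usage:show policy rule matching against this target's project_id` above the `authorize_show` call. `index` calls `authorize_list(context)` with no target, so the `:list` rule can only ever be role-based; a one-line comment at the `authorize_list` definition would stop someone later writing a `%(project_id)s` rule for it that can never match. The bodies of `index` and `show` continue past the end of their hunks.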
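--- a/nova/api/openstack/extensions.py
+++ b/nova/api/openstack/extensions.py
@@ -379,9 +379,11 @@ def load_standard_extensions(ext_mgr, logger, path, package):
 
 
 def extension_authorizer(api_name, extension_name):
-def authorize(context):
+def authorize(context, target=None):
+if target == None:
+target = {}
 action = '%s_extension:%s' % (api_name, extension_name)
-nova.policy.enforce(context, action, {})
+nova.policy.enforce(context, action, target)
 return authorize
 
 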
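Review bot: `if target == None:` in the new inner `authorize` should be `if target is None:`; `None` is a singleton, and `==` lets a dict-like target with a custom `__eq__` intercept the comparison. The `None`-default-then-`{}` pattern is the right way to avoid a shared mutable default, so only the operator needs to change. A short docstring on the inner function would also help now that it takes a second parameter: describe `target` as the attribute dict the policy rule's `%(key)s` matchers are evaluated against, with the default `{}` meaning only role-based checks can succeed.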
Expand Up @@ -22,6 +22,8 @@
import webob

from nova.api.openstack.compute.contrib import simple_tenant_usage
from nova import policy
from nova.common import policy as common_policy
from nova.compute import api
from nova import context
from nova import flags
Expand Down Expand Up @@ -133,18 +135,6 @@ def test_verify_detailed_index(self):
for j in xrange(SERVERS):
self.assertEqual(int(servers[j]['hours']), HOURS)

def test_verify_index_fails_for_nonadmin(self):
req = webob.Request.blank(
'/v2/faketenant_0/os-simple-tenant-usage?'
'detailed=1&start=%s&end=%s' %
(START.isoformat(), STOP.isoformat()))
req.method = "GET"
req.headers["content-type"] = "application/json"

res = req.get_response(fakes.wsgi_app(
fake_auth_context=self.user_context))
self.assertEqual(res.status_int, 403)

def test_verify_show(self):
req = webob.Request.blank(
'/v2/faketenant_0/os-simple-tenant-usage/'
Expand Down Expand Up @@ -175,9 +165,18 @@ def test_verify_show_cant_view_other_tenant(self):
req.method = "GET"
req.headers["content-type"] = "application/json"

res = req.get_response(fakes.wsgi_app(
fake_auth_context=self.alt_user_context))
self.assertEqual(res.status_int, 403)
rules = {
"compute_extension:simple_tenant_usage:show":
[["role:admin"], ["project_id:%(project_id)s"]]
}
common_policy.set_brain(common_policy.HttpBrain(rules))

try:
res = req.get_response(fakes.wsgi_app(
fake_auth_context=self.alt_user_context))
self.assertEqual(res.status_int, 403)
finally:
policy.reset()


class SimpleTenantUsageSerializerTest(test.TestCase):
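--- a/nova/tests/policy.json
+++ b/nova/tests/policy.json
@@ -92,7 +92,8 @@
 "compute_extension:security_groups": [],
 "compute_extension:server_action_list": [],
 "compute_extension:server_diagnostics": [],
-"compute_extension:simple_tenant_usage": [],
+"compute_extension:simple_tenant_usage:show": [],
+"compute_extension:simple_tenant_usage:list": [],
 "compute_extension:users": [],
 "compute_extension:virtual_interfaces": [],
 "compute_extension:virtual_storage_arrays": [],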
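Review bot: Both new entries grant unrestricted access (`[]`) in the test policy, so under the default test brain neither the admin-only `simple_tenant_usage:list` rule nor the owner check on `:show` is ever exercised; the one cross-tenant test in this commit has to install its own brain to obtain a denial. With `test_verify_index_fails_for_nonadmin` removed elsewhere in this commit, there is no longer any negative test for `:list` at all. Consider a companion test that sets `{"compute_extension:simple_tenant_usage:list": [["role:admin"]]}` via `common_policy.set_brain`, issues the index request as `self.user_context`, and asserts a 403, mirroring the new `test_verify_show_cant_view_other_tenant`.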

