add code for using new way of roles from context

vinodkumarboppanna · Mar 20, 2014 · 4147173 · 4147173
1 parent 7d2462d
commit 4147173
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 7 deletions.
diff --git a/files/policy.json b/files/policy.json
@@ -3,6 +3,11 @@
     "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
     "default": "rule:admin_or_owner",
 
+    "project_admin":  "role:project-admin and project_id:%(project_id)s"
+    "admin_or_project_admin": "rule: context_is_admin or rule:project_admin"
+    "member": "role:member and project_id:%(project_id)s"
+    "admin_or_project_admin_or_member": "rule:admin_or_project_admin or rule:member"
+
     "cells_scheduler_filter:TargetCellFilter": "is_admin:True",
 
     "compute:create": "",
@@ -185,9 +190,9 @@
     "compute_extension:networks_associate": "rule:admin_api",
     "compute_extension:v3:os-pci:pci_servers": "",
     "compute_extension:v3:os-pci:discoverable": "",
-    "compute_extension:quotas:show": "rule:admin_or_owner",
-    "compute_extension:quotas:update": "rule:admin_api",
-    "compute_extension:quotas:delete": "rule:admin_api",
+    "compute_extension:quotas:show": "rule:admin_or_project_admin_or_owner",
+    "compute_extension:quotas:update": "rule:admin_or_project_admin",
+    "compute_extension:quotas:delete": "rule:admin_or_project_admin",
     "compute_extension:v3:os-quota-sets:discoverable": "",
     "compute_extension:v3:os-quota-sets:show": "",
     "compute_extension:v3:os-quota-sets:update": "rule:admin_api",

diff --git a/nova/api/openstack/compute/contrib/quotas.py b/nova/api/openstack/compute/contrib/quotas.py
@@ -97,15 +97,24 @@ def _get_quotas(self, context, id, user_id=None, usages=False):
     def show(self, req, id):
         ### The id here is the project hierarchy in the API URL
         context = req.environ['nova.context']
-        authorize_show(context)
         params = urlparse.parse_qs(req.environ.get('QUERY_STRING', ''))
         user_id = None
         if self.ext_mgr.is_loaded('os-user-quotas'):
             user_id = params.get('user_id', [None])[0]
+
+        complete_id = context.project_id + '.' + id
+        """complete_id will be something like projH.projA.projA1 i.e starting
+        from the root to the level at which the operation is being executed
+        """
+
+        target = {'project_id': complete_id,
+                  'user_id': user_id}
+        authorize_show(context, target)
         try:
-            nova.context.authorize_project_context(context, id)
-            return self._format_quota_set(id,
-                    self._get_quotas(context, id, user_id=user_id))
+            nova.context.authorize_project_context(context, complete_id)
+            return self._format_quota_set(complete_id,
+                    self._get_quotas(context, complete_id, user_id=user_id))
+            ### The Quotas table also stores the complete heirarchy
         except exception.NotAuthorized:
             raise webob.exc.HTTPForbidden()