]> review.fuel-infra Code Review - openstack-build/cinder-build.git/commitdiff
Code Review / openstack-build / cinder-build.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: c8941ec)
Honor volume:get policy
authorZhiteng Huang <zhithuang@ebaysf.com>
Tue, 19 Aug 2014 14:27:26 +0000 (22:27 +0800)
committerZhiteng Huang <zhithuang@ebaysf.com>
Wed, 20 Aug 2014 17:47:31 +0000 (01:47 +0800)
The fix for bug 1356368 hard-coded a policy check (same as
rule:admin_or_owner) for volume:get.  While in most cases this is
what people want, it'd be good we honor policy setting.

Note that before commit 0505bb268942534ad5d6ecd5e34a4d9b0e7f5c04,
DB query volume_get() actually acted as the policy checker for
volume:get, and it raised VolumeNotFound if context.project_id didn't
match volume['project_id'].  The check_policy() in volume:get didn't
get a chance to raise PolicyNotAuthorized exception.  So in this
change we keep the same behavor.

Change-Id: If43cec5cce977b9220296709b4e243b35b06ecd5
Related-bug: #1356368

cinder/tests/policy.json patch | blob | history
cinder/volume/api.py patch | blob | history

diff --git a/cinder/tests/policy.json b/cinder/tests/policy.json
index e615dc9226cbb2168daf146b79ebd0704f553cf2..413be34f728553fce66521ea8a673ecd4753cb1d 100644 (file)
--- a/cinder/tests/policy.json
+++ b/cinder/tests/policy.json
@@ -4,7 +4,7 @@
     "admin_or_owner":  [["is_admin:True"], ["project_id:%(project_id)s"]],
 
     "volume:create": [],
-    "volume:get": [],
+    "volume:get": [["rule:admin_or_owner"]],
     "volume:get_all": [],
     "volume:get_volume_metadata": [],
     "volume:delete_volume_metadata": [],
diff --git a/cinder/volume/api.py b/cinder/volume/api.py
index a30333701708f869af6de1cabc2ca5d08ede185b..11ef072ee2b6a0cfa93b20e5482619d47e94a079 100644 (file)
--- a/cinder/volume/api.py
+++ b/cinder/volume/api.py
@@ -282,15 +282,19 @@ class API(base.Base):
         self.db.volume_update(context, volume['id'], fields)
 
     def get(self, context, volume_id, viewable_admin_meta=False):
+        old_ctxt = context.deepcopy()
         if viewable_admin_meta:
             ctxt = context.elevated()
         else:
             ctxt = context
         rv = self.db.volume_get(ctxt, volume_id)
         volume = dict(rv.iteritems())
-        if not context.is_admin and volume['project_id'] != context.project_id:
+        try:
+            check_policy(old_ctxt, 'get', volume)
+        except exception.PolicyNotAuthorized:
+            # raise VolumeNotFound instead to make sure Cinder behaves
+            # as it used to
             raise exception.VolumeNotFound(volume_id=volume_id)
-        check_policy(context, 'get', volume)
         return volume
 
     def get_all(self, context, marker=None, limit=None, sort_key='created_at',