From: Joel Coffman Date: Tue, 20 Aug 2013 17:02:24 +0000 (-0400) Subject: Relax policy so owner can access encryption info X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=51fc2bd41e236404a8db8e4beefd0ec265fb1a5a;p=openstack-build%2Fcinder-build.git Relax policy so owner can access encryption info The admin only policy is too restrictive to allow Nova to access a volume's encryption metadata using the owner's request context. Hence, this commit relaxes the policy for the volume encryption metadata API extension so the metadata is accessible to the volume's owner. Implements: blueprint encrypt-cinder-volumes Change-Id: Ia946850b79f7f717ab7528caf7cac2905e650917 SecurityImpact
---
diff --git a/cinder/api/contrib/volume_type_encryption.py b/cinder/api/contrib/volume_type_encryption.py
index aede70f9f..6c9684f43 100644
--- a/cinder/api/contrib/volume_type_encryption.py
+++ b/cinder/api/contrib/volume_type_encryption.py
@@ -40,7 +40,7 @@ class VolumeTypeEncryptionTemplate(xmlutil.TemplateBuilder):
 class VolumeTypeEncryptionController(wsgi.Controller):
- """The volume type encryption API controller for the OpenStack API """
+ """The volume type encryption API controller for the OpenStack API."""
 def _get_volume_type_encryption(self, context, type_id):
 encryption_ref = db.volume_type_encryption_get(context, type_id)
diff --git a/cinder/db/sqlalchemy/api.py b/cinder/db/sqlalchemy/api.py
index 265f7cb19..307a895fa 100644
--- a/cinder/db/sqlalchemy/api.py
+++ b/cinder/db/sqlalchemy/api.py
@@ -1817,7 +1817,6 @@ def volume_type_encryption_delete(context, volume_type_id):
 'updated_at': literal_column('updated_at')})
-# TODO(joel-coffman): split into two functions -- update and create
 @require_admin_context
 def volume_type_encryption_update_or_create(context, volume_type_id, values):
@@ -1847,7 +1846,7 @@ def volume_type_encryption_volume_get(context, volume_type_id, session=None):
 ####################
-@require_admin_context
+@require_context
 def volume_encryption_metadata_get(context, volume_id, session=None):
 """Return the encryption key id for a given volume."""
diff --git a/cinder/tests/api/contrib/test_volume_encryption_metadata.py b/cinder/tests/api/contrib/test_volume_encryption_metadata.py
index a14a2b3ac..8a2ed0616 100644
--- a/cinder/tests/api/contrib/test_volume_encryption_metadata.py
+++ b/cinder/tests/api/contrib/test_volume_encryption_metadata.py
@@ -74,11 +74,11 @@ class VolumeEncryptionMetadataTest(test.TestCase):
 self.stubs.Set(db.sqlalchemy.api, 'volume_type_encryption_get', return_volume_type_encryption_metadata)
- self.ctxt = context.RequestContext('fake', 'fake', is_admin=True)
+ self.ctxt = context.RequestContext('fake', 'fake')
 self.volume_id = self._create_volume(self.ctxt)
 def tearDown(self):
- db.volume_destroy(self.ctxt, self.volume_id)
+ db.volume_destroy(self.ctxt.elevated(), self.volume_id)
 super(VolumeEncryptionMetadataTest, self).tearDown()
 def test_index(self):
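Review bot: With `@require_context` on `volume_encryption_metadata_get` in cinder/db/sqlalchemy/api.py, the decorator no longer restricts this lookup to admins, so whether a caller can read another project's key id now depends on the function body, which lies outside the hunk. If the body resolves `volume_id` through a project-scoped volume query, a comment should say so, for example `# Non-admin callers are limited to their own project by the volume lookup below.`; if it does not, an explicit comparison of the volume's project_id with `context.project_id` is needed before the key id is returned. The same question applies to the `admin_or_owner` rule in both policy.json hunks: `project_id:%(project_id)s` only proves ownership when the extension passes the volume as the policy target, and that call is not part of this commit.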
@@ -189,26 +189,17 @@ class VolumeEncryptionMetadataTest(test.TestCase):
 % bad_volume_id}}
 self.assertEqual(expected, res_dict)
- def test_retrieve_key_not_admin(self):
+ def test_retrieve_key_admin(self):
 self.stubs.Set(volume_types, 'is_encrypted', lambda *a, **kw: True)
- ctxt = self.ctxt.deepcopy()
- ctxt.is_admin = False
+ ctxt = context.RequestContext('fake', 'fake', is_admin=True)
 req = webob.Request.blank('/v2/fake/volumes/%s/encryption/' 'encryption_key_id' % self.volume_id)
 res = req.get_response(fakes.wsgi_app(fake_auth_context=ctxt))
- self.assertEqual(403, res.status_code)
- res_dict = json.loads(res.body)
+ self.assertEqual(200, res.status_code)
- expected = {
- 'forbidden': {
- 'code': 403,
- 'message': ("Policy doesn't allow volume_extension:"
- "volume_encryption_metadata to be performed.")
- }
- }
- self.assertEqual(expected, res_dict)
+ self.assertEqual('fake_key', res.body)
 def test_show_volume_not_encrypted_type(self):
 self.stubs.Set(volume_types, 'is_encrypted', lambda *a, **kw: False)
diff --git a/cinder/tests/policy.json b/cinder/tests/policy.json
index ab48d86d4..98f126f84 100644
--- a/cinder/tests/policy.json
+++ b/cinder/tests/policy.json
@@ -1,6 +1,7 @@
 {
 "context_is_admin": [["role:admin"]],
 "admin_api": [["is_admin:True"]],
+ "admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]],
 "volume:create": [],
 "volume:get": [],
@@ -37,7 +38,7 @@
 "volume_extension:types_manage": [],
 "volume_extension:types_extra_specs": [],
 "volume_extension:volume_type_encryption": [["rule:admin_api"]],
- "volume_extension:volume_encryption_metadata": [["rule:admin_api"]],
+ "volume_extension:volume_encryption_metadata": [["rule:admin_or_owner"]],
 "volume_extension:extended_snapshot_attributes": [],
 "volume_extension:volume_image_metadata": [],
 "volume_extension:volume_host_attribute": [["rule:admin_api"]],
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index f311bba84..c8aaaa960 100644
--- a/etc/cinder/policy.json
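Review bot: Replacing `test_retrieve_key_not_admin` with `test_retrieve_key_admin` in cinder/tests/api/contrib/test_volume_encryption_metadata.py leaves no visible negative test for the relaxed rule: the tests shown exercise the shared non-admin `self.ctxt` and an admin context, but none shows that a non-admin caller from another project is refused the key id. A test along the lines below would pin that; the context values are constructed, and the exact status (403 from policy or 404 from a project-scoped lookup) depends on code outside this commit, so it asserts only that the key is not returned. Other tests in the class lie outside the hunk and may already cover this.

```python
    def test_retrieve_key_other_project(self):
        self.stubs.Set(volume_types, 'is_encrypted', lambda *a, **kw: True)

        # Constructed values: a non-admin caller from a different project.
        ctxt = context.RequestContext('other_user', 'other_project')

        req = webob.Request.blank('/v2/fake/volumes/%s/encryption/'
                                  'encryption_key_id' % self.volume_id)
        res = req.get_response(fakes.wsgi_app(fake_auth_context=ctxt))
        self.assertNotEqual(200, res.status_code)
        self.assertNotEqual('fake_key', res.body)
```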
+++ b/etc/cinder/policy.json
@@ -15,7 +15,7 @@
 "volume_extension:types_manage": [["rule:admin_api"]],
 "volume_extension:types_extra_specs": [["rule:admin_api"]],
 "volume_extension:volume_type_encryption": [["rule:admin_api"]],
- "volume_extension:volume_encryption_metadata": [["rule:admin_api"]],
+ "volume_extension:volume_encryption_metadata": [["rule:admin_or_owner"]],
 "volume_extension:extended_snapshot_attributes": [],
 "volume_extension:volume_image_metadata": [],
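Review bot: The new value `[["rule:admin_or_owner"]]` in etc/cinder/policy.json refers to a rule whose definition is not among the visible lines, whereas the cinder/tests/policy.json hunk has to add it. This hunk starts at line 15, so the definition may sit above it; if it is missing, the file needs `"admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]],` alongside the other rule definitions. Since the commit is tagged SecurityImpact, the commit message or release notes could also state that deployments carrying a customised policy.json keep the admin-only rule until they edit it.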