From: Ivan Kolodyazhny <e0ne@e0ne.info>
Date: Mon, 21 Sep 2015 15:15:31 +0000 (+0300)
Subject: Ignore Forbidden error on quotas-get for nested projects
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=97170c9fba69b6570c59ff7008e45fb1a47e3886;p=openstack-build%2Fcinder-build.git

Ignore Forbidden error on quotas-get for nested projects

Keystone API v2 requires admin permissions for the project_get method.
We ignore the Forbidden exception for non-admin users.

Change-Id: Ia0a17a9377219d3bf92dbbfd6e88077209a22a95
Closes-Bug: #1491495
---

diff --git a/cinder/api/contrib/quotas.py b/cinder/api/contrib/quotas.py
index 27f0401bb..c6614071b 100644
--- a/cinder/api/contrib/quotas.py
+++ b/cinder/api/contrib/quotas.py
@@ -211,13 +211,22 @@ class QuotaSetsController(wsgi.Controller):
         else:
             usage = False
 
-        # With hierarchical projects, only the admin of the current project or
-        # the root project has privilege to perform quota show operations.
-        target_project = self._get_project(context, target_project_id)
-        context_project = self._get_project(context, context.project_id,
-                                            subtree_as_ids=True)
+        try:
+            # With hierarchical projects, only the admin of the current project
+            # or the root project has privilege to perform quota show
+            # operations.
+            target_project = self._get_project(context, target_project_id)
+            context_project = self._get_project(context, context.project_id,
+                                                subtree_as_ids=True)
+
+            self._authorize_show(context_project, target_project)
+            parent_project_id = target_project.parent_id
+        except exceptions.Forbidden:
+            # NOTE(e0ne): Keystone API v2 requires admin permissions for
+            # project_get method. We ignore Forbidden exception for
+            # non-admin users.
+            parent_project_id = target_project_id
 
-        self._authorize_show(context_project, target_project)
         try:
             sqlalchemy_api.authorize_project_context(context,
                                                      target_project_id)
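Review bot: The new `try` in show() wraps `self._authorize_show(context_project, target_project)` together with the two `_get_project` calls, so when Keystone answers Forbidden the hierarchy check is skipped and only `sqlalchemy_api.authorize_project_context` still guards the request. This commit also relaxes `volume_extension:quotas:show` to `""` in policy.json, so that remaining check is the whole access control for non-admin callers on this path; it deserves a comment and a test showing that a non-admin cannot read another project's quotas. I would keep only the two lookups inside the `try` and move the other two statements into an `else:` branch (`self._authorize_show(context_project, target_project)` then `parent_project_id = target_project.parent_id`), so a Forbidden raised by anything other than the Keystone lookup is never swallowed. show() begins above this hunk, so the origin of `exceptions` and what `_authorize_show` raises are not visible here.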
@@ -225,7 +234,7 @@ class QuotaSetsController(wsgi.Controller):
             raise webob.exc.HTTPForbidden()
 
         quotas = self._get_quotas(context, target_project_id, usage,
-                                  parent_project_id=target_project.parent_id)
+                                  parent_project_id=parent_project_id)
         return self._format_quota_set(target_project_id, quotas)
 
     @wsgi.serializers(xml=QuotaTemplate)
@@ -277,8 +286,8 @@ class QuotaSetsController(wsgi.Controller):
         parent_id = target_project.parent_id
 
         if parent_id:
-            # Get the children of the project which the token is scoped to in
-            # order to know if the target_project is in its hierarchy.
+            # Get the children of the project which the token is scoped to
+            # in order to know if the target_project is in its hierarchy.
             context_project = self._get_project(context,
                                                 context.project_id,
                                                 subtree_as_ids=True)
@@ -340,9 +349,17 @@ class QuotaSetsController(wsgi.Controller):
     def defaults(self, req, id):
         context = req.environ['cinder.context']
         authorize_show(context)
-        project = self._get_project(context, context.project_id)
+        try:
+            project = self._get_project(context, context.project_id)
+            parent_id = project.parent_id
+        except exceptions.Forbidden:
+            # NOTE(e0ne): Keystone API v2 requires admin permissions for
+            # project_get method. We ignore Forbidden exception for
+            # non-admin users.
+            parent_id = context.project_id
+
         return self._format_quota_set(id, QUOTAS.get_defaults(
-            context, parent_project_id=project.parent_id))
+            context, parent_project_id=parent_id))
 
     @wsgi.serializers(xml=QuotaTemplate)
     def delete(self, req, id):
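Review bot: The fallback `parent_id = context.project_id` in defaults() reports the project as its own parent, and show() does the same with `parent_project_id = target_project_id`. If `QUOTAS.get_defaults` and `_get_quotas` treat any non-empty `parent_project_id` as meaning "this is a child project" (their bodies are not in this diff), a non-admin caller would receive child-project values instead of the top-level ones. The NOTE attributes the Forbidden to Keystone API v2, where I would not expect a parent to exist at all, so `parent_id = None` (and `parent_project_id = None` in show()) looks like the more accurate fallback. A debug-level log line in each `except` branch would also make the degraded path visible to operators.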
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index d0e316f4d..4c8a8aa50 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -33,7 +33,7 @@
     "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
     "volume_extension:volume_image_metadata": "rule:admin_or_owner",
 
-    "volume_extension:quotas:show": "rule:admin_api",
+    "volume_extension:quotas:show": "",
     "volume_extension:quotas:update": "rule:admin_api",
     "volume_extension:quota_classes": "rule:admin_api",