From 03c228f56aba7fc3cd7c71963570a7f5582c3cd9 Mon Sep 17 00:00:00 2001 From: Jay Payne Date: Sun, 9 Jun 2013 10:20:12 -0500 Subject: [PATCH] Added policy check for backup operations This patch adds policy checks for operations in the backup extension consisting of create, delete, restore, get and get_all. It also adds policies into the policy.json files in the tests and etc directories. Fixes Bug: 1188386 Change-Id: I847640051c5d25cebf06b8658b27d4b82603d796 --- cinder/backup/api.py | 15 +++++++++++++++ cinder/tests/policy.json | 9 +++++++-- etc/cinder/policy.json | 8 +++++++- 3 files changed, 29 insertions(+), 3 deletions(-) diff --git a/cinder/backup/api.py b/cinder/backup/api.py index 1b5d1d49b..725c7f854 100644 --- a/cinder/backup/api.py +++ b/cinder/backup/api.py @@ -24,6 +24,7 @@ from cinder.db import base from cinder import exception from cinder import flags from cinder.openstack.common import log as logging +import cinder.policy import cinder.volume @@ -32,6 +33,15 @@ FLAGS = flags.FLAGS LOG = logging.getLogger(__name__) +def check_policy(context, action): + target = { + 'project_id': context.project_id, + 'user_id': context.user_id, + } + _action = 'backup:%s' % action + cinder.policy.enforce(context, _action, target) + + class API(base.Base): """API for interacting with the volume backup manager.""" @@ -41,6 +51,7 @@ class API(base.Base): super(API, self).__init__(db_driver) def get(self, context, backup_id): + check_policy(context, 'get') rv = self.db.backup_get(context, backup_id) return dict(rv.iteritems()) @@ -48,6 +59,7 @@ class API(base.Base): """ Make the RPC call to delete a volume backup. """ + check_policy(context, 'delete') backup = self.get(context, backup_id) if backup['status'] not in ['available', 'error']: msg = _('Backup status must be available or error') @@ -60,6 +72,7 @@ class API(base.Base): # TODO(moorehef): Add support for search_opts, discarded atm def get_all(self, context, search_opts={}): + check_policy(context, 'get_all') if context.is_admin: backups = self.db.backup_get_all(context) else: @@ -73,6 +86,7 @@ class API(base.Base): """ Make the RPC call to create a volume backup. """ + check_policy(context, 'create') volume = self.volume_api.get(context, volume_id) if volume['status'] != "available": msg = _('Volume to be backed up must be available') @@ -107,6 +121,7 @@ class API(base.Base): """ Make the RPC call to restore a volume backup. """ + check_policy(context, 'restore') backup = self.get(context, backup_id) if backup['status'] != 'available': msg = _('Backup status must be available') diff --git a/cinder/tests/policy.json b/cinder/tests/policy.json index d11c0139e..86ee69dc5 100644 --- a/cinder/tests/policy.json +++ b/cinder/tests/policy.json @@ -43,6 +43,11 @@ "volume:create_transfer": [], "volume:accept_transfer": [], "volume:delete_transfer": [], - "volume:get_all_transfers": [] - + "volume:get_all_transfers": [], + + "backup:create" : [], + "backup:delete": [], + "backup:get": [], + "backup:get_all": [], + "backup:restore": [] } diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json index a6a805a3a..63196f8de 100644 --- a/etc/cinder/policy.json +++ b/etc/cinder/policy.json @@ -34,6 +34,12 @@ "volume:create_transfer": [], "volume:accept_transfer": [], "volume:delete_transfer": [], - "volume:get_all_transfers": [] + "volume:get_all_transfers": [], + + "backup:create" : [], + "backup:delete": [], + "backup:get": [], + "backup:get_all": [], + "backup:restore": [] } -- 2.45.2