From 68ec9d7b7fb5fcd8b1e80e0121c8079d69f8fb4d Mon Sep 17 00:00:00 2001
From: Anna Sortland
Date: Tue, 14 Jul 2015 14:51:51 -0500
Subject: [PATCH] Update authorization actions for services API Previously, the services extension used generic authorization check "volume_extension:services" for both index and update APIs. This change creates separate rules for index and update APIs so that it is possible to assign different rules to different users. The sample /etc/cinder/policy.json is also updated to include new rules: "volume_extension:services:index": "", "volume_extension:services:update" : "rule:admin_api"
Change-Id: Ib57171f5011210861478590bbdfc30cce25e62b4
Closes-Bug: #1471995
Closes-Bug: #1471999
---
 cinder/api/contrib/services.py | 4 ++--
 cinder/tests/unit/policy.json | 2 ++
 etc/cinder/policy.json | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/cinder/api/contrib/services.py b/cinder/api/contrib/services.py
index 0a976feb2..6a84f04b5 100644
--- a/cinder/api/contrib/services.py
+++ b/cinder/api/contrib/services.py
@@ -79,7 +79,7 @@ class ServiceController(wsgi.Controller):
 Filter by host & service name.
 """
 context = req.environ['cinder.context']
- authorize(context)
+ authorize(context, action='index')
 detailed = self.ext_mgr.is_loaded('os-extended-services')
 now = timeutils.utcnow()
 services = db.service_get_all(context)
@@ -142,7 +142,7 @@ class ServiceController(wsgi.Controller):
 def update(self, req, id, body):
 """Enable/Disable scheduling for a service."""
 context = req.environ['cinder.context']
- authorize(context)
+ authorize(context, action='update')
 ext_loaded = self.ext_mgr.is_loaded('os-extended-services')
 ret_val = {}
diff --git a/cinder/tests/unit/policy.json b/cinder/tests/unit/policy.json
index 6bd38b47d..2850e6518 100644
--- a/cinder/tests/unit/policy.json
+++ b/cinder/tests/unit/policy.json
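Review bot: Neither `authorize(context, action='index')` nor `authorize(context, action='update')` appears to consult the old `volume_extension:services` key any more, so a deployment that upgrades the code but keeps its existing policy.json has no rule named for either action. What happens then depends on the policy engine's fallback for unknown rule names, which is not visible in these hunks; if that fallback is looser than `rule:admin_api`, the enable/disable path in `update` would open to non-admin callers on upgrade. I would either fall back to the legacy rule when the action-specific one is absent, or document the rename in upgrade notes and add a comment above each call such as `# Policy key: volume_extension:services:update (replaces volume_extension:services)`. The diffstat also shows no test that exercises the two rules separately, for example a non-admin context accepted by index and rejected by update. Both function bodies continue outside their hunks.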
@@ -62,6 +62,8 @@
 "volume_extension:quotas:update": "",
 "volume_extension:quotas:delete": "",
 "volume_extension:quota_classes": "",
+ "volume_extension:services:index": "",
+ "volume_extension:services:update" : "rule:admin_api",
 "volume_extension:volume_manage": "rule:admin_api",
 "volume_extension:volume_unmanage": "rule:admin_api",
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 42d157b2a..f05d45c21 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -47,7 +47,8 @@
 "volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
 "volume_extension:volume_mig_status_attribute": "rule:admin_api",
 "volume_extension:hosts": "rule:admin_api",
- "volume_extension:services": "rule:admin_api",
+ "volume_extension:services:index": "",
+ "volume_extension:services:update" : "rule:admin_api",
 "volume_extension:volume_manage": "rule:admin_api",
 "volume_extension:volume_unmanage": "rule:admin_api",
--
2.45.2
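Review bot: In etc/cinder/policy.json the single `"volume_extension:services": "rule:admin_api"` entry is replaced by an index rule with an empty string, which moves the shipped default for listing services from admin-only to, as an empty rule is normally evaluated, any authenticated caller. The commit message states the goal as making the two actions separately configurable, not as relaxing the default, and the listing (filtered by host and service name per the index docstring) would then be readable by every tenant. I would keep the sample conservative with `"volume_extension:services:index": "rule:admin_api",` and let operators loosen it deliberately; the permissive value in cinder/tests/unit/policy.json is fine for a test fixture. The space before the colon in `"volume_extension:services:update" : "rule:admin_api"` is also inconsistent with the neighbouring entries in both files.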