Add policy check for complete attachment API action
Add new policy rule for complete_attachment action to prevent anyone who can read the attachment from the database from completing it (marking it as in-use). Change-Id: Idad8c44acde155e70f6f9f618887a97fc956cdd2 Closes-Bug: #1737000
This commit is contained in:
parent
a367042187
commit
7bcd2a1c6b
@ -24,6 +24,7 @@ from cinder.api import validation
|
||||
from cinder import exception
|
||||
from cinder.i18n import _
|
||||
from cinder import objects
|
||||
from cinder.policies import attachments as attachment_policy
|
||||
from cinder import utils
|
||||
from cinder.volume import api as volume_api
|
||||
|
||||
@ -268,6 +269,8 @@ class AttachmentsController(wsgi.Controller):
|
||||
volume_ref = objects.Volume.get_by_id(
|
||||
context,
|
||||
attachment_ref.volume_id)
|
||||
context.authorize(attachment_policy.COMPLETE_POLICY,
|
||||
target_obj=attachment_ref)
|
||||
attachment_ref.update({'attach_status': 'attached'})
|
||||
attachment_ref.save()
|
||||
volume_ref.update({'status': 'in-use', 'attach_status': 'attached'})
|
||||
|
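Review bot: The new authorization check sits after the volume lookup (`objects.Volume.get_by_id(context, attachment_ref.volume_id)`), so a caller who fails the policy still triggers that extra DB read before `context.authorize` raises; moving `context.authorize(attachment_policy.COMPLETE_POLICY, target_obj=attachment_ref)` up to directly after the attachment itself is loaded keeps a strict load-authorize-act ordering at no cost. The check does precede the `attach_status` / `status` writes on both objects, so this is an ordering nit rather than a bypass. The `RULE_ADMIN_OR_OWNER` default compares the target's `project_id`, so this is only as strong as the attachment object's `project_id` resolving to the owning volume's project — presumably the `VolumeAttachment` object provides that, but it is worth confirming and pinning with a unit test that a non-owner context is rejected on os-complete. The enclosing handler starts before and continues after this hunk, so where `attachment_ref` is loaded and whether `volume_ref.save()` follows cannot be seen here.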
@ -21,6 +21,7 @@ from cinder.policies import base
|
||||
CREATE_POLICY = 'volume:attachment_create'
|
||||
UPDATE_POLICY = 'volume:attachment_update'
|
||||
DELETE_POLICY = 'volume:attachment_delete'
|
||||
COMPLETE_POLICY = 'volume:attachment_complete'
|
||||
MULTIATTACH_BOOTABLE_VOLUME_POLICY = 'volume:multiattach_bootable_volume'
|
||||
|
||||
attachments_policies = [
|
||||
@ -54,6 +55,16 @@ attachments_policies = [
|
||||
'path': '/attachments/{attachment_id}'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=COMPLETE_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Mark a volume attachment process as completed (in-use)",
|
||||
operations=[
|
||||
{
|
||||
'method': 'POST',
|
||||
'path': '/attachments/{attachment_id}/action (os-complete)'
|
||||
}
|
||||
]),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=MULTIATTACH_BOOTABLE_VOLUME_POLICY,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
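Review bot: The new `DocumentedRuleDefault` for `COMPLETE_POLICY` has no accompanying release note visible in this commit; since this introduces a new, separately overridable rule (`volume:attachment_complete`), operators who maintain a custom policy file will not see it in their file and will silently get the in-code `rule:admin_or_owner` default, which deserves a reno entry naming the rule and its default. The sample policy.json hunk later in the commit mirrors the default correctly, so the two stay consistent. The `description` string could also state what "owner" means here, e.g. `description="Mark a volume attachment process as completed (in-use); owner is the project owning the attached volume"`, if that is how the target's project_id is resolved.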
@ -108,6 +108,7 @@
|
||||
"volume:attachment_create": "",
|
||||
"volume:attachment_update": "rule:admin_or_owner",
|
||||
"volume:attachment_delete": "rule:admin_or_owner",
|
||||
"volume:attachment_complete": "rule:admin_or_owner",
|
||||
|
||||
"snapshot_extension:snapshot_actions:update_snapshot_status": "",
|
||||
"snapshot_extension:snapshot_manage": "rule:admin_api",
|
||||
|