Add policy check for complete attachment API action
Add a new policy rule for the complete_attachment action so that a user who can merely read the attachment from the database is no longer able to complete it (mark it as in-use). Change-Id: Idad8c44acde155e70f6f9f618887a97fc956cdd2 Closes-Bug: #1737000
parent
a367042187
commit
7bcd2a1c6b
@ -24,6 +24,7 @@ from cinder.api import validation
|
|||||||
from cinder import exception
|
from cinder import exception
|
||||||
from cinder.i18n import _
|
from cinder.i18n import _
|
||||||
from cinder import objects
|
from cinder import objects
|
||||||
|
from cinder.policies import attachments as attachment_policy
|
||||||
from cinder import utils
|
from cinder import utils
|
||||||
from cinder.volume import api as volume_api
|
from cinder.volume import api as volume_api
|
||||||
|
|
||||||
@ -268,6 +269,8 @@ class AttachmentsController(wsgi.Controller):
|
|||||||
volume_ref = objects.Volume.get_by_id(
|
volume_ref = objects.Volume.get_by_id(
|
||||||
context,
|
context,
|
||||||
attachment_ref.volume_id)
|
attachment_ref.volume_id)
|
||||||
|
context.authorize(attachment_policy.COMPLETE_POLICY,
|
||||||
|
target_obj=attachment_ref)
|
||||||
attachment_ref.update({'attach_status': 'attached'})
|
attachment_ref.update({'attach_status': 'attached'})
|
||||||
attachment_ref.save()
|
attachment_ref.save()
|
||||||
volume_ref.update({'status': 'in-use', 'attach_status': 'attached'})
|
volume_ref.update({'status': 'in-use', 'attach_status': 'attached'})
|
||||||
|
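Review bot: The new `context.authorize(attachment_policy.COMPLETE_POLICY, target_obj=attachment_ref)` in the second hunk runs only after `objects.Volume.get_by_id(...)` has already fetched the volume, so a caller who fails the policy still triggers that lookup; moving the two added lines above `volume_ref = objects.Volume.get_by_id(` makes the check the first thing done once `attachment_ref` is available and keeps rejected requests from touching volume state at all. The enclosing action handler and the fetch of `attachment_ref` start before this hunk, so please confirm nothing between that fetch and this point has side effects that would now happen before authorization. `base.RULE_ADMIN_OR_OWNER` is presumably evaluated against the project of the `target_obj`; if the attachment object does not expose a `project_id`, the owner branch can never match and only admins would pass, which is worth pinning with a non-admin owner case in the unit tests.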
@ -21,6 +21,7 @@ from cinder.policies import base
|
|||||||
CREATE_POLICY = 'volume:attachment_create'
|
CREATE_POLICY = 'volume:attachment_create'
|
||||||
UPDATE_POLICY = 'volume:attachment_update'
|
UPDATE_POLICY = 'volume:attachment_update'
|
||||||
DELETE_POLICY = 'volume:attachment_delete'
|
DELETE_POLICY = 'volume:attachment_delete'
|
||||||
|
COMPLETE_POLICY = 'volume:attachment_complete'
|
||||||
MULTIATTACH_BOOTABLE_VOLUME_POLICY = 'volume:multiattach_bootable_volume'
|
MULTIATTACH_BOOTABLE_VOLUME_POLICY = 'volume:multiattach_bootable_volume'
|
||||||
|
|
||||||
attachments_policies = [
|
attachments_policies = [
|
||||||
@ -54,6 +55,16 @@ attachments_policies = [
|
|||||||
'path': '/attachments/{attachment_id}'
|
'path': '/attachments/{attachment_id}'
|
||||||
}
|
}
|
||||||
]),
|
]),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
name=COMPLETE_POLICY,
|
||||||
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
|
description="Mark a volume attachment process as completed (in-use)",
|
||||||
|
operations=[
|
||||||
|
{
|
||||||
|
'method': 'POST',
|
||||||
|
'path': '/attachments/{attachment_id}/action (os-complete)'
|
||||||
|
}
|
||||||
|
]),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=MULTIATTACH_BOOTABLE_VOLUME_POLICY,
|
name=MULTIATTACH_BOOTABLE_VOLUME_POLICY,
|
||||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||||
|
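Review bot: The `description` of the new `DocumentedRuleDefault` states the effect but not the API action it gates, and the `(os-complete)` suffix on the `operations` path is the only place that name appears; a description such as `description="Complete (mark as in-use) a volume attachment via the os-complete action"` would make the generated policy reference self-contained. Reusing `base.RULE_ADMIN_OR_OWNER` is consistent with the neighbouring update, delete and multiattach rules, so the default itself looks right. No unit test exercising `COMPLETE_POLICY` is visible in this commit; unless the policy fixture change at the end of the page already covers it, one that asserts a non-owner, non-admin caller is rejected would lock in the new default.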
@ -108,6 +108,7 @@
|
|||||||
"volume:attachment_create": "",
|
"volume:attachment_create": "",
|
||||||
"volume:attachment_update": "rule:admin_or_owner",
|
"volume:attachment_update": "rule:admin_or_owner",
|
||||||
"volume:attachment_delete": "rule:admin_or_owner",
|
"volume:attachment_delete": "rule:admin_or_owner",
|
||||||
|
"volume:attachment_complete": "rule:admin_or_owner",
|
||||||
|
|
||||||
"snapshot_extension:snapshot_actions:update_snapshot_status": "",
|
"snapshot_extension:snapshot_actions:update_snapshot_status": "",
|
||||||
"snapshot_extension:snapshot_manage": "rule:admin_api",
|
"snapshot_extension:snapshot_manage": "rule:admin_api",
|
||||||
|