Add policy check for complete attachment API action

Add new policy rule for complete_attachment action to
prevent anyone who can read the attachment from the database
to complete it (mark it as in-use)

Change-Id: Idad8c44acde155e70f6f9f618887a97fc956cdd2
Closes-Bug: #1737000
This commit is contained in:
Aseel Awwad 2018-01-21 08:45:13 -05:00 committed by Aseel Awwad
parent a367042187
commit 7bcd2a1c6b
3 changed files with 15 additions and 0 deletions

View File

@ -24,6 +24,7 @@ from cinder.api import validation
from cinder import exception from cinder import exception
from cinder.i18n import _ from cinder.i18n import _
from cinder import objects from cinder import objects
from cinder.policies import attachments as attachment_policy
from cinder import utils from cinder import utils
from cinder.volume import api as volume_api from cinder.volume import api as volume_api
@ -268,6 +269,8 @@ class AttachmentsController(wsgi.Controller):
volume_ref = objects.Volume.get_by_id( volume_ref = objects.Volume.get_by_id(
context, context,
attachment_ref.volume_id) attachment_ref.volume_id)
context.authorize(attachment_policy.COMPLETE_POLICY,
target_obj=attachment_ref)
attachment_ref.update({'attach_status': 'attached'}) attachment_ref.update({'attach_status': 'attached'})
attachment_ref.save() attachment_ref.save()
volume_ref.update({'status': 'in-use', 'attach_status': 'attached'}) volume_ref.update({'status': 'in-use', 'attach_status': 'attached'})

View File

@ -21,6 +21,7 @@ from cinder.policies import base
CREATE_POLICY = 'volume:attachment_create' CREATE_POLICY = 'volume:attachment_create'
UPDATE_POLICY = 'volume:attachment_update' UPDATE_POLICY = 'volume:attachment_update'
DELETE_POLICY = 'volume:attachment_delete' DELETE_POLICY = 'volume:attachment_delete'
COMPLETE_POLICY = 'volume:attachment_complete'
MULTIATTACH_BOOTABLE_VOLUME_POLICY = 'volume:multiattach_bootable_volume' MULTIATTACH_BOOTABLE_VOLUME_POLICY = 'volume:multiattach_bootable_volume'
attachments_policies = [ attachments_policies = [
@ -54,6 +55,16 @@ attachments_policies = [
'path': '/attachments/{attachment_id}' 'path': '/attachments/{attachment_id}'
} }
]), ]),
policy.DocumentedRuleDefault(
name=COMPLETE_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER,
description="Mark a volume attachment process as completed (in-use)",
operations=[
{
'method': 'POST',
'path': '/attachments/{attachment_id}/action (os-complete)'
}
]),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=MULTIATTACH_BOOTABLE_VOLUME_POLICY, name=MULTIATTACH_BOOTABLE_VOLUME_POLICY,
check_str=base.RULE_ADMIN_OR_OWNER, check_str=base.RULE_ADMIN_OR_OWNER,

View File

@ -108,6 +108,7 @@
"volume:attachment_create": "", "volume:attachment_create": "",
"volume:attachment_update": "rule:admin_or_owner", "volume:attachment_update": "rule:admin_or_owner",
"volume:attachment_delete": "rule:admin_or_owner", "volume:attachment_delete": "rule:admin_or_owner",
"volume:attachment_complete": "rule:admin_or_owner",
"snapshot_extension:snapshot_actions:update_snapshot_status": "", "snapshot_extension:snapshot_actions:update_snapshot_status": "",
"snapshot_extension:snapshot_manage": "rule:admin_api", "snapshot_extension:snapshot_manage": "rule:admin_api",