From 97170c9fba69b6570c59ff7008e45fb1a47e3886 Mon Sep 17 00:00:00 2001
From: Ivan Kolodyazhny
Date: Mon, 21 Sep 2015 18:15:31 +0300
Subject: [PATCH] Ignore Forbidden error on quotas-get for nested projects
Keystone API v2 requires admin permissions for project_get method. We ignore Forbidden exception for non-admin users.
Change-Id: Ia0a17a9377219d3bf92dbbfd6e88077209a22a95
Closes-Bug: #1491495
---
cinder/api/contrib/quotas.py | 39 ++++++++++++++++++++++++++----------
etc/cinder/policy.json | 2 +-
2 files changed, 29 insertions(+), 12 deletions(-)
diff --git a/cinder/api/contrib/quotas.py b/cinder/api/contrib/quotas.py
index 27f0401bbb5..c6614071bd2 100644
--- a/cinder/api/contrib/quotas.py
+++ b/cinder/api/contrib/quotas.py
@@ -211,13 +211,22 @@ class QuotaSetsController(wsgi.Controller):
else:
usage = False
- # With hierarchical projects, only the admin of the current project or
- # the root project has privilege to perform quota show operations.
- target_project = self._get_project(context, target_project_id)
- context_project = self._get_project(context, context.project_id, subtree_as_ids=True)
+ try:
+ # With hierarchical projects, only the admin of the current project
+ # or the root project has privilege to perform quota show
+ # operations.
+ target_project = self._get_project(context, target_project_id)
+ context_project = self._get_project(context, context.project_id,
+ subtree_as_ids=True)
+
+ self._authorize_show(context_project, target_project)
+ parent_project_id = target_project.parent_id
+ except exceptions.Forbidden:
+ # NOTE(e0ne): Keystone API v2 requires admin permissions for
+ # project_get method. We ignore Forbidden exception for
+ # non-admin users.
+ parent_project_id = target_project_id
- self._authorize_show(context_project, target_project)
try:
sqlalchemy_api.authorize_project_context(context, target_project_id)
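Review bot: The new `try` in the show path wraps `self._authorize_show(context_project, target_project)` together with the two Keystone lookups, so an `exceptions.Forbidden` (or a subclass of it) raised by the hierarchy check itself would be swallowed and the request would continue with `parent_project_id = target_project_id`, whereas the NOTE only intends to tolerate Keystone v2 refusing `project_get`. Keep the `try` body to the two `_get_project` calls and move the authorization into an `else:` clause, so a denial can never be masked by the fallback. On the fallback path the hierarchy check is skipped entirely and, as far as this hunk shows, `sqlalchemy_api.authorize_project_context` at its end is the only remaining ownership check; worth confirming it rejects a non-admin whose token project differs from `target_project_id`, since the same patch relaxes the `quotas:show` policy rule to `""`. Making the target project its own parent is also questionable: if `_get_quotas` treats a truthy `parent_project_id` as "nested project", `None` (presumably what a root project's `parent_id` yields) is the safer fallback, to be confirmed against `_get_quotas`. The enclosing `show` method begins before this hunk and continues past it.
```python
        try:
            target_project = self._get_project(context, target_project_id)
            context_project = self._get_project(context, context.project_id,
                                                subtree_as_ids=True)
        except exceptions.Forbidden:
            # NOTE(e0ne): Keystone API v2 requires admin permissions for
            # project_get; non-admin users fall back to a flat view of the
            # target project and the hierarchy check below is skipped.
            parent_project_id = None  # TODO(review): confirm _get_quotas treats None as "root"
        else:
            # Authorization stays outside the try so a Forbidden raised by
            # the hierarchy check is never mistaken for a lookup failure.
            self._authorize_show(context_project, target_project)
            parent_project_id = target_project.parent_id
        # ... unchanged: authorize_project_context / _get_quotas ...
```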
@@ -225,7 +234,7 @@ class QuotaSetsController(wsgi.Controller):
raise webob.exc.HTTPForbidden()
quotas = self._get_quotas(context, target_project_id, usage,
- parent_project_id=target_project.parent_id)
+ parent_project_id=parent_project_id)
return self._format_quota_set(target_project_id, quotas)
@wsgi.serializers(xml=QuotaTemplate)
@@ -277,8 +286,8 @@ class QuotaSetsController(wsgi.Controller):
parent_id = target_project.parent_id
if parent_id:
- # Get the children of the project which the token is scoped to in
- # order to know if the target_project is in its hierarchy.
+ # Get the children of the project which the token is scoped to
+ # in order to know if the target_project is in its hierarchy.
context_project = self._get_project(context, context.project_id, subtree_as_ids=True)
@@ -340,9 +349,17 @@ class QuotaSetsController(wsgi.Controller):
def defaults(self, req, id):
context = req.environ['cinder.context']
authorize_show(context)
- project = self._get_project(context, context.project_id)
+ try:
+ project = self._get_project(context, context.project_id)
+ parent_id = project.parent_id
+ except exceptions.Forbidden:
+ # NOTE(e0ne): Keystone API v2 requires admin permissions for
+ # project_get method. We ignore Forbidden exception for
+ # non-admin users.
+ parent_id = context.project_id
+
return self._format_quota_set(id, QUOTAS.get_defaults(
- context, parent_project_id=project.parent_id))
+ context, parent_project_id=parent_id))
@wsgi.serializers(xml=QuotaTemplate)
def delete(self, req, id):
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index d0e316f4d08..4c8a8aa5079 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
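Review bot: In `defaults`, the fallback `parent_id = context.project_id` makes the caller's project its own parent, a state Keystone would never report; if `QUOTAS.get_defaults` treats a truthy `parent_project_id` as "nested project", every non-admin on Keystone v2 would receive nested-project defaults instead of root-project ones. `None`, presumably what `project.parent_id` yields for a root project, is the more honest fallback, i.e. `parent_id = None`, to be confirmed against `get_defaults`. The `try` body should also be limited to the `_get_project` call, with `parent_id = project.parent_id` moved to an `else:` clause, so that only the Keystone lookup is guarded by the `except exceptions.Forbidden`. The same three-line NOTE is now duplicated in `show` and `defaults`; a small private helper that returns the parent id or the fallback would keep the v2 workaround, and its justification, in one place.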
@@ -33,7 +33,7 @@
"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
"volume_extension:volume_image_metadata": "rule:admin_or_owner",
- "volume_extension:quotas:show": "rule:admin_api",
+ "volume_extension:quotas:show": "",
"volume_extension:quotas:update": "rule:admin_api",
"volume_extension:quota_classes": "rule:admin_api",