openstack/cinder
Code Issues Proposed changes

Ignore Forbidden error on quotas-get for nested projects

Browse Source 
Keystone API v2 requires admin permissions for project_get method.
We ignore Forbidden exception for non-admin users.

Change-Id: Ia0a17a9377219d3bf92dbbfd6e88077209a22a95
Closes-Bug: #1491495
This commit is contained in:
Ivan Kolodyazhny 2015-09-21 18:15:31 +03:00
parent 52e5ed7253
commit 97170c9fba
2 changed files with 29 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
cinder/api/contrib/quotas.py
View File

@ -211,13 +211,22 @@ class QuotaSetsController(wsgi.Controller):
else: else:
usage = False usage = False
# With hierarchical projects, only the admin of the current project or try:
# the root project has privilege to perform quota show operations. # With hierarchical projects, only the admin of the current project
target_project = self._get_project(context, target_project_id) # or the root project has privilege to perform quota show
context_project = self._get_project(context, context.project_id, # operations.
subtree_as_ids=True) target_project = self._get_project(context, target_project_id)
context_project = self._get_project(context, context.project_id,
subtree_as_ids=True)
self._authorize_show(context_project, target_project)
parent_project_id = target_project.parent_id
except exceptions.Forbidden:
# NOTE(e0ne): Keystone API v2 requires admin permissions for
# project_get method. We ignore Forbidden exception for
# non-admin users.
parent_project_id = target_project_id
self._authorize_show(context_project, target_project)
try: try:
sqlalchemy_api.authorize_project_context(context, sqlalchemy_api.authorize_project_context(context,
target_project_id) target_project_id)
@ -225,7 +234,7 @@ class QuotaSetsController(wsgi.Controller):
raise webob.exc.HTTPForbidden() raise webob.exc.HTTPForbidden()
quotas = self._get_quotas(context, target_project_id, usage, quotas = self._get_quotas(context, target_project_id, usage,
parent_project_id=target_project.parent_id) parent_project_id=parent_project_id)
return self._format_quota_set(target_project_id, quotas) return self._format_quota_set(target_project_id, quotas)
@wsgi.serializers(xml=QuotaTemplate) @wsgi.serializers(xml=QuotaTemplate)
@ -277,8 +286,8 @@ class QuotaSetsController(wsgi.Controller):
parent_id = target_project.parent_id parent_id = target_project.parent_id
if parent_id: if parent_id:
# Get the children of the project which the token is scoped to in # Get the children of the project which the token is scoped to
# order to know if the target_project is in its hierarchy. # in order to know if the target_project is in its hierarchy.
context_project = self._get_project(context, context_project = self._get_project(context,
context.project_id, context.project_id,
subtree_as_ids=True) subtree_as_ids=True)
@ -340,9 +349,17 @@ class QuotaSetsController(wsgi.Controller):
def defaults(self, req, id): def defaults(self, req, id):
context = req.environ['cinder.context'] context = req.environ['cinder.context']
authorize_show(context) authorize_show(context)
project = self._get_project(context, context.project_id) try:
project = self._get_project(context, context.project_id)
parent_id = project.parent_id
except exceptions.Forbidden:
# NOTE(e0ne): Keystone API v2 requires admin permissions for
# project_get method. We ignore Forbidden exception for
# non-admin users.
parent_id = context.project_id
return self._format_quota_set(id, QUOTAS.get_defaults( return self._format_quota_set(id, QUOTAS.get_defaults(
context, parent_project_id=project.parent_id)) context, parent_project_id=parent_id))
@wsgi.serializers(xml=QuotaTemplate) @wsgi.serializers(xml=QuotaTemplate)
def delete(self, req, id): def delete(self, req, id):

2
etc/cinder/policy.json
View File

@ -33,7 +33,7 @@
"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner", "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
"volume_extension:volume_image_metadata": "rule:admin_or_owner", "volume_extension:volume_image_metadata": "rule:admin_or_owner",
"volume_extension:quotas:show": "rule:admin_api", "volume_extension:quotas:show": "",
"volume_extension:quotas:update": "rule:admin_api", "volume_extension:quotas:update": "rule:admin_api",
"volume_extension:quota_classes": "rule:admin_api", "volume_extension:quota_classes": "rule:admin_api",