Update delete group snapshot API exception handling

When a role doesn't have access to delete group snapshot API, the response code and exception that is returned is 400 BadRequest. This is incorrect as a 403 PolicyNotAuthorized should be thrown when a role doesn't have access to an API. The HTTPBadRequest exception is raised here [0] regardless of what the real exception is. [0] https://github.com/openstack/cinder/blob/master/cinder/api/v3/group_snapshots.py#L93 Change-Id: I4a24cd35bbbba42ec3e360ce65fe278edc20d4bb Closes-Bug: #1783640
2018-07-25 17:09:06 -04:00 · 2018-07-25 17:09:06 -04:00 · a91d3188e3
commit a91d3188e3
parent fc19a0dca8
2 changed files with 27 additions and 1 deletions
--- a/cinder/api/v3/group_snapshots.py
+++ b/cinder/api/v3/group_snapshots.py
@ -84,7 +84,8 @@ class GroupSnapshotsController(wsgi.Controller):
                                                          group_snapshot)
        except exception.InvalidGroupSnapshot as e:
            raise exc.HTTPBadRequest(explanation=six.text_type(e))
-        except exception.GroupSnapshotNotFound:
+        except (exception.GroupSnapshotNotFound,
+                exception.PolicyNotAuthorized):
            # Not found exception will be handled at the wsgi level
            raise
        except Exception:
--- a/cinder/tests/unit/api/v3/test_group_snapshots.py
+++ b/cinder/tests/unit/api/v3/test_group_snapshots.py
@ -19,6 +19,7 @@ Tests for group_snapshot code.

 import ddt
 import mock
+from oslo_policy import policy as oslo_policy
 from six.moves import http_client
 import webob

@ -30,6 +31,9 @@ from cinder import exception
 from cinder.group import api as group_api
 from cinder import objects
 from cinder.objects import fields
+from cinder.policies import base as base_policy
+from cinder.policies import group_snapshots as group_snapshots_policy
+from cinder import policy
 from cinder import test
 from cinder.tests.unit.api import fakes
 from cinder.tests.unit import fake_constants as fake
@ -487,6 +491,27 @@ class GroupSnapshotsAPITestCase(test.TestCase):

        group_snapshot.destroy()

+    def test_delete_group_snapshot_policy_not_authorized(self):
+        group_snapshot = utils.create_group_snapshot(
+            self.context,
+            group_id=self.group.id,
+            status=fields.GroupSnapshotStatus.AVAILABLE)
+
+        req = fakes.HTTPRequest.blank('/v3/%s/group_snapshots/%s/' %
+                                      (fake.PROJECT_ID, group_snapshot.id),
+                                      version=mv.GROUP_SNAPSHOTS,
+                                      use_admin_context=False)
+
+        rules = {
+            group_snapshots_policy.DELETE_POLICY: base_policy.RULE_ADMIN_API
+        }
+        policy.set_rules(oslo_policy.Rules.from_dict(rules))
+        self.addCleanup(policy.reset)
+
+        self.assertRaises(exception.PolicyNotAuthorized,
+                          self.controller.delete,
+                          req, group_snapshot.id)
+
    @ddt.data((mv.GROUP_TYPE, 'fake_snapshot_001',
               fields.GroupSnapshotStatus.AVAILABLE,
               exception.VersionNotFoundForAPIMethod),