Update delete group snapshot API exception handling
When a role doesn't have access to delete group snapshot API, the response code and exception that is returned is 400 BadRequest. This is incorrect as a 403 PolicyNotAuthorized should be thrown when a role doesn't have access to an API. The HTTPBadRequest exception is raised here [0] regardless of what the real exception is. [0] https://github.com/openstack/cinder/blob/master/cinder/api/v3/group_snapshots.py#L93 Change-Id: I4a24cd35bbbba42ec3e360ce65fe278edc20d4bb Closes-Bug: #1783640
This commit is contained in:
parent
fc19a0dca8
commit
a91d3188e3
@ -84,7 +84,8 @@ class GroupSnapshotsController(wsgi.Controller):
|
||||
group_snapshot)
|
||||
except exception.InvalidGroupSnapshot as e:
|
||||
raise exc.HTTPBadRequest(explanation=six.text_type(e))
|
||||
except exception.GroupSnapshotNotFound:
|
||||
except (exception.GroupSnapshotNotFound,
|
||||
exception.PolicyNotAuthorized):
|
||||
# Not found exception will be handled at the wsgi level
|
||||
raise
|
||||
except Exception:
|
||||
|
@ -19,6 +19,7 @@ Tests for group_snapshot code.
|
||||
|
||||
import ddt
|
||||
import mock
|
||||
from oslo_policy import policy as oslo_policy
|
||||
from six.moves import http_client
|
||||
import webob
|
||||
|
||||
@ -30,6 +31,9 @@ from cinder import exception
|
||||
from cinder.group import api as group_api
|
||||
from cinder import objects
|
||||
from cinder.objects import fields
|
||||
from cinder.policies import base as base_policy
|
||||
from cinder.policies import group_snapshots as group_snapshots_policy
|
||||
from cinder import policy
|
||||
from cinder import test
|
||||
from cinder.tests.unit.api import fakes
|
||||
from cinder.tests.unit import fake_constants as fake
|
||||
@ -487,6 +491,27 @@ class GroupSnapshotsAPITestCase(test.TestCase):
|
||||
|
||||
group_snapshot.destroy()
|
||||
|
||||
def test_delete_group_snapshot_policy_not_authorized(self):
|
||||
group_snapshot = utils.create_group_snapshot(
|
||||
self.context,
|
||||
group_id=self.group.id,
|
||||
status=fields.GroupSnapshotStatus.AVAILABLE)
|
||||
|
||||
req = fakes.HTTPRequest.blank('/v3/%s/group_snapshots/%s/' %
|
||||
(fake.PROJECT_ID, group_snapshot.id),
|
||||
version=mv.GROUP_SNAPSHOTS,
|
||||
use_admin_context=False)
|
||||
|
||||
rules = {
|
||||
group_snapshots_policy.DELETE_POLICY: base_policy.RULE_ADMIN_API
|
||||
}
|
||||
policy.set_rules(oslo_policy.Rules.from_dict(rules))
|
||||
self.addCleanup(policy.reset)
|
||||
|
||||
self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.controller.delete,
|
||||
req, group_snapshot.id)
|
||||
|
||||
@ddt.data((mv.GROUP_TYPE, 'fake_snapshot_001',
|
||||
fields.GroupSnapshotStatus.AVAILABLE,
|
||||
exception.VersionNotFoundForAPIMethod),
|
||||
|
Loading…
x
Reference in New Issue
Block a user