Fix policy dict checkers

After the ironic context refactor, the default policy values were
changed to use project_domain_id and project_name, but the checker
methods in the API were not changed to fetch the correct values
from the context. This change fixes this issue.

Closes-Bug: #1650203
Change-Id: If9bf67b9d7d6f66b12a99d1ee7826af9634415b5
Vladyslav Drok 2016-12-16 13:30:29 +02:00
parent e69c77a13f
commit 633abbeff8
7 changed files with 51 additions and 47 deletions


@ -211,7 +211,7 @@ class ChassisController(rest.RestController):
:param fields: Optional, a list with a specified set of fields
of the resource to be returned.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:chassis:get', cdict, cdict)
api_utils.check_allow_specify_fields(fields)
@ -234,7 +234,7 @@ class ChassisController(rest.RestController):
:param sort_key: column to sort results by. Default: id.
:param sort_dir: direction to sort. "asc" or "desc". Default: asc.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:chassis:get', cdict, cdict)
# /detail should only work against collections
@ -255,7 +255,7 @@ class ChassisController(rest.RestController):
:param fields: Optional, a list with a specified set of fields
of the resource to be returned.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:chassis:get', cdict, cdict)
api_utils.check_allow_specify_fields(fields)
@ -270,7 +270,7 @@ class ChassisController(rest.RestController):
:param chassis: a chassis within the request body.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:chassis:create', cdict, cdict)
new_chassis = objects.Chassis(pecan.request.context,
@ -289,7 +289,7 @@ class ChassisController(rest.RestController):
:param chassis_uuid: UUID of a chassis.
:param patch: a json PATCH document to apply to this chassis.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:chassis:update', cdict, cdict)
rpc_chassis = objects.Chassis.get_by_uuid(pecan.request.context,
@ -323,7 +323,7 @@ class ChassisController(rest.RestController):
:param chassis_uuid: UUID of a chassis.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:chassis:delete', cdict, cdict)
rpc_chassis = objects.Chassis.get_by_uuid(pecan.request.context,
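Review bot: The two-line pattern `cdict = pecan.request.context.to_policy_values()` followed by `policy.authorize(rule, cdict, cdict)` is still copied into every handler, in all six chassis hunks here and again in the driver, node, port, portgroup and ramdisk sections. That duplication is presumably how the call sites fell out of step with the default rules, and the next context change would have to touch each copy again. A single helper would reduce that to one edit, for example `def check_policy(rule):` with the body `cdict = pecan.request.context.to_policy_values()` and `policy.authorize(rule, cdict, cdict)`, so a handler only calls `check_policy('baremetal:chassis:get')`. The helper name is a suggestion only, and the handler bodies continue outside these hunks.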


@ -154,7 +154,7 @@ class DriverPassthruController(rest.RestController):
:raises: DriverNotFound if the driver name is invalid or the
driver cannot be loaded.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:driver:vendor_passthru', cdict, cdict)
if driver_name not in _VENDOR_METHODS:
@ -176,7 +176,7 @@ class DriverPassthruController(rest.RestController):
implementation.
:param data: body of data to supply to the specified method.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
if method == "lookup":
policy.authorize('baremetal:driver:ipa_lookup', cdict, cdict)
else:
@ -208,7 +208,7 @@ class DriverRaidController(rest.RestController):
:raises: DriverNotFound, if driver is not loaded on any of the
conductors.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:driver:get_raid_logical_disk_properties',
cdict, cdict)
@ -250,7 +250,7 @@ class DriversController(rest.RestController):
# will break from a single-line doc string.
# This is a result of a bug in sphinxcontrib-pecanwsme
# https://github.com/dreamhost/sphinxcontrib-pecanwsme/issues/8
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:driver:get', cdict, cdict)
driver_list = pecan.request.dbapi.get_active_driver_dict()
@ -264,7 +264,7 @@ class DriversController(rest.RestController):
# retrieving a list of drivers using the current sqlalchemy schema, but
# this path must be exposed for Pecan to route any paths we might
# choose to expose below it.
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:driver:get', cdict, cdict)
driver_dict = pecan.request.dbapi.get_active_driver_dict()
@ -285,7 +285,7 @@ class DriversController(rest.RestController):
:raises: DriverNotFound (HTTP 404) if the driver name is invalid or
the driver cannot be loaded.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:driver:get_properties', cdict, cdict)
if driver_name not in _DRIVER_PROPERTIES:


@ -196,7 +196,7 @@ class BootDeviceController(rest.RestController):
Default: False.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:set_boot_device', cdict, cdict)
rpc_node = api_utils.get_rpc_node(node_ident)
@ -221,7 +221,7 @@ class BootDeviceController(rest.RestController):
future boots or not, None if it is unknown.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:get_boot_device', cdict, cdict)
return self._get_boot_device(node_ident)
@ -236,7 +236,7 @@ class BootDeviceController(rest.RestController):
devices.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:get_boot_device', cdict, cdict)
boot_devices = self._get_boot_device(node_ident, supported=True)
@ -274,7 +274,7 @@ class NodeConsoleController(rest.RestController):
:param node_ident: UUID or logical name of a node.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:get_console', cdict, cdict)
rpc_node = api_utils.get_rpc_node(node_ident)
@ -299,7 +299,7 @@ class NodeConsoleController(rest.RestController):
:param enabled: Boolean value; whether to enable or disable the
console.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:set_console_state', cdict, cdict)
rpc_node = api_utils.get_rpc_node(node_ident)
@ -390,7 +390,7 @@ class NodeStatesController(rest.RestController):
:param node_ident: the UUID or logical_name of a node.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:get_states', cdict, cdict)
# NOTE(lucasagomes): All these state values come from the
@ -414,7 +414,7 @@ class NodeStatesController(rest.RestController):
:raises: NotAcceptable, if requested version of the API is less than
1.12.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:set_raid_state', cdict, cdict)
if not api_utils.allow_raid_config():
@ -445,7 +445,7 @@ class NodeStatesController(rest.RestController):
state is not valid or if the node is in CLEANING state.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:set_power_state', cdict, cdict)
# TODO(lucasagomes): Test if it's able to transition to the
@ -525,7 +525,7 @@ class NodeStatesController(rest.RestController):
:raises: NotAcceptable (HTTP 406) if the API version specified does
not allow the requested state transition.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:set_provision_state', cdict, cdict)
api_utils.check_allow_management_verbs(target)
@ -826,7 +826,7 @@ class Node(base.APIBase):
if fields is not None:
api_utils.check_for_invalid_fields(fields, node.as_dict())
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
# NOTE(deva): the 'show_password' policy setting name exists for legacy
# purposes and can not be changed. Changing it will cause
# upgrade problems for any operators who have customized
@ -962,7 +962,7 @@ class NodeVendorPassthruController(rest.RestController):
entries.
:raises: NodeNotFound if the node is not found.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:vendor_passthru', cdict, cdict)
# Raise an exception if node is not found
@ -986,7 +986,7 @@ class NodeVendorPassthruController(rest.RestController):
:param method: name of the method in vendor driver.
:param data: body of data to supply to the specified method.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
if method == 'heartbeat':
policy.authorize('baremetal:node:ipa_heartbeat', cdict, cdict)
else:
@ -1024,7 +1024,7 @@ class NodeMaintenanceController(rest.RestController):
:param reason: Optional, the reason why it's in maintenance.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:set_maintenance', cdict, cdict)
self._set_maintenance(node_ident, True, reason=reason)
@ -1037,7 +1037,7 @@ class NodeMaintenanceController(rest.RestController):
:param node_ident: the UUID or logical name of a node.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:clear_maintenance', cdict, cdict)
self._set_maintenance(node_ident, False)
@ -1268,7 +1268,7 @@ class NodesController(rest.RestController):
:param fields: Optional, a list with a specified set of fields
of the resource to be returned.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:get', cdict, cdict)
api_utils.check_allow_specify_fields(fields)
@ -1320,7 +1320,7 @@ class NodesController(rest.RestController):
:param resource_class: Optional string value to get only nodes with
that resource_class.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:get', cdict, cdict)
api_utils.check_for_invalid_state_and_allow_filter(provision_state)
@ -1351,7 +1351,7 @@ class NodesController(rest.RestController):
:param node: UUID or name of a node.
:param node_uuid: UUID of a node.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:validate', cdict, cdict)
if node is not None:
@ -1376,7 +1376,7 @@ class NodesController(rest.RestController):
:param fields: Optional, a list with a specified set of fields
of the resource to be returned.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:get', cdict, cdict)
if self.from_chassis:
@ -1395,7 +1395,7 @@ class NodesController(rest.RestController):
:param node: a node within the request body.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:create', cdict, cdict)
if self.from_chassis:
@ -1448,7 +1448,7 @@ class NodesController(rest.RestController):
:param node_ident: UUID or logical name of a node.
:param patch: a json PATCH document to apply to this node.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:update', cdict, cdict)
if self.from_chassis:
@ -1521,7 +1521,7 @@ class NodesController(rest.RestController):
:param node_ident: UUID or logical name of a node.
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:delete', cdict, cdict)
if self.from_chassis:
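Review bot: Every `policy.authorize(rule, cdict, cdict)` call in this section passes the caller's own policy values as both the target and the credentials, and in the hunks at -196, -274 and -299 the check runs before `api_utils.get_rpc_node(node_ident)` loads the node. A rule that compares a target attribute with the same credential attribute, of the form `project_id:%(project_id)s`, would therefore always match, so these rules can restrict who the caller is but not which node is acted on. If that is the intent, a comment above the call would keep operators and later maintainers from assuming per-node checks, for example `# NOTE: target == credentials; rules can test the caller only, not the node`. The same holds for the chassis, port and portgroup sections, and the handler bodies continue outside the hunks.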


@ -383,7 +383,7 @@ class PortsController(rest.RestController):
for that portgroup.
:raises: NotAcceptable, HTTPNotFound
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:port:get', cdict, cdict)
api_utils.check_allow_specify_fields(fields)
@ -441,7 +441,7 @@ class PortsController(rest.RestController):
:param sort_dir: direction to sort. "asc" or "desc". Default: asc.
:raises: NotAcceptable, HTTPNotFound
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:port:get', cdict, cdict)
if portgroup and not api_utils.allow_portgroups_subcontrollers():
@ -475,7 +475,7 @@ class PortsController(rest.RestController):
of the resource to be returned.
:raises: NotAcceptable, HTTPNotFound
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:port:get', cdict, cdict)
if self.parent_node_ident or self.parent_portgroup_ident:
@ -494,7 +494,7 @@ class PortsController(rest.RestController):
:param port: a port within the request body.
:raises: NotAcceptable, HTTPNotFound, Conflict
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:port:create', cdict, cdict)
if self.parent_node_ident or self.parent_portgroup_ident:
@ -540,7 +540,7 @@ class PortsController(rest.RestController):
:param patch: a json PATCH document to apply to this port.
:raises: NotAcceptable, HTTPNotFound
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:port:update', cdict, cdict)
if self.parent_node_ident or self.parent_portgroup_ident:
@ -608,7 +608,7 @@ class PortsController(rest.RestController):
:param port_uuid: UUID of a port.
:raises OperationNotPermitted, HTTPNotFound
"""
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:port:delete', cdict, cdict)
if self.parent_node_ident or self.parent_portgroup_ident:


@ -336,7 +336,7 @@ class PortgroupsController(pecan.rest.RestController):
if not api_utils.allow_portgroups():
raise exception.NotFound()
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:portgroup:get', cdict, cdict)
if fields is None:
@ -369,7 +369,7 @@ class PortgroupsController(pecan.rest.RestController):
if not api_utils.allow_portgroups():
raise exception.NotFound()
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:portgroup:get', cdict, cdict)
# NOTE: /detail should only work against collections
@ -394,7 +394,7 @@ class PortgroupsController(pecan.rest.RestController):
if not api_utils.allow_portgroups():
raise exception.NotFound()
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:portgroup:get', cdict, cdict)
if self.parent_node_ident:
@ -413,7 +413,7 @@ class PortgroupsController(pecan.rest.RestController):
if not api_utils.allow_portgroups():
raise exception.NotFound()
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:portgroup:create', cdict, cdict)
if self.parent_node_ident:
@ -446,7 +446,7 @@ class PortgroupsController(pecan.rest.RestController):
if not api_utils.allow_portgroups():
raise exception.NotFound()
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:portgroup:update', cdict, cdict)
if self.parent_node_ident:
@ -509,7 +509,7 @@ class PortgroupsController(pecan.rest.RestController):
if not api_utils.allow_portgroups():
raise exception.NotFound()
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:portgroup:delete', cdict, cdict)
if self.parent_node_ident:


@ -98,7 +98,7 @@ class LookupController(rest.RestController):
if not api_utils.allow_ramdisk_endpoints():
raise exception.NotFound()
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:driver:ipa_lookup', cdict, cdict)
# Validate the list of MAC addresses
@ -160,7 +160,7 @@ class HeartbeatController(rest.RestController):
if not api_utils.allow_ramdisk_endpoints():
raise exception.NotFound()
cdict = pecan.request.context.to_dict()
cdict = pecan.request.context.to_policy_values()
policy.authorize('baremetal:node:ipa_heartbeat', cdict, cdict)
rpc_node = api_utils.get_rpc_node(node_ident)
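Review bot: Nothing in this commit shows that `to_policy_values()` carries the attribute that the default `baremetal:driver:ipa_lookup` and `baremetal:node:ipa_heartbeat` rules key on, and `LookupController` and `HeartbeatController` appear to serve the deploy ramdisk, whose requests presumably may arrive without user credentials. None of the seven sections shown looks like the context class or a test, so a rule relying on a key present only in `to_dict()` would stop matching without any test noticing. A unit test that evaluates the default rules against `to_policy_values()` output for such a request would pin the behaviour. The release note could also say that operator-customised rules are now evaluated against the policy values rather than the full context dict. Both handlers continue outside the hunks.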


@ -0,0 +1,4 @@
---
fixes:
- Some of the API methods were not using the right context values for
checking the policy, this release fixes the issue.