openstack/mistral
Code Issues Proposed changes

Merge "Allow admin to retrieve everything"

Browse Source
This commit is contained in:
Zuul
2025-10-02 08:48:13 +00:00
committed by Gerrit Code Review
parent 8be59adc38 9e856dbdf4
commit e2015bae38
1 changed files with 73 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
mistral/db/v2/sqlalchemy/api.py
View File

@@ -269,6 +269,10 @@ def _delete_all(model, **kwargs):
def _get_collection(model, insecure=False, limit=None, marker=None, def _get_collection(model, insecure=False, limit=None, marker=None,
sort_keys=None, sort_dirs=None, fields=None, **filters): sort_keys=None, sort_dirs=None, fields=None, **filters):
# Allow admin to retrieve all objects by overwriting insecure
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
columns = ( columns = (
tuple([getattr(model, f) for f in fields if hasattr(model, f)]) tuple([getattr(model, f) for f in fields if hasattr(model, f)])
if fields else () if fields else ()
@@ -291,6 +295,10 @@ def _get_collection(model, insecure=False, limit=None, marker=None,
def get_db_objects(model, insecure=False, **filters): def get_db_objects(model, insecure=False, **filters):
# Allow admin to retrieve all objects by overwriting insecure
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
query = b.model_query(model) if insecure else _secure_query(model) query = b.model_query(model) if insecure else _secure_query(model)
query = db_filters.apply_filters(query, model, **filters) query = db_filters.apply_filters(query, model, **filters)
@@ -298,6 +306,10 @@ def get_db_objects(model, insecure=False, **filters):
def _get_count(model, insecure=False, **filters): def _get_count(model, insecure=False, **filters):
# Allow admin to retrieve all objects by overwriting insecure
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
query = b.model_query(model) if insecure else _secure_query(model) query = b.model_query(model) if insecure else _secure_query(model)
query = db_filters.apply_filters(query, model, **filters) query = db_filters.apply_filters(query, model, **filters)
@@ -312,6 +324,10 @@ def _get_db_object_by_name(model, name, columns=()):
def _get_db_object_by_id(model, id, insecure=False, columns=()): def _get_db_object_by_id(model, id, insecure=False, columns=()):
# Allow admin to retrieve all objects by overwriting insecure
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
columns = ( columns = (
tuple([getattr(model, f) for f in columns if hasattr(model, f)]) tuple([getattr(model, f) for f in columns if hasattr(model, f)])
if columns and isinstance(columns, list) else columns if columns and isinstance(columns, list) else columns
@@ -329,6 +345,10 @@ def _get_db_object_by_id(model, id, insecure=False, columns=()):
def _get_db_object_by_name_and_namespace_or_id(model, identifier, def _get_db_object_by_name_and_namespace_or_id(model, identifier,
namespace=None, insecure=False, namespace=None, insecure=False,
columns=()): columns=()):
# Allow admin to retrieve all objects by overwriting insecure
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
columns = ( columns = (
tuple([getattr(model, f) for f in columns if hasattr(model, f)]) tuple([getattr(model, f) for f in columns if hasattr(model, f)])
if columns and isinstance(columns, list) else columns if columns and isinstance(columns, list) else columns
@@ -359,6 +379,10 @@ def _get_db_object_by_name_and_namespace_or_id(model, identifier,
def _get_db_object_by_name_and_namespace(model, name, def _get_db_object_by_name_and_namespace(model, name,
namespace='', insecure=False, namespace='', insecure=False,
columns=()): columns=()):
# Allow admin to retrieve all objects by overwriting insecure
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
query = ( query = (
b.model_query(model, columns=columns) b.model_query(model, columns=columns)
if insecure if insecure
@@ -484,13 +508,16 @@ def get_workflow_definition(identifier, namespace='', fields=(), session=None):
(WorkflowDefinition.name,) (WorkflowDefinition.name,)
:return: Workflow definition. :return: Workflow definition.
""" """
ctx = context.ctx() # Allow admin to retrieve all objects by overwriting insecure
insecure = False
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
wf_def = _get_db_object_by_name_and_namespace_or_id( wf_def = _get_db_object_by_name_and_namespace_or_id(
models.WorkflowDefinition, models.WorkflowDefinition,
identifier, identifier,
namespace=namespace, namespace=namespace,
insecure=ctx.is_admin, insecure=insecure,
columns=fields columns=fields
) )
@@ -936,8 +963,8 @@ def delete_action_definitions(session=None, **kwargs):
@b.session_aware() @b.session_aware()
def get_action_execution(id, insecure=False, fields=(), session=None): def get_action_execution(id, insecure=False, fields=(), session=None):
# Allow admin to retrieve action execution by overwriting insecure # Allow admin to retrieve action execution by overwriting insecure
ctx = context.ctx() if context.has_ctx():
insecure = ctx.is_admin or insecure insecure = context.ctx().is_admin or insecure
a_ex = _get_db_object_by_id(models.ActionExecution, id, insecure=insecure, a_ex = _get_db_object_by_id(models.ActionExecution, id, insecure=insecure,
columns=fields) columns=fields)
@@ -978,6 +1005,10 @@ def create_action_execution(values, session=None):
@b.session_aware() @b.session_aware()
def update_action_execution(id, values, insecure=False, session=None): def update_action_execution(id, values, insecure=False, session=None):
# Allow admin to retrieve all objects by overwriting insecure
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
a_ex = get_action_execution(id, insecure) a_ex = get_action_execution(id, insecure)
a_ex.update(values.copy()) a_ex.update(values.copy())
@@ -1028,12 +1059,15 @@ def _get_action_executions(**kwargs):
@b.session_aware() @b.session_aware()
def get_workflow_execution(id, fields=(), session=None): def get_workflow_execution(id, fields=(), session=None):
ctx = context.ctx() # Allow admin to retrieve all objects by overwriting insecure
insecure = False
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
wf_ex = _get_db_object_by_id( wf_ex = _get_db_object_by_id(
models.WorkflowExecution, models.WorkflowExecution,
id, id,
insecure=ctx.is_admin, insecure=insecure,
columns=fields columns=fields
) )
@@ -1095,7 +1129,10 @@ def create_or_update_workflow_execution(id, values, session=None):
@b.session_aware() @b.session_aware()
def delete_workflow_execution(id, session=None): def delete_workflow_execution(id, session=None):
model = models.WorkflowExecution model = models.WorkflowExecution
insecure = context.ctx().is_admin # Allow admin to retrieve all objects by overwriting insecure
insecure = False
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
query = b.model_query(model) if insecure else _secure_query(model) query = b.model_query(model) if insecure else _secure_query(model)
try: try:
@@ -1138,7 +1175,11 @@ def delete_workflow_execution_recurse(wf_ex_id):
def _get_all_direct_subworkflows(wf_ex_id): def _get_all_direct_subworkflows(wf_ex_id):
model = models.WorkflowExecution model = models.WorkflowExecution
insecure = context.ctx().is_admin # Allow admin to retrieve all objects by overwriting insecure
insecure = False
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
if insecure: if insecure:
query = b.model_query(model, [model.id]) query = b.model_query(model, [model.id])
else: else:
@@ -1168,11 +1209,13 @@ def update_workflow_execution_state(id, cur_state, state):
@b.session_aware() @b.session_aware()
def get_task_execution(id, fields=(), session=None): def get_task_execution(id, fields=(), session=None):
# Allow admin to retrieve all tasks # Allow admin to retrieve all objects by overwriting insecure
ctx = context.ctx() insecure = False
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
task_ex = _get_db_object_by_id(models.TaskExecution, id, task_ex = _get_db_object_by_id(models.TaskExecution, id,
insecure=ctx.is_admin, columns=fields) insecure=insecure, columns=fields)
if not task_ex: if not task_ex:
raise exc.DBEntityNotFoundError( raise exc.DBEntityNotFoundError(
@@ -1623,12 +1666,15 @@ def _get_completed_root_executions_query(columns):
@b.session_aware() @b.session_aware()
def get_cron_trigger(identifier, session=None, fields=()): def get_cron_trigger(identifier, session=None, fields=()):
ctx = context.ctx() # Allow admin to retrieve all objects by overwriting insecure
insecure = False
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
cron_trigger = _get_db_object_by_name_and_namespace_or_id( cron_trigger = _get_db_object_by_name_and_namespace_or_id(
models.CronTrigger, models.CronTrigger,
identifier, identifier,
insecure=ctx.is_admin, insecure=insecure,
columns=fields, columns=fields,
) )
@@ -1642,9 +1688,13 @@ def get_cron_trigger(identifier, session=None, fields=()):
@b.session_aware() @b.session_aware()
def get_cron_trigger_by_id(id, session=None, fields=()): def get_cron_trigger_by_id(id, session=None, fields=()):
ctx = context.ctx() # Allow admin to retrieve all objects by overwriting insecure
insecure = False
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
cron_trigger = _get_db_object_by_id(models.CronTrigger, id, cron_trigger = _get_db_object_by_id(models.CronTrigger, id,
insecure=ctx.is_admin, insecure=insecure,
columns=fields) columns=fields)
if not cron_trigger: if not cron_trigger:
raise exc.DBEntityNotFoundError( raise exc.DBEntityNotFoundError(
@@ -2009,6 +2059,10 @@ def _get_accepted_resources(res_type):
@b.session_aware() @b.session_aware()
def get_event_trigger(id, insecure=False, session=None, fields=()): def get_event_trigger(id, insecure=False, session=None, fields=()):
# Allow admin to retrieve all objects by overwriting insecure
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
event_trigger = _get_db_object_by_id(models.EventTrigger, id, insecure, event_trigger = _get_db_object_by_id(models.EventTrigger, id, insecure,
columns=fields) columns=fields)
@@ -2022,6 +2076,10 @@ def get_event_trigger(id, insecure=False, session=None, fields=()):
@b.session_aware() @b.session_aware()
def load_event_trigger(id, insecure=False, session=None, fields=()): def load_event_trigger(id, insecure=False, session=None, fields=()):
# Allow admin to retrieve all objects by overwriting insecure
if context.has_ctx():
insecure = context.ctx().is_admin or insecure
return _get_db_object_by_id(models.EventTrigger, id, insecure, return _get_db_object_by_id(models.EventTrigger, id, insecure,
columns=fields) columns=fields)