Require admin privilege for image APIs
The image APIs are designed for pull/delete images at a compute node. Non-admin users should be disallowed to access individual compute node. This patch enforce that. Change-Id: I23b559dae6d695903a7ea26b48a1a17c45515910 Partial-Implements: blueprint rework-image-api
This commit is contained in:
parent
a7ae077e85
commit
e3e1a455b7
@ -22,7 +22,7 @@ rules = [
|
||||
# https://developer.openstack.org/api-ref/application-container/
|
||||
policy.DocumentedRuleDefault(
|
||||
name=IMAGE % 'pull',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description='Pull an image.',
|
||||
operations=[
|
||||
{
|
||||
@ -36,7 +36,7 @@ rules = [
|
||||
# https://developer.openstack.org/api-ref/application-container/
|
||||
policy.DocumentedRuleDefault(
|
||||
name=IMAGE % 'get_all',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description='Print a list of available images.',
|
||||
operations=[
|
||||
{
|
||||
@ -47,7 +47,7 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=IMAGE % 'get_one',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description='Retrieve the details of a specific image.',
|
||||
operations=[
|
||||
{
|
||||
|
@ -23,8 +23,9 @@ from zun.tests.unit.db import utils
|
||||
|
||||
|
||||
class TestImageController(api_base.FunctionalTest):
|
||||
@mock.patch('zun.common.policy.enforce', return_value=True)
|
||||
@patch('zun.compute.api.API.image_pull')
|
||||
def test_image_pull(self, mock_image_pull):
|
||||
def test_image_pull(self, mock_image_pull, mock_policy_enforce):
|
||||
mock_image_pull.side_effect = lambda x, y: y
|
||||
|
||||
params = ('{"repo": "hello-world"}')
|
||||
@ -53,8 +54,9 @@ class TestImageController(api_base.FunctionalTest):
|
||||
content_type='application/json')
|
||||
self.assertTrue(mock_image_pull.not_called)
|
||||
|
||||
@mock.patch('zun.common.policy.enforce', return_value=True)
|
||||
@patch('zun.compute.api.API.image_pull')
|
||||
def test_image_pull_conflict(self, mock_image_pull):
|
||||
def test_image_pull_conflict(self, mock_image_pull, mock_policy_enforce):
|
||||
mock_image_pull.side_effect = lambda x, y: y
|
||||
|
||||
params = ('{"repo": "hello-world"}')
|
||||
@ -68,9 +70,10 @@ class TestImageController(api_base.FunctionalTest):
|
||||
params=params, content_type='application/json')
|
||||
self.assertTrue(mock_image_pull.not_called)
|
||||
|
||||
@mock.patch('zun.common.policy.enforce', return_value=True)
|
||||
@patch('zun.compute.api.API.image_pull')
|
||||
def test_pull_image_set_project_id_and_user_id(
|
||||
self, mock_image_pull):
|
||||
self, mock_image_pull, mock_policy_enforce):
|
||||
def _create_side_effect(cnxt, image):
|
||||
self.assertEqual(self.context.project_id, image.project_id)
|
||||
self.assertEqual(self.context.user_id, image.user_id)
|
||||
@ -82,8 +85,9 @@ class TestImageController(api_base.FunctionalTest):
|
||||
params=params,
|
||||
content_type='application/json')
|
||||
|
||||
@mock.patch('zun.common.policy.enforce', return_value=True)
|
||||
@patch('zun.compute.api.API.image_pull')
|
||||
def test_image_pull_with_tag(self, mock_image_pull):
|
||||
def test_image_pull_with_tag(self, mock_image_pull, mock_policy_enforce):
|
||||
mock_image_pull.side_effect = lambda x, y: y
|
||||
|
||||
params = ('{"repo": "hello-world:latest"}')
|
||||
@ -94,8 +98,9 @@ class TestImageController(api_base.FunctionalTest):
|
||||
self.assertEqual(202, response.status_int)
|
||||
self.assertTrue(mock_image_pull.called)
|
||||
|
||||
@mock.patch('zun.common.policy.enforce', return_value=True)
|
||||
@patch('zun.objects.Image.list')
|
||||
def test_get_all_images(self, mock_image_list):
|
||||
def test_get_all_images(self, mock_image_list, mock_policy_enforce):
|
||||
test_image = utils.get_test_image()
|
||||
images = [objects.Image(self.context, **test_image)]
|
||||
mock_image_list.return_value = images
|
||||
@ -127,9 +132,10 @@ class TestImageController(api_base.FunctionalTest):
|
||||
self.assertEqual(test_image['uuid'],
|
||||
response.json['uuid'])
|
||||
|
||||
@mock.patch('zun.common.policy.enforce', return_value=True)
|
||||
@patch('zun.objects.Image.list')
|
||||
def test_get_all_images_with_pagination_marker(self, mock_image_list
|
||||
):
|
||||
def test_get_all_images_with_pagination_marker(
|
||||
self, mock_image_list, mock_policy_enforce):
|
||||
image_list = []
|
||||
for id_ in range(4):
|
||||
test_image = utils.create_test_image(
|
||||
|
Loading…
Reference in New Issue
Block a user