Thanks vish<br><br>I think it is better not to modify the wsgi file which is depended by others, it will not be safe for other extensions<br><br>My opinion is that only modify the networks extension, for example, add project-id along with network-id in body, so the NetworkController.add() use the project-id from body instead from context. (This solution is mentioned in my mail on Mar 8.)<br>
<br>There is a danger that if a admin:user-project pass the authentication and since he is a admin role, then he can associate any network to any project, or i may have some misunderstand of the authentication. If only admin:admin has a valid authorize on the networks extension, then this is safe.( ps, i think the option you mentiond to check context.is_admin will have the same problem if admin:user-project's context will set is_admin to True)<br>
<br><br>best wish.<br><br>ps:<br>Detail why add project-id in body is not safe is listed bellow:<br>Here is my knowledge from following the extension's authentication:<br><br>in the networks.py<br>there is a function pointer:<br>
authorize = extensions.extension_authorizer('compute', 'networks')<br><br>and in the class NetworkController.add() function, it invokes<br><br>authorize(context)<br><br>in nova.api.openstack.extension.extension_authorize(), it says: (in essex it is the same)<br>
<br>def extension_authorizer(api_name, extension_name):<br> def authorize(context, target=None):<br> if target is None:<br> target = {'project_id': context.project_id,<br> 'user_id': context.user_id}<br>
action = '%s_extension:%s' % (api_name, extension_name)<br> nova.policy.enforce(context, action, target)<br> return authorize<br><br>in the /etc/nova/policy.json, the networks extension's rule is:<br>
"admin_api": [["is_admin:True"]],<br>"compute_extension:networks": [["rule:admin_api"]],<br><br>the nova.openstack.common.policy will _check_rule(), _check_role() and _check_generic(), and for the _check_generic, it will check context["is_admin"] == True.<br>
<br>nova.api.auth.NovaKeystoneContext will instance nova.context.RequestContext with a self.is_admin = nova.policy.check_is_admin(self.roles), while the check_is_admin only invoke nova.openstack.common.policy.enforce() to check if it has a role named "admin", so if <a href="http://keystone.middleware.auth_token.py">keystone.middleware.auth_token.py</a> fill the header with a "admin" in "X-Roles", this will be authorized. Which i think admin:user-porject will be valid.<br>
<br><br><br><div class="gmail_quote">On Thu, Mar 28, 2013 at 11:12 PM, Vishvananda Ishaya <span dir="ltr"><<a href="mailto:vishvananda@gmail.com" target="_blank">vishvananda@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">I just looked at the code and it appears this is not possible through the os_networks extension. This appears to be an oversight. It should probably allow a project to be passed in.<div><br>
</div><div>Bug report here: <a href="https://bugs.launchpad.net/nova/+bug/1161441" target="_blank">https://bugs.launchpad.net/nova/+bug/1161441</a></div><div><br></div><div>That said, the first time a user boots an instance, he automatically gets assigned a network, so in many cases it isn't needed.</div>
<div><br></div><div>Another option would be to modify the code you mentioned to allow a workaround:</div><div><br></div><div><div><span>if</span> <span>(</span><span>context</span> <span>and</span> not <a href="http://context.is" target="_blank">context.is</a>_admin and <span>project_id</span> <span>and</span> <span>(</span><span>project_id</span> <span>!=</span> <span>context</span><span>.</span><span>project_id</span><span>)):</span></div>
<div><span><br></span></div><div><span>Vish</span></div><div><span><br></span></div><div><div><div class="im"><div>On Mar 28, 2013, at 1:46 AM, Ajiva Fan <<a href="mailto:aji.zqfan@gmail.com" target="_blank">aji.zqfan@gmail.com</a>> wrote:</div>
<br></div><blockquote type="cite"><div><div class="h5">hello everyone:<br><br>i have a very simple question which confuses me for a long time:<br>how should i add a network to a project via rest api?<br><br>1) i'm admin of the whole cloud env essex, (i think the folsom is same in this case)<br>
2) using nova-network:vlan (if using flatdhcp, the associate action is meanless)<br>3) a user project "user-project" is created, and the admin:admin is not that project's admin (and even not a member of it)<br>
4) a network "user-network" is created, but not associated with "user-project"<br>5) how to associate the "user-network" with "user-project" ?<br><br>i know i can use "nova-manage" via nova-client in the control node, <br>
but what i need to know is how to do this operation via rest api, like curl or in horizon?<br><br>the rest api is: <a href="http://api.openstack.org/api-ref.html" target="_blank">http://api.openstack.org/api-ref.html</a><br>
<div>
<span>POST</span></div>
<div>v2/{tenant_id}/os-networks/add <br>with a body identifier the network's id<br><br>the problem is that, even i have admin:admin token, i *cannot* associate the "user-network" with "user-project", <br>
because from the source code of folsom(and essex) nova, in the <a href="http://nova.api.openstack.wsgi.py/" target="_blank">nova.api.openstack.wsgi.py</a> of line 931, i find this:<br></div><div><span><br>
project_id</span> <span>=</span> <span>action_args</span><span>.</span><span>pop</span><span>(</span><span>"project_id"</span><span>,</span> <span>None</span><span>)</span></div>
<div> <span>context</span> <span>=</span> <span>request</span><span>.</span><span>environ</span><span>.</span><span>get</span><span>(</span><span>'nova.context'</span><span>)</span></div>
<div> <span>if</span> <span>(</span><span>context</span> <span>and</span> <span>project_id</span> <span>and</span> <span>(</span><span>project_id</span> <span>!=</span> <span>context</span><span>.</span><span>project_id</span><span>)):</span></div>
<div> <span>msg</span> <span>=</span> <span>_</span><span>(</span><span>"Malformed request url"</span><span>)</span></div>
<div> <span>return</span> <span>Fault</span><span>(</span><span>webob</span><span>.</span><span>exc</span><span>.</span><span>HTTPBadRequest</span><span>(</span><span>explanation</span><span>=</span><span>msg</span><span>))<br>
<br>since nova.context.project_id is the project admin_id, and the project_id is extract from the url, <br>so the webob.exc is returned.<br><br>please help me, i read a lot, (both document and source code, i just cannot understand or just miss something important)<br>
but still don't know how to do it.<br></span></div><br>ps: i have sent a mail to openstack-dev on mar 8, but no one reply me. is my question nonsense?<br>Note this mail is not the exactly same as previous one since i've more knowledge of it but the main problem is same<br>
</div></div><div class="im">
_______________________________________________<br>Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</div></blockquote></div><br></div></div></div></blockquote></div><br>