[openstack-dev] [Nova] RBAC (policy) in compute.api.get_all
Burt Holzman
burt at fnal.gov
Thu Jun 27 21:19:08 UTC 2013
Hi,
While working on https://review.openstack.org/33782, I saw that
compute.api.get_all does a policy check that is essentially a no-op (the
default policy for compute is admin_or_owner, so this is always true):
---------
    #TODO(bcwaldon): determine the best argument for target here
    target = {
        'project_id': context.project_id,
        'user_id': context.user_id,
    }
    check_policy(context, "get_all", target)
------
But the real "policy" enforcement happens in
db.sqlalchemy.api.instance_get_all_by_filters:
-----
    if not context.is_admin:
        # If we're not admin context, add appropriate filter..
        if context.project_id:
            filters['project_id'] = context.project_id
        else:
            filters['user_id'] = context.user_id
-----
I don't know the history here, but would it make more sense instead of
hard-coding the filter to enforce the policy set by get_all? I can
imagine situations where the admins would want to set more liberal
policies across users.
Also, I think the unit tests are testing with a much more liberal
policy.json than what ships in devstack -- should that get tightened down?
- B
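To make the contrast in the mail concrete, here is an added Python model of the two checks (this is illustrative code written for this thread, not Nova's own implementation): `noop_get_all_check` reproduces the pattern where the policy target is built from the caller's own ids, `db_filtered_get_all` reproduces the hard-coded scoping in `instance_get_all_by_filters`, and `policy_scoped_get_all` shows how the same scoping could instead be driven by a policy rule evaluated per instance. The `Context` class, the `rule_*` functions and the sample instances are constructed for the example; `rule_allow_all` stands in for a hypothetical "more liberal" operator policy.

```python
from dataclasses import dataclass


@dataclass
class Context:
    """Minimal stand-in for a request context (constructed for this example)."""
    user_id: str
    project_id: str
    is_admin: bool = False


def rule_admin_or_owner(context, target):
    """Model of the default compute rule: is_admin:True or project_id:%(project_id)s."""
    return context.is_admin or target.get("project_id") == context.project_id


def rule_allow_all(context, target):
    """Hypothetical liberal rule an operator might configure (not a real default)."""
    return True


def noop_get_all_check(context, rule=rule_admin_or_owner):
    """The pattern from compute.api.get_all: the target is the caller's own ids.

    Under admin_or_owner the owner clause compares context.project_id with
    itself, so the check passes for every authenticated caller, admin or not.
    """
    target = {"project_id": context.project_id, "user_id": context.user_id}
    return rule(context, target)


def _matches(instance, filters):
    return all(instance.get(k) == v for k, v in filters.items())


def db_filtered_get_all(context, instances, filters=None):
    """Model of the hard-coded scoping in instance_get_all_by_filters.

    Non-admin callers are restricted to their project (or, with no project
    in the context, to their user id) regardless of what policy.json says.
    """
    filters = dict(filters or {})
    if not context.is_admin:
        if context.project_id:
            filters["project_id"] = context.project_id
        else:
            filters["user_id"] = context.user_id
    return [i for i in instances if _matches(i, filters)]


def policy_scoped_get_all(context, instances, rule=rule_admin_or_owner, filters=None):
    """Scoping expressed through the policy rule, evaluated with each instance as target.

    With admin_or_owner this yields the same result as the hard-coded filter;
    a more liberal rule widens visibility without touching the DB layer.
    """
    filters = dict(filters or {})
    return [
        i for i in instances
        if _matches(i, filters)
        and rule(context, {"project_id": i["project_id"], "user_id": i["user_id"]})
    ]


# Constructed sample data: three instances across two projects.
SAMPLE_INSTANCES = [
    {"id": "i-1", "project_id": "p1", "user_id": "u1"},
    {"id": "i-2", "project_id": "p1", "user_id": "u2"},
    {"id": "i-3", "project_id": "p2", "user_id": "u3"},
]


def ids(instances):
    return [i["id"] for i in instances]


if __name__ == "__main__":
    alice = Context(user_id="u1", project_id="p1")
    admin = Context(user_id="u0", project_id="p0", is_admin=True)
    print("no-op check for a plain user:", noop_get_all_check(alice))
    print("DB-filtered view for alice:", ids(db_filtered_get_all(alice, SAMPLE_INSTANCES)))
    print("DB-filtered view for admin:", ids(db_filtered_get_all(admin, SAMPLE_INSTANCES)))
    print("policy-scoped (admin_or_owner):",
          ids(policy_scoped_get_all(alice, SAMPLE_INSTANCES)))
    print("policy-scoped (allow_all):",
          ids(policy_scoped_get_all(alice, SAMPLE_INSTANCES, rule=rule_allow_all)))
```

Running it shows the point of the mail: the API-layer check returns True for any caller, the DB filter is what actually narrows the result set, and a liberal rule only takes effect if the scoping is routed through policy rather than hard-coded.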