[openstack-dev] [Nova] RBAC (policy) in compute.api.get_all

Burt Holzman burt at fnal.gov
Thu Jun 27 21:19:08 UTC 2013


Hi,

While working on https://review.openstack.org/33782, I saw that
compute.api.get_all does a policy check that is essentially a no-op (the
default policy for compute is admin_or_owner, so this is always true):

---------
        #TODO(bcwaldon): determine the best argument for target here

        target = {
            'project_id': context.project_id,
            'user_id': context.user_id,
        }

        check_policy(context, "get_all", target)
------

But the real "policy" enforcement happens in
db.sqlalchemy.api.instance_get_all_by_filters:

-----
    if not context.is_admin:
        # If we're not admin context, add appropriate filter..

        if context.project_id:
            filters['project_id'] = context.project_id
        else:
            filters['user_id'] = context.user_id
-----

I don't know the history here, but would it make more sense instead of
hard-coding the filter to enforce the policy set by get_all? I can
imagine situations where the admins would want set set more liberal
policies across users.

Also, I think the unit tests are testing with a much more liberal
policy.json than what ships in devstack -- should that get tightened down?

- B

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3216 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130627/6e49dcd9/attachment.bin>


More information about the OpenStack-dev mailing list