From f2cc2a1036bec02fa6119f870b9b56345afaaa0a Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Tue, 26 Nov 2024 23:44:28 +0900 Subject: [PATCH] Add policy rule for get quotas This introduces the missing policy customization capability for get quotas API, so that policy rules for all quota APIs can be customized. Also fix missing target project_id in policy evaluation. Change-Id: I0e9a12670b8df448bed97448f8de9e3bbf207364 --- aodh/api/controllers/v2/quotas.py | 15 ++++++------ aodh/api/policies.py | 23 +++++++++++++++++++ .../get-quotas-policy-b0338f314ec06ae9.yaml | 4 ++++ 3 files changed, 34 insertions(+), 8 deletions(-) create mode 100644 releasenotes/notes/get-quotas-policy-b0338f314ec06ae9.yaml diff --git a/aodh/api/controllers/v2/quotas.py b/aodh/api/controllers/v2/quotas.py index 7e168cf6d..deac5510f 100644 --- a/aodh/api/controllers/v2/quotas.py +++ b/aodh/api/controllers/v2/quotas.py @@ -48,10 +48,9 @@ class QuotasController(rest.RestController): """ request_project = pecan.request.headers.get('X-Project-Id') project_id = project_id if project_id else request_project - is_admin = rbac.is_admin(pecan.request, pecan.request.enforcer) - - if project_id != request_project and not is_admin: - raise base.ProjectNotAuthorized(project_id) + rbac.enforce( + 'get_quotas', pecan.request, + pecan.request.enforcer, {'project_id': project_id}) LOG.debug('Getting resource quotas for project %s', project_id) @@ -68,12 +67,12 @@ class QuotasController(rest.RestController): @wsme_pecan.wsexpose(Quotas, body=Quotas, status_code=201) def post(self, body): """Create or update quota.""" - rbac.enforce('update_quotas', pecan.request, - pecan.request.enforcer, {}) - params = body.to_dict() project_id = params['project_id'] + rbac.enforce('update_quotas', pecan.request, + pecan.request.enforcer, {'project_id': project_id}) + input_quotas = [] for i in params.get('quotas', []): input_quotas.append(i.to_dict()) 
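Review bot: The new `rbac.enforce('get_quotas', ...)` call in get is now the only thing standing between a caller and another project's quota, so the target dict must carry the key the `telemetry:get_quotas` check string compares against; `{'project_id': project_id}` is right only if PROJECT_READER and RULE_ADMIN_OR_OWNER are written against `%(project_id)s`, and their definitions are outside this patch, so that is worth confirming. Two behaviours change here and each deserves a unit test: a same-project caller is now subject to the policy (the old code short-circuited when `project_id == request_project`), and a cross-project non-admin now gets whatever `rbac.enforce` raises instead of `base.ProjectNotAuthorized`, which may map to a different HTTP status. The docstring that closes at the top of the hunk could record the contract: `Access is governed by the telemetry:get_quotas policy; the target project defaults to the caller's X-Project-Id.` get's signature and docstring start above the hunk.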
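Review bot: In post, `project_id = params['project_id']` now runs before the policy check, so the request body is parsed before any authorization decision, and if the body omits project_id the enforce target becomes `{'project_id': None}` (or an unset value, depending on what `body.to_dict()` yields) whereas the old code enforced with `{}` up front. A policy written against `%(project_id)s` cannot be evaluated meaningfully against an empty target, so reject a missing or empty project_id explicitly before calling enforce, using the controller's usual validation error, so that the rule is always evaluated against a concrete project. post's body continues below the hunk.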
@@ -87,5 +86,5 @@ class QuotasController(rest.RestController): def delete(self, project_id): """Delete quotas for the given project.""" rbac.enforce('delete_quotas', pecan.request, - pecan.request.enforcer, {}) + pecan.request.enforcer, {'project_id': project_id}) pecan.request.storage.delete_quotas(project_id) diff --git a/aodh/api/policies.py b/aodh/api/policies.py index 2df7654ff..acd6c4fda 100644 --- a/aodh/api/policies.py +++ b/aodh/api/policies.py @@ -96,6 +96,12 @@ deprecated_query_alarm_history = policy.DeprecatedRule( deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY ) +deprecated_get_quotas = policy.DeprecatedRule( + name="telemetry:get_quotas", + check_str=RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='Epoxy' +) deprecated_update_quotas = policy.DeprecatedRule( name="telemetry:update_quotas", check_str=RULE_CONTEXT_IS_ADMIN, @@ -281,6 +287,23 @@ rules = [ ], deprecated_rule=deprecated_query_alarm_history ), + policy.DocumentedRuleDefault( + name="telemetry:get_quotas", + check_str=PROJECT_READER, + scope_types=['project'], + description='Get resources quotas for project.', + operations=[ + { + 'path': '/v2/quotas', + 'method': 'Get' + }, + { + 'path': '/v2/quotas/{project_id}', + 'method': 'Get' + } + ], + deprecated_rule=deprecated_get_quotas + ), policy.DocumentedRuleDefault( name="telemetry:update_quotas", check_str=PROJECT_ADMIN, diff --git a/releasenotes/notes/get-quotas-policy-b0338f314ec06ae9.yaml b/releasenotes/notes/get-quotas-policy-b0338f314ec06ae9.yaml new file mode 100644 index 000000000..1806cfb7f --- /dev/null +++ b/releasenotes/notes/get-quotas-policy-b0338f314ec06ae9.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + The new ``telemetry::get_quotas`` policy has been added.
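Review bot: `deprecated_since='Epoxy'` in deprecated_get_quotas is a bare string while the neighbouring rules (deprecated_query_alarm_history just above, deprecated_update_quotas below) pass a `versionutils.deprecated.*` constant; if that module has no constant for this cycle the string is fine, but a one-line comment saying so would stop the next reader from "fixing" it, e.g. `# plain string: no versionutils constant exists for this release yet`. Note that during the deprecation window oslo.policy evaluates the deprecated check_str RULE_ADMIN_OR_OWNER alongside the new PROJECT_READER default, which matches the admin-or-owner check the controller used to hard-code; stating that effective rule in the release note would tell operators what changes only once they opt in to the new defaults.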
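Review bot: `'method': 'Get'` on both operations of the new telemetry:get_quotas rule should be the HTTP method name `'GET'`, which is what the generated policy documentation prints; check it against the method strings used by the other DocumentedRuleDefault entries in this list, which are not visible in the hunk. The release note in the last hunk refers to the rule as ``telemetry::get_quotas`` with a double colon, but the name registered here is `telemetry:get_quotas`, so operators searching their policy file for the documented name will not find it. The `rules` list this entry belongs to starts and ends outside the hunk.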