Add policy rule for get quotas

This introduces the missing policy customization capability for get quotas API, so that policy rules for all quota APIs can be customized. Also fix missing target project_id in policy evaluation. Change-Id: I0e9a12670b8df448bed97448f8de9e3bbf207364
2024-11-26 23:44:28 +09:00 · 2024-11-26 23:44:28 +09:00 · f2cc2a1036
commit f2cc2a1036
parent fac8aa64a0
3 changed files with 34 additions and 8 deletions
--- a/aodh/api/controllers/v2/quotas.py
+++ b/aodh/api/controllers/v2/quotas.py
@ -48,10 +48,9 @@ class QuotasController(rest.RestController):
        """
        request_project = pecan.request.headers.get('X-Project-Id')
        project_id = project_id if project_id else request_project
-        is_admin = rbac.is_admin(pecan.request, pecan.request.enforcer)
-
-        if project_id != request_project and not is_admin:
-            raise base.ProjectNotAuthorized(project_id)
+        rbac.enforce(
+            'get_quotas', pecan.request,
+            pecan.request.enforcer, {'project_id': project_id})

        LOG.debug('Getting resource quotas for project %s', project_id)

@ -68,12 +67,12 @@ class QuotasController(rest.RestController):
    @wsme_pecan.wsexpose(Quotas, body=Quotas, status_code=201)
    def post(self, body):
        """Create or update quota."""
-        rbac.enforce('update_quotas', pecan.request,
-                     pecan.request.enforcer, {})
-
        params = body.to_dict()
        project_id = params['project_id']

+        rbac.enforce('update_quotas', pecan.request,
+                     pecan.request.enforcer, {'project_id': project_id})
+
        input_quotas = []
        for i in params.get('quotas', []):
            input_quotas.append(i.to_dict())
@ -87,5 +86,5 @@ class QuotasController(rest.RestController):
    def delete(self, project_id):
        """Delete quotas for the given project."""
        rbac.enforce('delete_quotas', pecan.request,
-                     pecan.request.enforcer, {})
+                     pecan.request.enforcer, {'project_id': project_id})
        pecan.request.storage.delete_quotas(project_id)
--- a/aodh/api/policies.py
+++ b/aodh/api/policies.py
@ -96,6 +96,12 @@ deprecated_query_alarm_history = policy.DeprecatedRule(
    deprecated_reason=DEPRECATED_REASON,
    deprecated_since=versionutils.deprecated.WALLABY
 )
+deprecated_get_quotas = policy.DeprecatedRule(
+    name="telemetry:get_quotas",
+    check_str=RULE_ADMIN_OR_OWNER,
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='Epoxy'
+)
 deprecated_update_quotas = policy.DeprecatedRule(
    name="telemetry:update_quotas",
    check_str=RULE_CONTEXT_IS_ADMIN,
@ -281,6 +287,23 @@ rules = [
        ],
        deprecated_rule=deprecated_query_alarm_history
    ),
+    policy.DocumentedRuleDefault(
+        name="telemetry:get_quotas",
+        check_str=PROJECT_READER,
+        scope_types=['project'],
+        description='Get resources quotas for project.',
+        operations=[
+            {
+                'path': '/v2/quotas',
+                'method': 'Get'
+            },
+            {
+                'path': '/v2/quotas/{project_id}',
+                'method': 'Get'
+            }
+        ],
+        deprecated_rule=deprecated_get_quotas
+    ),
    policy.DocumentedRuleDefault(
        name="telemetry:update_quotas",
        check_str=PROJECT_ADMIN,
--- a/releasenotes/notes/get-quotas-policy-b0338f314ec06ae9.yaml
+++ b/releasenotes/notes/get-quotas-policy-b0338f314ec06ae9.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The new ``telemetry::get_quotas`` policy has been added.