author | Zuul <zuul@review.opendev.org> | 2019-12-27 11:31:52 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2019-12-27 11:31:52 +0000 |
commit | c39e84d4f5bf80ecc822f96e9a88d4e6f6b12023 (patch) | |
tree | 5179b93d13ac5d4a502f88884dfa3b8b4765d46e /ironic/api/controllers/v1/utils.py | |
parent | 3fc278625ab24a0cb00801dfe48a631e98b5c28b (diff) | |
parent | f22ab44888e4b9fd549a5da8e907f4b8fa01faed (diff) | |
download | ironic-c39e84d4f5bf80ecc822f96e9a88d4e6f6b12023.tar.gz |
Merge "Restrict ability to change owner on provisioned or allocated node"
Diffstat (limited to 'ironic/api/controllers/v1/utils.py')
-rw-r--r-- | ironic/api/controllers/v1/utils.py | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/ironic/api/controllers/v1/utils.py b/ironic/api/controllers/v1/utils.py
index 158468423..fc6d00a9d 100644
--- a/ironic/api/controllers/v1/utils.py
+++ b/ironic/api/controllers/v1/utils.py
@@ -1164,7 +1164,23 @@ def check_policy(policy_name):
 policy.authorize(policy_name, cdict, cdict)
-def check_node_policy_and_retrieve(policy_name, node_ident, with_suffix=False):
+def check_node_policy(policy_name, node_owner):
+ """Check if the specified policy authorizes this request on a node.
+
+ :param: policy_name: Name of the policy to check.
+ :param: node_owner: the node owner
+
+ :raises: HTTPForbidden if the policy forbids access.
+ """
+ cdict = api.request.context.to_policy_values()
+
+ target_dict = dict(cdict)
+ target_dict['node.owner'] = node_owner
+ policy.authorize(policy_name, target_dict, cdict)
+
+
+def check_node_policy_and_retrieve(policy_name, node_ident,
+ with_suffix=False):
 """Check if the specified policy authorizes this request on a node.
 :param: policy_name: Name of the policy to check.
@@ -1175,8 +1191,6 @@ def check_node_policy_and_retrieve(policy_name, node_ident, with_suffix=False):
 :raises: NodeNotFound if the node is not found.
 :return: RPC node identified by node_ident
 """
- cdict = api.request.context.to_policy_values()
-
 try:
 if with_suffix:
 rpc_node = get_rpc_node_with_suffix(node_ident)
@@ -1185,13 +1199,11 @@ def check_node_policy_and_retrieve(policy_name, node_ident, with_suffix=False):
 except exception.NodeNotFound:
 # don't expose non-existence of node unless requester
 # has generic access to policy
+ cdict = api.request.context.to_policy_values()
 policy.authorize(policy_name, cdict, cdict)
 raise
- target_dict = dict(cdict)
- target_dict['node.owner'] = rpc_node['owner']
- policy.authorize(policy_name, target_dict, cdict)
-
+ check_node_policy(policy_name, rpc_node['owner'])
 return rpc_node |
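Review bot: The `node_owner` parameter of the new `check_node_policy` is documented only as "the node owner", yet the check is meaningful only when that value is the owner currently stored on the node, not a value taken from the request (for example the new owner in an owner-change patch). I would word the docstring line as `:param: node_owner: owner currently recorded on the node; take it from the stored node, never from request data`. The target is also a copy of the caller's own policy values with just `node.owner` overridden, so a rule comparing any other target field against the credentials matches trivially. A one-line comment above `target_dict = dict(cdict)` saying so would keep rule authors from relying on those fields.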
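Review bot: In the `NodeNotFound` branch the target handed to `policy.authorize` is the caller's own policy values with no `node.owner` key, so hiding a missing node depends on owner-scoped rules denying when that key is absent, and the existing comment does not say this. I would extend it with `# target carries no 'node.owner' here; an owner-scoped rule is expected to deny, so a missing node and another owner's node look the same`. If it is not already covered, a test for that case with an owner-only policy would pin the behaviour. The body of `check_node_policy_and_retrieve` starts outside this hunk, so part of the lookup is not visible here.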