Commit 8ea3fe0c by Szabolcs Gelencser

Add initial permission checks

parent d484ad4b
......@@ -14,8 +14,11 @@
<inspection_tool class="PyPackageRequirementsInspection" enabled="true" level="WARNING" enabled_by_default="true">
<option name="ignoredPackages">
<value>
<list size="1">
<list size="4">
<item index="0" class="java.lang.String" itemvalue="salt" />
<item index="1" class="java.lang.String" itemvalue="six" />
<item index="2" class="java.lang.String" itemvalue="netaddr" />
<item index="3" class="java.lang.String" itemvalue="requests" />
</list>
</value>
</option>
......
{
"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
"volume:create": "",
"volume:create_from_image": "",
"volume:delete": "rule:admin_or_owner",
"volume:force_delete": "rule:admin_api",
"volume:get": "rule:admin_or_owner",
"volume:get_all": "rule:admin_or_owner",
"volume:get_volume_metadata": "rule:admin_or_owner",
"volume:create_volume_metadata": "rule:admin_or_owner",
"volume:delete_volume_metadata": "rule:admin_or_owner",
"volume:update_volume_metadata": "rule:admin_or_owner",
"volume:get_volume_admin_metadata": "rule:admin_api",
"volume:update_volume_admin_metadata": "rule:admin_api",
"volume:get_snapshot": "rule:admin_or_owner",
"volume:get_all_snapshots": "rule:admin_or_owner",
"volume:create_snapshot": "rule:admin_or_owner",
"volume:delete_snapshot": "rule:admin_or_owner",
"volume:update_snapshot": "rule:admin_or_owner",
"volume:get_snapshot_metadata": "rule:admin_or_owner",
"volume:delete_snapshot_metadata": "rule:admin_or_owner",
"volume:update_snapshot_metadata": "rule:admin_or_owner",
"volume:extend": "rule:admin_or_owner",
"volume:extend_attached_volume": "rule:admin_or_owner",
"volume:update_readonly_flag": "rule:admin_or_owner",
"volume:retype": "rule:admin_or_owner",
"volume:update": "rule:admin_or_owner",
"volume:revert_to_snapshot": "rule:admin_or_owner",
"volume_extension:types_manage": "rule:admin_api",
"volume_extension:types_extra_specs:create": "rule:admin_api",
"volume_extension:types_extra_specs:delete": "rule:admin_api",
"volume_extension:types_extra_specs:index": "rule:admin_api",
"volume_extension:types_extra_specs:show": "rule:admin_api",
"volume_extension:types_extra_specs:update": "rule:admin_api",
"volume_extension:access_types_qos_specs_id": "rule:admin_api",
"volume_extension:access_types_extra_specs": "rule:admin_api",
"volume_extension:volume_type_access": "rule:admin_or_owner",
"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
"volume_extension:volume_type_encryption": "rule:admin_api",
"volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
"volume_extension:volume_image_metadata": "rule:admin_or_owner",
"volume_extension:qos_specs_manage:create": "rule:admin_api",
"volume_extension:qos_specs_manage:get": "rule:admin_api",
"volume_extension:qos_specs_manage:get_all": "rule:admin_api",
"volume_extension:qos_specs_manage:update": "rule:admin_api",
"volume_extension:qos_specs_manage:delete": "rule:admin_api",
"volume_extension:quotas:show": "",
"volume_extension:quotas:update": "rule:admin_api",
"volume_extension:quotas:delete": "rule:admin_api",
"volume_extension:quota_classes": "rule:admin_api",
"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
"volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
"volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
"volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
"volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
"volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
"volume_extension:volume_actions:upload_public": "rule:admin_api",
"volume_extension:volume_actions:upload_image": "rule:admin_or_owner",
"volume_extension:volume_host_attribute": "rule:admin_api",
"volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
"volume_extension:volume_mig_status_attribute": "rule:admin_api",
"volume_extension:hosts": "rule:admin_api",
"volume_extension:services:index": "rule:admin_api",
"volume_extension:services:update" : "rule:admin_api",
"volume_extension:volume_manage": "rule:admin_api",
"volume_extension:volume_unmanage": "rule:admin_api",
"volume_extension:list_manageable": "rule:admin_api",
"volume_extension:capabilities": "rule:admin_api",
"volume:create_transfer": "rule:admin_or_owner",
"volume:accept_transfer": "",
"volume:delete_transfer": "rule:admin_or_owner",
"volume:get_transfer": "rule:admin_or_owner",
"volume:get_all_transfers": "rule:admin_or_owner",
"volume:failover_host": "rule:admin_api",
"volume:freeze_host": "rule:admin_api",
"volume:thaw_host": "rule:admin_api",
"backup:create" : "",
"backup:delete": "rule:admin_or_owner",
"backup:get": "rule:admin_or_owner",
"backup:get_all": "rule:admin_or_owner",
"backup:restore": "rule:admin_or_owner",
"backup:backup-import": "rule:admin_api",
"backup:backup-export": "rule:admin_api",
"backup:update": "rule:admin_or_owner",
"backup:backup_project_attribute": "rule:admin_api",
"volume:attachment_create": "",
"volume:attachment_update": "rule:admin_or_owner",
"volume:attachment_delete": "rule:admin_or_owner",
"volume:attachment_complete": "rule:admin_or_owner",
"snapshot_extension:snapshot_actions:update_snapshot_status": "",
"snapshot_extension:snapshot_manage": "rule:admin_api",
"snapshot_extension:snapshot_unmanage": "rule:admin_api",
"snapshot_extension:list_manageable": "rule:admin_api",
"consistencygroup:create" : "group:nobody",
"consistencygroup:delete": "group:nobody",
"consistencygroup:update": "group:nobody",
"consistencygroup:get": "group:nobody",
"consistencygroup:get_all": "group:nobody",
"consistencygroup:create_cgsnapshot" : "group:nobody",
"consistencygroup:delete_cgsnapshot": "group:nobody",
"consistencygroup:get_cgsnapshot": "group:nobody",
"consistencygroup:get_all_cgsnapshots": "group:nobody",
"group:group_types_manage": "rule:admin_api",
"group:group_types_specs": "rule:admin_api",
"group:access_group_types_specs": "rule:admin_api",
"group:group_type_access": "rule:admin_or_owner",
"group:create" : "",
"group:delete": "rule:admin_or_owner",
"group:update": "rule:admin_or_owner",
"group:get": "rule:admin_or_owner",
"group:get_all": "rule:admin_or_owner",
"group:create_group_snapshot": "",
"group:delete_group_snapshot": "rule:admin_or_owner",
"group:update_group_snapshot": "rule:admin_or_owner",
"group:get_group_snapshot": "rule:admin_or_owner",
"group:get_all_group_snapshots": "rule:admin_or_owner",
"group:reset_group_snapshot_status":"rule:admin_api",
"group:reset_status":"rule:admin_api",
"group:enable_replication": "rule:admin_or_owner",
"group:disable_replication": "rule:admin_or_owner",
"group:failover_replication": "rule:admin_or_owner",
"group:list_replication_targets": "rule:admin_or_owner",
"scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api",
"message:delete": "rule:admin_or_owner",
"message:get": "rule:admin_or_owner",
"message:get_all": "rule:admin_or_owner",
"clusters:get": "rule:admin_api",
"clusters:get_all": "rule:admin_api",
"clusters:update": "rule:admin_api",
"workers:cleanup": "rule:admin_api"
}
\ No newline at end of file
{
"context_is_admin": "role:admin",
"default": "role:admin",
"add_image": "",
"delete_image": "",
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "role:admin",
"communitize_image": "",
"copy_from": "",
"download_image": "",
"upload_image": "",
"delete_image_location": "",
"get_image_location": "",
"set_image_location": "",
"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "",
"manage_image_cache": "role:admin",
"get_task": "",
"get_tasks": "",
"add_task": "",
"modify_task": "",
"tasks_api_access": "role:admin",
"deactivate": "",
"reactivate": "",
"get_metadef_namespace": "",
"get_metadef_namespaces":"",
"modify_metadef_namespace":"",
"add_metadef_namespace":"",
"get_metadef_object":"",
"get_metadef_objects":"",
"modify_metadef_object":"",
"add_metadef_object":"",
"list_metadef_resource_types":"",
"get_metadef_resource_type":"",
"add_metadef_resource_type_association":"",
"get_metadef_property":"",
"get_metadef_properties":"",
"modify_metadef_property":"",
"add_metadef_property":"",
"get_metadef_tag":"",
"get_metadef_tags":"",
"modify_metadef_tag":"",
"add_metadef_tag":"",
"add_metadef_tags":""
}
\ No newline at end of file
......@@ -29,7 +29,6 @@ from django.core.exceptions import ImproperlyConfigured
from django.utils.translation import ugettext_lazy as _
from json import loads
# from socket import SOCK_STREAM
......@@ -535,3 +534,19 @@ BLACKLIST_HOOK_URL = get_env_variable("BLACKLIST_HOOK_URL", "")
REQUEST_HOOK_URL = get_env_variable("REQUEST_HOOK_URL", "")
TWO_FACTOR_ISSUER = get_env_variable("TWO_FACTOR_ISSUER", "CIRCLE")
POLICY_FILES_PATH = os.path.join(BASE_DIR, "os_policies")
# Map of local copy of service policy files
POLICY_FILES = {
'identity': 'keystone_policy.json',
'compute': 'nova_policy.json',
'volume': 'cinder_policy.json',
'image': 'glance_policy.json',
'network': 'neutron_policy.json',
}
# Services for which horizon has extra policies are defined
# in POLICY_DIRS by default.
POLICY_DIRS = {
'compute': ['nova_policy.d'],
'volume': ['cinder_policy.d'],
}
\ No newline at end of file
......@@ -72,7 +72,7 @@ class Operation(object):
"%s" % ", ".join(unexpected_kwargs))
if not skip_auth_check:
self.check_auth(user)
self.check_auth(user, request)
self.check_precond()
return allargs, auxargs
......
......@@ -262,16 +262,17 @@ class OperationView(RedirectToLoginMixin, DetailView):
ctx['template'] = super(OperationView, self).get_template_names()[0]
return ctx
def check_auth(self):
def check_auth(self, request):
logger.debug("OperationView.check_auth(%s)", unicode(self))
self.get_op().check_auth(self.request.user)
self.get_op().check_auth(self.request.user, request)
@classmethod
def check_perms(cls, user):
cls.get_operation_class().check_perms(user)
def get(self, request, *args, **kwargs):
self.check_auth()
self.get_op().instance.get_from_os(request)
self.check_auth(request)
return super(OperationView, self).get(request, *args, **kwargs)
def get_response_data(self, result, done, extra=None, **kwargs):
......@@ -287,7 +288,8 @@ class OperationView(RedirectToLoginMixin, DetailView):
return extra
def post(self, request, extra=None, *args, **kwargs):
self.check_auth()
self.get_op().instance.get_from_os(request)
self.check_auth(request)
self.object = self.get_object()
if extra is None:
extra = {}
......
......@@ -111,7 +111,7 @@ class VmDetailView(LoginRequiredMixin, GraphMixin, DetailView):
context = super(VmDetailView, self).get_context_data(**kwargs)
instance = context['instance']
user = self.request.user
ops = get_operations(instance, user)
ops = get_operations(instance, user, self.request)
hide_tutorial = self.request.COOKIES.get(
"hide_tutorial_for_%s" % instance.pk) == "True"
context.update({
......@@ -293,13 +293,13 @@ class VmOperationView(AjaxOperationMixin, OperationView):
self.object.get_from_os(self.request)
return ctx
#
def get_operations(instance, user):
def get_operations(instance, user, request):
ops = []
for k, v in vm_ops.iteritems():
try:
op = v.get_op_by_object(instance)
# op.check_auth(user)
op.check_auth(user, request)
op.check_precond()
except PermissionDenied as e:
logger.debug('Not showing operation %s for %s: %s',
......@@ -1268,7 +1268,7 @@ def vm_activity(request, pk):
'instance': instance,
'activities': (),
'show_show_all': False,
'ops': get_operations(instance, request.user),
'ops': get_operations(instance, request.user, request),
}
response['activities'] = render_to_string(
......
......@@ -68,7 +68,7 @@ msgpack==0.5.4
msgpack-python==0.5.4
munch==2.2.0
MySQL-python==1.2.5
netaddr==0.7.14
netaddr==0.7.19
netifaces==0.10.6
nltk==3.2.5
numpy==1.14.0
......@@ -78,6 +78,7 @@ os-service-types==1.2.0
osc-lib==1.9.0
oslo.config==5.2.0
oslo.i18n==3.19.0
oslo.policy==1.33.1
oslo.serialization==2.24.0
oslo.utils==3.35.0
packaging==16.8
......@@ -117,7 +118,7 @@ python-novaclient==10.1.0
pytz==2015.4
PyYAML==3.12
repoze.who==2.3
requests==2.7.0
requests==2.18.4
requestsexceptions==1.4.0
rfc3986==1.1.0
rosetta==0.3
......@@ -128,7 +129,7 @@ semantic-version==2.6.0
shutilwhich==1.1.0
simplegeneric==0.8.1
simplejson==3.7.2
six==1.9.0
six==1.11.0
slimit==0.8.1
sqlparse==0.1.15
stevedore==1.28.0
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or sign in to comment