Hi, While working on https://review.openstack.org/33782, I saw that compute.api.get_all does a policy check that is essentially a no-op (the default policy for compute is admin_or_owner, so this is always true):
---------
#TODO(bcwaldon): determine the best argument for target here
target = {
'project_id': context.project_id,
'user_id': context.user_id,
}
check_policy(context, "get_all", target)
------
But the real "policy" enforcement happens in
db.sqlalchemy.api.instance_get_all_by_filters:
-----
if not context.is_admin:
# If we're not admin context, add appropriate filter..
if context.project_id:
filters['project_id'] = context.project_id
else:
filters['user_id'] = context.user_id
-----
I don't know the history here, but would it make more sense instead of
hard-coding the filter to enforce the policy set by get_all? I can
imagine situations where the admins would want set set more liberal
policies across users.
Also, I think the unit tests are testing with a much more liberal
policy.json than what ships in devstack -- should that get tightened down?
- B
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
