API: Policy should be enforced at API layer where possible (partial)

Registered by Alex Xu on 2015-04-11

Where possible policy should be enforced at the API layer rather than say in the db or compute layer.

This is continue work for kilo policy works https://blueprints.launchpad.net/nova/+spec/v3-api-policy

Blueprint information

Status:
Complete
Approver:
John Garbutt
Priority:
High
Drafter:
Alex Xu
Direction:
Approved
Assignee:
Alex Xu
Definition:
Approved
Series goal:
Accepted for liberty
Implementation:
Implemented
Milestone target:
milestone icon 12.0.0
Started by
John Garbutt on 2015-04-13
Completed by
John Garbutt on 2015-08-24

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/nova-api-policy-final-part,n,z

Addressed by: https://review.openstack.org/172619
    API: Policy should be enforced at API layer where possible(final part)

Gerrit topic: https://review.openstack.org/#q,topic:bug/1429126,n,z

Addressed by: https://review.openstack.org/162168
    Move unlock_override policy enforcement into V2.1 REST API layer

Addressed by: https://review.openstack.org/150349
    Remove db layer hard-code permission checks for service_get_by_host*

Addressed by: https://review.openstack.org/160089
    Remove db layer hard-code permission checks for service_get_by_compute_host

Addressed by: https://review.openstack.org/161630
    Remove db layer hard-code permission checks for network_get_associated_fixed_ips

Addressed by: https://review.openstack.org/175334
    API: remove admin require from compute_node_get_all_by_* from db layer

Addressed by: https://review.openstack.org/150350
    Remove db layer hard-code permission checks for v2.1 cells

Addressed by: https://review.openstack.org/175693
    API: remove admin require for compute_node_create/update/delete from db layer

Addressed by: https://review.openstack.org/175744
    API: remove admin require for compute_node(get_all/search_by_hyperviso) from db

Addressed by: https://review.openstack.org/175745
    API: Add policy enforcement test cases for pci API

Addressed by: https://review.openstack.org/176231
    Remove db layer hard-code permission checks for keypair_*

Addressed by: https://review.openstack.org/164563
    Disassociate before delete network in os-tenant-networks delete method

Addressed by: https://review.openstack.org/161234
    Remove db layer hard-code permission checks for network_associate

Addressed by: https://review.openstack.org/161626
    Remove db layer hard-code permission checks for network_create_safe

Addressed by: https://review.openstack.org/164549
    Pass project_id when create networks by os-tenant-networks

Addressed by: https://review.openstack.org/160206
    Remove db layer hard-code permission checks for quota_class_create/update

Addressed by: https://review.openstack.org/160205
    Remove db layer hard-code permission checks for quota_class_get_all_by_name

Addressed by: https://review.openstack.org/150351
    Cleanup quota_class unittest with appropriate request context

Addressed by: https://review.openstack.org/160202
    Remove db layer hard-code permission checks for quota_get_all_*

Addressed by: https://review.openstack.org/160203
    Remove db layer hard-code permission checks for quota_create/update

Addressed by: https://review.openstack.org/160201
    Remove db layer hard-code permission checks for quota_destroy_all_*

Addressed by: https://review.openstack.org/160215
    Remove db layer hard-code permission checks for quota_usage_update

Addressed by: https://review.openstack.org/150710
    Remove db layer hard-code permission checks for floating_ip_dns

Addressed by: https://review.openstack.org/161624
    Remove db layer hard-code permission checks for network_disassociate

Addressed by: https://review.openstack.org/161625
    Remove db layer hard-code permission checks for network_set_host

Gerrit topic: https://review.openstack.org/#q,topic:bug/1432455,n,z

Addressed by: https://review.openstack.org/150687
    Remove db layer hard-code permission checks for fixed_ip_associate_*

Addressed by: https://review.openstack.org/150704
    Remove db layer hard-code permission checks for floating_ips_bulk

Addressed by: https://review.openstack.org/160257
    Remove db layer hard-code permission checks for security_group_default_rule_destroy

Addressed by: https://review.openstack.org/150718
    Remove db layer hard-code permission checks for security_group_default_rule_create

Addressed by: https://review.openstack.org/161629
    Remove db layer hard-code permission checks for network_get_all_by_host

Addressed by: https://review.openstack.org/160103
    Remove db layer hard-code permission checks for fixed_ip_get_*

Addressed by: https://review.openstack.org/176648
    API: remove admin require from certificate_* from db layer

Addressed by: https://review.openstack.org/177673
    API: remove compute_node_get_all_by_host hard-code admin check from db

Addressed by: https://review.openstack.org/181467
    Remove policy check security_group_default_rule

Addressed by: https://review.openstack.org/184052
    Remove cell policy check

Addressed by: https://review.openstack.org/199970
    Remove useless db call instance_get_all_hung_in_rebooting

Addressed by: https://review.openstack.org/199971
    Remove useless db call instance_get_all_by_host_and_not_type

Addressed by: https://review.openstack.org/199972
    Remove db layer hard-code permission checks for reservation_expire

Addressed by: https://review.openstack.org/200380
    Remove db layer hard-code permission checks for archive_deleted_rows*

Addressed by: https://review.openstack.org/200381
    Remove db layer hard-code permission checks for provider_fw_rule_*

Addressed by: https://review.openstack.org/200382
    Remove the useless require_admin_context decorator

Addressed by: https://review.openstack.org/202389
    Remove db layer hard-code permission checks for instance_get_all_by_host_and_not_type

Addressed by: https://review.openstack.org/207695
    Remove db layer hard-code permission checks for instance_get_all_hung_in_rebooting

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.