OpenStack Compute (nova)

API: Policy should be enforced at API layer where possible (partial)

Registered by Alex Xu

Where possible policy should be enforced at the API layer rather than say in the db or compute layer.

This is continue work for kilo policy works https://blueprints.launchpad.net/nova/+spec/v3-api-policy

Blueprint information

Status:
Complete
Approver:
John Garbutt
Priority:
High
Drafter:
Alex Xu
Direction:
Approved
Assignee:
Alex Xu
Definition:
Approved
Series goal:
Accepted for liberty
Implementation:
Implemented
Milestone target:
milestone icon 12.0.0
Started by
John Garbutt
Completed by
John Garbutt

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/nova-api-policy-final-part,n,z

Addressed by: https://review.openstack.org/172619
    API: Policy should be enforced at API layer where possible(final part)

Gerrit topic: https://review.openstack.org/#q,topic:bug/1429126,n,z

Addressed by: https://review.openstack.org/162168
    Move unlock_override policy enforcement into V2.1 REST API layer

Addressed by: https://review.openstack.org/150349
    Remove db layer hard-code permission checks for service_get_by_host*

Addressed by: https://review.openstack.org/160089
    Remove db layer hard-code permission checks for service_get_by_compute_host

Addressed by: https://review.openstack.org/161630
    Remove db layer hard-code permission checks for network_get_associated_fixed_ips

Addressed by: https://review.openstack.org/175334
    API: remove admin require from compute_node_get_all_by_* from db layer

Addressed by: https://review.openstack.org/150350
    Remove db layer hard-code permission checks for v2.1 cells

Addressed by: https://review.openstack.org/175693
    API: remove admin require for compute_node_create/update/delete from db layer

Addressed by: https://review.openstack.org/175744
    API: remove admin require for compute_node(get_all/search_by_hyperviso) from db

Addressed by: https://review.openstack.org/175745
    API: Add policy enforcement test cases for pci API

Addressed by: https://review.openstack.org/176231
    Remove db layer hard-code permission checks for keypair_*

Addressed by: https://review.openstack.org/164563
    Disassociate before delete network in os-tenant-networks delete method

Addressed by: https://review.openstack.org/161234
    Remove db layer hard-code permission checks for network_associate

Addressed by: https://review.openstack.org/161626
    Remove db layer hard-code permission checks for network_create_safe

Addressed by: https://review.openstack.org/164549
    Pass project_id when create networks by os-tenant-networks

Addressed by: https://review.openstack.org/160206
    Remove db layer hard-code permission checks for quota_class_create/update

Addressed by: https://review.openstack.org/160205
    Remove db layer hard-code permission checks for quota_class_get_all_by_name

Addressed by: https://review.openstack.org/150351
    Cleanup quota_class unittest with appropriate request context

Addressed by: https://review.openstack.org/160202
    Remove db layer hard-code permission checks for quota_get_all_*

Addressed by: https://review.openstack.org/160203
    Remove db layer hard-code permission checks for quota_create/update

Addressed by: https://review.openstack.org/160201
    Remove db layer hard-code permission checks for quota_destroy_all_*

Addressed by: https://review.openstack.org/160215
    Remove db layer hard-code permission checks for quota_usage_update

Addressed by: https://review.openstack.org/150710
    Remove db layer hard-code permission checks for floating_ip_dns

Addressed by: https://review.openstack.org/161624
    Remove db layer hard-code permission checks for network_disassociate

Addressed by: https://review.openstack.org/161625
    Remove db layer hard-code permission checks for network_set_host

Gerrit topic: https://review.openstack.org/#q,topic:bug/1432455,n,z

Addressed by: https://review.openstack.org/150687
    Remove db layer hard-code permission checks for fixed_ip_associate_*

Addressed by: https://review.openstack.org/150704
    Remove db layer hard-code permission checks for floating_ips_bulk

Addressed by: https://review.openstack.org/160257
    Remove db layer hard-code permission checks for security_group_default_rule_destroy

Addressed by: https://review.openstack.org/150718
    Remove db layer hard-code permission checks for security_group_default_rule_create

Addressed by: https://review.openstack.org/161629
    Remove db layer hard-code permission checks for network_get_all_by_host

Addressed by: https://review.openstack.org/160103
    Remove db layer hard-code permission checks for fixed_ip_get_*

Addressed by: https://review.openstack.org/176648
    API: remove admin require from certificate_* from db layer

Addressed by: https://review.openstack.org/177673
    API: remove compute_node_get_all_by_host hard-code admin check from db

Addressed by: https://review.openstack.org/181467
    Remove policy check security_group_default_rule

Addressed by: https://review.openstack.org/184052
    Remove cell policy check

Addressed by: https://review.openstack.org/199970
    Remove useless db call instance_get_all_hung_in_rebooting

Addressed by: https://review.openstack.org/199971
    Remove useless db call instance_get_all_by_host_and_not_type

Addressed by: https://review.openstack.org/199972
    Remove db layer hard-code permission checks for reservation_expire

Addressed by: https://review.openstack.org/200380
    Remove db layer hard-code permission checks for archive_deleted_rows*

Addressed by: https://review.openstack.org/200381
    Remove db layer hard-code permission checks for provider_fw_rule_*

Addressed by: https://review.openstack.org/200382
    Remove the useless require_admin_context decorator

Addressed by: https://review.openstack.org/202389
    Remove db layer hard-code permission checks for instance_get_all_by_host_and_not_type

Addressed by: https://review.openstack.org/207695
    Remove db layer hard-code permission checks for instance_get_all_hung_in_rebooting

(?)

Work Items

Nearby

This blueprint contains Public information 
Everyone can see this information.