790d7e5e2e
The access control for patching API was changed to accept GET requests from users with reader role and presence in either admin or services project. For other requests, it is required from the user that it has admin role and presence in either project admin or services. As all default system users have admin role and are present in either admin or services project, this change should not cause regressions. Test Plan: PASS: Successfully deploy an AIO-SX using a Debian image with this change present and create user "readeruser" with reader role. Log in the Horizon interface using "readeruser" user, access page "Admin" -> "Software Management" with no errors (a GET patches list request is executed successfully here), try to upload a patch and check that it fails. Repeat the steps for user "admin" and check that the patch upload succeeds. PASS: Successfully deploy a DC with 1 subcloud using a Debian image with this change present and create user "readeruser" with reader role. Log in the Horizon interface using "readeruser" user, access page "Distributed Cloud Admin" -> "Software Management" with no errors (a GET patches list request is executed successfully here), try to upload a patch and check that it fails. Repeat the steps for user "admin" and check that the patch upload succeeds. Story: 2010149 Task: 46561 Depends-on: https://review.opendev.org/c/starlingx/gui/+/860701 Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com> Change-Id: I1b0b06ebeaadc82cd14174a46bf148c564dc7c08
41 lines
1.3 KiB
Python
41 lines
1.3 KiB
Python
#
|
|
# Copyright (c) 2022 Wind River Systems, Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
|
|
from oslo_context import context
|
|
|
|
|
|
# Patching calls into fault. so only FM service type
|
|
# needs to be preserved in the service catalog
|
|
REQUIRED_SERVICE_TYPES = ('faultmanagement',)
|
|
|
|
|
|
class RequestContext(context.RequestContext):
|
|
"""Extends security contexts from the OpenStack common library."""
|
|
|
|
def __init__(self, is_public_api=False, service_catalog=None, **kwargs):
|
|
"""Stores several additional request parameters:
|
|
"""
|
|
super(RequestContext, self).__init__(**kwargs)
|
|
self.is_public_api = is_public_api
|
|
if service_catalog:
|
|
# Only include required parts of service_catalog
|
|
self.service_catalog = [s for s in service_catalog
|
|
if s.get('type') in REQUIRED_SERVICE_TYPES]
|
|
else:
|
|
# if list is empty or none
|
|
self.service_catalog = []
|
|
|
|
def to_dict(self):
|
|
value = super(RequestContext, self).to_dict()
|
|
value.update({'is_public_api': self.is_public_api,
|
|
'project_name': self.project_name,
|
|
'service_catalog': self.service_catalog})
|
|
return value
|
|
|
|
|
|
def make_context(*args, **kwargs):
|
|
return RequestContext(*args, **kwargs)
|