96 lines
3.7 KiB
Diff
96 lines
3.7 KiB
Diff
|
From 6825959560e06725d26625fd21f5c0b78b305492 Mon Sep 17 00:00:00 2001
|
||
|
From: Russell Bryant <rbryant@redhat.com>
|
||
|
Date: Tue, 20 Aug 2013 11:06:12 -0400
|
||
|
Subject: [PATCH] Enforce flavor access during instance boot
|
||
|
|
||
|
The code in the servers API did not pass the context when retrieving
|
||
|
flavor details. That means it would use an admin context instead,
|
||
|
bypassing all flavor access control checks.
|
||
|
|
||
|
This patch includes the fix, and the corresponding unit test for the v2
|
||
|
API.
|
||
|
|
||
|
Closes-bug: #1212179
|
||
|
|
||
|
(cherry picked from commit 4054cc4a22a1fea997dec76afb5646fd6c6ea6b9)
|
||
|
|
||
|
Conflicts:
|
||
|
nova/api/openstack/compute/plugins/v3/servers.py
|
||
|
nova/api/openstack/compute/servers.py
|
||
|
nova/tests/api/openstack/compute/plugins/v3/test_servers.py
|
||
|
nova/tests/api/openstack/compute/test_servers.py
|
||
|
|
||
|
Change-Id: I681ae9965e19767df22fa74c3315e4e03a459d3b
|
||
|
---
|
||
|
nova/api/openstack/compute/servers.py | 3 ++-
|
||
|
nova/tests/api/openstack/compute/test_servers.py | 23 +++++++++++++++++++++--
|
||
|
2 files changed, 23 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/nova/api/openstack/compute/servers.py b/nova/api/openstack/compute/servers.py
|
||
|
index 6908262..ab06595 100644
|
||
|
--- a/nova/api/openstack/compute/servers.py
|
||
|
+++ b/nova/api/openstack/compute/servers.py
|
||
|
@@ -844,7 +844,8 @@ class Controller(wsgi.Controller):
|
||
|
|
||
|
try:
|
||
|
_get_inst_type = instance_types.get_instance_type_by_flavor_id
|
||
|
- inst_type = _get_inst_type(flavor_id, read_deleted="no")
|
||
|
+ inst_type = _get_inst_type(flavor_id, ctxt=context,
|
||
|
+ read_deleted="no")
|
||
|
|
||
|
(instances, resv_id) = self.compute_api.create(context,
|
||
|
inst_type,
|
||
|
diff --git a/nova/tests/api/openstack/compute/test_servers.py b/nova/tests/api/openstack/compute/test_servers.py
|
||
|
index cd88a2a..5cb26bd 100644
|
||
|
--- a/nova/tests/api/openstack/compute/test_servers.py
|
||
|
+++ b/nova/tests/api/openstack/compute/test_servers.py
|
||
|
@@ -34,6 +34,7 @@ import nova.compute.api
|
||
|
from nova.compute import instance_types
|
||
|
from nova.compute import task_states
|
||
|
from nova.compute import vm_states
|
||
|
+import nova.context
|
||
|
import nova.db
|
||
|
from nova.db.sqlalchemy import models
|
||
|
from nova import flags
|
||
|
@@ -1703,10 +1704,10 @@ class ServersControllerCreateTest(test.TestCase):
|
||
|
"""
|
||
|
self.assertTrue("adminPass" not in server_dict)
|
||
|
|
||
|
- def _test_create_instance(self):
|
||
|
+ def _test_create_instance(self, flavor=2):
|
||
|
image_uuid = 'c905cedb-7281-47e4-8a62-f26bc5fc4c77'
|
||
|
body = dict(server=dict(
|
||
|
- name='server_test', imageRef=image_uuid, flavorRef=2,
|
||
|
+ name='server_test', imageRef=image_uuid, flavorRef=flavor,
|
||
|
metadata={'hello': 'world', 'open': 'stack'},
|
||
|
personality={}))
|
||
|
req = fakes.HTTPRequest.blank('/v2/fake/servers')
|
||
|
@@ -1718,6 +1719,24 @@ class ServersControllerCreateTest(test.TestCase):
|
||
|
self._check_admin_pass_len(server)
|
||
|
self.assertEqual(FAKE_UUID, server['id'])
|
||
|
|
||
|
+ def test_create_instance_private_flavor(self):
|
||
|
+ values = {
|
||
|
+ 'name': 'fake_name',
|
||
|
+ 'memory_mb': 512,
|
||
|
+ 'vcpus': 1,
|
||
|
+ 'root_gb': 10,
|
||
|
+ 'ephemeral_gb': 10,
|
||
|
+ 'flavorid': '1324',
|
||
|
+ 'swap': 0,
|
||
|
+ 'rxtx_factor': 0.5,
|
||
|
+ 'vcpu_weight': 1,
|
||
|
+ 'disabled': False,
|
||
|
+ 'is_public': False,
|
||
|
+ }
|
||
|
+ nova.db.instance_type_create(nova.context.get_admin_context(), values)
|
||
|
+ self.assertRaises(webob.exc.HTTPBadRequest, self._test_create_instance,
|
||
|
+ flavor=1324)
|
||
|
+
|
||
|
def test_create_server_bad_image_href(self):
|
||
|
image_href = 1
|
||
|
flavor_ref = 'http://localhost/123/flavors/3'
|
||
|
--
|
||
|
1.8.1.5
|
||
|
|