fix: Use admin permission to list volumes with ids

By default, the id filter for listing volumes is only available
to admin users, so if we log in as a normal user, listing
volumes by id fails.

So we use admin permission to list volumes with ids.

Closes-Bug: #1957142
Change-Id: Ia18bf377b34a11d11df898003242eb763f8cfeea
chenliufeiyang 2022-03-15 17:14:39 +08:00
parent 6494ff6a46
commit 461ddb6632


@ -33,7 +33,7 @@ from skyline_apiserver.config import CONF
from skyline_apiserver.network.neutron import get_ports
from skyline_apiserver.schemas import common
from skyline_apiserver.types import constants
from skyline_apiserver.utils.roles import assert_system_admin_or_reader, is_system_reader_no_admin
from skyline_apiserver.utils.roles import assert_system_admin_or_reader
router = APIRouter()
@ -189,14 +189,6 @@ async def list_servers(
for volume_attached in server["volumes_attached"]:
root_device_ids.append(volume_attached["id"])
# We will use system session when we use all projects and the role
# of use is system_reader but no admin/system_admin role.
cinder_session = (
system_session
if all_projects and is_system_reader_no_admin(profile=profile)
else current_session
)
if all_projects:
tasks = [
keystone.list_projects(
@ -223,7 +215,7 @@ async def list_servers(
tasks.append(
cinder.list_volumes(
profile=profile,
session=cinder_session,
session=system_session,
global_request_id=x_openstack_request_id,
search_opts={"id": root_device_ids[i : i + STEP], "all_tenants": all_projects},
),
@ -417,12 +409,6 @@ async def list_recycle_servers(
for volume_attached in server["volumes_attached"]:
root_device_ids.append(volume_attached["id"])
cinder_session = (
system_session
if all_projects and is_system_reader_no_admin(profile=profile)
else current_session
)
if all_projects:
tasks = [
keystone.list_projects(
@ -449,7 +435,7 @@ async def list_recycle_servers(
tasks.append(
cinder.list_volumes(
profile=profile,
session=cinder_session,
session=system_session,
global_request_id=x_openstack_request_id,
search_opts={"id": root_device_ids[i : i + STEP], "all_tenants": all_projects},
),
@ -600,17 +586,10 @@ async def list_volumes(
"bootable": bootable,
"id": uuid,
}
# if not is_admin, cinder will ignore the all_projects query param.
# role:admin or role:cinder_system_admin is is_admin.
# so here we just use skyline session to get all_projects' volumes.
cinder_session = (
system_session
if all_projects and is_system_reader_no_admin(profile=profile)
else current_session
)
volumes, count = await cinder.list_volumes(
profile=profile,
session=cinder_session,
session=system_session,
global_request_id=x_openstack_request_id,
limit=limit,
marker=marker,
@ -758,6 +737,7 @@ async def list_volume_snapshots(
)
current_session = await generate_session(profile=profile)
system_session = get_system_session()
sort = None
if sort_keys:
@ -817,7 +797,7 @@ async def list_volume_snapshots(
tasks.append(
cinder.list_volumes(
profile=profile,
session=current_session,
session=system_session,
global_request_id=x_openstack_request_id,
search_opts={"id": volume_ids[i : i + STEP], "all_tenants": all_projects},
),
@ -826,7 +806,7 @@ async def list_volume_snapshots(
tasks.append(
cinder.list_volumes(
profile=profile,
session=current_session,
session=system_session,
global_request_id=x_openstack_request_id,
search_opts={
"snapshot_id": snapshot_ids[i : i + STEP],
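Review bot: In the `list_volumes` hunk the Cinder call now runs with `session=system_session` for every caller, where the removed code used it only when `all_projects` was set and the caller was a system reader without admin, so Cinder's policy check is applied to Skyline's service identity instead of the user's token. The visible part of `search_opts` carries the request-supplied `"id": uuid` and no project filter; unless one is set above the hunk, a normal user's result set is scoped only by whatever `cinder.list_volumes` does internally, which is not shown here. I would make the scoping explicit at the call site by adding the caller's project to `search_opts` whenever `all_projects` is false, and record the reason next to the call, e.g. `# system_session: Cinder's id filter is admin-only; results must be limited to the caller's project unless all_projects was authorized`. The same substitution in `list_servers`, `list_recycle_servers` and `list_volume_snapshots` passes `"all_tenants": all_projects` with ids that appear to come from earlier listings, so it is worth confirming those listings ran under the caller's own session. All of these functions start and end outside the hunks.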