Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
commit 91bc0ed7d25dd6efeeb820ca7cbb1f2af3bd53ab (HEAD -> newton/placement-roles)
Author: Mathieu Gagné <mgagne@iweb.com>
Date: Thu Nov 30 18:03:22 2017 -0500
Add ability to override roles allowed to query placement API
Change-Id: I37ac6964a5852aac129107e9be476785ea713fae
diff --git a/nova/api/openstack/placement/handler.py b/nova/api/openstack/placement/handler.py
index 7d41031e37..f1bf225540 100644
--- a/nova/api/openstack/placement/handler.py
+++ b/nova/api/openstack/placement/handler.py
@@ -34,9 +34,11 @@ from nova.api.openstack.placement.handlers import resource_provider
from nova.api.openstack.placement.handlers import root
from nova.api.openstack.placement.handlers import usage
from nova.api.openstack.placement import util
+from nova import conf
from nova import exception
from nova.i18n import _, _LE
+CONF = conf.CONF
LOG = logging.getLogger(__name__)
# URLs and Handlers
@@ -150,7 +152,10 @@ class PlacementHandler(object):
# implement that, probably per handler. Also this is
# just the wrong way to do things, but policy not
# integrated yet.
- if 'admin' not in context.to_policy_values()['roles']:
+ allowed = len(
+ set(CONF.placement.required_roles) &
+ set(context.to_policy_values()['roles'])) != 0
+ if not allowed:
raise webob.exc.HTTPForbidden(
_('admin required'),
json_formatter=util.json_error_formatter)
diff --git a/nova/conf/placement.py b/nova/conf/placement.py
index aa7fa02591..cccb177e29 100644
--- a/nova/conf/placement.py
+++ b/nova/conf/placement.py
@@ -27,6 +27,12 @@ catalog.
Possible values:
* Any string representing region name
+"""),
+
+ cfg.MultiStrOpt('required_roles',
+ default=['admin'],
+ help="""
+List of roles allowed to query the placement API.
"""),
]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment