9c1714b3ae
oslo.policy introduced the scope_type feature which can control the access level at system-level and project-level.

- https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
- http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

Each policy rule will be covered with appropriate oslo.policy’s “scope_types”, ‘system’ and ‘project’ in cyborg cases, as defined in the policies: https://wiki.openstack.org/wiki/Cyborg/Policy

This commit introduces scope_type for Device Profiles API policies.

Create and delete Device Profiles policies are scoped as 'system' because device_profile operation should not be given access to project scoped token; it has the same security requirement as that of managing a nova flavor.

GET operations are scoped as [‘system’, ‘project’] because any reader (either system_reader or project_reader) can retrieve a device profile.

Also adds the test case with scope_type enabled and verifies we pass and fail the policy check with expected context.

Story: 2007024
Task: 40836

Change-Id: Ib58e6ba92513245dac915dfff29b02c556b542ee
- __init__.py
- base.py
- device_profiles.py