openstack/deb-heat
Code Issues Proposed changes

Adds default policy rule for resources limited to administrator

Browse Source 
Adds default policy rule for resources which are limited to
administrator, to forbid non-admin to create these resources
at the very start.

Change-Id: I9e1ef86f0c44bce5bde3f9e26e1f2b9cb3aef06d
Closes-Bug: #1582187
This commit is contained in:
huangtianhua 2016-05-17 16:55:45 +08:00
parent c9aff2fc73
commit a52b821857
2 changed files with 72 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
etc/heat/policy.json
View File

@ -82,5 +82,11 @@
"service:index": "rule:context_is_admin",
"resource_types:OS::Nova::Flavor": "rule:context_is_admin"
"resource_types:OS::Nova::Flavor": "rule:context_is_admin",
"resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
"resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
"resource_types:OS::Manila::ShareType": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
"resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
}

76
heat_integrationtests/functional/test_conditional_exposure.py
View File

@ -65,7 +65,7 @@ resources:
class RoleBasedExposureTest(functional_base.FunctionalTestsBase):
forbidden_resource_type = "OS::Nova::Flavor"
fl_tmpl = """
heat_template_version: 2015-10-15
@ -77,21 +77,75 @@ resources:
vcpus: 10
"""
def test_non_admin_forbidden_create_flavors(self):
"""Fail to create Flavor resource w/o admin role.
cvt_tmpl = """
heat_template_version: 2015-10-15
resources:
cvt:
type: OS::Cinder::VolumeType
properties:
name: cvt_test
"""
host_aggr_tmpl = """
heat_template_version: 2015-10-15
parameters:
az:
type: string
default: nova
resources:
cvt:
type: OS::Nova::HostAggregate
properties:
name: aggregate_test
availability_zone: {get_param: az}
"""
scenarios = [
('r_nova_flavor', dict(
stack_name='s_nova_flavor',
template=fl_tmpl,
forbidden_r_type="OS::Nova::Flavor",
test_creation=True)),
('r_nova_host_aggregate', dict(
stack_name='s_nova_ost_aggregate',
template=host_aggr_tmpl,
forbidden_r_type="OS::Nova::HostAggregate",
test_creation=True)),
('r_cinder_vtype', dict(
stack_name='s_cinder_vtype',
template=cvt_tmpl,
forbidden_r_type="OS::Cinder::VolumeType",
test_creation=True)),
('r_cinder_vtype_encrypt', dict(
forbidden_r_type="OS::Cinder::EncryptedVolumeType",
test_creation=False)),
('r_neutron_qos', dict(
forbidden_r_type="OS::Neutron::QoSPolicy",
test_creation=False)),
('r_neutron_qos_bandwidth_limit', dict(
forbidden_r_type="OS::Neutron::QoSBandwidthLimitRule",
test_creation=False)),
('r_manila_share_type', dict(
forbidden_r_type="OS::Manila::ShareType",
test_creation=False))
]
def test_non_admin_forbidden_create_resources(self):
"""Fail to create resource w/o admin role.
Integration tests job runs as normal OpenStack user,
and OS::Nova:Flavor is configured to require
and the resources above are configured to require
admin role in default policy file of Heat.
"""
stack_name = self._stack_rand_name()
ex = self.assertRaises(exc.Forbidden,
self.client.stacks.create,
stack_name=stack_name,
template=self.fl_tmpl)
self.assertIn(self.forbidden_resource_type, ex.message)
if self.test_creation:
ex = self.assertRaises(exc.Forbidden,
self.client.stacks.create,
stack_name=self.stack_name,
template=self.template)
self.assertIn(self.forbidden_r_type, ex.message)
def test_forbidden_resource_not_listed(self):
resources = self.client.resource_types.list()
self.assertNotIn(self.forbidden_resource_type,
self.assertNotIn(self.forbidden_r_type,
(r.resource_type for r in resources))