From a52b82185723e2bcea8a1f1cdea32214ed7287e5 Mon Sep 17 00:00:00 2001
From: huangtianhua
Date: Tue, 17 May 2016 16:55:45 +0800
Subject: [PATCH] Adds default policy rule for resources limited to administrator

Adds default policy rule for resources which are limited to administrator, to forbid non-admin to create these resources at the very start.

Change-Id: I9e1ef86f0c44bce5bde3f9e26e1f2b9cb3aef06d
Closes-Bug: #1582187
---
 etc/heat/policy.json | 8 +-
 .../functional/test_conditional_exposure.py | 76 ++++++++++++++++---
 2 files changed, 72 insertions(+), 12 deletions(-)

diff --git a/etc/heat/policy.json b/etc/heat/policy.json
index dba2c8705..b40b1eef2 100644
--- a/etc/heat/policy.json
+++ b/etc/heat/policy.json
@@ -82,5 +82,11 @@
 "service:index": "rule:context_is_admin",
- "resource_types:OS::Nova::Flavor": "rule:context_is_admin"
+ "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
+ "resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
+ "resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
+ "resource_types:OS::Manila::ShareType": "rule:context_is_admin",
+ "resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
+ "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
+ "resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
 }
diff --git a/heat_integrationtests/functional/test_conditional_exposure.py b/heat_integrationtests/functional/test_conditional_exposure.py
index c1175f178..bf6cc47d1 100644
--- a/heat_integrationtests/functional/test_conditional_exposure.py
+++ b/heat_integrationtests/functional/test_conditional_exposure.py
@@ -65,7 +65,7 @@ resources:
 class RoleBasedExposureTest(functional_base.FunctionalTestsBase):
- forbidden_resource_type = "OS::Nova::Flavor"
+
 fl_tmpl = """
 heat_template_version: 2015-10-15
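Review bot: Deployments that carry a customized policy.json will not pick up the six new `resource_types:*` entries added to the default file, and the commit gives operators nothing to act on — the diffstat lists only the policy file and the integration test, with no release note. Because the entries use the `resource_types:` prefix, they govern both stack creation with these types and whether a non-admin user sees them in the resource-type listing, which is exactly what the updated integration test checks; a short release note naming the six types and that dual effect would let operators mirror the new defaults in their own policy files.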
@@ -77,21 +77,75 @@ resources:
 vcpus: 10
 """
- def test_non_admin_forbidden_create_flavors(self):
- """Fail to create Flavor resource w/o admin role.
+ cvt_tmpl = """
+heat_template_version: 2015-10-15
+
+resources:
+ cvt:
+ type: OS::Cinder::VolumeType
+ properties:
+ name: cvt_test
+"""
+
+ host_aggr_tmpl = """
+heat_template_version: 2015-10-15
+parameters:
+ az:
+ type: string
+ default: nova
+resources:
+ cvt:
+ type: OS::Nova::HostAggregate
+ properties:
+ name: aggregate_test
+ availability_zone: {get_param: az}
+"""
+
+ scenarios = [
+ ('r_nova_flavor', dict(
+ stack_name='s_nova_flavor',
+ template=fl_tmpl,
+ forbidden_r_type="OS::Nova::Flavor",
+ test_creation=True)),
+ ('r_nova_host_aggregate', dict(
+ stack_name='s_nova_ost_aggregate',
+ template=host_aggr_tmpl,
+ forbidden_r_type="OS::Nova::HostAggregate",
+ test_creation=True)),
+ ('r_cinder_vtype', dict(
+ stack_name='s_cinder_vtype',
+ template=cvt_tmpl,
+ forbidden_r_type="OS::Cinder::VolumeType",
+ test_creation=True)),
+ ('r_cinder_vtype_encrypt', dict(
+ forbidden_r_type="OS::Cinder::EncryptedVolumeType",
+ test_creation=False)),
+ ('r_neutron_qos', dict(
+ forbidden_r_type="OS::Neutron::QoSPolicy",
+ test_creation=False)),
+ ('r_neutron_qos_bandwidth_limit', dict(
+ forbidden_r_type="OS::Neutron::QoSBandwidthLimitRule",
+ test_creation=False)),
+ ('r_manila_share_type', dict(
+ forbidden_r_type="OS::Manila::ShareType",
+ test_creation=False))
+ ]
+
+ def test_non_admin_forbidden_create_resources(self):
+ """Fail to create resource w/o admin role.
 Integration tests job runs as normal OpenStack user,
- and OS::Nova:Flavor is configured to require
+ and the resources above are configured to require
 admin role in default policy file of Heat.
 """
- stack_name = self._stack_rand_name()
- ex = self.assertRaises(exc.Forbidden,
- self.client.stacks.create,
- stack_name=stack_name,
- template=self.fl_tmpl)
- self.assertIn(self.forbidden_resource_type, ex.message)
+ if self.test_creation:
+ ex = self.assertRaises(exc.Forbidden,
+ self.client.stacks.create,
+ stack_name=self.stack_name,
+ template=self.template)
+ self.assertIn(self.forbidden_r_type, ex.message)
 def test_forbidden_resource_not_listed(self):
 resources = self.client.resource_types.list()
- self.assertNotIn(self.forbidden_resource_type,
+ self.assertNotIn(self.forbidden_r_type,
 (r.resource_type for r in resources))
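Review bot: `test_non_admin_forbidden_create_resources` passes vacuously for the four scenarios declared with `test_creation=False` (EncryptedVolumeType, QoSPolicy, QoSBandwidthLimitRule, ShareType), because the whole body sits under `if self.test_creation:` and nothing runs otherwise, so a green result for those scenarios says nothing about creation actually being refused by the new policy entries. Reporting them as skipped keeps the result honest until templates for those types exist, e.g. `if not self.test_creation:` / `self.skipTest('no creation template for %s' % self.forbidden_r_type)` at the top of the method, with the assertions then unindented. Two copy-paste leftovers in the scenario data are worth fixing in the same change: the stack name `s_nova_ost_aggregate` (presumably meant to be `s_nova_host_aggregate`) and the resource in `host_aggr_tmpl` being named `cvt`. The `scenarios` list only takes effect if the module applies the testscenarios load_tests hook, which is outside this hunk, as is the start of the enclosing `RoleBasedExposureTest` class; worth confirming before relying on the per-type results.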