diff --git a/glance/tests/etc/policy.yaml b/glance/tests/etc/policy.yaml
index 1a4abf4103..ef11373cfb 100644
--- a/glance/tests/etc/policy.yaml
+++ b/glance/tests/etc/policy.yaml
@@ -1,164 +1,4 @@
-# Defines the default rule used for policies that historically had an
-# empty policy in the supplied policy.yaml file.
-#"default": ""
-
-# Defines the rule for the is_admin:True check.
-#"context_is_admin": "role:admin"
-
-# Default for admin-only metadef rules
-"metadef_admin": "role:admin"
-
-# add_image
-"add_image": ""
-
-# delete_image
-"delete_image": ""
-
-# get_image
-"get_image": ""
-
-# get_images
-"get_images": ""
-
-# modify_image
-"modify_image": ""
-
-# publicize_image
-"publicize_image": ""
-
-# communitize_image
-"communitize_image": ""
-
-# download_image
-"download_image": ""
-
-# upload_image
-"upload_image": ""
-
-# delete_image_location
-"delete_image_location": ""
-
-# get_image_location
-"get_image_location": ""
-
-# set_image_location
-"set_image_location": ""
-
-# add_member
-"add_member": ""
-
-# delete_member
-"delete_member": ""
-
-# get_member
-"get_member": ""
-
-# get_members
-"get_members": ""
-
-# modify_member
-"modify_member": ""
-
-# manage_image_cache
-"manage_image_cache": ""
-
-# deactivate
-"deactivate": ""
-
-# reactivate
-"reactivate": ""
-
-# get_task
-"get_task": "role:admin"
-
-# get_tasks
-"get_tasks": "role:admin"
-
-# add_task
-"add_task": "role:admin"
-
-# modify_task
-"modify_task": "role:admin"
-
-# get_metadef_namespace
-"get_metadef_namespace": ""
-
-# get_metadef_namespaces
-"get_metadef_namespaces": ""
-
-# modify_metadef_namespace
-"modify_metadef_namespace": "rule:metadef_admin"
-
-# add_metadef_namespace
-"add_metadef_namespace": "rule:metadef_admin"
-
-# delete_metadef_namespace
-"delete_metadef_namespace": "rule:metadef_admin"
-
-# get_metadef_object
-"get_metadef_object": ""
-
-# get_metadef_objects
-"get_metadef_objects": ""
-
-# modify_metadef_object
-"modify_metadef_object": "rule:metadef_admin"
-
-# add_metadef_object
-"add_metadef_object": "rule:metadef_admin"
-
-# delete_metadef_object
-"delete_metadef_object": "rule:metadef_admin"
-
-# list_metadef_resource_types
-"list_metadef_resource_types": ""
-
-# get_metadef_resource_type
-"get_metadef_resource_type": ""
-
-# add_metadef_resource_type_association
-"add_metadef_resource_type_association": "rule:metadef_admin"
-
-# remove_metadef_resource_type_association
-"remove_metadef_resource_type_association": "rule:metadef_admin"
-
-# get_metadef_property
-"get_metadef_property": ""
-
-# get_metadef_properties
-"get_metadef_properties": ""
-
-# modify_metadef_property
-"modify_metadef_property": "rule:metadef_admin"
-
-# add_metadef_property
-"add_metadef_property": "rule:metadef_admin"
-
-# remove_metadef_property
-"remove_metadef_property": "rule:metadef_admin"
-
-# get_metadef_tag
-"get_metadef_tag": ""
-
-# get_metadef_tags
-"get_metadef_tags": ""
-
-# modify_metadef_tag
-"modify_metadef_tag": "rule:metadef_admin"
-
-# add_metadef_tag
-"add_metadef_tag": "rule:metadef_admin"
-
-# add_metadef_tags
-"add_metadef_tags": "rule:metadef_admin"
-
-# delete_metadef_tag
-"delete_metadef_tag": "rule:metadef_admin"
-
-# delete_metadef_tags
-"delete_metadef_tags": "rule:metadef_admin"
-
-# WARNING: Below rules are either deprecated rules
-# or extra rules in policy file, it is strongly
-# recommended to switch to new rules.
+# FIXME (abhishekk): This special rule is required in unit tests
+# to test property protection using policies. Need to make provision
+# to set such rules on the fly.
 "glance_creator": "role:admin or role:spl_role"
diff --git a/glance/tests/functional/__init__.py b/glance/tests/functional/__init__.py
index b35b5190df..4e0db981d8 100644
--- a/glance/tests/functional/__init__.py
+++ b/glance/tests/functional/__init__.py
@@ -804,7 +804,6 @@ class FunctionalTest(test_utils.BaseTestCase):
 conf_dir = os.path.join(self.test_dir, 'etc')
 utils.safe_mkdirs(conf_dir)
 self.copy_data_file('schema-image.json', conf_dir)
- self.copy_data_file('policy.yaml', conf_dir)
 self.copy_data_file('property-protections.conf', conf_dir)
 self.copy_data_file('property-protections-policies.conf', conf_dir)
 self.property_file_roles = os.path.join(conf_dir,
@@ -1153,7 +1152,6 @@ class MultipleBackendFunctionalTest(test_utils.BaseTestCase):
 conf_dir = os.path.join(self.test_dir, 'etc')
 utils.safe_mkdirs(conf_dir)
 self.copy_data_file('schema-image.json', conf_dir)
- self.copy_data_file('policy.yaml', conf_dir)
 self.copy_data_file('property-protections.conf', conf_dir)
 self.copy_data_file('property-protections-policies.conf', conf_dir)
 self.property_file_roles = os.path.join(conf_dir,
diff --git a/glance/tests/functional/serial/test_scrubber.py b/glance/tests/functional/serial/test_scrubber.py
index db0cb20820..bfe50fbb46 100644
--- a/glance/tests/functional/serial/test_scrubber.py
+++ b/glance/tests/functional/serial/test_scrubber.py
@@ -57,7 +57,8 @@ class TestScrubber(functional.FunctionalTest):
 def _send_create_image_http_request(self, path, body=None):
 headers = {
- "Content-Type": "application/json"
+ "Content-Type": "application/json",
+ "X-Roles": "admin",
 }
 body = body or {'container_format': 'ovf',
 'disk_format': 'raw',
diff --git a/glance/tests/functional/test_cache_middleware.py b/glance/tests/functional/test_cache_middleware.py
index 4f4b15c947..7e5a1a68a2 100644
--- a/glance/tests/functional/test_cache_middleware.py
+++ b/glance/tests/functional/test_cache_middleware.py
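Review bot: In test_scrubber.py (@@ -57) the shared helper `_send_create_image_http_request` now sends `"X-Roles": "admin"` for every caller, so none of the scrubber tests that go through it creates an image as an ordinary member any more, and the helper does not say which default policy made the elevation necessary. If only some callers need admin, a keyword on the helper that lets them opt in would keep the member path covered. At minimum add a comment next to the header, for example `# admin: needed under the in-code default policy now that the permissive test policy.yaml is no longer copied`. The helper's body continues past the end of the hunk, so how the headers are used is not visible here.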
@@ -59,7 +59,8 @@ class BaseCacheMiddlewareTest(object):
 # Add an image and verify success
 path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
 http = httplib2.Http()
- headers = self._headers({'content-type': 'application/json'})
+ headers = self._headers({'content-type': 'application/json',
+ 'X-Roles': 'admin'})
 image_entity = {
 'name': 'Image1',
 'visibility': 'public',
@@ -121,7 +122,8 @@ class BaseCacheMiddlewareTest(object):
 # Add an image and verify success
 path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
 http = httplib2.Http()
- headers = self._headers({'content-type': 'application/json'})
+ headers = self._headers({'content-type': 'application/json',
+ 'X-Roles': 'admin'})
 image_entity = {
 'name': 'Image1',
 'visibility': 'public',
@@ -187,7 +189,8 @@ class BaseCacheMiddlewareTest(object):
 # Add an image and verify success
 path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
 http = httplib2.Http()
- headers = self._headers({'content-type': 'application/json'})
+ headers = self._headers({'content-type': 'application/json',
+ 'X-Roles': 'admin'})
 image_entity = {
 'name': 'Image1',
 'visibility': 'public',
@@ -269,7 +272,8 @@ class BaseCacheMiddlewareTest(object):
 # Add an image and verify success
 path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
 http = httplib2.Http()
- headers = self._headers({'content-type': 'application/json'})
+ headers = self._headers({'content-type': 'application/json',
+ 'X-Roles': 'admin'})
 image_entity = {
 'name': 'Image1',
 'visibility': 'public',
diff --git a/glance/tests/functional/v2/test_images.py b/glance/tests/functional/v2/test_images.py
index eaaa9b4c5b..e1aee139f9 100644
--- a/glance/tests/functional/v2/test_images.py
+++ b/glance/tests/functional/v2/test_images.py
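Review bot: The same two-line header literal with `'X-Roles': 'admin'` is pasted into four tests in test_cache_middleware.py (@@ -59, -121, -187 and -269), and none of them records why the role is needed. Judging from the `'visibility': 'public'` entry visible in each `image_entity`, the elevation is presumably for publishing the image rather than for creating it; a comment such as `# public images require admin under the default policy` on the first occurrence, or a small helper that returns the admin JSON headers, would state that once. The same unexplained addition appears in test_images.py at @@ -3789, where the visible part of the request body shows no public visibility. Each enclosing test method starts and ends outside its hunk.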
@@ -785,7 +785,8 @@ class TestImages(functional.FunctionalTest):
 # Change the image to public so TENANT2 can see it
 path = self._url('/v2/images/%s' % image_id)
 media_type = 'application/openstack-images-v2.0-json-patch'
- headers = self._headers({'content-type': media_type})
+ headers = self._headers({'content-type': media_type,
+ 'X-Roles': 'admin'})
 data = jsonutils.dumps([{"replace": "/visibility", "value": "public"}])
 response = requests.patch(path, headers=headers, data=data)
 self.assertEqual(http.OK, response.status_code, response.text)
@@ -2423,6 +2424,10 @@ class TestImages(functional.FunctionalTest):
 def test_property_protections_with_policies(self):
 # Enable property protection
+ rules = {
+ "glance_creator": "role:admin or role:spl_role"
+ }
+ self.set_policy_rules(rules)
 self.api_server.property_protection_file = self.property_file_policies
 self.api_server.property_protection_rule_format = 'policies'
 self.start_servers(**self.__dict__.copy())
@@ -3789,7 +3794,8 @@ class TestImageDirectURLVisibility(functional.FunctionalTest):
 # Create an image
 path = self._url('/v2/images')
- headers = self._headers({'content-type': 'application/json'})
+ headers = self._headers({'content-type': 'application/json',
+ 'X-Roles': 'admin'})
 data = jsonutils.dumps({'name': 'image-1', 'type': 'kernel',
 'foo': 'bar', 'disk_format': 'aki',
 'container_format': 'aki',
@@ -4073,9 +4079,13 @@ class TestImageMembers(functional.FunctionalTest):
 for owner in owners:
 for visibility in visibilities:
 path = self._url('/v2/images')
+ role = 'member'
+ if visibility == 'public':
+ role = 'admin'
 headers = self._headers({
 'content-type': 'application/json',
 'X-Auth-Token': 'createuser:%s:admin' % owner,
+ 'X-Roles': role,
 })
 data = jsonutils.dumps({
 'name': '%s-%s' % (owner, visibility),
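Review bot: In the @@ -785 hunk the admin-scoped dict is still bound to the generic name `headers`; if any later request in this test reuses that variable, it runs as admin, and the tenant-visibility assertions the comment refers to (TENANT2) would no longer exercise a member's view. The rest of the method lies outside the hunk, so this is unverified. Binding the dict as `admin_headers = self._headers({...})` and passing `headers=admin_headers` only to this `requests.patch` call would rule it out.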
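Review bot: In test_property_protections_with_policies (@@ -2423) the rule `"glance_creator": "role:admin or role:spl_role"` is written out a second time, while glance/tests/etc/policy.yaml in this same commit keeps the identical string under a FIXME. The two copies can drift apart unnoticed, after which the unit and functional property-protection tests would check different role sets. A comment on the dict such as `# keep in sync with glance/tests/etc/policy.yaml`, or a shared constant, would make the coupling visible. The test body continues beyond the hunk.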
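Review bot: In TestImageMembers (@@ -4073) the request now carries two role claims that disagree: `'X-Auth-Token': 'createuser:%s:admin' % owner` still names admin, while `'X-Roles'` is `member` for every non-public image. Which of the two the test auth pipeline honours is not visible in this hunk; if the token wins, the new role selection has no effect, and if the header wins, the token's role is misleading to the next reader. Either build the token from the same value (`'createuser:%s:%s' % (owner, role)`) or add a comment saying which field is authoritative; the three-line assignment also reads more directly as `role = 'admin' if visibility == 'public' else 'member'`. The same applies to the TestMultiStoreImageMembers hunk at @@ -6385, and both loops continue outside their hunks.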
@@ -6385,9 +6395,14 @@ class TestMultiStoreImageMembers(functional.MultipleBackendFunctionalTest):
 for owner in owners:
 for visibility in visibilities:
 path = self._url('/v2/images')
+ role = 'member'
+ if visibility == 'public':
+ role = 'admin'
+
 headers = self._headers(custom_headers={
 'content-type': 'application/json',
 'X-Auth-Token': 'createuser:%s:admin' % owner,
+ 'X-Roles': role,
 })
 data = jsonutils.dumps({
 'name': '%s-%s' % (owner, visibility),