Revert "Check RBAC policy for nested stacks"
This reverts commit 57fdf732a4.
It breaks magnum gate.
Change-Id: I0553482d6b56edc08d29e1ab318b3b8962edc04d
parent
57fdf732a4
commit
4a4ce672fb
|
@ -111,12 +111,5 @@ class ResourceEnforcer(Enforcer):
|
||||||
return result
|
return result
|
||||||
|
|
||||||
def enforce_stack(self, stack, scope=None, target=None):
|
def enforce_stack(self, stack, scope=None, target=None):
|
||||||
stack.preview_resources()
|
|
||||||
for res in stack.resources.values():
|
for res in stack.resources.values():
|
||||||
if res.has_nested():
|
|
||||||
self.enforce_stack(res.nested())
|
|
||||||
# After the preview_resources() call nested stack name will
|
|
||||||
# be equal to stack.name + res.name, without uuid part. Get
|
|
||||||
# rid of the side effect of preview.
|
|
||||||
res._nested = None
|
|
||||||
self.enforce(stack.context, res.type(), scope=scope, target=target)
|
self.enforce(stack.context, res.type(), scope=scope, target=target)
|
||||||
|
|
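Review bot: After this revert, `enforce_stack` in `ResourceEnforcer` checks only `res.type()` for the stack's own resources, so a restricted type wrapped in a nested stack is no longer evaluated against resource policy at this point. The removed `fl_tmpl_nested` template shows the case: `OS::Nova::Flavor` inside `OS::Heat::ResourceGroup`. The commit message gives only the magnum gate breakage as the reason, so the gap should be recorded in the code, for example `# NOTE: nested stacks are not traversed here; resource-type policy is applied to top-level resources only` above the `for res in stack.resources.values():` loop. The deleted `test_non_admin_forbidden_create_flavors_nested` would be better kept under a skip that cites the tracking bug than removed, so the regression stays visible until the check is reintroduced. Whether nested resources are still enforced when the child stack itself is created cannot be seen from this page, and the class body starts outside the hunk.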
|
@ -646,8 +646,6 @@ class Stack(collections.Mapping):
|
||||||
(r.CREATE, r.COMPLETE),
|
(r.CREATE, r.COMPLETE),
|
||||||
(r.RESUME, r.IN_PROGRESS),
|
(r.RESUME, r.IN_PROGRESS),
|
||||||
(r.RESUME, r.COMPLETE),
|
(r.RESUME, r.COMPLETE),
|
||||||
(r.SUSPEND, r.IN_PROGRESS),
|
|
||||||
(r.SUSPEND, r.COMPLETE),
|
|
||||||
(r.UPDATE, r.IN_PROGRESS),
|
(r.UPDATE, r.IN_PROGRESS),
|
||||||
(r.UPDATE, r.COMPLETE)) and r.FnGetRefId() == refid:
|
(r.UPDATE, r.COMPLETE)) and r.FnGetRefId() == refid:
|
||||||
return r
|
return r
|
||||||
|
|
|
@ -80,20 +80,6 @@ resources:
|
||||||
ram: 20000
|
ram: 20000
|
||||||
vcpus: 10
|
vcpus: 10
|
||||||
"""
|
"""
|
||||||
fl_tmpl_nested = """
|
|
||||||
heat_template_version: 2015-10-15
|
|
||||||
|
|
||||||
resources:
|
|
||||||
not4everyonerg:
|
|
||||||
type: OS::Heat::ResourceGroup
|
|
||||||
properties:
|
|
||||||
count: 1
|
|
||||||
resource_def:
|
|
||||||
type: OS::Nova::Flavor
|
|
||||||
properties:
|
|
||||||
ram: 20000
|
|
||||||
vcpus: 10
|
|
||||||
"""
|
|
||||||
|
|
||||||
def test_non_admin_forbidden_create_flavors(self):
|
def test_non_admin_forbidden_create_flavors(self):
|
||||||
"""Fail to create Flavor resource w/o admin role.
|
"""Fail to create Flavor resource w/o admin role.
|
||||||
|
@ -109,14 +95,6 @@ resources:
|
||||||
template=self.fl_tmpl)
|
template=self.fl_tmpl)
|
||||||
self.assertIn(self.forbidden_resource_type, ex.message)
|
self.assertIn(self.forbidden_resource_type, ex.message)
|
||||||
|
|
||||||
def test_non_admin_forbidden_create_flavors_nested(self):
|
|
||||||
stack_name = self._stack_rand_name()
|
|
||||||
ex = self.assertRaises(exc.Forbidden,
|
|
||||||
self.client.stacks.create,
|
|
||||||
stack_name=stack_name,
|
|
||||||
template=self.fl_tmpl_nested)
|
|
||||||
self.assertIn(self.forbidden_resource_type, ex.message)
|
|
||||||
|
|
||||||
def test_forbidden_resource_not_listed(self):
|
def test_forbidden_resource_not_listed(self):
|
||||||
resources = self.client.resource_types.list()
|
resources = self.client.resource_types.list()
|
||||||
self.assertNotIn(self.forbidden_resource_type,
|
self.assertNotIn(self.forbidden_resource_type,
|
||||||
|
|