openstack/magnum
Code Issues Proposed changes

Admin can now delete clusters in any project

Browse Source 
After merging https://review.openstack.org/#/c/531066/
it would be interesting for admin users to be able to
delete clusters and cluster templates as well.

Related-Bug: #1740982
Change-Id: I91f909e8814b86fd5f8b555573238b99b47ffd03
This commit is contained in:
Daniel Abad 2018-02-15 12:29:45 +00:00 committed by Spyros Trigazis (strigazi)
parent c6e7b290ab
commit 6aac36358c
6 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
magnum/api/controllers/v1/cluster.py
View File

@ -554,6 +554,11 @@ class ClustersController(base.Controller):
:param cluster_ident: UUID of cluster or logical name of the cluster.
"""
context = pecan.request.context
if context.is_admin:
policy.enforce(context, 'cluster:delete_all_projects',
action='cluster:delete_all_projects')
context.all_tenants = True
cluster = api_utils.get_resource('Cluster', cluster_ident)
policy.enforce(context, 'cluster:delete', cluster.as_dict(),
action='cluster:delete')

5
magnum/api/controllers/v1/cluster_template.py
View File

@ -464,6 +464,11 @@ class ClusterTemplatesController(base.Controller):
ClusterTemplate.
"""
context = pecan.request.context
if context.is_admin:
policy.enforce(context, 'clustertemplate:delete_all_projects',
action='clustertemplate:delete_all_projects')
context.all_tenants = True
cluster_template = api_utils.get_resource('ClusterTemplate',
cluster_template_ident)
policy.enforce(context, 'clustertemplate:delete',

11
magnum/common/policies/cluster.py
View File

@ -40,6 +40,17 @@ rules = [
}
]
),
policy.DocumentedRuleDefault(
name=CLUSTER % 'delete_all_projects',
check_str=base.RULE_ADMIN_API,
description='Delete a cluster from any project.',
operations=[
{
'path': '/v1/clusters/{cluster_ident}',
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name=CLUSTER % 'detail',
check_str=base.RULE_DENY_CLUSTER_USER,

11
magnum/common/policies/cluster_template.py
View File

@ -40,6 +40,17 @@ rules = [
}
]
),
policy.DocumentedRuleDefault(
name=CLUSTER_TEMPLATE % 'delete_all_projects',
check_str=base.RULE_ADMIN_API,
description='Delete a cluster template from any project.',
operations=[
{
'path': '/v1/clustertemplate/{clustertemplate_ident}',
'method': 'DELETE'
}
]
),
policy.DocumentedRuleDefault(
name=CLUSTER_TEMPLATE % 'detail_all_projects',
check_str=base.RULE_ADMIN_API,

10
magnum/tests/unit/api/controllers/v1/test_cluster.py
View File

@ -950,6 +950,16 @@ class TestDelete(api_base.FunctionalTest):
self.assertEqual('application/json', response.content_type)
self.assertTrue(response.json['errors'])
@mock.patch("magnum.common.policy.enforce")
@mock.patch("magnum.common.context.make_context")
def test_delete_cluster_as_admin(self, mock_context, mock_policy):
temp_uuid = uuidutils.generate_uuid()
obj_utils.create_test_cluster(self.context, uuid=temp_uuid)
self.context.is_admin = True
response = self.delete('/clusters/%s' % temp_uuid,
expect_errors=True)
self.assertEqual(204, response.status_int)
class TestClusterPolicyEnforcement(api_base.FunctionalTest):
def setUp(self):

11
magnum/tests/unit/api/controllers/v1/test_cluster_template.py
View File

@ -1077,6 +1077,17 @@ class TestDelete(api_base.FunctionalTest):
self.assertEqual('application/json', response.content_type)
self.assertTrue(response.json['errors'])
@mock.patch("magnum.common.policy.enforce")
@mock.patch("magnum.common.context.make_context")
def test_delete_cluster_template_as_admin(self, mock_context, mock_policy):
temp_uuid = uuidutils.generate_uuid()
obj_utils.create_test_cluster_template(self.context, uuid=temp_uuid,
project_id=temp_uuid)
self.context.is_admin = True
response = self.delete('/clustertemplates/%s' % temp_uuid,
expect_errors=True)
self.assertEqual(204, response.status_int)
class TestClusterTemplatePolicyEnforcement(api_base.FunctionalTest):