Merge "policy check for node"
This commit is contained in:
commit
da9d3d82e5
|
@ -16,5 +16,12 @@
|
|||
"baymodel:detail": "rule:default",
|
||||
"baymodel:get": "rule:default",
|
||||
"baymodel:get_all": "rule:default",
|
||||
"baymodel:update": "rule:default"
|
||||
"baymodel:update": "rule:default",
|
||||
|
||||
"node:create": "rule:default",
|
||||
"node:delete": "rule:default",
|
||||
"node:detail": "rule:default",
|
||||
"node:get": "rule:default",
|
||||
"node:get_all": "rule:default",
|
||||
"node:update": "rule:default"
|
||||
}
|
||||
|
|
|
@ -27,6 +27,7 @@ from magnum.api.controllers.v1 import collection
|
|||
from magnum.api.controllers.v1 import types
|
||||
from magnum.api.controllers.v1 import utils as api_utils
|
||||
from magnum.common import exception
|
||||
from magnum.common import policy
|
||||
from magnum import objects
|
||||
|
||||
|
||||
|
@ -151,6 +152,7 @@ class NodesController(rest.RestController):
|
|||
sort_key=sort_key,
|
||||
sort_dir=sort_dir)
|
||||
|
||||
@policy.enforce_wsgi("node")
|
||||
@wsme_pecan.wsexpose(NodeCollection, types.uuid,
|
||||
types.uuid, int, wtypes.text, wtypes.text)
|
||||
def get_all(self, node_uuid=None, marker=None, limit=None,
|
||||
|
@ -165,6 +167,7 @@ class NodesController(rest.RestController):
|
|||
return self._get_nodes_collection(marker, limit, sort_key,
|
||||
sort_dir)
|
||||
|
||||
@policy.enforce_wsgi("node")
|
||||
@wsme_pecan.wsexpose(NodeCollection, types.uuid,
|
||||
types.uuid, int, wtypes.text, wtypes.text)
|
||||
def detail(self, node_uuid=None, marker=None, limit=None,
|
||||
|
@ -188,6 +191,7 @@ class NodesController(rest.RestController):
|
|||
sort_key, sort_dir, expand,
|
||||
resource_url)
|
||||
|
||||
@policy.enforce_wsgi("node", "get")
|
||||
@wsme_pecan.wsexpose(Node, types.uuid)
|
||||
def get_one(self, node_uuid):
|
||||
"""Retrieve information about the given node.
|
||||
|
@ -200,6 +204,7 @@ class NodesController(rest.RestController):
|
|||
rpc_node = objects.Node.get_by_uuid(pecan.request.context, node_uuid)
|
||||
return Node.convert_with_links(rpc_node)
|
||||
|
||||
@policy.enforce_wsgi("node", "create")
|
||||
@wsme_pecan.wsexpose(Node, body=Node, status_code=201)
|
||||
def post(self, node):
|
||||
"""Create a new node.
|
||||
|
@ -220,6 +225,7 @@ class NodesController(rest.RestController):
|
|||
pecan.response.location = link.build_url('nodes', new_node.uuid)
|
||||
return Node.convert_with_links(new_node)
|
||||
|
||||
@policy.enforce_wsgi("node", "update")
|
||||
@wsme.validate(types.uuid, [NodePatchType])
|
||||
@wsme_pecan.wsexpose(Node, types.uuid, body=[NodePatchType])
|
||||
def patch(self, node_uuid, patch):
|
||||
|
@ -253,6 +259,7 @@ class NodesController(rest.RestController):
|
|||
rpc_node.save()
|
||||
return Node.convert_with_links(rpc_node)
|
||||
|
||||
@policy.enforce_wsgi("node", "delete")
|
||||
@wsme_pecan.wsexpose(None, types.uuid, status_code=204)
|
||||
def delete(self, node_uuid):
|
||||
"""Delete a node.
|
||||
|
|
|
@ -32,7 +32,14 @@ policy_data = """
|
|||
"baymodel:detail": "",
|
||||
"baymodel:get": "",
|
||||
"baymodel:get_all": "",
|
||||
"baymodel:update": ""
|
||||
"baymodel:update": "",
|
||||
|
||||
"node:create": "",
|
||||
"node:delete": "",
|
||||
"node:detail": "",
|
||||
"node:get": "",
|
||||
"node:get_all": "",
|
||||
"node:update": ""
|
||||
}
|
||||
"""
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@ import datetime
|
|||
|
||||
import mock
|
||||
from oslo_config import cfg
|
||||
from oslo_policy import policy
|
||||
from oslo_utils import timeutils
|
||||
from six.moves.urllib import parse as urlparse
|
||||
from wsme import types as wtypes
|
||||
|
@ -264,3 +265,45 @@ class TestDelete(api_base.FunctionalTest):
|
|||
self.assertEqual(404, response.status_int)
|
||||
self.assertEqual('application/json', response.content_type)
|
||||
self.assertTrue(response.json['error_message'])
|
||||
|
||||
|
||||
class TestNodePolicyEnforcement(api_base.FunctionalTest):
|
||||
|
||||
def setUp(self):
|
||||
super(TestNodePolicyEnforcement, self).setUp()
|
||||
|
||||
def _common_policy_check(self, rule, func, *arg, **kwarg):
|
||||
self.policy.set_rules({rule: "project:non_fake"})
|
||||
exc = self.assertRaises(policy.PolicyNotAuthorized,
|
||||
func, *arg, **kwarg)
|
||||
self.assertTrue(exc.message.startswith(rule))
|
||||
self.assertTrue(exc.message.endswith("disallowed by policy"))
|
||||
|
||||
def test_policy_disallow_get_all(self):
|
||||
self._common_policy_check(
|
||||
"node:get_all", self.get_json, '/nodes')
|
||||
|
||||
def test_policy_disallow_get_one(self):
|
||||
self._common_policy_check(
|
||||
"node:get", self.get_json, '/nodes/111-222-333')
|
||||
|
||||
def test_policy_disallow_update(self):
|
||||
node = obj_utils.create_test_node(self.context,
|
||||
type='type_A',
|
||||
uuid="333-444-5555")
|
||||
self._common_policy_check(
|
||||
"node:update", self.patch_json,
|
||||
'/nodes/%s' % node.uuid,
|
||||
[{'type': '/type', 'value': "new_type", 'op': 'replace'}])
|
||||
|
||||
def test_policy_disallow_create(self):
|
||||
bdict = apiutils.node_post_data(name='node_example_A')
|
||||
self._common_policy_check(
|
||||
"node:create", self.post_json, '/nodes', bdict)
|
||||
|
||||
def test_policy_disallow_delete(self):
|
||||
node = obj_utils.create_test_node(self.context,
|
||||
uuid='137-246-789')
|
||||
self._common_policy_check(
|
||||
"node:delete", self.delete,
|
||||
'/nodes/%s' % node.uuid)
|
||||
|
|
Loading…
Reference in New Issue