Modify admin_api policy rule

Magnum API's magnum_service:get_all is enforced by admin_api.
Modify the rule to use context_is_admin. Also change the to_dict()
call so that its output includes roles.

Change-Id: I44dda27857945dfd3ad43fa28ea458ce2966388c
Closes-Bug: #1503402
changes/43/232743/2
Surojit Pathak 7 years ago
parent 30d9ce3f81
commit deae4e44b0
  1. 2
      etc/magnum/policy.json
  2. 1
      magnum/common/context.py
  3. 2
      magnum/tests/fake_policy.py
  4. 4
      magnum/tests/unit/common/test_context.py

@ -2,7 +2,7 @@
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "is_admin:True",
"admin_api": "rule:context_is_admin",
"bay:create": "rule:default",
"bay:delete": "rule:default",
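Review bot: `admin_api` now resolves to `role:admin`, while `admin_or_owner` two lines above still tests `is_admin:True`, so the file carries two different definitions of "admin" and `rule:default` keeps depending on the context flag rather than the role. If the role is meant to be the single source of truth, `"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"` would align them; if the split is deliberate, it deserves a line in the policy documentation. `role:admin` also matches on the role name alone, whichever project the role was granted on, so deployments that hand out project-level admin should confirm that exposing `magnum_service:get_all` to those users is acceptable. The same pair of rules appears in magnum/tests/fake_policy.py.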

@ -65,6 +65,7 @@ class RequestContext(context.RequestContext):
'is_admin': self.is_admin,
'is_public_api': self.is_public_api,
'read_only': self.read_only,
'roles': self.roles,
'show_deleted': self.show_deleted,
'request_id': self.request_id,
'trust_id': self.trust_id,
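Review bot: The new `'roles'` entry is what lets a `role:` check such as `context_is_admin` succeed, yet nothing in the code records that coupling. This assumes the dict from to_dict() is what the policy enforcer receives as credentials, since the enforcer call is not in this hunk. A comment above the entry, e.g. `# consumed by role:* policy rules (context_is_admin); keep in sync with policy.json`, would stop a later cleanup from dropping the key and breaking every `admin_api` check. `self.roles` is also placed in the dict by reference, so if it is a list, `'roles': list(self.roles),` would keep consumers of the dict from mutating the context's roles. to_dict() begins and ends outside the hunk.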

@ -18,7 +18,7 @@ policy_data = """
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "is_admin:True",
"admin_api": "rule:context_is_admin",
"bay:create": "",
"bay:delete": "",

@ -27,6 +27,7 @@ class ContextTestCase(base.TestCase):
user_id='user-id1',
project_name='tenant1',
project_id='tenant-id1',
roles=['admin', 'service'],
is_admin=True,
is_public_api=True,
read_only=True,
@ -46,6 +47,8 @@ class ContextTestCase(base.TestCase):
self.assertEqual("user-id1", ctx.user_id)
self.assertEqual("tenant1", ctx.project_name)
self.assertEqual("tenant-id1", ctx.project_id)
for role in ctx.roles:
self.assertTrue(role in ['admin', 'service'])
self.assertTrue(ctx.is_admin)
self.assertTrue(ctx.is_public_api)
self.assertTrue(ctx.read_only)
@ -70,6 +73,7 @@ class ContextTestCase(base.TestCase):
self.assertEqual(ctx.is_admin, ctx2.is_admin)
self.assertEqual(ctx.is_public_api, ctx2.is_public_api)
self.assertEqual(ctx.read_only, ctx2.read_only)
self.assertEqual(ctx.roles, ctx2.roles)
self.assertEqual(ctx.show_deleted, ctx2.show_deleted)
self.assertEqual(ctx.request_id, ctx2.request_id)
self.assertEqual(ctx.trust_id, ctx2.trust_id)
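Review bot: The loop added in the second hunk, `for role in ctx.roles: self.assertTrue(role in ['admin', 'service'])`, passes when `ctx.roles` is empty, so it would not catch a constructor that drops the roles argument. `self.assertEqual(['admin', 'service'], ctx.roles)` pins the actual value. The visible tests only cover the context round trip. A case that enforces `admin_api` with a context lacking the admin role and expects denial would cover the policy change itself, unless one already exists elsewhere in the suite. The test methods start and end outside these hunks.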
