Modify admin_api policy rule
Magnum API's magnum_service:get_all is enforced by admin_api. Modifying the rule to use context_is_admin. Also changing the to_dict() call to include change in roles. Change-Id: I44dda27857945dfd3ad43fa28ea458ce2966388c Closes-Bug: #1503402
This commit is contained in:
Surojit Pathak
parent
30d9ce3f81
commit
deae4e44b0
|
|
@ -2,7 +2,7 @@
|
||||||
"context_is_admin": "role:admin",
|
"context_is_admin": "role:admin",
|
||||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||||
"default": "rule:admin_or_owner",
|
"default": "rule:admin_or_owner",
|
||||||
"admin_api": "is_admin:True",
|
"admin_api": "rule:context_is_admin",
|
||||||
|
|
||||||
"bay:create": "rule:default",
|
"bay:create": "rule:default",
|
||||||
"bay:delete": "rule:default",
|
"bay:delete": "rule:default",
|
||||||
|
|
|
||||||
|
|
@ -65,6 +65,7 @@ class RequestContext(context.RequestContext):
|
||||||
'is_admin': self.is_admin,
|
'is_admin': self.is_admin,
|
||||||
'is_public_api': self.is_public_api,
|
'is_public_api': self.is_public_api,
|
||||||
'read_only': self.read_only,
|
'read_only': self.read_only,
|
||||||
|
'roles': self.roles,
|
||||||
'show_deleted': self.show_deleted,
|
'show_deleted': self.show_deleted,
|
||||||
'request_id': self.request_id,
|
'request_id': self.request_id,
|
||||||
'trust_id': self.trust_id,
|
'trust_id': self.trust_id,
|
||||||
|
|
|
||||||
|
|
@ -18,7 +18,7 @@ policy_data = """
|
||||||
"context_is_admin": "role:admin",
|
"context_is_admin": "role:admin",
|
||||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
|
||||||
"default": "rule:admin_or_owner",
|
"default": "rule:admin_or_owner",
|
||||||
"admin_api": "is_admin:True",
|
"admin_api": "rule:context_is_admin",
|
||||||
|
|
||||||
"bay:create": "",
|
"bay:create": "",
|
||||||
"bay:delete": "",
|
"bay:delete": "",
|
||||||
|
|
|
||||||
|
|
@ -27,6 +27,7 @@ class ContextTestCase(base.TestCase):
|
||||||
user_id='user-id1',
|
user_id='user-id1',
|
||||||
project_name='tenant1',
|
project_name='tenant1',
|
||||||
project_id='tenant-id1',
|
project_id='tenant-id1',
|
||||||
|
roles=['admin', 'service'],
|
||||||
is_admin=True,
|
is_admin=True,
|
||||||
is_public_api=True,
|
is_public_api=True,
|
||||||
read_only=True,
|
read_only=True,
|
||||||
|
|
@ -46,6 +47,8 @@ class ContextTestCase(base.TestCase):
|
||||||
self.assertEqual("user-id1", ctx.user_id)
|
self.assertEqual("user-id1", ctx.user_id)
|
||||||
self.assertEqual("tenant1", ctx.project_name)
|
self.assertEqual("tenant1", ctx.project_name)
|
||||||
self.assertEqual("tenant-id1", ctx.project_id)
|
self.assertEqual("tenant-id1", ctx.project_id)
|
||||||
|
for role in ctx.roles:
|
||||||
|
self.assertTrue(role in ['admin', 'service'])
|
||||||
self.assertTrue(ctx.is_admin)
|
self.assertTrue(ctx.is_admin)
|
||||||
self.assertTrue(ctx.is_public_api)
|
self.assertTrue(ctx.is_public_api)
|
||||||
self.assertTrue(ctx.read_only)
|
self.assertTrue(ctx.read_only)
|
||||||
|
|
@ -70,6 +73,7 @@ class ContextTestCase(base.TestCase):
|
||||||
self.assertEqual(ctx.is_admin, ctx2.is_admin)
|
self.assertEqual(ctx.is_admin, ctx2.is_admin)
|
||||||
self.assertEqual(ctx.is_public_api, ctx2.is_public_api)
|
self.assertEqual(ctx.is_public_api, ctx2.is_public_api)
|
||||||
self.assertEqual(ctx.read_only, ctx2.read_only)
|
self.assertEqual(ctx.read_only, ctx2.read_only)
|
||||||
|
self.assertEqual(ctx.roles, ctx2.roles)
|
||||||
self.assertEqual(ctx.show_deleted, ctx2.show_deleted)
|
self.assertEqual(ctx.show_deleted, ctx2.show_deleted)
|
||||||
self.assertEqual(ctx.request_id, ctx2.request_id)
|
self.assertEqual(ctx.request_id, ctx2.request_id)
|
||||||
self.assertEqual(ctx.trust_id, ctx2.trust_id)
|
self.assertEqual(ctx.trust_id, ctx2.trust_id)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue