Merge "Check proper config option to see if scope is enforced or not"

This commit is contained in:
Zuul 2022-05-30 11:25:21 +00:00 committed by Gerrit Code Review
commit 37ddc2cbae
4 changed files with 11 additions and 20 deletions

View File

@ -124,7 +124,7 @@ class ContextBase(oslo_context.RequestContext):
if 'admin' not in [x.lower() for x in context.roles]:
context.roles = context.roles + ["admin"]
if cfg.CONF.oslo_policy.enforce_new_defaults:
if cfg.CONF.oslo_policy.enforce_scope:
context.system_scope = 'all'
return context

View File

@ -178,7 +178,7 @@ def model_query_scope_is_project(context, model):
# TODO(slaweq): Remove that old is_admin check and always check scopes
# when old, deprecated rules will be removed and only rules with new
# personas will be supported
if cfg.CONF.oslo_policy.enforce_new_defaults:
if cfg.CONF.oslo_policy.enforce_scope:
# Unless a context is a system_scope token, query should be scoped to a
# single project_id
return context.system_scope != 'all'

View File

@ -91,8 +91,7 @@ class TestUtils(base.BaseTestCase):
mock_populate.assert_called_once_with({'name': 'n'})
def test_model_query_scope_is_project_admin_old_defaults(self):
cfg.CONF.set_override(
'enforce_new_defaults', False, group='oslo_policy')
cfg.CONF.set_override('enforce_scope', False, group='oslo_policy')
ctx = context.Context(
project_id='some project',
is_admin=True,
@ -108,8 +107,7 @@ class TestUtils(base.BaseTestCase):
utils.model_query_scope_is_project(ctx, model))
def test_model_query_scope_is_project_advsvc_old_defaults(self):
cfg.CONF.set_override(
'enforce_new_defaults', False, group='oslo_policy')
cfg.CONF.set_override('enforce_scope', False, group='oslo_policy')
ctx = context.Context(
project_id='some project',
is_admin=False,
@ -125,8 +123,7 @@ class TestUtils(base.BaseTestCase):
utils.model_query_scope_is_project(ctx, model))
def test_model_query_scope_is_project_regular_user_old_defaults(self):
cfg.CONF.set_override(
'enforce_new_defaults', False, group='oslo_policy')
cfg.CONF.set_override('enforce_scope', False, group='oslo_policy')
ctx = context.Context(
project_id='some project',
is_admin=False,
@ -142,8 +139,7 @@ class TestUtils(base.BaseTestCase):
utils.model_query_scope_is_project(ctx, model))
def test_model_query_scope_is_project_system_scope_old_defaults(self):
cfg.CONF.set_override(
'enforce_new_defaults', False, group='oslo_policy')
cfg.CONF.set_override('enforce_scope', False, group='oslo_policy')
ctx = context.Context(system_scope='all')
model = mock.Mock(project_id='project')
@ -156,8 +152,7 @@ class TestUtils(base.BaseTestCase):
utils.model_query_scope_is_project(ctx, model))
def test_model_query_scope_is_project_admin_new_defaults(self):
cfg.CONF.set_override(
'enforce_new_defaults', True, group='oslo_policy')
cfg.CONF.set_override('enforce_scope', True, group='oslo_policy')
ctx = context.Context(
project_id='some project',
is_admin=True,
@ -173,8 +168,7 @@ class TestUtils(base.BaseTestCase):
utils.model_query_scope_is_project(ctx, model))
def test_model_query_scope_is_project_advsvc_new_defaults(self):
cfg.CONF.set_override(
'enforce_new_defaults', True, group='oslo_policy')
cfg.CONF.set_override('enforce_scope', True, group='oslo_policy')
ctx = context.Context(
project_id='some project',
is_admin=False,
@ -190,8 +184,7 @@ class TestUtils(base.BaseTestCase):
utils.model_query_scope_is_project(ctx, model))
def test_model_query_scope_is_project_regular_user_new_defaults(self):
cfg.CONF.set_override(
'enforce_new_defaults', True, group='oslo_policy')
cfg.CONF.set_override('enforce_scope', True, group='oslo_policy')
ctx = context.Context(
project_id='some project',
is_admin=False,
@ -207,8 +200,7 @@ class TestUtils(base.BaseTestCase):
utils.model_query_scope_is_project(ctx, model))
def test_model_query_scope_is_project_system_scope_new_defaults(self):
cfg.CONF.set_override(
'enforce_new_defaults', True, group='oslo_policy')
cfg.CONF.set_override('enforce_scope', True, group='oslo_policy')
ctx = context.Context(
system_scope='all')
model = mock.Mock(project_id='project')

View File

@ -151,8 +151,7 @@ class TestNeutronContext(_base.BaseTestCase):
self.assertTrue(elevated2_ctx.is_admin)
def test_neutron_context_elevated_system_scope_for_new_policies(self):
cfg.CONF.set_override(
'enforce_new_defaults', True, group='oslo_policy')
cfg.CONF.set_override('enforce_scope', True, group='oslo_policy')
ctx = context.Context('user_id', 'tenant_id')
self.assertFalse(ctx.is_admin)
self.assertNotEqual('all', ctx.system_scope)