Remove policy rule for get_network:router:external
In the legacy RBAC rules, reading a network's router:external attribute was allowed for everyone (rule:regular_user). In the new S-RBAC rules it was made available to admin users and to PROJECT_READER. This didn't really have the same result, as the router:external attribute wasn't visible for networks which belong to another project. Networks which are set to be external are automatically shared with all other projects, and each user from such a project should be able to check whether each of the visible networks is external or not. Overall, the extra policy rule for "get_network:router:external" isn't really necessary and this patch removes it. Closes-Bug: #1996836 Change-Id: I5fe4a0134c6ecf5cf28e2f5d59411134546c98b0
parent
c8f65b76c3
commit
0ef4f98825
|
@ -189,20 +189,6 @@ rules = [
|
|||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_network:router:external',
|
||||
check_str=base.policy_or(
|
||||
base.ADMIN,
|
||||
base.PROJECT_READER),
|
||||
scope_types=['project'],
|
||||
description='Get ``router:external`` attribute of a network',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='get_network:router:external',
|
||||
check_str=base.RULE_ANY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_network:segments',
|
||||
check_str=base.ADMIN,
|
||||
|
|
|
@ -140,18 +140,6 @@ class SystemAdminTests(NetworkAPITestCase):
|
|||
self.context, 'get_network',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_network_external(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_network:router:external',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_network:router:external',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_network_segments(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
|
@ -403,22 +391,6 @@ class AdminTests(NetworkAPITestCase):
|
|||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_network', self.alt_target))
|
||||
|
||||
def test_get_network_external(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_network:router:external', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_network:router:external', self.alt_target))
|
||||
|
||||
def test_get_network_segments(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_network:segments', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_network:segments', self.alt_target))
|
||||
|
||||
def test_get_network_provider_network_type(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
|
@ -641,15 +613,6 @@ class ProjectMemberTests(AdminTests):
|
|||
policy.enforce,
|
||||
self.context, 'get_network', self.alt_target)
|
||||
|
||||
def test_get_network_external(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_network:router:external', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_network:router:external', self.alt_target)
|
||||
|
||||
def test_get_network_segments(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
|
|