Merge "Update secure RBAC policies accordingly to the new guidelines"
commit
0f1942d8d0
@ -32,7 +32,7 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_address_group',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_OR_PROJECT_READER,
|
||||
base.PROJECT_READER,
|
||||
'rule:shared_address_groups'),
|
||||
description='Get an address group',
|
||||
operations=[
|
||||
@ -45,7 +45,7 @@ rules = [
|
||||
'path': AG_RESOURCE_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='get_address_group',
|
||||
check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
|
@ -31,7 +31,7 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_address_scope',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
description='Create an address scope',
|
||||
operations=[
|
||||
{
|
||||
@ -39,7 +39,7 @@ rules = [
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='create_address_scope',
|
||||
check_str=base.RULE_ANY,
|
||||
@ -48,7 +48,7 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_address_scope:shared',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
description='Create a shared address scope',
|
||||
operations=[
|
||||
{
|
||||
@ -56,7 +56,7 @@ rules = [
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='create_address_scope:shared',
|
||||
check_str=base.RULE_ADMIN_ONLY,
|
||||
@ -65,7 +65,7 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_address_scope',
|
||||
check_str=base.policy_or(base.SYSTEM_OR_PROJECT_READER,
|
||||
check_str=base.policy_or(base.PROJECT_READER,
|
||||
'rule:shared_address_scopes'),
|
||||
description='Get an address scope',
|
||||
operations=[
|
||||
@ -78,7 +78,7 @@ rules = [
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='get_address_scope',
|
||||
check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
@ -88,7 +88,7 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_address_scope',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
description='Update an address scope',
|
||||
operations=[
|
||||
{
|
||||
@ -96,7 +96,7 @@ rules = [
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='update_address_scope',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
@ -105,7 +105,7 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_address_scope:shared',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
description='Update ``shared`` attribute of an address scope',
|
||||
operations=[
|
||||
{
|
||||
@ -113,7 +113,7 @@ rules = [
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='update_address_scope:shared',
|
||||
check_str=base.RULE_ADMIN_ONLY,
|
||||
@ -122,7 +122,7 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_address_scope',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
description='Delete an address scope',
|
||||
operations=[
|
||||
{
|
||||
@ -130,7 +130,7 @@ rules = [
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='delete_address_scope',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
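Review bot: The tightened default on `create_address_scope` (`check_str=base.PROJECT_MEMBER`) sits next to a `deprecated_rule` whose `check_str` is still `base.RULE_ANY`, and oslo.policy ORs a deprecated default with the new one until `[oslo_policy] enforce_new_defaults` is enabled. Until an operator sets that option the effective check for this rule is unchanged, so the new default should not be read as restricting creation to project members on a stock deployment. The same applies to `create_floatingip` and `get_floatingip_pool` in the later sections, which also keep `RULE_ANY` as the deprecated check. I would add a comment above these rules, e.g. `# Effective only with enforce_new_defaults=True; the deprecated RULE_ANY check is OR-ed in otherwise.`, and say the same in the release note. Each hunk cuts through its rule definition, so the deprecation reason and version are not visible here.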
|
@ -25,7 +25,7 @@ DEPRECATION_REASON = (
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_auto_allocated_topology',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
check_str=base.PROJECT_READER,
|
||||
description="Get a project's auto-allocated topology",
|
||||
operations=[
|
||||
{
|
||||
@ -33,7 +33,7 @@ rules = [
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='get_auto_allocated_topology',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
@ -42,7 +42,7 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_auto_allocated_topology',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
description="Delete a project's auto-allocated topology",
|
||||
operations=[
|
||||
{
|
||||
@ -50,7 +50,7 @@ rules = [
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='delete_auto_allocated_topology',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
@ -25,7 +25,7 @@ DEPRECATION_REASON = (
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_floatingip',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
description='Create a floating IP',
|
||||
operations=[
|
||||
{
|
||||
@ -33,7 +33,7 @@ rules = [
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='create_floatingip',
|
||||
check_str=base.RULE_ANY,
|
||||
@ -42,7 +42,7 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_floatingip:floating_ip_address',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
description='Create a floating IP with a specific IP address',
|
||||
operations=[
|
||||
{
|
||||
@ -50,7 +50,7 @@ rules = [
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='create_floatingip:floating_ip_address',
|
||||
check_str=base.RULE_ADMIN_ONLY,
|
||||
@ -59,7 +59,7 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_floatingip',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
check_str=base.PROJECT_READER,
|
||||
description='Get a floating IP',
|
||||
operations=[
|
||||
{
|
||||
@ -71,7 +71,7 @@ rules = [
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='get_floatingip',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
@ -80,7 +80,7 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_floatingip',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
description='Update a floating IP',
|
||||
operations=[
|
||||
{
|
||||
@ -88,7 +88,7 @@ rules = [
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='update_floatingip',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
@ -97,7 +97,7 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_floatingip',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
description='Delete a floating IP',
|
||||
operations=[
|
||||
{
|
||||
@ -105,7 +105,7 @@ rules = [
|
||||
'path': RESOURCE_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='delete_floatingip',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
@ -21,7 +21,7 @@ DEPRECATED_REASON = (
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_floatingip_pool',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
check_str=base.PROJECT_READER,
|
||||
description='Get floating IP pools',
|
||||
operations=[
|
||||
{
|
||||
@ -29,7 +29,7 @@ rules = [
|
||||
'path': '/floatingip_pools',
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='get_floatingip_pool',
|
||||
check_str=base.RULE_ANY,
|
||||
|
@ -30,9 +30,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_floatingip_port_forwarding',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
base.PROJECT_MEMBER,
|
||||
base.RULE_PARENT_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Create a floating IP port forwarding',
|
||||
operations=[
|
||||
{
|
||||
@ -49,9 +49,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_floatingip_port_forwarding',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_OR_PROJECT_READER,
|
||||
base.PROJECT_READER,
|
||||
base.RULE_PARENT_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Get a floating IP port forwarding',
|
||||
operations=[
|
||||
{
|
||||
@ -72,9 +72,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_floatingip_port_forwarding',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
base.PROJECT_MEMBER,
|
||||
base.RULE_PARENT_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Update a floating IP port forwarding',
|
||||
operations=[
|
||||
{
|
||||
@ -91,9 +91,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_floatingip_port_forwarding',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
base.PROJECT_MEMBER,
|
||||
base.RULE_PARENT_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Delete a floating IP port forwarding',
|
||||
operations=[
|
||||
{
|
||||
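Review bot: In `create_floatingip_port_forwarding`, `update_floatingip_port_forwarding` and `delete_floatingip_port_forwarding` the new `base.PROJECT_MEMBER` check is only one arm of a `policy_or` with `base.RULE_PARENT_OWNER`, so it constrains nothing unless the ownership arm also checks a role. `RULE_PARENT_OWNER` is defined outside this page; if it only matches the parent floating IP's project, a token holding just the reader role in that project would presumably still pass these write rules. Consider requiring both conditions, e.g. `check_str=base.policy_and(base.PROJECT_MEMBER, base.RULE_PARENT_OWNER),`, with the `PROJECT_READER` equivalent on the `get_` rule. The four `*_router_conntrack_helper` rules in the next section follow the same pattern, and each rule's body continues past its hunk.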
|
@ -30,9 +30,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_router_conntrack_helper',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
base.PROJECT_MEMBER,
|
||||
base.RULE_PARENT_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Create a router conntrack helper',
|
||||
operations=[
|
||||
{
|
||||
@ -49,9 +49,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_router_conntrack_helper',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_OR_PROJECT_READER,
|
||||
base.PROJECT_READER,
|
||||
base.RULE_PARENT_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Get a router conntrack helper',
|
||||
operations=[
|
||||
{
|
||||
@ -72,9 +72,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_router_conntrack_helper',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
base.PROJECT_MEMBER,
|
||||
base.RULE_PARENT_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Update a router conntrack helper',
|
||||
operations=[
|
||||
{
|
||||
@ -91,9 +91,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_router_conntrack_helper',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
base.PROJECT_MEMBER,
|
||||
base.RULE_PARENT_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Delete a router conntrack helper',
|
||||
operations=[
|
||||
{
|
||||
|
@ -29,8 +29,8 @@ RULE_RESOURCE_PATH = '/metering/metering-label-rules/{id}'
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_metering_label',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Create a metering label',
|
||||
operations=[
|
||||
{
|
||||
@ -46,8 +46,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_metering_label',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get a metering label',
|
||||
operations=[
|
||||
{
|
||||
@ -67,8 +67,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_metering_label',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Delete a metering label',
|
||||
operations=[
|
||||
{
|
||||
@ -84,8 +84,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_metering_label_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Create a metering label rule',
|
||||
operations=[
|
||||
{
|
||||
@ -101,8 +101,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_metering_label_rule',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get a metering label rule',
|
||||
operations=[
|
||||
{
|
||||
@ -122,8 +122,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_metering_label_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Delete a metering label rule',
|
||||
operations=[
|
||||
{
|
||||
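Review bot: `get_metering_label` and `get_metering_label_rule` move from `base.SYSTEM_READER` to `base.PROJECT_READER`, while every other `SYSTEM_READER` rule on this page (`get_network:segments`, the `get_network:provider:*` rules, the `get_port:binding:*` rules) moves to `base.PROJECT_ADMIN`. As rendered, that widens a read which needed a system-level role to one that a project reader presumably passes, even though the create and delete rules for the same resource stay admin-only. If the widening is not intended, both read rules should use `check_str=base.PROJECT_ADMIN,`; if it is intended, a comment explaining why metering labels are readable by project readers would help. The deprecated rules of this section fall outside the hunks, so the previous effective default cannot be confirmed from here.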
|
@ -45,8 +45,8 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_network',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Create a network',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -57,8 +57,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_network:shared',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Create a shared network',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -69,8 +69,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_network:router:external',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Create an external network',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -81,8 +81,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_network:is_default',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Specify ``is_default`` attribute when creating a network',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -93,8 +93,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_network:port_security_enabled',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``port_security_enabled`` '
|
||||
'attribute when creating a network'
|
||||
@ -108,8 +108,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_network:segments',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Specify ``segments`` attribute when creating a network',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -120,8 +120,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_network:provider:network_type',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``provider:network_type`` '
|
||||
'when creating a network'
|
||||
@ -135,8 +135,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_network:provider:physical_network',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``provider:physical_network`` '
|
||||
'when creating a network'
|
||||
@ -150,8 +150,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_network:provider:segmentation_id',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``provider:segmentation_id`` when creating a network'
|
||||
),
|
||||
@ -166,12 +166,12 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_network',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_OR_PROJECT_READER,
|
||||
base.PROJECT_READER,
|
||||
'rule:shared',
|
||||
'rule:external',
|
||||
base.RULE_ADVSVC
|
||||
),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Get a network',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -186,8 +186,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_network:router:external',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get ``router:external`` attribute of a network',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -198,8 +198,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_network:segments',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Get ``segments`` attribute of a network',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -210,8 +210,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_network:provider:network_type',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Get ``provider:network_type`` attribute of a network',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -222,8 +222,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_network:provider:physical_network',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Get ``provider:physical_network`` attribute of a network',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -234,8 +234,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_network:provider:segmentation_id',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Get ``provider:segmentation_id`` attribute of a network',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -247,8 +247,8 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_network',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Update a network',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -259,8 +259,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_network:segments',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update ``segments`` attribute of a network',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -271,8 +271,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_network:shared',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update ``shared`` attribute of a network',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -283,8 +283,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_network:provider:network_type',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update ``provider:network_type`` attribute of a network',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -295,8 +295,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_network:provider:physical_network',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Update ``provider:physical_network`` '
|
||||
'attribute of a network'
|
||||
@ -310,8 +310,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_network:provider:segmentation_id',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Update ``provider:segmentation_id`` '
|
||||
'attribute of a network'
|
||||
@ -325,8 +325,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_network:router:external',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update ``router:external`` attribute of a network',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -337,8 +337,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_network:is_default',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update ``is_default`` attribute of a network',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -349,8 +349,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_network:port_security_enabled',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Update ``port_security_enabled`` attribute of a network',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -362,8 +362,8 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_network',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Delete a network',
|
||||
operations=ACTION_DELETE,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
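Review bot: The rules for attributes that affect the whole deployment (`create_network:shared`, `create_network:router:external`, `create_network:is_default`, and the `*:segments` and `*:provider:*` rules) now rest on `base.PROJECT_ADMIN` with `scope_types=['project']`, and whether that is safe depends on how `PROJECT_ADMIN` is written in the base module, which this page does not show. If it checks only the admin role, an admin of any single project holds these cross-project powers; if it also matches the project ID, an admin can no longer manage shared or external networks owned by another project. A comment at these rules stating which of the two is intended, plus a policy test with an admin token from a different project, would make the boundary explicit. Separately, the `get_network:segments` and `get_network:provider:*` reads now need an admin role where `SYSTEM_READER` used to suffice, so no read-only persona can audit provider attributes once the new defaults are enforced.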
|
@ -51,8 +51,8 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_port',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Create a port',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -65,12 +65,11 @@ rules = [
|
||||
name='create_port:device_owner',
|
||||
check_str=base.policy_or(
|
||||
'not rule:network_device',
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_NET_OWNER
|
||||
),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Specify ``device_owner`` attribute when creting a port',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -87,9 +86,8 @@ rules = [
|
||||
check_str=base.policy_or(
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_NET_OWNER,
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Specify ``mac_address`` attribute when creating a port',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -105,10 +103,9 @@ rules = [
|
||||
check_str=base.policy_or(
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_NET_OWNER,
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
'rule:shared'),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Specify ``fixed_ips`` information when creating a port',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -125,9 +122,8 @@ rules = [
|
||||
check_str=base.policy_or(
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_NET_OWNER,
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Specify IP address in ``fixed_ips`` when creating a port',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -143,10 +139,9 @@ rules = [
|
||||
check_str=base.policy_or(
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_NET_OWNER,
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
'rule:shared'),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Specify subnet ID in ``fixed_ips`` when creating a port',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -163,9 +158,8 @@ rules = [
|
||||
check_str=base.policy_or(
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_NET_OWNER,
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``port_security_enabled`` '
|
||||
'attribute when creating a port'
|
||||
@ -181,8 +175,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_port:binding:host_id',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``binding:host_id`` '
|
||||
'attribute when creating a port'
|
||||
@ -196,8 +190,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_port:binding:profile',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``binding:profile`` attribute '
|
||||
'when creating a port'
|
||||
@ -211,8 +205,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_port:binding:vnic_type',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``binding:vnic_type`` '
|
||||
'attribute when creating a port'
|
||||
@ -227,10 +221,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_port:allowed_address_pairs',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
base.RULE_NET_OWNER),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``allowed_address_pairs`` '
|
||||
'attribute when creating a port'
|
||||
@ -245,10 +238,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_port:allowed_address_pairs:mac_address',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
base.RULE_NET_OWNER),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``mac_address` of `allowed_address_pairs`` '
|
||||
'attribute when creating a port'
|
||||
@ -263,10 +255,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_port:allowed_address_pairs:ip_address',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
base.RULE_NET_OWNER),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``ip_address`` of ``allowed_address_pairs`` '
|
||||
'attribute when creating a port'
|
||||
@ -283,9 +274,9 @@ rules = [
|
||||
name='get_port',
|
||||
check_str=base.policy_or(
|
||||
base.RULE_ADVSVC,
|
||||
base.SYSTEM_OR_PROJECT_READER
|
||||
base.PROJECT_READER
|
||||
),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get a port',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -298,8 +289,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_port:binding:vif_type',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Get ``binding:vif_type`` attribute of a port',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -310,8 +301,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_port:binding:vif_details',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Get ``binding:vif_details`` attribute of a port',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -322,8 +313,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_port:binding:host_id',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Get ``binding:host_id`` attribute of a port',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -334,8 +325,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_port:binding:profile',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Get ``binding:profile`` attribute of a port',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -346,8 +337,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_port:resource_request',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Get ``resource_request`` attribute of a port',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -362,10 +353,10 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_port',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
base.PROJECT_MEMBER,
|
||||
base.RULE_ADVSVC
|
||||
),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Update a port',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -382,10 +373,9 @@ rules = [
|
||||
'not rule:network_device',
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_NET_OWNER,
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN
|
||||
),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Update ``device_owner`` attribute of a port',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -400,10 +390,10 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_port:mac_address',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
base.RULE_ADVSVC
|
||||
),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Update ``mac_address`` attribute of a port',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -419,10 +409,9 @@ rules = [
|
||||
check_str=base.policy_or(
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_NET_OWNER,
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN
|
||||
),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Specify ``fixed_ips`` information when updating a port',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -438,10 +427,9 @@ rules = [
|
||||
check_str=base.policy_or(
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_NET_OWNER,
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN
|
||||
),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify IP address in ``fixed_ips`` '
|
||||
'information when updating a port'
|
||||
@ -460,11 +448,10 @@ rules = [
|
||||
check_str=base.policy_or(
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_NET_OWNER,
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
'rule:shared'
|
||||
),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify subnet ID in ``fixed_ips`` '
|
||||
'information when updating a port'
|
||||
@ -484,10 +471,9 @@ rules = [
|
||||
check_str=base.policy_or(
|
||||
base.RULE_ADVSVC,
|
||||
base.RULE_NET_OWNER,
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN
|
||||
),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Update ``port_security_enabled`` attribute of a port',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -500,8 +486,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_port:binding:host_id',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update ``binding:host_id`` attribute of a port',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -512,8 +498,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_port:binding:profile',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update ``binding:profile`` attribute of a port',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -525,10 +511,10 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_port:binding:vnic_type',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
base.PROJECT_MEMBER,
|
||||
base.RULE_ADVSVC
|
||||
),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Update ``binding:vnic_type`` attribute of a port',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -542,10 +528,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_port:allowed_address_pairs',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
base.RULE_NET_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Update ``allowed_address_pairs`` attribute of a port',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -557,10 +542,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_port:allowed_address_pairs:mac_address',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
base.RULE_NET_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Update ``mac_address`` of ``allowed_address_pairs`` '
|
||||
'attribute of a port'
|
||||
@ -575,10 +559,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_port:allowed_address_pairs:ip_address',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
base.RULE_NET_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Update ``ip_address`` of ``allowed_address_pairs`` '
|
||||
'attribute of a port'
|
||||
@ -593,9 +576,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_port:data_plane_status',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
'role:data_plane_integrator'),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Update ``data_plane_status`` attribute of a port',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -609,9 +592,9 @@ rules = [
|
||||
name='delete_port',
|
||||
check_str=base.policy_or(
|
||||
base.RULE_ADVSVC,
|
||||
base.SYSTEM_ADMIN_OR_PROJECT_MEMBER
|
||||
base.PROJECT_MEMBER
|
||||
),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Delete a port',
|
||||
operations=ACTION_DELETE,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
|
@ -23,8 +23,8 @@ The QoS API now supports system scope and default roles.
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_policy',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get QoS policies',
|
||||
operations=[
|
||||
{
|
||||
@ -44,8 +44,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_policy',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Create a QoS policy',
|
||||
operations=[
|
||||
{
|
||||
@ -61,8 +61,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_policy',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update a QoS policy',
|
||||
operations=[
|
||||
{
|
||||
@ -78,8 +78,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_policy',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Delete a QoS policy',
|
||||
operations=[
|
||||
{
|
||||
@ -96,7 +96,12 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_rule_type',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
# NOTE: we are using role:admin instead of PROJECT_ADMIN here because
|
||||
# rule_type resource don't belongs to any project so using
|
||||
# PROJECT_ADMIN as check string would cause enforcement error
|
||||
check_str=base.policy_or(
|
||||
"role:admin",
|
||||
base.SYSTEM_READER),
|
||||
scope_types=['system', 'project'],
|
||||
description='Get available QoS rule types',
|
||||
operations=[
|
||||
@ -118,8 +123,8 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_policy_bandwidth_limit_rule',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get a QoS bandwidth limit rule',
|
||||
operations=[
|
||||
{
|
||||
@ -140,8 +145,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_policy_bandwidth_limit_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Create a QoS bandwidth limit rule',
|
||||
operations=[
|
||||
{
|
||||
@ -157,8 +162,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_policy_bandwidth_limit_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update a QoS bandwidth limit rule',
|
||||
operations=[
|
||||
{
|
||||
@ -175,8 +180,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_policy_bandwidth_limit_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Delete a QoS bandwidth limit rule',
|
||||
operations=[
|
||||
{
|
||||
@ -194,8 +199,8 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_policy_dscp_marking_rule',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get a QoS DSCP marking rule',
|
||||
operations=[
|
||||
{
|
||||
@ -216,8 +221,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_policy_dscp_marking_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Create a QoS DSCP marking rule',
|
||||
operations=[
|
||||
{
|
||||
@ -233,8 +238,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_policy_dscp_marking_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update a QoS DSCP marking rule',
|
||||
operations=[
|
||||
{
|
||||
@ -251,8 +256,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_policy_dscp_marking_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Delete a QoS DSCP marking rule',
|
||||
operations=[
|
||||
{
|
||||
@ -270,8 +275,8 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_policy_minimum_bandwidth_rule',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get a QoS minimum bandwidth rule',
|
||||
operations=[
|
||||
{
|
||||
@ -292,8 +297,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_policy_minimum_bandwidth_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Create a QoS minimum bandwidth rule',
|
||||
operations=[
|
||||
{
|
||||
@ -309,8 +314,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_policy_minimum_bandwidth_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update a QoS minimum bandwidth rule',
|
||||
operations=[
|
||||
{
|
||||
@ -327,8 +332,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_policy_minimum_bandwidth_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Delete a QoS minimum bandwidth rule',
|
||||
operations=[
|
||||
{
|
||||
@ -345,8 +350,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_policy_minimum_packet_rate_rule',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get a QoS minimum packet rate rule',
|
||||
operations=[
|
||||
{
|
||||
@ -362,8 +367,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_policy_minimum_packet_rate_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Create a QoS minimum packet rate rule',
|
||||
operations=[
|
||||
{
|
||||
@ -374,8 +379,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_policy_minimum_packet_rate_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update a QoS minimum packet rate rule',
|
||||
operations=[
|
||||
{
|
||||
@ -387,8 +392,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_policy_minimum_packet_rate_rule',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Delete a QoS minimum packet rate rule',
|
||||
operations=[
|
||||
{
|
||||
@ -400,102 +405,156 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_alias_bandwidth_limit_rule',
|
||||
check_str='rule:get_policy_bandwidth_limit_rule',
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get a QoS bandwidth limit rule through alias',
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/qos/alias_bandwidth_limit_rules/{rule_id}/',
|
||||
},
|
||||
]
|
||||
],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='get_alias_bandwidth_limit_rule',
|
||||
check_str=base.RULE_ANY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_alias_bandwidth_limit_rule',
|
||||
check_str='rule:update_policy_bandwidth_limit_rule',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update a QoS bandwidth limit rule through alias',
|
||||
operations=[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/qos/alias_bandwidth_limit_rules/{rule_id}/',
|
||||
},
|
||||
]
|
||||
],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='update_alias_bandwidth_limit_rule',
|
||||
check_str=base.RULE_ADMIN_ONLY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_alias_bandwidth_limit_rule',
|
||||
check_str='rule:delete_policy_bandwidth_limit_rule',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Delete a QoS bandwidth limit rule through alias',
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/qos/alias_bandwidth_limit_rules/{rule_id}/',
|
||||
},
|
||||
]
|
||||
],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='delete_alias_bandwidth_limit_rule',
|
||||
check_str=base.RULE_ADMIN_ONLY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_alias_dscp_marking_rule',
|
||||
check_str='rule:get_policy_dscp_marking_rule',
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get a QoS DSCP marking rule through alias',
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/qos/alias_dscp_marking_rules/{rule_id}/',
|
||||
},
|
||||
]
|
||||
],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='get_alias_dscp_marking_rule',
|
||||
check_str=base.RULE_ANY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_alias_dscp_marking_rule',
|
||||
check_str='rule:update_policy_dscp_marking_rule',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update a QoS DSCP marking rule through alias',
|
||||
operations=[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/qos/alias_dscp_marking_rules/{rule_id}/',
|
||||
},
|
||||
]
|
||||
],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='update_alias_dscp_marking_rule',
|
||||
check_str=base.RULE_ADMIN_ONLY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_alias_dscp_marking_rule',
|
||||
check_str='rule:delete_policy_dscp_marking_rule',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Delete a QoS DSCP marking rule through alias',
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/qos/alias_dscp_marking_rules/{rule_id}/',
|
||||
},
|
||||
]
|
||||
],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='delete_alias_dscp_marking_rule',
|
||||
check_str=base.RULE_ADMIN_ONLY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_alias_minimum_bandwidth_rule',
|
||||
check_str='rule:get_policy_minimum_bandwidth_rule',
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get a QoS minimum bandwidth rule through alias',
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/qos/alias_minimum_bandwidth_rules/{rule_id}/',
|
||||
},
|
||||
]
|
||||
],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='get_alias_minimum_bandwidth_rule',
|
||||
check_str=base.RULE_ANY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_alias_minimum_bandwidth_rule',
|
||||
check_str='rule:update_policy_minimum_bandwidth_rule',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update a QoS minimum bandwidth rule through alias',
|
||||
operations=[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/qos/alias_minimum_bandwidth_rules/{rule_id}/',
|
||||
},
|
||||
]
|
||||
],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='update_alias_minimum_bandwidth_rule',
|
||||
check_str=base.RULE_ADMIN_ONLY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_alias_minimum_bandwidth_rule',
|
||||
check_str='rule:delete_policy_minimum_bandwidth_rule',
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Delete a QoS minimum bandwidth rule through alias',
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/qos/alias_minimum_bandwidth_rules/{rule_id}/',
|
||||
},
|
||||
]
|
||||
],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='delete_alias_minimum_bandwidth_rule',
|
||||
check_str=base.RULE_ADMIN_ONLY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
]
|
||||
|
||||
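Review bot: The nine `*_alias_*_rule` defaults in the last hunk no longer point at their `*_policy_*_rule` counterparts: `check_str='rule:update_policy_bandwidth_limit_rule'` becomes a literal `check_str=base.PROJECT_ADMIN`, and likewise for the DSCP marking and minimum bandwidth aliases. The alias paths appear to reach the same QoS rules as the policy-scoped paths, so an operator who tightens `update_policy_bandwidth_limit_rule` in a policy file now leaves `/qos/alias_bandwidth_limit_rules/{rule_id}/` on the shipped default unless the alias rule is overridden as well. If the `rule:` reference cannot be kept, I would add a comment above the first alias rule, `# NOTE: alias rules no longer inherit from the *_policy_*_rule defaults; overrides must be applied to both names`, and repeat it in the release note. Which line of each printed pair is the new side is inferred from the hunk's line counts and the commit title, since the +/- column is missing on this page.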
|
@ -36,8 +36,8 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_rbac_policy',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Create an RBAC policy',
|
||||
operations=[
|
||||
{
|
||||
@ -56,7 +56,7 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_rbac_policy:target_tenant',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
'(not field:rbac_policy:target_tenant=* and '
|
||||
'not field:rbac_policy:target_project=*)'),
|
||||
description='Specify ``target_tenant`` when creating an RBAC policy',
|
||||
@ -66,7 +66,7 @@ rules = [
|
||||
'path': COLLECTION_PATH,
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='create_rbac_policy:target_tenant',
|
||||
check_str='rule:restrict_wildcard',
|
||||
@ -75,8 +75,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_rbac_policy',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['project', 'system'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Update an RBAC policy',
|
||||
operations=[
|
||||
{
|
||||
@ -95,7 +95,7 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_rbac_policy:target_tenant',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN,
|
||||
base.PROJECT_ADMIN,
|
||||
'(not field:rbac_policy:target_tenant=* and '
|
||||
'not field:rbac_policy:target_project=*)'),
|
||||
description='Update ``target_tenant`` attribute of an RBAC policy',
|
||||
@ -112,12 +112,12 @@ rules = [
|
||||
base.RULE_ADMIN_OR_OWNER),
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_rbac_policy',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['project', 'system'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get an RBAC policy',
|
||||
operations=[
|
||||
{
|
||||
@ -137,8 +137,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_rbac_policy',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['project', 'system'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Delete an RBAC policy',
|
||||
operations=[
|
||||
{
|
||||
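Review bot: Nothing in `create_rbac_policy:target_tenant` or `update_rbac_policy:target_tenant` says that the first operand of `policy_or` is the only branch allowed to pass `*` as the target, which is the permission to share a resource with every project. With `base.SYSTEM_ADMIN` replaced by `base.PROJECT_ADMIN` (inferred as the new side, since the +/- column is lost here), a one-line comment above each `check_str` would make that explicit: `# Only admins may use the '*' wildcard target; other callers must name a project`. Both rules also keep a `deprecated_rule`, and oslo.policy still accepts the deprecated check string unless `enforce_new_defaults` is enabled. A unit test asserting that a project-member request with `target_tenant='*'` is refused under both settings would pin the behaviour.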
|
@ -39,8 +39,8 @@ ACTION_GET = [
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_router',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Create a router',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -51,8 +51,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_router:distributed',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Specify ``distributed`` attribute when creating a router',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -63,8 +63,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_router:ha',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Specify ``ha`` attribute when creating a router',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -75,8 +75,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_router:external_gateway_info',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description=('Specify ``external_gateway_info`` '
|
||||
'information when creating a router'),
|
||||
operations=ACTION_POST,
|
||||
@ -88,8 +88,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_router:external_gateway_info:network_id',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description=('Specify ``network_id`` in ``external_gateway_info`` '
|
||||
'information when creating a router'),
|
||||
operations=ACTION_POST,
|
||||
@ -101,8 +101,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_router:external_gateway_info:enable_snat',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=('Specify ``enable_snat`` in ``external_gateway_info`` '
|
||||
'information when creating a router'),
|
||||
operations=ACTION_POST,
|
||||
@ -114,8 +114,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_router:external_gateway_info:external_fixed_ips',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=('Specify ``external_fixed_ips`` in '
|
||||
'``external_gateway_info`` information when creating a '
|
||||
'router'),
|
||||
@ -129,8 +129,8 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_router',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get a router',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -141,8 +141,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_router:distributed',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Get ``distributed`` attribute of a router',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -153,8 +153,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_router:ha',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Get ``ha`` attribute of a router',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -166,8 +166,8 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_router',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Update a router',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -178,8 +178,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_router:distributed',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update ``distributed`` attribute of a router',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -190,8 +190,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_router:ha',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update ``ha`` attribute of a router',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -202,8 +202,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_router:external_gateway_info',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Update ``external_gateway_info`` information of a router',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -214,8 +214,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_router:external_gateway_info:network_id',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description=('Update ``network_id`` attribute of '
|
||||
'``external_gateway_info`` information of a router'),
|
||||
operations=ACTION_PUT,
|
||||
@ -227,8 +227,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_router:external_gateway_info:enable_snat',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=('Update ``enable_snat`` attribute of '
|
||||
'``external_gateway_info`` information of a router'),
|
||||
operations=ACTION_PUT,
|
||||
@ -240,8 +240,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_router:external_gateway_info:external_fixed_ips',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=('Update ``external_fixed_ips`` attribute of '
|
||||
'``external_gateway_info`` information of a router'),
|
||||
operations=ACTION_PUT,
|
||||
@ -254,8 +254,8 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_router',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Delete a router',
|
||||
operations=ACTION_DELETE,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -267,8 +267,8 @@ rules = [
|
||||
|
||||
policy.DocumentedRuleDefault(
|
||||
name='add_router_interface',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Add an interface to a router',
|
||||
operations=[
|
||||
{
|
||||
@ -284,8 +284,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='remove_router_interface',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Remove an interface from a router',
|
||||
operations=[
|
||||
{
|
||||
@ -301,8 +301,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='add_extraroutes',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Add extra route to a router',
|
||||
operations=[
|
||||
{
|
||||
@ -318,8 +318,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='remove_extraroutes',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Remove extra route from a router',
|
||||
operations=[
|
||||
{
|
||||
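Review bot: `get_router:distributed` and `get_router:ha` are read rules, yet their default moves from `base.SYSTEM_READER` to `base.PROJECT_ADMIN` (taking the second line of each printed pair as the new side), so reading these two attributes now needs the admin role. An audit or monitoring account that could previously use a read-only system token would have to be granted admin to see them, which runs against least privilege. If that is the intended outcome of the new guidelines, a comment on both rules would record it, for example `# Admin-only by design: no project-scoped read-only persona may see this attribute`. The release note should also tell operators that read-only system tokens no longer pass these checks.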
|
@ -46,8 +46,8 @@ rules = [
|
||||
# Does an empty string make more sense for create_security_group?
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_security_group',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Create a security group',
|
||||
operations=[
|
||||
{
|
||||
@ -63,8 +63,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_security_group',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get a security group',
|
||||
operations=[
|
||||
{
|
||||
@ -84,8 +84,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_security_group',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Update a security group',
|
||||
operations=[
|
||||
{
|
||||
@ -101,8 +101,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_security_group',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Delete a security group',
|
||||
operations=[
|
||||
{
|
||||
@ -121,8 +121,8 @@ rules = [
|
||||
# Does an empty string make more sense for create_security_group_rule?
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_security_group_rule',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Create a security group rule',
|
||||
operations=[
|
||||
{
|
||||
@ -139,9 +139,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_security_group_rule',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_OR_PROJECT_READER,
|
||||
base.PROJECT_READER,
|
||||
base.RULE_SG_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Get a security group rule',
|
||||
operations=[
|
||||
{
|
||||
@ -161,8 +161,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_security_group_rule',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Delete a security group rule',
|
||||
operations=[
|
||||
{
|
||||
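Review bot: The context comment `# Does an empty string make more sense for create_security_group?` and its twin above `create_security_group_rule` are left standing directly over rules that this change pins to `base.PROJECT_MEMBER` with `scope_types=['project']`. An empty check string in oslo.policy always passes, so the open question reads as an invitation to loosen rules the commit has just tightened. I would drop both comments, or replace each with a statement such as `# Project members may create security groups; see base.PROJECT_MEMBER.` The rule bodies continue outside each hunk.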
|
@ -22,6 +22,10 @@ DEPRECATION_REASON = (
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_service_provider',
|
||||
# NOTE: it can't be SYSTEM_OR_PROJECT_READER constant from the base
|
||||
# module because that is using "project_id" in the check string and the
|
||||
# service_provider resource don't belongs to any project thus such
|
||||
# check string would fail enforcment.
|
||||
check_str='role:reader',
|
||||
description='Get service providers',
|
||||
operations=[
|
||||
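Review bot: The added NOTE names `SYSTEM_OR_PROJECT_READER` as the constant that cannot be used, yet the other policy files in this commit move off that constant to `base.PROJECT_READER`, so the comment points at an alternative the code base is leaving behind. It also has two slips, "don't belongs" and "enforcment". I would reword it to say that `base.PROJECT_READER` cannot be used because (presumably, as with the old constant) its check string matches on `project_id` and a service provider belongs to no project. It is also worth stating that `check_str='role:reader'` carries no project constraint, so a reader in any project can list service providers. The `operations` list continues outside the hunk.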
|
@ -40,9 +40,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_subnet',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
base.PROJECT_MEMBER,
|
||||
base.RULE_NET_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Create a subnet',
|
||||
operations=ACTION_POST,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -53,8 +53,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_subnet:segment_id',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``segment_id`` attribute when creating a subnet'
|
||||
),
|
||||
@ -67,8 +67,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_subnet:service_types',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``service_types`` attribute when creating a subnet'
|
||||
),
|
||||
@ -82,9 +82,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_subnet',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_OR_PROJECT_READER,
|
||||
base.PROJECT_READER,
|
||||
'rule:shared'),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Get a subnet',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -97,8 +97,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_subnet:segment_id',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Get ``segment_id`` attribute of a subnet',
|
||||
operations=ACTION_GET,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -110,9 +110,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_subnet',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
base.PROJECT_MEMBER,
|
||||
base.RULE_NET_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Update a subnet',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -123,8 +123,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_subnet:segment_id',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update ``segment_id`` attribute of a subnet',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -135,8 +135,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_subnet:service_types',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update ``service_types`` attribute of a subnet',
|
||||
operations=ACTION_PUT,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
@ -148,9 +148,9 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_subnet',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
base.PROJECT_MEMBER,
|
||||
base.RULE_NET_OWNER),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Delete a subnet',
|
||||
operations=ACTION_DELETE,
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
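Review bot: `get_subnet:segment_id` is the one rule in this file whose role level changes rather than only its scope: the old side reads `base.SYSTEM_READER` and the new side `base.PROJECT_ADMIN`, so reading one attribute now needs the admin role while `get_subnet` itself stays at reader level. If that is intended, say so next to the rule, for example `# segment_id is readable by admins only; there is no reader-level rule for it`, so the jump is not mistaken for a copy of the `create_subnet:segment_id` line. The `deprecated_rule` that would show the legacy default lies outside the hunk.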
|
@ -33,8 +33,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_subnetpool',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['project', 'system'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Create a subnetpool',
|
||||
operations=[
|
||||
{
|
||||
@ -50,8 +50,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_subnetpool:shared',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Create a shared subnetpool',
|
||||
operations=[
|
||||
{
|
||||
@ -67,8 +67,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_subnetpool:is_default',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description=(
|
||||
'Specify ``is_default`` attribute when creating a subnetpool'
|
||||
),
|
||||
@ -87,10 +87,10 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_subnetpool',
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_OR_PROJECT_READER,
|
||||
base.PROJECT_READER,
|
||||
'rule:shared_subnetpools'
|
||||
),
|
||||
scope_types=['system', 'project'],
|
||||
scope_types=['project'],
|
||||
description='Get a subnetpool',
|
||||
operations=[
|
||||
{
|
||||
@ -112,8 +112,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_subnetpool',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Update a subnetpool',
|
||||
operations=[
|
||||
{
|
||||
@ -129,8 +129,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_subnetpool:is_default',
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
check_str=base.PROJECT_ADMIN,
|
||||
scope_types=['project'],
|
||||
description='Update ``is_default`` attribute of a subnetpool',
|
||||
operations=[
|
||||
{
|
||||
@ -146,8 +146,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_subnetpool',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Delete a subnetpool',
|
||||
operations=[
|
||||
{
|
||||
@ -163,8 +163,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='onboard_network_subnets',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Onboard existing subnet into a subnetpool',
|
||||
operations=[
|
||||
{
|
||||
@ -180,8 +180,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='add_prefixes',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Add prefixes to a subnetpool',
|
||||
operations=[
|
||||
{
|
||||
@ -197,8 +197,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='remove_prefixes',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['system', 'project'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Remove unallocated prefixes from a subnetpool',
|
||||
operations=[
|
||||
{
|
||||
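Review bot: `create_subnetpool:shared`, `create_subnetpool:is_default` and `update_subnetpool:is_default` move from `base.SYSTEM_ADMIN` to `base.PROJECT_ADMIN` with `scope_types=['project']`, and the address-scope tests further down this page expect a project admin to be refused on `alt_target`. If `PROJECT_ADMIN` is bound to the target's project in the same way here, no persona can any longer mark another project's subnetpool as shared or default, and system-scoped tokens are rejected with `InvalidScope`. The same applies to the `:segment_id` and `:service_types` rules in the subnet file. The descriptions are unchanged; I would state the restriction there, e.g. `description="Create a shared subnetpool in the caller's project"`, or document the loss of cross-project administration in the upgrade notes.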
|
@ -26,8 +26,8 @@ DEPRECATED_REASON = (
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='create_trunk',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['project', 'system'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Create a trunk',
|
||||
operations=[
|
||||
{
|
||||
@ -43,8 +43,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_trunk',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['project', 'system'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='Get a trunk',
|
||||
operations=[
|
||||
{
|
||||
@ -64,8 +64,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='update_trunk',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['project', 'system'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Update a trunk',
|
||||
operations=[
|
||||
{
|
||||
@ -81,8 +81,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='delete_trunk',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['project', 'system'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Delete a trunk',
|
||||
operations=[
|
||||
{
|
||||
@ -98,8 +98,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_subports',
|
||||
check_str=base.SYSTEM_OR_PROJECT_READER,
|
||||
scope_types=['project', 'system'],
|
||||
check_str=base.PROJECT_READER,
|
||||
scope_types=['project'],
|
||||
description='List subports attached to a trunk',
|
||||
operations=[
|
||||
{
|
||||
@ -115,8 +115,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='add_subports',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['project', 'system'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Add subports to a trunk',
|
||||
operations=[
|
||||
{
|
||||
@ -132,8 +132,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='remove_subports',
|
||||
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||
scope_types=['project', 'system'],
|
||||
check_str=base.PROJECT_MEMBER,
|
||||
scope_types=['project'],
|
||||
description='Delete subports from a trunk',
|
||||
operations=[
|
||||
{
|
||||
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class AddressGroupAPITestCase(base.PolicyBaseTestCase):
|
||||
@ -24,26 +24,64 @@ class AddressGroupAPITestCase(base.PolicyBaseTestCase):
|
||||
def setUp(self):
|
||||
super(AddressGroupAPITestCase, self).setUp()
|
||||
self.target = {'project_id': self.project_id}
|
||||
self.alt_target = {'project_id': self.alt_project_id}
|
||||
|
||||
def test_system_reader_can_get_address_group(self):
|
||||
|
||||
class SystemAdminTests(AddressGroupAPITestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemAdminTests, self).setUp()
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_get_address_group(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, "get_address_group", self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, "get_address_group", self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemReaderTests, self).setUp()
|
||||
self.context = self.system_reader_ctx
|
||||
|
||||
|
||||
class ProjectAdminTests(AddressGroupAPITestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectAdminTests, self).setUp()
|
||||
self.context = self.project_admin_ctx
|
||||
|
||||
def test_get_address_group(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.system_reader_ctx,
|
||||
"get_address_group", self.target))
|
||||
|
||||
def test_project_reader_can_get_address_group(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.project_reader_ctx,
|
||||
"get_address_group", self.target))
|
||||
|
||||
def test_system_reader_can_get_any_address_group(self):
|
||||
target = {'project_id': 'some-other-project'}
|
||||
self.assertTrue(
|
||||
policy.enforce(self.system_reader_ctx,
|
||||
"get_address_group", target))
|
||||
|
||||
def test_project_reader_can_not_get_address_group_other_tenant(self):
|
||||
target = {'project_id': 'some-other-project'}
|
||||
policy.enforce(self.context, "get_address_group", self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.project_reader_ctx, "get_address_group", target)
|
||||
self.context, "get_address_group", self.alt_target)
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectMemberTests, self).setUp()
|
||||
self.context = self.project_member_ctx
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectReaderTests, self).setUp()
|
||||
self.context = self.project_reader_ctx
|
||||
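Review bot: None of the new persona classes exercises the `rule:shared_address_groups` branch of `get_address_group`: every case passes `self.target` or `self.alt_target`, which carry only `project_id`, so the tests cover the role and project check and nothing else. That branch is the only way a caller reaches an address group owned by another project, so it deserves one positive case (a project reader reading a shared group under `alt_project_id`) next to the `PolicyNotAuthorized` assertion in `ProjectAdminTests.test_get_address_group`. The target fields that satisfy the shared rule are not visible on this page, so the case has to be written against that rule's definition.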
|
@ -16,176 +16,214 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class AddressScopeAPITestCase(base.PolicyBaseTestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(AddressScopeAPITestCase, self).setUp()
|
||||
self.target = {
|
||||
'project_id': self.project_id}
|
||||
self.target = {'project_id': self.project_id}
|
||||
self.alt_target = {'project_id': self.alt_project_id}
|
||||
|
||||
def test_system_admin_can_create_address_scope(self):
|
||||
# system_admin_ctx don't have project_id set so it's always call to
|
||||
# create it for "other project"
|
||||
|
||||
class SystemAdminTests(AddressScopeAPITestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemAdminTests, self).setUp()
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_address_scope(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_address_scope', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_address_scope', self.alt_target)
|
||||
|
||||
def test_create_address_scope_shared(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_address_scope:shared', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_address_scope:shared', self.alt_target)
|
||||
|
||||
def test_get_address_scope(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_address_scope', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_address_scope', self.alt_target)
|
||||
|
||||
def test_update_address_scope(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_address_scope', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_address_scope', self.alt_target)
|
||||
|
||||
def test_update_address_scope_shared(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_address_scope:shared', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_address_scope:shared', self.alt_target)
|
||||
|
||||
def test_delete_address_scope(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_address_scope', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_address_scope', self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemReaderTests, self).setUp()
|
||||
self.context = self.system_reader_ctx
|
||||
|
||||
|
||||
class ProjectAdminTests(AddressScopeAPITestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectAdminTests, self).setUp()
|
||||
self.context = self.project_admin_ctx
|
||||
|
||||
def test_create_address_scope(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.system_admin_ctx,
|
||||
'create_address_scope', self.target))
|
||||
|
||||
def test_system_member_can_not_create_address_scope(self):
|
||||
# If system member is not able to do that, it implies that
|
||||
# system_reader also will not be able to do that
|
||||
policy.enforce(self.context, 'create_address_scope', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.system_member_ctx, 'create_address_scope', self.target)
|
||||
self.context, 'create_address_scope', self.alt_target)
|
||||
|
||||
def test_project_member_can_create_address_scope(self):
|
||||
def test_create_address_scope_shared(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.project_member_ctx,
|
||||
'create_address_scope', self.target))
|
||||
|
||||
def test_project_member_can_not_create_address_scope_other_project(self):
|
||||
# If project member is not able to do that, it implies that
|
||||
# project_reader also will not be able to do that
|
||||
target = {'project_id': 'other-project'}
|
||||
policy.enforce(
|
||||
self.context, 'create_address_scope:shared', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.project_member_ctx, 'create_address_scope', target)
|
||||
self.context, 'create_address_scope:shared', self.alt_target)
|
||||
|
||||
def test_system_admin_can_create_shared_address_scope(self):
|
||||
# system_admin_ctx don't have project_id set so it's always call to
|
||||
# create it for "other project"
|
||||
target = self.target.copy()
|
||||
target['shared'] = True
|
||||
def test_get_address_scope(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.system_admin_ctx,
|
||||
'create_address_scope:shared', target))
|
||||
|
||||
def test_system_member_can_not_create_shared_address_scope(self):
|
||||
# If system member is not able to do that, it implies that
|
||||
# system_reader also will not be able to do that
|
||||
target = self.target.copy()
|
||||
target['shared'] = True
|
||||
policy.enforce(self.context, 'get_address_scope', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.system_member_ctx, 'create_address_scope:shared', target)
|
||||
self.context, 'get_address_scope', self.alt_target)
|
||||
|
||||
def test_project_admin_can_not_create_shared_address_scope(self):
|
||||
# If project admin is not able to do that, it implies that
|
||||
# project_member and project_reader also will not be able to do that
|
||||
target = self.target.copy()
|
||||
target['shared'] = True
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.project_admin_ctx, 'create_address_scope:shared', target)
|
||||
|
||||
def test_system_reader_can_get_address_scope(self):
|
||||
def test_update_address_scope(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.system_reader_ctx,
|
||||
'get_address_scope', self.target))
|
||||
policy.enforce(self.context, 'update_address_scope', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_address_scope', self.alt_target)
|
||||
|
||||
def test_project_reader_can_get_address_scope(self):
|
||||
def test_update_address_scope_shared(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.project_reader_ctx,
|
||||
'get_address_scope', self.target))
|
||||
|
||||
def test_project_admin_can_not_get_address_scope_other_project(self):
|
||||
# If project admin is not able to do that, it implies that
|
||||
# project_member and project_reader also will not be able to do that
|
||||
target = {'project_id': 'other-project'}
|
||||
policy.enforce(
|
||||
self.context, 'update_address_scope:shared', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.project_admin_ctx, 'get_address_scope', target)
|
||||
self.context, 'update_address_scope:shared', self.alt_target)
|
||||
|
||||
def test_system_admin_can_update_address_scope(self):
|
||||
# system_admin_ctx don't have project_id set so it's always call to
|
||||
# create it for "other project"
|
||||
def test_delete_address_scope(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.system_admin_ctx,
|
||||
'update_address_scope', self.target))
|
||||
|
||||
def test_system_member_can_not_update_address_scope(self):
|
||||
# If system member is not able to do that, it implies that
|
||||
# system_reader also will not be able to do that
|
||||
policy.enforce(self.context, 'delete_address_scope', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.system_member_ctx, 'update_address_scope', self.target)
|
||||
self.context, 'delete_address_scope', self.alt_target)
|
||||
|
||||
def test_project_member_can_update_address_scope(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.project_member_ctx,
|
||||
'update_address_scope', self.target))
|
||||
|
||||
def test_project_member_can_not_update_address_scope_other_project(self):
|
||||
# If project member is not able to do that, it implies that
|
||||
# project_reader also will not be able to do that
|
||||
target = {'project_id': 'other-project'}
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectMemberTests, self).setUp()
|
||||
self.context = self.project_member_ctx
|
||||
|
||||
def test_create_address_scope_shared(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.project_member_ctx, 'update_address_scope', target)
|
||||
|
||||
def test_system_admin_can_update_shared_address_scope(self):
|
||||
# system_admin_ctx don't have project_id set so it's always call to
|
||||
# create it for "other project"
|
||||
target = self.target.copy()
|
||||
target['shared'] = True
|
||||
self.assertTrue(
|
||||
policy.enforce(self.system_admin_ctx,
|
||||
'update_address_scope:shared', target))
|
||||
|
||||
def test_system_member_can_not_update_shared_address_scope(self):
|
||||
# If system member is not able to do that, it implies that
|
||||
# system_reader also will not be able to do that
|
||||
target = self.target.copy()
|
||||
target['shared'] = True
|
||||
self.context, 'create_address_scope:shared', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.system_member_ctx, 'update_address_scope:shared', target)
|
||||
self.context, 'create_address_scope:shared', self.alt_target)
|
||||
|
||||
def test_project_admin_can_not_update_shared_address_scope(self):
|
||||
# If project admin is not able to do that, it implies that
|
||||
# project_member and project_reader also will not be able to do that
|
||||
target = self.target.copy()
|
||||
target['shared'] = True
|
||||
def test_update_address_scope_shared(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.project_admin_ctx, 'update_address_scope:shared', target)
|
||||
|
||||
def test_system_admin_can_delete_address_scope(self):
|
||||
# system_admin_ctx don't have project_id set so it's always call to
|
||||
# create it for "other project"
|
||||
self.assertTrue(
|
||||
policy.enforce(self.system_admin_ctx,
|
||||
'delete_address_scope', self.target))
|
||||
|
||||
def test_system_member_can_not_delete_address_scope(self):
|
||||
# If system member is not able to do that, it implies that
|
||||
# system_reader also will not be able to do that
|
||||
self.context, 'update_address_scope:shared', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.system_member_ctx, 'delete_address_scope', self.target)
|
||||
self.context, 'update_address_scope:shared', self.alt_target)
|
||||
|
||||
def test_project_member_can_delete_address_scope(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.project_member_ctx,
|
||||
'delete_address_scope', self.target))
|
||||
|
||||
def test_project_member_can_not_delete_address_scope_other_project(self):
|
||||
# If project member is not able to do that, it implies that
|
||||
# project_reader also will not be able to do that
|
||||
target = {'project_id': 'other-project'}
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectReaderTests, self).setUp()
|
||||
self.context = self.project_reader_ctx
|
||||
|
||||
def test_create_address_scope(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.project_member_ctx, 'delete_address_scope', target)
|
||||
self.context, 'create_address_scope', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_address_scope', self.alt_target)
|
||||
|
||||
def test_update_address_scope(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_address_scope', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_address_scope', self.alt_target)
|
||||
|
||||
def test_delete_address_scope(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_address_scope', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_address_scope', self.alt_target)
|
||||
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class AgentAPITestCase(base.PolicyBaseTestCase):
|
||||
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
GET_POLICY = 'get_auto_allocated_topology'
|
||||
DELETE_POLICY = 'delete_auto_allocated_topology'
|
||||
@ -37,18 +37,28 @@ class SystemAdminTests(AutoAllocatedTopologyAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_get_topology(self):
|
||||
# System admins can get topologies for any project.
|
||||
self.assertTrue(policy.enforce(self.context, GET_POLICY, self.target))
|
||||
self.assertTrue(policy.enforce(
|
||||
self.context, GET_POLICY, self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, GET_POLICY, self.target
|
||||
)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, GET_POLICY, self.alt_target
|
||||
)
|
||||
|
||||
def test_delete_topology(self):
|
||||
# System admins can delete topologies for any project.
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, DELETE_POLICY, self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, DELETE_POLICY, self.target
|
||||
)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, DELETE_POLICY, self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, DELETE_POLICY, self.alt_target
|
||||
)
|
||||
|
||||
|
||||
@ -60,12 +70,12 @@ class SystemMemberTests(AutoAllocatedTopologyAPITestCase):
|
||||
|
||||
def test_delete_topology(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, DELETE_POLICY, self.target
|
||||
)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, DELETE_POLICY, self.alt_target
|
||||
)
|
||||
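Review bot: In `SystemAdminTests.test_delete_topology` the comment `# System admins can delete topologies for any project.` appears to stay on the new side, directly above assertions that now expect `base_policy.InvalidScope`. This is inferred from the hunk header: its counts leave room for only one of the two such comments to be removed, and the one in `test_get_topology` follows the three leading context lines. A comment that states the opposite of the assertion is misleading in an authorization test; replace it with `# System-scoped tokens are rejected: the rule is project-scoped only.` or delete it.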
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class AvailabilityZoneAPITestCase(base.PolicyBaseTestCase):
|
||||
|
@ -19,9 +19,30 @@ from neutron_lib import context
|
||||
from oslo_config import cfg
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests import base as tests_base
|
||||
|
||||
|
||||
# According to the community goal guidelines
|
||||
# https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#re-evaluate-project-specific-api-policies
|
||||
# each rule should have only one scope type,
|
||||
# If for any reason, rule needs to have more than one scope, it should be
|
||||
# listed in that list of exceptions.
|
||||
# This is dictionary where key is the rule name and value is list of the
|
||||
# rule scopes, like e.g.:
|
||||
#
|
||||
# {
|
||||
# 'rule_name': ["system", "project"],
|
||||
# 'rule_name_2': ["system", "domain"]
|
||||
# }
|
||||
SCOPE_TYPES_EXCEPTIONS = {
|
||||
'get_flavor_service_profile': ['system', 'project'],
|
||||
'get_flavor': ['system', 'project'],
|
||||
'get_rule_type': ['system', 'project'],
|
||||
'get_service_provider': ['system', 'project'],
|
||||
}
|
||||
|
||||
|
||||
class PolicyBaseTestCase(tests_base.BaseTestCase):
|
||||
|
||||
def setUp(self):
|
||||
@ -76,3 +97,29 @@ class PolicyBaseTestCase(tests_base.BaseTestCase):
|
||||
user_id=self.user_id,
|
||||
roles=['reader'],
|
||||
project_id=self.project_id)
|
||||
|
||||
|
||||
class RuleScopesTestCase(PolicyBaseTestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(RuleScopesTestCase, self).setUp()
|
||||
policy.init()
|
||||
|
||||
def test_rules_are_single_scoped(self):
|
||||
for rule_name, rule in policy._ENFORCER.registered_rules.items():
|
||||
if not rule.scope_types:
|
||||
# If scope types are not set for rule, that's ok
|
||||
continue
|
||||
if len(rule.scope_types) == 1:
|
||||
# If rule has only one scope, it's fine
|
||||
continue
|
||||
else:
|
||||
expected_scope_types = SCOPE_TYPES_EXCEPTIONS.get(
|
||||
rule_name, [])
|
||||
fail_msg = (
|
||||
"Rule %s have scope types %s which are not defined "
|
||||
"in the exceptions list: %s" % (
|
||||
rule_name, rule.scope_types, expected_scope_types))
|
||||
self.assertListEqual(expected_scope_types,
|
||||
rule.scope_types,
|
||||
fail_msg)
|
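Review bot: In `test_rules_are_single_scoped`, the multi-scope branch compares with `assertListEqual(expected_scope_types, rule.scope_types, fail_msg)`, which is sensitive to order and to the container type. A rule registered with `['project', 'system']`, or with a tuple, would fail even though `SCOPE_TYPES_EXCEPTIONS` lists the same scopes; `self.assertCountEqual(expected_scope_types, rule.scope_types, fail_msg)` compares contents only. Separately, the `if not rule.scope_types: continue` branch lets a rule registered with no scope at all pass this guard, and oslo.policy performs no scope check for such rules. If unscoped rules are not intended for new APIs, that case deserves its own explicit allow-list rather than a silent skip. An entry left in `SCOPE_TYPES_EXCEPTIONS` after its rule becomes single-scoped is also never detected, so a reverse check that every key there still names a multi-scoped registered rule would keep the list honest.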
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class FlavorAPITestCase(base.PolicyBaseTestCase):
|
||||
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class FloatingIPAPITestCase(base.PolicyBaseTestCase):
|
||||
@ -38,59 +38,64 @@ class SystemAdminTests(FloatingIPAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_floatingip(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, "create_floatingip", self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, "create_floatingip", self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, "create_floatingip", self.alt_target)
|
||||
|
||||
def test_create_floatingip_with_ip_address(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
"create_floatingip:floating_ip_address",
|
||||
self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, "create_floatingip:floating_ip_address",
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, "create_floatingip:floating_ip_address",
|
||||
self.alt_target)
|
||||
|
||||
def test_get_floatingip(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, "get_floatingip", self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, "get_floatingip", self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, "get_floatingip", self.alt_target)
|
||||
|
||||
def test_update_floatingip(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, "update_floatingip", self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, "update_floatingip", self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, "update_floatingip", self.alt_target)
|
||||
|
||||
def test_delete_floatingip(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, "delete_floatingip", self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, "delete_floatingip", self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, "delete_floatingip", self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberTests(FloatingIPAPITestCase):
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_create_floatingip(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "create_floatingip", self.target)
|
||||
|
||||
def test_create_floatingip_with_ip_address(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, "create_floatingip:floating_ip_address", self.target)
|
||||
|
||||
def test_get_floatingip(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, "get_floatingip", self.target))
|
||||
|
||||
def test_update_floatingip(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "update_floatingip", self.target)
|
||||
|
||||
def test_delete_floatingip(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "delete_floatingip", self.target)
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
@ -108,19 +113,16 @@ class ProjectAdminTests(FloatingIPAPITestCase):
|
||||
def test_create_floatingip(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, "create_floatingip", self.target))
|
||||
|
||||
def test_create_floatingip_other_project(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "create_floatingip", self.alt_target)
|
||||
|
||||
def test_create_floatingip_with_ip_address(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, "create_floatingip:floating_ip_address", self.target)
|
||||
self.context, "create_floatingip", self.alt_target)
|
||||
|
||||
def test_create_floatingip_with_ip_address_other_project(self):
|
||||
def test_create_floatingip_with_ip_address(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context,
|
||||
"create_floatingip:floating_ip_address", self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
@ -130,8 +132,6 @@ class ProjectAdminTests(FloatingIPAPITestCase):
|
||||
def test_get_floatingip(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, "get_floatingip", self.target))
|
||||
|
||||
def test_get_floatingip_other_project(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "get_floatingip", self.alt_target)
|
||||
@ -139,8 +139,6 @@ class ProjectAdminTests(FloatingIPAPITestCase):
|
||||
def test_update_floatingip(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, "update_floatingip", self.target))
|
||||
|
||||
def test_update_floatingip_other_project(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "update_floatingip", self.alt_target)
|
||||
@ -148,8 +146,6 @@ class ProjectAdminTests(FloatingIPAPITestCase):
|
||||
def test_delete_floatingip(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, "delete_floatingip", self.target))
|
||||
|
||||
def test_delete_floatingip_other_project(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "delete_floatingip", self.alt_target)
|
||||
@ -161,8 +157,20 @@ class ProjectMemberTests(ProjectAdminTests):
|
||||
super(ProjectMemberTests, self).setUp()
|
||||
self.context = self.project_member_ctx
|
||||
|
||||
def test_create_floatingip_with_ip_address(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, "create_floatingip:floating_ip_address",
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, "create_floatingip:floating_ip_address",
|
||||
self.alt_target)
|
||||
|
||||
class ProjectReaderTests(FloatingIPAPITestCase):
|
||||
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectReaderTests, self).setUp()
|
||||
@ -171,51 +179,29 @@ class ProjectReaderTests(FloatingIPAPITestCase):
|
||||
def test_create_floatingip(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "create_floatingip", self.target)
|
||||
|
||||
def test_create_floatingip_other_project(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "create_floatingip", self.alt_target)
|
||||
|
||||
def test_create_floatingip_with_ip_address(self):
|
||||
policy.enforce,
|
||||
self.context, "create_floatingip", self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, "create_floatingip:floating_ip_address", self.target)
|
||||
|
||||
def test_create_floatingip_with_ip_address_other_project(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, "create_floatingip:floating_ip_address",
|
||||
self.alt_target)
|
||||
|
||||
def test_get_floatingip(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, "get_floatingip", self.target))
|
||||
|
||||
def test_get_floatingip_other_project(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "get_floatingip", self.alt_target)
|
||||
self.context, "create_floatingip", self.alt_target)
|
||||
|
||||
def test_update_floatingip(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "update_floatingip", self.target)
|
||||
|
||||
def test_update_floatingip_other_project(self):
|
||||
policy.enforce,
|
||||
self.context, "update_floatingip", self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "update_floatingip", self.alt_target)
|
||||
policy.enforce,
|
||||
self.context, "update_floatingip", self.alt_target)
|
||||
|
||||
def test_delete_floatingip(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "delete_floatingip", self.target)
|
||||
|
||||
def test_delete_floatingip_other_project(self):
|
||||
policy.enforce,
|
||||
self.context, "delete_floatingip", self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, "delete_floatingip", self.alt_target)
|
||||
policy.enforce,
|
||||
self.context, "delete_floatingip", self.alt_target)
|
||||
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class FloatingipPoolsAPITestCase(base.PolicyBaseTestCase):
|
||||
@ -33,9 +33,10 @@ class SystemAdminTests(FloatingipPoolsAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_get_floatingip_pool(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_floatingip_pool',
|
||||
self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_floatingip_pool', self.target)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
|
@ -19,7 +19,7 @@ from oslo_policy import policy as base_policy
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class FloatingipPortForwardingAPITestCase(base.PolicyBaseTestCase):
|
||||
@ -53,44 +53,52 @@ class SystemAdminTests(FloatingipPortForwardingAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_fip_pf(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_floatingip_port_forwarding',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_floatingip_port_forwarding',
|
||||
self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_floatingip_port_forwarding',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_floatingip_port_forwarding',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_fip_pf(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_floatingip_port_forwarding',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_floatingip_port_forwarding',
|
||||
self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_floatingip_port_forwarding',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_floatingip_port_forwarding',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_fip_pf(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_floatingip_port_forwarding',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_floatingip_port_forwarding',
|
||||
self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_floatingip_port_forwarding',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_floatingip_port_forwarding',
|
||||
self.alt_target)
|
||||
|
||||
def test_delete_fip_pf(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'delete_floatingip_port_forwarding',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'delete_floatingip_port_forwarding',
|
||||
self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_floatingip_port_forwarding',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_floatingip_port_forwarding',
|
||||
self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
@ -99,42 +107,6 @@ class SystemMemberTests(SystemAdminTests):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_create_fip_pf(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_floatingip_port_forwarding',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_floatingip_port_forwarding',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_fip_pf(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_floatingip_port_forwarding',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_floatingip_port_forwarding',
|
||||
self.alt_target)
|
||||
|
||||
def test_delete_fip_pf(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_floatingip_port_forwarding',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_floatingip_port_forwarding',
|
||||
self.alt_target)
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
|
@ -19,7 +19,7 @@ from oslo_policy import policy as base_policy
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class L3ConntrackHelperAPITestCase(base.PolicyBaseTestCase):
|
||||
@ -53,36 +53,44 @@ class SystemAdminTests(L3ConntrackHelperAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_router_conntrack_helper(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router_conntrack_helper', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router_conntrack_helper', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_router_conntrack_helper', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_router_conntrack_helper', self.alt_target)
|
||||
|
||||
def test_get_router_conntrack_helper(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_router_conntrack_helper', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_router_conntrack_helper', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_router_conntrack_helper', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_router_conntrack_helper', self.alt_target)
|
||||
|
||||
def test_update_router_conntrack_helper(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router_conntrack_helper', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router_conntrack_helper', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_router_conntrack_helper', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_router_conntrack_helper', self.alt_target)
|
||||
|
||||
def test_delete_router_conntrack_helper(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'delete_router_conntrack_helper', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'delete_router_conntrack_helper', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_router_conntrack_helper', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_router_conntrack_helper', self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
@ -91,36 +99,6 @@ class SystemMemberTests(SystemAdminTests):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_create_router_conntrack_helper(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router_conntrack_helper', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router_conntrack_helper', self.alt_target)
|
||||
|
||||
def test_update_router_conntrack_helper(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router_conntrack_helper', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router_conntrack_helper', self.alt_target)
|
||||
|
||||
def test_delete_router_conntrack_helper(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_router_conntrack_helper', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_router_conntrack_helper', self.alt_target)
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class LocalIPAPITestCase(base.PolicyBaseTestCase):
|
||||
|
@ -19,7 +19,7 @@ from oslo_policy import policy as base_policy
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class LocalIPAssociationAPITestCase(base.PolicyBaseTestCase):
|
||||
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class LoggingAPITestCase(base.PolicyBaseTestCase):
|
||||
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class MeteringAPITestCase(base.PolicyBaseTestCase):
|
||||
@ -34,52 +34,64 @@ class SystemAdminTests(MeteringAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_metering_label(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_metering_label', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_metering_label', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_metering_label', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_metering_label', self.alt_target)
|
||||
|
||||
def test_get_metering_label(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_metering_label', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_metering_label', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_metering_label', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_metering_label', self.alt_target)
|
||||
|
||||
def test_delete_metering_label(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'delete_metering_label', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'delete_metering_label', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_metering_label', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_metering_label', self.alt_target)
|
||||
|
||||
def test_create_metering_label_rule(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_metering_label_rule', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_metering_label_rule', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_metering_label_rule', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_metering_label_rule', self.alt_target)
|
||||
|
||||
def test_get_metering_label_rule(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_metering_label_rule', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_metering_label_rule', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_metering_label_rule', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_metering_label_rule', self.alt_target)
|
||||
|
||||
def test_delete_metering_label_rule(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'delete_metering_label_rule', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'delete_metering_label_rule', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_metering_label_rule', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_metering_label_rule', self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
@ -88,46 +100,6 @@ class SystemMemberTests(SystemAdminTests):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_create_metering_label(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_metering_label', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_metering_label', self.alt_target)
|
||||
|
||||
def test_delete_metering_label(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_metering_label', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_metering_label', self.alt_target)
|
||||
|
||||
def test_create_metering_label_rule(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_metering_label_rule', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_metering_label_rule', self.alt_target)
|
||||
|
||||
def test_delete_metering_label_rule(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_metering_label_rule', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_metering_label_rule', self.alt_target)
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
@ -142,6 +114,64 @@ class ProjectAdminTests(MeteringAPITestCase):
|
||||
super(ProjectAdminTests, self).setUp()
|
||||
self.context = self.project_admin_ctx
|
||||
|
||||
def test_create_metering_label(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_metering_label', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_metering_label', self.alt_target)
|
||||
|
||||
def test_get_metering_label(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_metering_label', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_metering_label', self.alt_target)
|
||||
|
||||
def test_delete_metering_label(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_metering_label', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_metering_label', self.alt_target)
|
||||
|
||||
def test_create_metering_label_rule(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_metering_label_rule', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_metering_label_rule', self.alt_target)
|
||||
|
||||
def test_get_metering_label_rule(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_metering_label_rule', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_metering_label_rule', self.alt_target)
|
||||
|
||||
def test_delete_metering_label_rule(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'delete_metering_label_rule', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_metering_label_rule', self.alt_target)
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectMemberTests, self).setUp()
|
||||
self.context = self.project_member_ctx
|
||||
|
||||
def test_create_metering_label(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
@ -152,16 +182,6 @@ class ProjectAdminTests(MeteringAPITestCase):
|
||||
policy.enforce,
|
||||
self.context, 'create_metering_label', self.alt_target)
|
||||
|
||||
def test_get_metering_label(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_metering_label', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_metering_label', self.alt_target)
|
||||
|
||||
def test_delete_metering_label(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
@ -182,16 +202,6 @@ class ProjectAdminTests(MeteringAPITestCase):
|
||||
policy.enforce,
|
||||
self.context, 'create_metering_label_rule', self.alt_target)
|
||||
|
||||
def test_get_metering_label_rule(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_metering_label_rule', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_metering_label_rule', self.alt_target)
|
||||
|
||||
def test_delete_metering_label_rule(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
@ -203,13 +213,6 @@ class ProjectAdminTests(MeteringAPITestCase):
|
||||
self.context, 'delete_metering_label_rule', self.alt_target)
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectMemberTests, self).setUp()
|
||||
self.context = self.project_member_ctx
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
def setUp(self):
|
||||
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class NetworkIPAvailabilityAPITestCase(base.PolicyBaseTestCase):
|
||||
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class NetworkSegmentRangeAPITestCase(base.PolicyBaseTestCase):
|
||||
|
@ -19,7 +19,7 @@ from oslo_policy import policy as base_policy
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class PortAPITestCase(base.PolicyBaseTestCase):
|
||||
@ -54,309 +54,12 @@ class SystemAdminTests(PortAPITestCase):
|
||||
super(SystemAdminTests, self).setUp()
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_port(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_port', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_port', self.alt_target))
|
||||
|
||||
def test_create_port_with_device_owner(self):
|
||||
target = self.target.copy()
|
||||
target['device_owner'] = 'network:test'
|
||||
alt_target = self.alt_target.copy()
|
||||
alt_target['device_owner'] = 'network:test'
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:device_owner', target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:device_owner', alt_target))
|
||||
|
||||
def test_create_port_with_mac_address(self):
|
||||
target = self.target.copy()
|
||||
target['mac_address'] = 'aa:bb:cc:dd:ee:ff'
|
||||
alt_target = self.alt_target.copy()
|
||||
alt_target['mac_address'] = 'aa:bb:cc:dd:ee:ff'
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:mac_address', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:mac_address', self.alt_target))
|
||||
|
||||
def test_create_port_with_fixed_ips(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:fixed_ips', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:fixed_ips', self.alt_target))
|
||||
|
||||
def test_create_port_with_fixed_ips_and_ip_address(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:fixed_ips:ip_address', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:fixed_ips:ip_address',
|
||||
self.alt_target))
|
||||
|
||||
def test_create_port_with_fixed_ips_and_subnet_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:fixed_ips:subent_id', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:fixed_ips:subent_id', self.alt_target))
|
||||
|
||||
def test_create_port_with_port_security_enabled(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:port_security_enabled', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:port_security_enabled',
|
||||
self.alt_target))
|
||||
|
||||
def test_create_port_with_binding_host_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:binding:host_id', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:binding:host_id', self.alt_target))
|
||||
|
||||
def test_create_port_with_binding_profile(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:binding:profile', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:binding:profile', self.alt_target))
|
||||
|
||||
def test_create_port_with_binding_vnic_type(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:binding:vnic_type', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:binding:vnic_type', self.alt_target))
|
||||
|
||||
def test_create_port_with_allowed_address_pairs(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:allowed_address_pairs', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:allowed_address_pairs',
|
||||
self.alt_target))
|
||||
|
||||
def test_create_port_with_allowed_address_pairs_and_mac_address(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:allowed_address_pairs:mac_address',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:allowed_address_pairs:mac_address',
|
||||
self.alt_target))
|
||||
|
||||
def test_create_port_with_allowed_address_pairs_and_ip_address(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:allowed_address_pairs:ip_address',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:allowed_address_pairs:ip_address',
|
||||
self.alt_target))
|
||||
|
||||
def test_get_port(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_port', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_port', self.alt_target))
|
||||
|
||||
def test_get_port_binding_vif_type(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_port:binding:vif_type', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_port:binding:vif_type', self.alt_target))
|
||||
|
||||
def test_get_port_binding_vif_details(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_port:binding:vif_details', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_port:binding:vif_details', self.alt_target))
|
||||
|
||||
def test_get_port_binding_host_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_port:binding:host_id', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_port:binding:host_id', self.alt_target))
|
||||
|
||||
def test_get_port_binding_profile(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_port:binding:profile', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_port:binding:profile', self.alt_target))
|
||||
|
||||
def test_get_port_resource_request(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_port:resource_request', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_port:resource_request', self.alt_target))
|
||||
|
||||
def test_update_port(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_port', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_port', self.alt_target))
|
||||
|
||||
def test_update_port_with_device_owner(self):
|
||||
target = self.target.copy()
|
||||
target['device_owner'] = 'network:test'
|
||||
alt_target = self.alt_target.copy()
|
||||
alt_target['device_owner'] = 'network:test'
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:device_owner', target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:device_owner', alt_target))
|
||||
|
||||
def test_update_port_with_mac_address(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:mac_address', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:mac_address', self.alt_target))
|
||||
|
||||
def test_update_port_with_fixed_ips(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:fixed_ips', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:fixed_ips', self.alt_target))
|
||||
|
||||
def test_update_port_with_fixed_ips_and_ip_address(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:fixed_ips:ip_address', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:fixed_ips:ip_address',
|
||||
self.alt_target))
|
||||
|
||||
def test_update_port_with_fixed_ips_and_subnet_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:fixed_ips:subent_id', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:fixed_ips:subent_id', self.alt_target))
|
||||
|
||||
def test_update_port_with_port_security_enabled(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:port_security_enabled', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:port_security_enabled',
|
||||
self.alt_target))
|
||||
|
||||
def test_update_port_with_binding_host_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:binding:host_id', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:binding:host_id', self.alt_target))
|
||||
|
||||
def test_update_port_with_binding_profile(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:binding:profile', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:binding:profile', self.alt_target))
|
||||
|
||||
def test_update_port_with_binding_vnic_type(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:binding:vnic_type', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:binding:vnic_type', self.alt_target))
|
||||
|
||||
def test_update_port_with_allowed_address_pairs(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:allowed_address_pairs', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:allowed_address_pairs',
|
||||
self.alt_target))
|
||||
|
||||
def test_update_port_with_allowed_address_pairs_and_mac_address(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:allowed_address_pairs:mac_address',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:allowed_address_pairs:mac_address',
|
||||
self.alt_target))
|
||||
|
||||
def test_update_port_with_allowed_address_pairs_and_ip_address(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:allowed_address_pairs:ip_address',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:allowed_address_pairs:ip_address',
|
||||
self.alt_target))
|
||||
|
||||
def test_update_port_data_plane_status(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:data_plane_status', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:data_plane_status', self.alt_target))
|
||||
|
||||
def test_delete_port(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_port', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_port', self.alt_target))
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_create_port(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port', self.alt_target)
|
||||
|
||||
def test_create_port_with_device_owner(self):
|
||||
@ -375,126 +78,184 @@ class SystemMemberTests(SystemAdminTests):
|
||||
|
||||
def test_create_port_with_mac_address(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:mac_address',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:mac_address',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_port_with_fixed_ips(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:fixed_ips',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:fixed_ips',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_port_with_fixed_ips_and_ip_address(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:fixed_ips:ip_address',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:fixed_ips:ip_address',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_port_with_fixed_ips_and_subnet_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:fixed_ips:subnet_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:fixed_ips:subnet_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_port_with_port_security_enabled(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:port_security_enabled',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:port_security_enabled',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_port_with_binding_host_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:binding:host_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:binding:host_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_port_with_binding_profile(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:binding:profile',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:binding:profile',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_port_with_binding_vnic_type(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:binding:vnic_type',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:binding:vnic_type',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_port_with_allowed_address_pairs(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_port:allowed_address_pairs',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_port:allowed_address_pairs',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_port_with_allowed_address_pairs_and_mac_address(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_port:allowed_address_pairs:mac_address',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_port:allowed_address_pairs:mac_address',
|
||||
self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_port:allowed_address_pairs:mac_address',
|
||||
self.target)
|
||||
|
||||
def test_create_port_with_allowed_address_pairs_and_ip_address(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_port:allowed_address_pairs:ip_address',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_port:allowed_address_pairs:ip_address',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port', self.alt_target)
|
||||
|
||||
def test_get_port_binding_vif_type(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:binding:vif_type',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:binding:vif_type',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port_binding_vif_details(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:binding:vif_details',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:binding:vif_details',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port_binding_host_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:binding:host_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:binding:host_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port_binding_profile(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:binding:profile',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:binding:profile',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port_resource_request(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:resource_request',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:resource_request',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port', self.alt_target)
|
||||
|
||||
def test_update_port_with_device_owner(self):
|
||||
@ -513,137 +274,146 @@ class SystemMemberTests(SystemAdminTests):
|
||||
|
||||
def test_update_port_with_mac_address(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:mac_address',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:mac_address',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_fixed_ips(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:fixed_ips',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:fixed_ips',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_fixed_ips_and_ip_address(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:fixed_ips:ip_address',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:fixed_ips:ip_address',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_fixed_ips_and_subnet_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:fixed_ips:subnet_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:fixed_ips:subnet_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_port_security_enabled(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:port_security_enabled',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:port_security_enabled',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_binding_host_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:binding:host_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:binding:host_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_binding_profile(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:binding:profile',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:binding:profile',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_binding_vnic_type(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:binding:vnic_type',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:binding:vnic_type',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_allowed_address_pairs(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_port:allowed_address_pairs', self.target)
|
||||
self.context, 'update_port:allowed_address_pairs',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_port:allowed_address_pairs', self.alt_target)
|
||||
self.context, 'update_port:allowed_address_pairs',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_allowed_address_pairs_and_mac_address(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_port:allowed_address_pairs:mac_address',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_port:allowed_address_pairs:mac_address',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_allowed_address_pairs_and_ip_address(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_port:allowed_address_pairs:ip_address',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_port:allowed_address_pairs:ip_address',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_data_plane_status(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_port:data_plane_status', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_port:data_plane_status', self.alt_target)
|
||||
|
||||
def test_delete_port(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'delete_port', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'delete_port', self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
def setUp(self):
|
||||
@ -723,22 +493,20 @@ class ProjectAdminTests(PortAPITestCase):
|
||||
self.alt_target)
|
||||
|
||||
def test_create_port_with_binding_host_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:binding:host_id', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:binding:host_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'create_port:binding:host_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_port_with_binding_profile(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_port:binding:profile', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'create_port:binding:profile',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'create_port:binding:profile',
|
||||
self.alt_target)
|
||||
|
||||
@ -791,52 +559,47 @@ class ProjectAdminTests(PortAPITestCase):
|
||||
policy.enforce, self.context, 'get_port', self.alt_target)
|
||||
|
||||
def test_get_port_binding_vif_type(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_port:binding:vif_type', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:binding:vif_type',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:binding:vif_type',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port_binding_vif_details(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_port:binding:vif_details', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:binding:vif_details',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:binding:vif_details',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port_binding_host_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_port:binding:host_id', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:binding:host_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:binding:host_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port_binding_profile(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_port:binding:profile', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:binding:profile',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:binding:profile',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port_resource_request(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_port:resource_request', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'get_port:resource_request',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:resource_request',
|
||||
self.alt_target)
|
||||
|
||||
@ -861,10 +624,9 @@ class ProjectAdminTests(PortAPITestCase):
|
||||
alt_target)
|
||||
|
||||
def test_update_port_with_mac_address(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'update_port:mac_address',
|
||||
self.target)
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'update_port:mac_address', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'update_port:mac_address',
|
||||
@ -907,22 +669,20 @@ class ProjectAdminTests(PortAPITestCase):
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_binding_host_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:binding:host_id', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:binding:host_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'update_port:binding:host_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_binding_profile(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:binding:profile', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce, self.context, 'update_port:binding:profile',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'update_port:binding:profile',
|
||||
self.alt_target)
|
||||
|
||||
@ -968,10 +728,10 @@ class ProjectAdminTests(PortAPITestCase):
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_data_plane_status(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_port:data_plane_status', self.target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_port:data_plane_status',
|
||||
self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
@ -1057,21 +817,21 @@ class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
def test_create_port_with_binding_host_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'create_port:binding:host_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'create_port:binding:host_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_port_with_binding_profile(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'create_port:binding:profile',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'create_port:binding:profile',
|
||||
self.alt_target)
|
||||
|
||||
@ -1113,51 +873,51 @@ class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
def test_get_port_binding_vif_type(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:binding:vif_type',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:binding:vif_type',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port_binding_vif_details(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:binding:vif_details',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:binding:vif_details',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port_binding_host_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:binding:host_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:binding:host_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port_binding_profile(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:binding:profile',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:binding:profile',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_port_resource_request(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:resource_request',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'get_port:resource_request',
|
||||
self.alt_target)
|
||||
|
||||
@ -1227,21 +987,21 @@ class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
def test_update_port_with_binding_host_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'update_port:binding:host_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'update_port:binding:host_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_port_with_binding_profile(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'update_port:binding:profile',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce, self.context, 'update_port:binding:profile',
|
||||
self.alt_target)
|
||||
|
||||
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class QuoatsAPITestCase(base.PolicyBaseTestCase):
|
||||
|
@ -17,7 +17,7 @@ from oslo_policy import policy as base_policy
|
||||
import testscenarios
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class RbacAPITestCase(testscenarios.WithScenarios, base.PolicyBaseTestCase):
|
||||
@ -50,53 +50,58 @@ class SystemAdminTests(RbacAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_rbac_policy(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_rbac_policy', self.wildcard_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_rbac_policy', self.wildcard_alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_rbac_policy', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_rbac_policy', self.alt_target)
|
||||
|
||||
def test_create_rbac_policy_target_tenant(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_rbac_policy:target_tenant',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_rbac_policy:target_tenant',
|
||||
self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_rbac_policy:target_tenant',
|
||||
self.wildcard_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_rbac_policy:target_tenant',
|
||||
self.wildcard_alt_target)
|
||||
|
||||
def test_update_rbac_policy(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_rbac_policy', self.wildcard_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_rbac_policy', self.wildcard_alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_rbac_policy', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_rbac_policy', self.alt_target)
|
||||
|
||||
def test_update_rbac_policy_target_tenant(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_rbac_policy:target_tenant',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_rbac_policy:target_tenant',
|
||||
self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_rbac_policy:target_tenant',
|
||||
self.wildcard_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_rbac_policy:target_tenant',
|
||||
self.wildcard_alt_target)
|
||||
|
||||
def test_get_rbac_policy(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_rbac_policy', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_rbac_policy', self.alt_target))
|
||||
|
||||
def test_delete_rbac_policy(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_rbac_policy', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'delete_rbac_policy', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_rbac_policy', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_rbac_policy', self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
@ -105,60 +110,6 @@ class SystemMemberTests(SystemAdminTests):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_create_rbac_policy(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_rbac_policy', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_rbac_policy', self.alt_target)
|
||||
|
||||
def test_create_rbac_policy_target_tenant(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_rbac_policy:target_tenant',
|
||||
self.wildcard_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_rbac_policy:target_tenant',
|
||||
self.wildcard_alt_target)
|
||||
|
||||
def test_update_rbac_policy(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_rbac_policy', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_rbac_policy', self.alt_target)
|
||||
|
||||
def test_update_rbac_policy_target_tenant(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_rbac_policy:target_tenant',
|
||||
self.wildcard_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_rbac_policy:target_tenant',
|
||||
self.wildcard_alt_target)
|
||||
|
||||
def test_delete_rbac_policy(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_rbac_policy', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_rbac_policy', self.alt_target)
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
@ -182,11 +133,9 @@ class ProjectAdminTests(RbacAPITestCase):
|
||||
self.context, 'create_rbac_policy', self.alt_target)
|
||||
|
||||
def test_create_rbac_policy_target_tenant(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_rbac_policy:target_tenant',
|
||||
self.wildcard_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_rbac_policy:target_tenant', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
@ -202,11 +151,9 @@ class ProjectAdminTests(RbacAPITestCase):
|
||||
self.context, 'update_rbac_policy', self.alt_target)
|
||||
|
||||
def test_update_rbac_policy_target_tenant(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_rbac_policy:target_tenant',
|
||||
self.wildcard_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'update_rbac_policy:target_tenant', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
@ -236,6 +183,30 @@ class ProjectMemberTests(ProjectAdminTests):
|
||||
super(ProjectMemberTests, self).setUp()
|
||||
self.context = self.project_member_ctx
|
||||
|
||||
def test_create_rbac_policy_target_tenant(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_rbac_policy:target_tenant',
|
||||
self.wildcard_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_rbac_policy:target_tenant',
|
||||
self.wildcard_alt_target)
|
||||
|
||||
def test_update_rbac_policy_target_tenant(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_rbac_policy:target_tenant',
|
||||
self.wildcard_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_rbac_policy:target_tenant',
|
||||
self.wildcard_alt_target)
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
|
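Review bot: Nothing in the system-scoped classes appears to enforce `delete_rbac_policy` any more. In the `-50,53 +50,58` hunk the only new assertions after `test_update_rbac_policy_target_tenant` are the two `InvalidScope` checks on `'get_rbac_policy'`, and the `-105,60 +110,6` hunk drops the `SystemMemberTests.test_delete_rbac_policy` override. The page has lost its +/- markers, so this reading rests on the hunk line counts (53 old, 58 new), which leave room for only one of the `test_get_rbac_policy` / `test_delete_rbac_policy` headers on the new side. A policy regression that accepted a system-scoped context for deleting an RBAC policy would then pass this suite unnoticed. I would add a `test_delete_rbac_policy` to `SystemAdminTests`, presumably expecting `InvalidScope` like the neighbouring rules, for both `self.target` and `self.alt_target`; `SystemMemberTests` and `SystemReaderTests` inherit it.

```python
    # … unchanged: SystemAdminTests.test_get_rbac_policy …

    def test_delete_rbac_policy(self):
        self.assertRaises(
            base_policy.InvalidScope,
            policy.enforce,
            self.context, 'delete_rbac_policy', self.target)
        self.assertRaises(
            base_policy.InvalidScope,
            policy.enforce,
            self.context, 'delete_rbac_policy', self.alt_target)
```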
@ -17,7 +17,7 @@ from oslo_policy import policy as base_policy
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class RouterAPITestCase(base.PolicyBaseTestCase):
|
||||
@ -34,389 +34,13 @@ class SystemAdminTests(RouterAPITestCase):
|
||||
super(SystemAdminTests, self).setUp()
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_router(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_router', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_router', self.alt_target))
|
||||
|
||||
def test_create_router_distributed(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:distributed', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:distributed', self.alt_target))
|
||||
|
||||
def test_create_router_ha(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:ha', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:ha', self.alt_target))
|
||||
|
||||
def test_create_router_external_gateway_info(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:external_gateway_info', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:external_gateway_info',
|
||||
self.alt_target))
|
||||
|
||||
def test_create_router_external_gateway_info_network_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:external_gateway_info:network_id',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:external_gateway_info:network_id',
|
||||
self.alt_target))
|
||||
|
||||
def test_create_router_external_gateway_info_enable_snat(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:external_gateway_info:enable_snat',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:external_gateway_info:enable_snat',
|
||||
self.alt_target))
|
||||
|
||||
def test_create_router_external_gateway_info_external_fixed_ips(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context,
|
||||
'create_router:external_gateway_info:external_fixed_ips',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context,
|
||||
'create_router:external_gateway_info:external_fixed_ips',
|
||||
self.alt_target))
|
||||
|
||||
def test_get_router(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_router', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_router', self.alt_target))
|
||||
|
||||
def test_get_router_distributed(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_router:distributed', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_router:distributed', self.alt_target))
|
||||
|
||||
def test_get_router_ha(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_router:ha', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_router:ha', self.alt_target))
|
||||
|
||||
def test_update_router(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_router', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_router', self.alt_target))
|
||||
|
||||
def test_update_router_distributed(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router:distributed', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router:distributed', self.alt_target))
|
||||
|
||||
def test_update_router_ha(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router:ha', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router:ha', self.alt_target))
|
||||
|
||||
def test_update_router_external_gateway_info(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router:external_gateway_info', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router:external_gateway_info',
|
||||
self.alt_target))
|
||||
|
||||
def test_update_router_external_gateway_info_network_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router:external_gateway_info:network_id',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router:external_gateway_info:network_id',
|
||||
self.alt_target))
|
||||
|
||||
def test_update_router_external_gateway_info_enable_snat(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router:external_gateway_info:enable_snat',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router:external_gateway_info:enable_snat',
|
||||
self.alt_target))
|
||||
|
||||
def test_update_router_external_gateway_info_external_fixed_ips(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context,
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context,
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
self.alt_target))
|
||||
|
||||
def test_delete_router(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_router', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_router', self.alt_target))
|
||||
|
||||
def test_add_router_interface(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'add_router_interface', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'add_router_interface', self.alt_target))
|
||||
|
||||
def test_remove_router_interface(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'remove_router_interface', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'remove_router_interface', self.alt_target))
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_create_router(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_router', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router', self.alt_target)
|
||||
|
||||
def test_create_router_distributed(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:distributed', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:distributed', self.alt_target)
|
||||
|
||||
def test_create_router_ha(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:ha', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:ha', self.alt_target)
|
||||
|
||||
def test_create_router_external_gateway_info(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_router_external_gateway_info_network_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info:network_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info:network_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_router_external_gateway_info_enable_snat(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info:enable_snat',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info:enable_snat',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_router_external_gateway_info_external_fixed_ips(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'create_router:external_gateway_info:external_fixed_ips',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'create_router:external_gateway_info:external_fixed_ips',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_router(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router', self.alt_target)
|
||||
|
||||
def test_update_router_distributed(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:distributed', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:distributed', self.alt_target)
|
||||
|
||||
def test_update_router_ha(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:ha', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:ha', self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info_network_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info:network_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info:network_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info_enable_snat(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info:enable_snat',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info:enable_snat',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info_external_fixed_ips(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
self.alt_target)
|
||||
|
||||
def test_delete_router(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_router', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_router', self.alt_target)
|
||||
|
||||
def test_add_router_interface(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'add_router_interface', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'add_router_interface', self.alt_target)
|
||||
|
||||
def test_remove_router_interface(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'remove_router_interface', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'remove_router_interface', self.alt_target)
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemReaderTests, self).setUp()
|
||||
self.context = self.system_reader_ctx
|
||||
|
||||
|
||||
class ProjectAdminTests(RouterAPITestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectAdminTests, self).setUp()
|
||||
self.context = self.project_admin_ctx
|
||||
|
||||
def test_create_router(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_router', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_router', self.alt_target)
|
||||
|
||||
@ -441,23 +65,25 @@ class ProjectAdminTests(RouterAPITestCase):
|
||||
self.context, 'create_router:ha', self.alt_target)
|
||||
|
||||
def test_create_router_external_gateway_info(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:external_gateway_info',
|
||||
self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_router_external_gateway_info_network_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:external_gateway_info:network_id',
|
||||
self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info:network_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info:network_id',
|
||||
self.alt_target)
|
||||
@ -489,10 +115,12 @@ class ProjectAdminTests(RouterAPITestCase):
|
||||
self.alt_target)
|
||||
|
||||
def test_get_router(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_router', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_router', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_router', self.alt_target)
|
||||
|
||||
@ -517,10 +145,12 @@ class ProjectAdminTests(RouterAPITestCase):
|
||||
self.context, 'get_router:ha', self.alt_target)
|
||||
|
||||
def test_update_router(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_router', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_router', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_router', self.alt_target)
|
||||
|
||||
@ -544,6 +174,228 @@ class ProjectAdminTests(RouterAPITestCase):
|
||||
policy.enforce,
|
||||
self.context, 'update_router:ha', self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info_network_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info:network_id',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info:network_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info_enable_snat(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info:enable_snat',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info:enable_snat',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info_external_fixed_ips(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
self.alt_target)
|
||||
|
||||
def test_delete_router(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_router', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_router', self.alt_target)
|
||||
|
||||
def test_add_router_interface(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'add_router_interface', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'add_router_interface', self.alt_target)
|
||||
|
||||
def test_remove_router_interface(self):
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'remove_router_interface', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'remove_router_interface', self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemReaderTests, self).setUp()
|
||||
self.context = self.system_reader_ctx
|
||||
|
||||
|
||||
class ProjectAdminTests(RouterAPITestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectAdminTests, self).setUp()
|
||||
self.context = self.project_admin_ctx
|
||||
|
||||
def test_create_router(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_router', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router', self.alt_target)
|
||||
|
||||
def test_create_router_distributed(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_router:distributed', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:distributed', self.alt_target)
|
||||
|
||||
def test_create_router_ha(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_router:ha', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:ha', self.alt_target)
|
||||
|
||||
def test_create_router_external_gateway_info(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:external_gateway_info',
|
||||
self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_router_external_gateway_info_network_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:external_gateway_info:network_id',
|
||||
self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info:network_id',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_router_external_gateway_info_enable_snat(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_router:external_gateway_info:enable_snat',
|
||||
self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info:enable_snat',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_router_external_gateway_info_external_fixed_ips(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context,
|
||||
'create_router:external_gateway_info:external_fixed_ips',
|
||||
self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'create_router:external_gateway_info:external_fixed_ips',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_router(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_router', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_router', self.alt_target)
|
||||
|
||||
def test_get_router_distributed(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_router:distributed', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_router:distributed', self.alt_target)
|
||||
|
||||
def test_get_router_ha(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_router:ha', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_router:ha', self.alt_target)
|
||||
|
||||
def test_update_router(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_router', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router', self.alt_target)
|
||||
|
||||
def test_update_router_distributed(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'update_router:distributed', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:distributed', self.alt_target)
|
||||
|
||||
def test_update_router_ha(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_router:ha', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:ha', self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
@ -567,26 +419,24 @@ class ProjectAdminTests(RouterAPITestCase):
|
||||
self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info_enable_snat(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_router:external_gateway_info:enable_snat',
|
||||
self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info:enable_snat',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info:enable_snat',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info_external_fixed_ips(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context,
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
@ -625,6 +475,118 @@ class ProjectMemberTests(ProjectAdminTests):
|
||||
super(ProjectMemberTests, self).setUp()
|
||||
self.context = self.project_member_ctx
|
||||
|
||||
def test_create_router_distributed(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:distributed', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:distributed', self.alt_target)
|
||||
|
||||
def test_create_router_ha(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:ha', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:ha', self.alt_target)
|
||||
|
||||
def test_create_router_external_gateway_info_enable_snat(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info:enable_snat',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_router:external_gateway_info:enable_snat',
|
||||
self.alt_target)
|
||||
|
||||
def test_create_router_external_gateway_info_external_fixed_ips(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'create_router:external_gateway_info:external_fixed_ips',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'create_router:external_gateway_info:external_fixed_ips',
|
||||
self.alt_target)
|
||||
|
||||
def test_get_router_distributed(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_router:distributed', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_router:distributed', self.alt_target)
|
||||
|
||||
def test_get_router_ha(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_router:ha', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_router:ha', self.alt_target)
|
||||
|
||||
def test_update_router_distributed(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:distributed', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:distributed', self.alt_target)
|
||||
|
||||
def test_update_router_ha(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:ha', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:ha', self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info_enable_snat(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info:enable_snat',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_router:external_gateway_info:enable_snat',
|
||||
self.alt_target)
|
||||
|
||||
def test_update_router_external_gateway_info_external_fixed_ips(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
'update_router:external_gateway_info:external_fixed_ips',
|
||||
self.alt_target)
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
@ -756,17 +718,24 @@ class SystemAdminExtrarouteTests(ExtrarouteAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_add_extraroute(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'add_extraroutes', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'add_extraroutes', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'add_extraroutes', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'add_extraroutes', self.alt_target)
|
||||
|
||||
def test_remove_extraroute(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'remove_extraroutes', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'remove_extraroutes', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'remove_extraroutes', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'remove_extraroutes', self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberExtrarouteTests(SystemAdminExtrarouteTests):
|
||||
@ -775,26 +744,6 @@ class SystemMemberExtrarouteTests(SystemAdminExtrarouteTests):
|
||||
super(SystemMemberExtrarouteTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_add_extraroute(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'add_extraroutes', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'add_extraroutes', self.alt_target)
|
||||
|
||||
def test_remove_extraroute(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'remove_extraroutes', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'remove_extraroutes', self.alt_target)
|
||||
|
||||
|
||||
class SystemReaderExtrarouteTests(SystemMemberExtrarouteTests):
|
||||
|
||||
|
@ -19,7 +19,7 @@ from oslo_policy import policy as base_policy
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class SecurityGroupAPITestCase(base.PolicyBaseTestCase):
|
||||
@ -37,32 +37,44 @@ class SystemAdminSecurityGroupTests(SecurityGroupAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_security_group(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_security_group', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_security_group', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_security_group', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_security_group', self.alt_target)
|
||||
|
||||
def test_get_security_group(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_security_group', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_security_group', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_security_group', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_security_group', self.alt_target)
|
||||
|
||||
def test_update_security_group(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_security_group', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_security_group', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_security_group', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_security_group', self.alt_target)
|
||||
|
||||
def test_delete_security_group(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_security_group', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'delete_security_group', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_security_group', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_security_group', self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberSecurityGroupTests(SystemAdminSecurityGroupTests):
|
||||
@ -71,36 +83,6 @@ class SystemMemberSecurityGroupTests(SystemAdminSecurityGroupTests):
|
||||
super(SystemMemberSecurityGroupTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_create_security_group(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_security_group', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_security_group', self.alt_target)
|
||||
|
||||
def test_update_security_group(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_security_group', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_security_group', self.alt_target)
|
||||
|
||||
def test_delete_security_group(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_security_group', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_security_group', self.alt_target)
|
||||
|
||||
|
||||
class SystemReaderSecurityGroupTests(SystemMemberSecurityGroupTests):
|
||||
|
||||
@ -171,14 +153,6 @@ class ProjectReaderSecurityGroupTests(ProjectMemberSecurityGroupTests):
|
||||
policy.enforce,
|
||||
self.context, 'create_security_group', self.alt_target)
|
||||
|
||||
def test_get_security_group(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_security_group', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_security_group', self.alt_target)
|
||||
|
||||
def test_update_security_group(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
@ -231,28 +205,34 @@ class SystemAdminSecurityGroupRuleTests(SecurityGroupRuleAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_security_group_rule(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_security_group_rule', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_security_group_rule', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_security_group_rule', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_security_group_rule', self.alt_target)
|
||||
|
||||
def test_get_security_group_rule(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_security_group_rule', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_security_group_rule', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_security_group_rule', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_security_group_rule', self.alt_target)
|
||||
|
||||
def test_delete_security_group_rule(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'delete_security_group_rule', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'delete_security_group_rule', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_security_group_rule', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_security_group_rule', self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberSecurityGroupRuleTests(SystemAdminSecurityGroupRuleTests):
|
||||
@ -261,26 +241,6 @@ class SystemMemberSecurityGroupRuleTests(SystemAdminSecurityGroupRuleTests):
|
||||
super(SystemMemberSecurityGroupRuleTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_create_security_group_rule(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_security_group_rule', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_security_group_rule', self.alt_target)
|
||||
|
||||
def test_delete_security_group_rule(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_security_group_rule', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_security_group_rule', self.alt_target)
|
||||
|
||||
|
||||
class SystemReaderSecurityGroupRuleTests(SystemMemberSecurityGroupRuleTests):
|
||||
|
||||
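Review bot: The rewritten system-persona cases in SystemAdminSecurityGroupTests and SystemAdminSecurityGroupRuleTests pin only the `base_policy.InvalidScope` outcome, which oslo.policy raises only while scope enforcement is on. Nothing in this file section shows where `enforce_scope` is set; presumably the shared PolicyBaseTestCase does it, which should be confirmed. I would record the dependency above the first class, e.g. `# System-scoped contexts must be rejected with InvalidScope; relies on [oslo_policy] enforce_scope being enabled by the test base.` A companion case with scope enforcement off would also help, asserting that the system context is still denied for `create_security_group` and `delete_security_group_rule`, since in that configuration a scope mismatch is only logged. Going by the hunk counts (36 to 6 lines and 26 to 6 lines), the SystemMember overrides are removed, so the member and reader personas now inherit these assertions and the same comment covers them.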
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class SegmentAPITestCase(base.PolicyBaseTestCase):
|
||||
|
@ -14,7 +14,7 @@
|
||||
# limitations under the License.
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class ServiceTypeAPITestCase(base.PolicyBaseTestCase):
|
||||
|
@ -19,7 +19,7 @@ from oslo_policy import policy as base_policy
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class SubnetAPITestCase(base.PolicyBaseTestCase):
|
||||
@ -54,68 +54,94 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_subnet(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnet', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnet', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.alt_target)
|
||||
|
||||
def test_create_subnet_segment_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_subnet:segment_id', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_subnet:segment_id', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.alt_target)
|
||||
|
||||
def test_create_subnet_service_types(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_subnet:service_types', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_subnet:service_types', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types', self.alt_target)
|
||||
|
||||
def test_get_subnet(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnet', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnet', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet', self.alt_target)
|
||||
|
||||
def test_get_subnet_segment_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_subnet:segment_id', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'get_subnet:segment_id', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.alt_target)
|
||||
|
||||
def test_update_subnet(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnet', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnet', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.alt_target)
|
||||
|
||||
def test_update_subnet_segment_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_subnet:segment_id', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_subnet:segment_id', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.alt_target)
|
||||
|
||||
def test_update_subnet_service_types(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_subnet:service_types', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_subnet:service_types', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types', self.alt_target)
|
||||
|
||||
def test_delete_subnet(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnet', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnet', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
@ -124,76 +150,6 @@ class SystemMemberTests(SystemAdminTests):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_create_subnet(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.alt_target)
|
||||
|
||||
def test_create_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.alt_target)
|
||||
|
||||
def test_create_subnet_service_types(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types', self.alt_target)
|
||||
|
||||
def test_update_subnet(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.alt_target)
|
||||
|
||||
def test_update_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.alt_target)
|
||||
|
||||
def test_update_subnet_service_types(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types', self.alt_target)
|
||||
|
||||
def test_delete_subnet(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.alt_target)
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
@ -217,22 +173,20 @@ class ProjectAdminTests(SubnetAPITestCase):
|
||||
self.context, 'create_subnet', self.alt_target)
|
||||
|
||||
def test_create_subnet_segment_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_subnet:segment_id', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.alt_target)
|
||||
|
||||
def test_create_subnet_service_types(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_subnet:service_types', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types', self.alt_target)
|
||||
|
||||
@ -245,12 +199,10 @@ class ProjectAdminTests(SubnetAPITestCase):
|
||||
self.context, 'get_subnet', self.alt_target)
|
||||
|
||||
def test_get_subnet_segment_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnet:segment_id', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.alt_target)
|
||||
|
||||
@ -263,22 +215,20 @@ class ProjectAdminTests(SubnetAPITestCase):
|
||||
self.context, 'update_subnet', self.alt_target)
|
||||
|
||||
def test_update_subnet_segment_id(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'update_subnet:segment_id', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.alt_target)
|
||||
|
||||
def test_update_subnet_service_types(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'update_subnet:service_types', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types', self.alt_target)
|
||||
|
||||
@ -297,6 +247,56 @@ class ProjectMemberTests(ProjectAdminTests):
|
||||
super(ProjectMemberTests, self).setUp()
|
||||
self.context = self.project_member_ctx
|
||||
|
||||
def test_create_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.alt_target)
|
||||
|
||||
def test_create_subnet_service_types(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types', self.alt_target)
|
||||
|
||||
def test_get_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.alt_target)
|
||||
|
||||
def test_update_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.alt_target)
|
||||
|
||||
def test_update_subnet_service_types(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types', self.alt_target)
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
|
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class SubnetpoolAPITestCase(base.PolicyBaseTestCase):
|
||||
@ -34,72 +34,104 @@ class SystemAdminTests(SubnetpoolAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_subnetpool(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnetpool', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnetpool', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool', self.alt_target)
|
||||
|
||||
def test_create_subnetpool_shared(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_subnetpool:shared', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_subnetpool:shared', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:shared', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:shared', self.alt_target)
|
||||
|
||||
def test_create_subnetpool_default(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_subnetpool:is_default', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'create_subnetpool:is_default', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:is_default', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:is_default', self.alt_target)
|
||||
|
||||
def test_get_subnetpool(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnetpool', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnetpool', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnetpool', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnetpool', self.alt_target)
|
||||
|
||||
def test_update_subnetpool(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnetpool', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnetpool', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnetpool', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnetpool', self.alt_target)
|
||||
|
||||
def test_update_subnetpool_default(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_subnetpool:is_default', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'update_subnetpool:is_default', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnetpool:is_default', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnetpool:is_default', self.alt_target)
|
||||
|
||||
def test_delete_subnetpool(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnetpool', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnetpool', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnetpool', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnetpool', self.alt_target)
|
||||
|
||||
def test_onboard_network_subnets(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'onboard_network_subnets', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context,
|
||||
'onboard_network_subnets', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'onboard_network_subnets', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'onboard_network_subnets', self.alt_target)
|
||||
|
||||
def test_add_prefixes(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'add_prefixes', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'add_prefixes', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'add_prefixes', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'add_prefixes', self.alt_target)
|
||||
|
||||
def test_remove_prefixes(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'remove_prefixes', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'remove_prefixes', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'remove_prefixes', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'remove_prefixes', self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
@ -108,96 +140,6 @@ class SystemMemberTests(SystemAdminTests):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_create_subnetpool(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool', self.alt_target)
|
||||
|
||||
def test_create_subnetpool_shared(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:shared', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:shared', self.alt_target)
|
||||
|
||||
def test_create_subnetpool_default(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:is_default', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:is_default', self.alt_target)
|
||||
|
||||
def test_update_subnetpool(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnetpool', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnetpool', self.alt_target)
|
||||
|
||||
def test_update_subnetpool_default(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnetpool:is_default', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnetpool:is_default', self.alt_target)
|
||||
|
||||
def test_delete_subnetpool(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnetpool', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnetpool', self.alt_target)
|
||||
|
||||
def test_onboard_network_subnets(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'onboard_network_subnets', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'onboard_network_subnets', self.alt_target)
|
||||
|
||||
def test_add_prefixes(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'add_prefixes', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'add_prefixes', self.alt_target)
|
||||
|
||||
def test_remove_prefixes(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'remove_prefixes', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'remove_prefixes', self.alt_target)
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
@ -221,22 +163,20 @@ class ProjectAdminTests(SubnetpoolAPITestCase):
|
||||
self.context, 'create_subnetpool', self.alt_target)
|
||||
|
||||
def test_create_subnetpool_shared(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_subnetpool:shared', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:shared', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:shared', self.alt_target)
|
||||
|
||||
def test_create_subnetpool_default(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_subnetpool:default', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:is_default', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:is_default', self.alt_target)
|
||||
|
||||
@ -257,12 +197,11 @@ class ProjectAdminTests(SubnetpoolAPITestCase):
|
||||
self.context, 'update_subnetpool', self.alt_target)
|
||||
|
||||
def test_update_subnetpool_default(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'update_subnetpool:default', self.target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnetpool:is_default', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnetpool:is_default', self.alt_target)
|
||||
|
||||
@ -306,6 +245,36 @@ class ProjectMemberTests(ProjectAdminTests):
|
||||
super(ProjectMemberTests, self).setUp()
|
||||
self.context = self.project_member_ctx
|
||||
|
||||
def test_create_subnetpool_shared(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:shared', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:shared', self.alt_target)
|
||||
|
||||
def test_create_subnetpool_default(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:is_default', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnetpool:is_default', self.alt_target)
|
||||
|
||||
def test_update_subnetpool_default(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnetpool:is_default', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnetpool:is_default', self.alt_target)
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
|
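Review bot: In ProjectAdminTests, the positive assertions of test_create_subnetpool_default and test_update_subnetpool_default enforce `'create_subnetpool:default'` and `'update_subnetpool:default'`, while every other assertion in this file, including the alt_target check in the same two tests, uses the `:is_default` suffix. If `:default` is not a registered rule name, these assertTrue calls presumably pass through whatever fallback rule the enforcer applies, so the test would not notice a change in who is allowed to set is_default on a subnet pool. They should read `self.context, 'create_subnetpool:is_default', self.target))` and `self.context, 'update_subnetpool:is_default', self.target))`. The +/- markers are lost on this page; the hunk line counts (-221,22 +163,20 and -257,12 +197,11) indicate the assertTrue lines are on the new side.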
@ -16,7 +16,7 @@
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
from neutron.tests.unit.conf.policies import test_base as base
|
||||
|
||||
|
||||
class TrunkAPITestCase(base.PolicyBaseTestCase):
|
||||
@ -34,46 +34,74 @@ class SystemAdminTests(TrunkAPITestCase):
|
||||
self.context = self.system_admin_ctx
|
||||
|
||||
def test_create_trunk(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_trunk', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_trunk', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_trunk', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_trunk', self.alt_target)
|
||||
|
||||
def test_get_trunk(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_trunk', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_trunk', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_trunk', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_trunk', self.alt_target)
|
||||
|
||||
def test_update_trunk(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_trunk', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_trunk', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_trunk', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_trunk', self.alt_target)
|
||||
|
||||
def test_delete_trunk(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_trunk', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_trunk', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_trunk', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_trunk', self.alt_target)
|
||||
|
||||
def test_get_subports(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subports', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subports', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subports', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subports', self.alt_target)
|
||||
|
||||
def test_add_subports(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'add_subports', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'add_subports', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'add_subports', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'add_subports', self.alt_target)
|
||||
|
||||
def test_remove_subports(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'remove_subports', self.target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'remove_subports', self.alt_target))
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'remove_subports', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'remove_subports', self.alt_target)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
@ -82,56 +110,6 @@ class SystemMemberTests(SystemAdminTests):
|
||||
super(SystemMemberTests, self).setUp()
|
||||
self.context = self.system_member_ctx
|
||||
|
||||
def test_create_trunk(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_trunk', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_trunk', self.alt_target)
|
||||
|
||||
def test_update_trunk(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_trunk', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_trunk', self.alt_target)
|
||||
|
||||
def test_delete_trunk(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_trunk', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_trunk', self.alt_target)
|
||||
|
||||
def test_add_subports(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'add_subports', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'add_subports', self.alt_target)
|
||||
|
||||
def test_remove_subports(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'remove_subports', self.target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'remove_subports', self.alt_target)
|
||||
|
||||
|
||||
class SystemReaderTests(SystemMemberTests):
|
||||
|
||||
|