Merge "Allow network owner reader to get subnets" into stable/2024.2
commit
13938b0473
@ -117,7 +117,7 @@ rules = [
|
||||
base.PROJECT_READER,
|
||||
'rule:shared',
|
||||
'rule:external_network',
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER,
|
||||
base.ADMIN_OR_NET_OWNER_READER,
|
||||
),
|
||||
scope_types=['project'],
|
||||
description='Get a subnet',
|
||||
@ -150,7 +150,7 @@ rules = [
|
||||
base.PROJECT_READER,
|
||||
'rule:shared',
|
||||
'rule:external_network',
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER,
|
||||
base.ADMIN_OR_NET_OWNER_READER,
|
||||
),
|
||||
scope_types=['project'],
|
||||
description='Get the subnet tags',
|
||||
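Review bot: Nothing at the `get_subnet` and `get_subnets_tags` check strings records why a network-owner operand sits next to `base.PROJECT_READER`, and this widens read access on a stable branch. The rendered page has lost the +/- markers, so presumably `base.ADMIN_OR_NET_OWNER_READER` replaces `base.ADMIN_OR_NET_OWNER_MEMBER` in both hunks. A comment above that operand, such as `# The network owner (reader) may see subnets other projects created in its network; see bug 2038646.`, would keep a later edit from narrowing or widening it unnoticed. The release note further down says project members can now update and delete the subnet, but only the two get rules are touched in the visible hunks, so confirm the note matches what this backport changes. The `rules` list begins and ends outside both hunks.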
|
@ -79,6 +79,13 @@ class SubnetAPITestCase(base.PolicyBaseTestCase):
|
||||
'network_id': self.ext_alt_network['id'],
|
||||
'ext_parent_network_id': self.ext_alt_network['id'],
|
||||
'router:external': True}
|
||||
# This is the case where the network belongs to the project but not
|
||||
# the subnet.
|
||||
self.alt_target_own_net = {
|
||||
'project_id': self.alt_project_id,
|
||||
'tenant_id': self.alt_project_id,
|
||||
'network_id': self.network['id'],
|
||||
'ext_parent_network_id': self.network['id']}
|
||||
|
||||
def get_network(context, id, fields=None):
|
||||
return networks.get(id)
|
||||
@ -109,6 +116,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_create_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
@ -124,6 +135,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.alt_target_own_net)
|
||||
|
||||
def test_create_subnet_service_types(self):
|
||||
self.assertRaises(
|
||||
@ -139,6 +154,11 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types',
|
||||
self.alt_target_own_net)
|
||||
|
||||
def test_create_subnets_tags(self):
|
||||
self.assertRaises(
|
||||
@ -153,6 +173,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnets_tags', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnets_tags', self.alt_target_own_net)
|
||||
|
||||
def test_get_subnet(self):
|
||||
self.assertRaises(
|
||||
@ -171,6 +195,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_get_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
@ -185,6 +213,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.alt_target_own_net)
|
||||
|
||||
def test_get_subnets_tags(self):
|
||||
self.assertRaises(
|
||||
@ -203,6 +235,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnets_tags', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnets_tags', self.alt_target_own_net)
|
||||
|
||||
def test_update_subnet(self):
|
||||
self.assertRaises(
|
||||
@ -217,6 +253,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_update_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
@ -232,6 +272,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.alt_target_own_net)
|
||||
|
||||
def test_update_subnet_service_types(self):
|
||||
self.assertRaises(
|
||||
@ -247,6 +291,11 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types',
|
||||
self.alt_target_own_net)
|
||||
|
||||
def test_update_subnets_tags(self):
|
||||
self.assertRaises(
|
||||
@ -261,6 +310,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnets_tags', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnets_tags', self.alt_target_own_net)
|
||||
|
||||
def test_delete_subnet(self):
|
||||
self.assertRaises(
|
||||
@ -275,6 +328,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_delete_subnets_tags(self):
|
||||
self.assertRaises(
|
||||
@ -289,6 +346,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnets_tags', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnets_tags', self.alt_target_own_net)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
@ -319,6 +380,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.target_net_alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnet', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_create_subnet_segment_id(self):
|
||||
self.assertTrue(
|
||||
@ -331,6 +395,10 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_subnet:segment_id', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_subnet:segment_id',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_create_subnet_service_types(self):
|
||||
self.assertTrue(
|
||||
@ -343,6 +411,10 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_subnet:service_types', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_subnet:service_types',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_create_subnets_tags(self):
|
||||
self.assertTrue(
|
||||
@ -353,6 +425,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnets_tags',
|
||||
self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_get_subnet(self):
|
||||
self.assertTrue(
|
||||
@ -365,6 +440,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.target_net_ext_alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnet', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_get_subnet_segment_id(self):
|
||||
self.assertTrue(
|
||||
@ -375,6 +453,10 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_subnet:segment_id', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_subnet:segment_id',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_get_subnets_tags(self):
|
||||
self.assertTrue(
|
||||
@ -387,6 +469,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.target_net_ext_alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnets_tags', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_update_subnet(self):
|
||||
self.assertTrue(
|
||||
@ -396,6 +481,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.target_net_alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnet', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_update_subnet_segment_id(self):
|
||||
self.assertTrue(
|
||||
@ -408,6 +496,10 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'update_subnet:segment_id', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'update_subnet:segment_id',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_update_subnet_service_types(self):
|
||||
self.assertTrue(
|
||||
@ -430,6 +522,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnets_tags',
|
||||
self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_delete_subnet(self):
|
||||
self.assertTrue(
|
||||
@ -439,6 +534,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.target_net_alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnet', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_delete_subnets_tags(self):
|
||||
self.assertTrue(
|
||||
@ -449,6 +547,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnets_tags',
|
||||
self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
|
||||
class ProjectManagerTests(AdminTests):
|
||||
@ -468,6 +569,9 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_create_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
@ -483,6 +587,10 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.alt_target_own_net)
|
||||
|
||||
def test_create_subnet_service_types(self):
|
||||
self.assertRaises(
|
||||
@ -498,6 +606,11 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types',
|
||||
self.alt_target_own_net)
|
||||
|
||||
def test_create_subnets_tags(self):
|
||||
self.assertTrue(
|
||||
@ -509,6 +622,9 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnets_tags', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_get_subnet(self):
|
||||
self.assertTrue(
|
||||
@ -523,6 +639,9 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_get_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
@ -537,6 +656,10 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.alt_target_own_net)
|
||||
|
||||
def test_get_subnets_tags(self):
|
||||
self.assertTrue(
|
||||
@ -551,6 +674,9 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnets_tags', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_update_subnet(self):
|
||||
self.assertTrue(
|
||||
@ -562,6 +688,9 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_update_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
@ -577,6 +706,10 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.alt_target_own_net)
|
||||
|
||||
def test_update_subnet_service_types(self):
|
||||
self.assertRaises(
|
||||
@ -592,6 +725,11 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types',
|
||||
self.alt_target_own_net)
|
||||
|
||||
def test_update_subnets_tags(self):
|
||||
self.assertTrue(
|
||||
@ -603,6 +741,9 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnets_tags', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_delete_subnet(self):
|
||||
self.assertTrue(
|
||||
@ -614,6 +755,9 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_delete_subnets_tags(self):
|
||||
self.assertTrue(
|
||||
@ -625,6 +769,9 @@ class ProjectManagerTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnets_tags', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectManagerTests):
|
||||
@ -653,6 +800,10 @@ class ProjectReaderTests(ProjectMemberTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_create_subnets_tags(self):
|
||||
self.assertRaises(
|
||||
@ -667,6 +818,10 @@ class ProjectReaderTests(ProjectMemberTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnets_tags', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnets_tags', self.alt_target_own_net)
|
||||
|
||||
def test_update_subnet(self):
|
||||
self.assertRaises(
|
||||
@ -681,6 +836,10 @@ class ProjectReaderTests(ProjectMemberTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_update_subnets_tags(self):
|
||||
self.assertRaises(
|
||||
@ -695,6 +854,10 @@ class ProjectReaderTests(ProjectMemberTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnets_tags', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnets_tags', self.alt_target_own_net)
|
||||
|
||||
def test_delete_subnet(self):
|
||||
self.assertRaises(
|
||||
@ -709,6 +872,10 @@ class ProjectReaderTests(ProjectMemberTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_delete_subnets_tags(self):
|
||||
self.assertRaises(
|
||||
@ -723,6 +890,10 @@ class ProjectReaderTests(ProjectMemberTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnets_tags', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnets_tags', self.alt_target_own_net)
|
||||
|
||||
|
||||
class ServiceRoleTests(SubnetAPITestCase):
|
||||
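Review bot: `AdminTests.test_update_subnet_service_types` gets no `alt_target_own_net` assertion, because the AdminTests hunks jump from `update_subnet:segment_id` (new line 496) straight to `update_subnets_tags` (new line 522). `SystemAdminTests` and `ProjectManagerTests` both exercise `update_subnet:service_types` against the new target, and AdminTests does so for `create_subnet:service_types`, so the admin row of the matrix has one hole. Adding `self.assertTrue(policy.enforce(self.context, 'update_subnet:service_types', self.alt_target_own_net))` to that test would close it. `ServiceRoleTests` appears only as trailing context with no hunk of its own, so it presumably has no coverage for the subnet-in-own-network case either; worth confirming. In an authorization test file, an unasserted role/target pair is where a later policy regression can pass unnoticed.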
|
@ -0,0 +1,7 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
Subnet policies have been updated to allow other users to operate on them.
|
||||
Network owners and readers can now retrieve the subnet and project members
|
||||
can now update and delete the subnet. For more information, see bug
|
||||
`2038646 <https://launchpad.net/bugs/2038646>`_.
|