Browse Source

Merge "Migrate address-group API to the new secure rbac rules" into stable/wallaby

changes/12/784412/1
Zuul 2 weeks ago
committed by Gerrit Code Review
parent
commit
1a4f7a8a50
2 changed files with 64 additions and 3 deletions
  1. +15
    -3
      neutron/conf/policies/address_group.py
  2. +49
    -0
      neutron/tests/unit/conf/policies/test_address_group.py

+ 15
- 3
neutron/conf/policies/address_group.py View File

@ -10,6 +10,7 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from neutron.conf.policies import base
@ -18,6 +19,9 @@ from neutron.conf.policies import base
AG_COLLECTION_PATH = '/address-groups'
AG_RESOURCE_PATH = '/address-groups/{id}'
DEPRECATION_REASON = (
"The Address scope API now supports system scope and default roles.")
rules = [
policy.RuleDefault(
@ -27,8 +31,9 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_address_group',
check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
'rule:shared_address_groups'),
check_str=base.policy_or(
base.SYSTEM_OR_PROJECT_READER,
'rule:shared_address_groups'),
description='Get an address group',
operations=[
{
@ -39,7 +44,14 @@ rules = [
'method': 'GET',
'path': AG_RESOURCE_PATH,
},
]
],
scope_types=['system', 'project'],
deprecated_rule=policy.DeprecatedRule(
name='get_address_group',
check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
'rule:shared_address_groups'),
deprecated_reason=DEPRECATION_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
),
]


+ 49
- 0
neutron/tests/unit/conf/policies/test_address_group.py View File

@ -0,0 +1,49 @@
# Copyright (c) 2021 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_policy import policy as base_policy
from neutron import policy
from neutron.tests.unit.conf.policies import base
class AddressGroupAPITestCase(base.PolicyBaseTestCase):
def setUp(self):
super(AddressGroupAPITestCase, self).setUp()
self.target = {'project_id': self.project_id}
def test_system_reader_can_get_address_group(self):
self.assertTrue(
policy.enforce(self.system_reader_ctx,
"get_address_group", self.target))
def test_project_reader_can_get_address_group(self):
self.assertTrue(
policy.enforce(self.project_reader_ctx,
"get_address_group", self.target))
def test_system_reader_can_get_any_address_group(self):
target = {'project_id': 'some-other-project'}
self.assertTrue(
policy.enforce(self.system_reader_ctx,
"get_address_group", target))
def test_project_reader_can_not_get_address_group_other_tenant(self):
target = {'project_id': 'some-other-project'}
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.project_reader_ctx, "get_address_group", target)

Loading…
Cancel
Save