[Secure RBAC] Fix policy to get flavors

Flavors are resources which don't have owner and should be able to
be listed/showed by any user with READER role. This patch fixes policy
for "get_flavor" action to match this requirement.

Additionall it removes "project_id" field from the target object in
the flavor policy unit tests.

Closes-Bug: #2004017
Change-Id: I254e88f7c32343034f4799b63b1088c3f966d7a6
This commit is contained in:
Slawek Kaplonski 2023-02-01 12:22:50 +01:00
parent 06e2e22d31
commit 1c27d8b5b4
2 changed files with 6 additions and 2 deletions

View File

@ -47,7 +47,11 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_flavor',
check_str=base.ADMIN_OR_PROJECT_READER,
# NOTE: it can't be ADMIN_OR_PROJECT_READER constant from the base
# module because that is using "project_id" in the check string and the
# service_provider resource don't belongs to any project thus such
# check string would fail enforcement.
check_str='role:reader',
description='Get a flavor',
operations=[
{

View File

@ -23,7 +23,7 @@ class FlavorAPITestCase(base.PolicyBaseTestCase):
def setUp(self):
super(FlavorAPITestCase, self).setUp()
self.target = {'project_id': self.project_id}
self.target = {}
class SystemAdminTests(FlavorAPITestCase):