Migrate address-group API to the new secure rbac rules
This commit updates the port policies to understand scope checking and
account
for a read-only role. This is part of a broader series of changes across
OpenStack to provide a consistent RBAC experience and improve
security.
It also adds new UT to test new API policies for address-group API.
Change-Id: Ibcd6084b30d923803723caffbf61bf2a60c6a408
(cherry picked from commit fd6ee70c3d
)
This commit is contained in:
parent
1d06fd915b
commit
201ea2af16
|
@ -10,6 +10,7 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_log import versionutils
|
||||
from oslo_policy import policy
|
||||
|
||||
from neutron.conf.policies import base
|
||||
|
@ -18,6 +19,9 @@ from neutron.conf.policies import base
|
|||
AG_COLLECTION_PATH = '/address-groups'
|
||||
AG_RESOURCE_PATH = '/address-groups/{id}'
|
||||
|
||||
DEPRECATION_REASON = (
|
||||
"The Address scope API now supports system scope and default roles.")
|
||||
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
|
@ -27,8 +31,9 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_address_group',
|
||||
check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
'rule:shared_address_groups'),
|
||||
check_str=base.policy_or(
|
||||
base.SYSTEM_OR_PROJECT_READER,
|
||||
'rule:shared_address_groups'),
|
||||
description='Get an address group',
|
||||
operations=[
|
||||
{
|
||||
|
@ -39,7 +44,14 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': AG_RESOURCE_PATH,
|
||||
},
|
||||
]
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
deprecated_rule=policy.DeprecatedRule(
|
||||
name='get_address_group',
|
||||
check_str=base.policy_or(base.RULE_ADMIN_OR_OWNER,
|
||||
'rule:shared_address_groups'),
|
||||
deprecated_reason=DEPRECATION_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY)
|
||||
),
|
||||
]
|
||||
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
# Copyright (c) 2021 Red Hat Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
# implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
from oslo_policy import policy as base_policy
|
||||
|
||||
from neutron import policy
|
||||
from neutron.tests.unit.conf.policies import base
|
||||
|
||||
|
||||
class AddressGroupAPITestCase(base.PolicyBaseTestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(AddressGroupAPITestCase, self).setUp()
|
||||
self.target = {'project_id': self.project_id}
|
||||
|
||||
def test_system_reader_can_get_address_group(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.system_reader_ctx,
|
||||
"get_address_group", self.target))
|
||||
|
||||
def test_project_reader_can_get_address_group(self):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.project_reader_ctx,
|
||||
"get_address_group", self.target))
|
||||
|
||||
def test_system_reader_can_get_any_address_group(self):
|
||||
target = {'project_id': 'some-other-project'}
|
||||
self.assertTrue(
|
||||
policy.enforce(self.system_reader_ctx,
|
||||
"get_address_group", target))
|
||||
|
||||
def test_project_reader_can_not_get_address_group_other_tenant(self):
|
||||
target = {'project_id': 'some-other-project'}
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.project_reader_ctx, "get_address_group", target)
|
Loading…
Reference in New Issue