From 2a637ad7672f4217bb31bb4adcd102ce041e19f9 Mon Sep 17 00:00:00 2001
From: Rodolfo Alonso Hernandez
Date: Fri, 22 Nov 2024 11:07:26 +0000
Subject: [PATCH] Add policy enforcer for QoS policy "tags" service plugin
This resource was missing in [1]. This patch should be backported up to 2023.2.
[1]https://review.opendev.org/q/I9f3e032739824f268db74c5a1b4f04d353742dbd
Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/936036
Conflicts: neutron/conf/policies/qos.py neutron/tests/unit/conf/policies/test_qos.py
Related-Bug: #2037002
Change-Id: Ie6210f7dab4d54d734255d3ac2271cac99590f46
(cherry picked from commit 6aaf293ffd24555450ee9c416ec6b4890a91b40f)
---
 neutron/conf/policies/qos.py | 50 ++++++++
 neutron/tests/unit/conf/policies/test_qos.py | 117 +++++++++++++++++++
 2 files changed, 167 insertions(+)
diff --git a/neutron/conf/policies/qos.py b/neutron/conf/policies/qos.py
index c507a7bdb99..fc988140879 100644
--- a/neutron/conf/policies/qos.py
+++ b/neutron/conf/policies/qos.py
@@ -19,6 +19,25 @@ from neutron.conf.policies import base
 DEPRECATED_REASON = """
 The QoS API now supports project scope and default roles.
 """
+RESOURCE_PATH = '/qos/policies/{id}'
+TAGS_PATH = RESOURCE_PATH + '/tags'
+TAG_PATH = RESOURCE_PATH + '/tags/{tag_id}'
+
+ACTION_GET_TAGS = [
+ {'method': 'GET', 'path': TAGS_PATH},
+ {'method': 'GET', 'path': TAG_PATH},
+]
+ACTION_PUT_TAGS = [
+ {'method': 'PUT', 'path': TAGS_PATH},
+ {'method': 'PUT', 'path': TAG_PATH},
+]
+ACTION_POST_TAGS = [
+ {'method': 'POST', 'path': TAGS_PATH},
+]
+ACTION_DELETE_TAGS = [
+ {'method': 'DELETE', 'path': TAGS_PATH},
+ {'method': 'DELETE', 'path': TAG_PATH},
+]
 rules = [
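Review bot: The new `ACTION_*_TAGS` lists carry no comment on their role, and a reader could take the method/path pairs for an enforcement filter. In oslo.policy the `operations` argument of a `DocumentedRuleDefault` feeds the generated policy documentation; the authorization decision is keyed on the rule name passed to `enforce`. A comment above `ACTION_GET_TAGS` such as `# Documentation only: requests are authorized by rule name, not by these method/path pairs.` would make that explicit. `TAG_PATH` could also be written as `TAGS_PATH + '/{tag_id}'` so the `/tags` segment is spelled once.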
@@ -50,6 +69,16 @@ rules = [
 deprecated_reason=DEPRECATED_REASON,
 deprecated_since=versionutils.deprecated.WALLABY)
 ),
+ policy.DocumentedRuleDefault(
+ name='get_policies_tags',
+ check_str=neutron_policy.policy_or(
+ base.ADMIN_OR_PROJECT_READER,
+ 'rule:shared_qos_policy'
+ ),
+ scope_types=['project'],
+ description='Get QoS policy tags',
+ operations=ACTION_GET_TAGS
+ ),
 policy.DocumentedRuleDefault(
 name='create_policy',
 check_str=base.ADMIN,
@@ -67,6 +96,13 @@ rules = [
 deprecated_reason=DEPRECATED_REASON,
 deprecated_since=versionutils.deprecated.WALLABY)
 ),
+ policy.DocumentedRuleDefault(
+ name='create_policies_tags',
+ check_str=base.ADMIN,
+ scope_types=['project'],
+ description='Create the QoS policy tags',
+ operations=ACTION_POST_TAGS,
+ ),
 policy.DocumentedRuleDefault(
 name='update_policy',
 check_str=base.ADMIN,
@@ -84,6 +120,13 @@ rules = [
 deprecated_reason=DEPRECATED_REASON,
 deprecated_since=versionutils.deprecated.WALLABY)
 ),
+ policy.DocumentedRuleDefault(
+ name='update_policies_tags',
+ check_str=base.ADMIN,
+ scope_types=['project'],
+ description='Update the QoS policy tags',
+ operations=ACTION_PUT_TAGS,
+ ),
 policy.DocumentedRuleDefault(
 name='delete_policy',
 check_str=base.ADMIN,
@@ -101,6 +144,13 @@ rules = [
 deprecated_reason=DEPRECATED_REASON,
 deprecated_since=versionutils.deprecated.WALLABY)
 ),
+ policy.DocumentedRuleDefault(
+ name='delete_policies_tags',
+ check_str=base.ADMIN,
+ scope_types=['project'],
+ description='Delete the QoS policy tags',
+ operations=ACTION_DELETE_TAGS
+ ),
 policy.DocumentedRuleDefault(
 name='get_rule_type',
diff --git a/neutron/tests/unit/conf/policies/test_qos.py b/neutron/tests/unit/conf/policies/test_qos.py
index b5ee683c981..b05bdcbfcb0 100644
--- a/neutron/tests/unit/conf/policies/test_qos.py
+++ b/neutron/tests/unit/conf/policies/test_qos.py
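Review bot: The `get_policies_tags` rule in qos.py widens read access through `'rule:shared_qos_policy'`, and nothing next to it says that this is deliberate. Presumably the tags of a shared policy then become readable by callers outside the owning project, which matters if operators put internal labels in tags. A comment above the rule such as `# Tags follow the visibility of the policy itself: a shared policy exposes its tags to other projects.` would record the intent; whether this mirrors `get_policy` cannot be confirmed here because that rule's `check_str` is outside the hunk. `operations=ACTION_GET_TAGS` also lacks the trailing comma that the create and update rules use.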
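Review bot: `create_policies_tags` in qos.py, and likewise `update_policies_tags` and `delete_policies_tags` in the two hunks after it, add new admin-only defaults in a change marked for backport, yet the diffstat lists no release note. A deployment that overrides `create_policy`, `update_policy` or `delete_policy` in its policy file will not have that override carried over to the tag rules. If tag writes were previously evaluated against a different fallback (not visible in this patch), the effective permissions change on upgrade. A release note naming the four new rule names and their default check strings would let operators review their overrides before they take the stable update.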
@@ -44,6 +44,14 @@ class SystemAdminQosPolicyTests(QosPolicyAPITestCase):
 base_policy.InvalidScope,
 policy.enforce, self.context, 'get_policy', self.alt_target)
+ def test_get_policies_tags(self):
+ self.assertRaises(
+ base_policy.InvalidScope,
+ policy.enforce, self.context, 'get_policies_tags', self.target)
+ self.assertRaises(
+ base_policy.InvalidScope,
+ policy.enforce, self.context, 'get_policies_tags', self.alt_target)
+
 def test_create_policy(self):
 self.assertRaises(
 base_policy.InvalidScope,
@@ -52,6 +60,15 @@ class SystemAdminQosPolicyTests(QosPolicyAPITestCase):
 base_policy.InvalidScope,
 policy.enforce, self.context, 'create_policy', self.alt_target)
+ def test_create_policies_tags(self):
+ self.assertRaises(
+ base_policy.InvalidScope,
+ policy.enforce, self.context, 'create_policies_tags', self.target)
+ self.assertRaises(
+ base_policy.InvalidScope,
+ policy.enforce, self.context, 'create_policies_tags',
+ self.alt_target)
+
 def test_update_policy(self):
 self.assertRaises(
 base_policy.InvalidScope,
@@ -60,6 +77,15 @@ class SystemAdminQosPolicyTests(QosPolicyAPITestCase):
 base_policy.InvalidScope,
 policy.enforce, self.context, 'update_policy', self.alt_target)
+ def test_update_policies_tags(self):
+ self.assertRaises(
+ base_policy.InvalidScope,
+ policy.enforce, self.context, 'update_policies_tags', self.target)
+ self.assertRaises(
+ base_policy.InvalidScope,
+ policy.enforce, self.context, 'update_policies_tags',
+ self.alt_target)
+
 def test_delete_policy(self):
 self.assertRaises(
 base_policy.InvalidScope,
@@ -68,6 +94,15 @@ class SystemAdminQosPolicyTests(QosPolicyAPITestCase):
 base_policy.InvalidScope,
 policy.enforce, self.context, 'delete_policy', self.alt_target)
+ def test_delete_policies_tags(self):
+ self.assertRaises(
+ base_policy.InvalidScope,
+ policy.enforce, self.context, 'delete_policies_tags', self.target)
+ self.assertRaises(
+ base_policy.InvalidScope,
+ policy.enforce, self.context, 'delete_policies_tags',
+ self.alt_target)
+
 class SystemMemberQosPolicyTests(SystemAdminQosPolicyTests):
@@ -95,24 +130,51 @@ class AdminQosPolicyTests(QosPolicyAPITestCase):
 self.assertTrue(
 policy.enforce(self.context, 'get_policy', self.alt_target))
+ def test_get_policies_tags(self):
+ self.assertTrue(
+ policy.enforce(self.context, 'get_policies_tags', self.target))
+ self.assertTrue(
+ policy.enforce(self.context, 'get_policies_tags', self.alt_target))
+
 def test_create_policy(self):
 self.assertTrue(
 policy.enforce(self.context, 'create_policy', self.target))
 self.assertTrue(
 policy.enforce(self.context, 'create_policy', self.alt_target))
+ def test_create_policies_tags(self):
+ self.assertTrue(
+ policy.enforce(self.context, 'create_policies_tags', self.target))
+ self.assertTrue(
+ policy.enforce(self.context, 'create_policies_tags',
+ self.alt_target))
+
 def test_update_policy(self):
 self.assertTrue(
 policy.enforce(self.context, 'update_policy', self.target))
 self.assertTrue(
 policy.enforce(self.context, 'update_policy', self.alt_target))
+ def test_update_policies_tags(self):
+ self.assertTrue(
+ policy.enforce(self.context, 'update_policies_tags', self.target))
+ self.assertTrue(
+ policy.enforce(self.context, 'update_policies_tags',
+ self.alt_target))
+
 def test_delete_policy(self):
 self.assertTrue(
 policy.enforce(self.context, 'delete_policy', self.target))
 self.assertTrue(
 policy.enforce(self.context, 'delete_policy', self.alt_target))
+ def test_delete_policies_tags(self):
+ self.assertTrue(
+ policy.enforce(self.context, 'delete_policies_tags', self.target))
+ self.assertTrue(
+ policy.enforce(self.context, 'delete_policies_tags',
+ self.alt_target))
+
 class ProjectMemberQosPolicyTests(AdminQosPolicyTests):
@@ -127,6 +189,14 @@ class ProjectMemberQosPolicyTests(AdminQosPolicyTests):
 base_policy.PolicyNotAuthorized,
 policy.enforce, self.context, 'get_policy', self.alt_target)
+ def test_get_policies_tags(self):
+ self.assertTrue(
+ policy.enforce(self.context, 'get_policies_tags', self.target))
+ self.assertRaises(
+ base_policy.PolicyNotAuthorized,
+ policy.enforce, self.context, 'get_policies_tags',
+ self.alt_target)
+
 def test_create_policy(self):
 self.assertRaises(
 base_policy.PolicyNotAuthorized,
@@ -135,6 +205,15 @@ class ProjectMemberQosPolicyTests(AdminQosPolicyTests):
 base_policy.PolicyNotAuthorized,
 policy.enforce, self.context, 'create_policy', self.alt_target)
+ def test_create_policies_tags(self):
+ self.assertRaises(
+ base_policy.PolicyNotAuthorized,
+ policy.enforce, self.context, 'create_policies_tags', self.target)
+ self.assertRaises(
+ base_policy.PolicyNotAuthorized,
+ policy.enforce, self.context, 'create_policies_tags',
+ self.alt_target)
+
 def test_update_policy(self):
 self.assertRaises(
 base_policy.PolicyNotAuthorized,
@@ -143,6 +222,15 @@ class ProjectMemberQosPolicyTests(AdminQosPolicyTests):
 base_policy.PolicyNotAuthorized,
 policy.enforce, self.context, 'update_policy', self.alt_target)
+ def test_update_policies_tags(self):
+ self.assertRaises(
+ base_policy.PolicyNotAuthorized,
+ policy.enforce, self.context, 'update_policies_tags', self.target)
+ self.assertRaises(
+ base_policy.PolicyNotAuthorized,
+ policy.enforce, self.context, 'update_policies_tags',
+ self.alt_target)
+
 def test_delete_policy(self):
 self.assertRaises(
 base_policy.PolicyNotAuthorized,
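Review bot: `test_get_policies_tags` in `ProjectMemberQosPolicyTests` never exercises the `rule:shared_qos_policy` half of the new `get_policies_tags` check; it asserts only own-project success and `alt_target` denial. Without a case where the other project's policy is marked shared, a regression that drops or misspells the shared rule would pass this suite unnoticed. Consider one more assertion of the form `self.assertTrue(policy.enforce(self.context, 'get_policies_tags', shared_alt_target))`, where `shared_alt_target` is a copy of `alt_target` with the shared attribute set. The fixture that builds `target` and `alt_target` is outside the hunk, so the exact attribute the shared rule reads needs checking there.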
@@ -151,6 +239,15 @@ class ProjectMemberQosPolicyTests(AdminQosPolicyTests):
 base_policy.PolicyNotAuthorized,
 policy.enforce, self.context, 'delete_policy', self.alt_target)
+ def test_delete_policies_tags(self):
+ self.assertRaises(
+ base_policy.PolicyNotAuthorized,
+ policy.enforce, self.context, 'delete_policies_tags', self.target)
+ self.assertRaises(
+ base_policy.PolicyNotAuthorized,
+ policy.enforce, self.context, 'delete_policies_tags',
+ self.alt_target)
+
 class ProjectReaderQosPolicyTests(ProjectMemberQosPolicyTests):
@@ -170,21 +267,41 @@ class ServiceRoleQosPolicyTests(QosPolicyAPITestCase):
 base_policy.PolicyNotAuthorized,
 policy.enforce, self.context, 'get_policy', self.target)
+ def test_get_policies_tags(self):
+ self.assertRaises(
+ base_policy.PolicyNotAuthorized,
+ policy.enforce, self.context, 'get_policies_tags', self.target)
+
 def test_create_policy(self):
 self.assertRaises(
 base_policy.PolicyNotAuthorized,
 policy.enforce, self.context, 'create_policy', self.target)
+ def test_create_policies_tags(self):
+ self.assertRaises(
+ base_policy.PolicyNotAuthorized,
+ policy.enforce, self.context, 'create_policies_tags', self.target)
+
 def test_update_policy(self):
 self.assertRaises(
 base_policy.PolicyNotAuthorized,
 policy.enforce, self.context, 'update_policy', self.target)
+ def test_update_policies_tags(self):
+ self.assertRaises(
+ base_policy.PolicyNotAuthorized,
+ policy.enforce, self.context, 'update_policies_tags', self.target)
+
 def test_delete_policy(self):
 self.assertRaises(
 base_policy.PolicyNotAuthorized,
 policy.enforce, self.context, 'delete_policy', self.target)
+ def test_delete_policies_tags(self):
+ self.assertRaises(
+ base_policy.PolicyNotAuthorized,
+ policy.enforce, self.context, 'delete_policies_tags', self.target)
+
 class QosRuleTypeAPITestCase(base.PolicyBaseTestCase):