Add policy rules for extraroute-atomic API

This patch adds default RBAC policy rules for {add,remove}-extraroute
API which was introduced a few cycles ago.
To be consistent with rules for other APIs, it adds deprecated "old
style" rules and rules with personas and scopes at once.

Change-Id: I185055b9387a1d473e3a2b8903f35c3f490c6f31
Slawek Kaplonski 2021-06-14 14:50:30 +02:00
parent f042d690be
commit 4df01d6eaa
2 changed files with 164 additions and 0 deletions


@ -299,6 +299,40 @@ rules = [
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='add_extraroutes',
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description='Add extra route to a router',
operations=[
{
'method': 'PUT',
'path': '/routers/{id}/add_extraroutes',
},
],
deprecated_rule=policy.DeprecatedRule(
name='add_extraroutes',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since="Xena")
),
policy.DocumentedRuleDefault(
name='remove_extraroutes',
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description='Remove extra route from a router',
operations=[
{
'method': 'PUT',
'path': '/routers/{id}/remove_extraroutes',
},
],
deprecated_rule=policy.DeprecatedRule(
name='remove_extraroutes',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since="Xena")
),
]
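Review bot: Both new rules keep `base.RULE_ADMIN_OR_OWNER` as a `deprecated_rule`, and oslo.policy ORs a deprecated check with the new `check_str` unless `[oslo_policy] enforce_new_defaults` is enabled, so on a default deployment a read-only user in the owning project would presumably still be allowed to add or remove extra routes. Because these calls change a router's forwarding table, that fallback should be stated explicitly; I would add a comment above the `add_extraroutes` rule such as `# NOTE: the deprecated admin-or-owner check still applies until enforce_new_defaults is set` and repeat it in a release note. Separately, `deprecated_since="Xena"` is a bare string while the rule just above uses `versionutils.deprecated.WALLABY`; a constant would be more consistent if one exists for this release. The `rules` list starts outside the hunk.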


@ -14,6 +14,7 @@
# limitations under the License.
from oslo_policy import policy as base_policy
from oslo_utils import uuidutils
from neutron import policy
from neutron.tests.unit.conf.policies import base
@ -728,3 +729,132 @@ class ProjectReaderTests(ProjectMemberTests):
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'remove_router_interface', self.alt_target)
class ExtrarouteAPITestCase(base.PolicyBaseTestCase):
def setUp(self):
super(ExtrarouteAPITestCase, self).setUp()
self.router = {
'id': uuidutils.generate_uuid(),
'project_id': self.project_id}
self.target = {
'project_id': self.project_id,
'router_id': self.router['id'],
'ext_parent_router_id': self.router['id']}
self.alt_target = {
'project_id': self.alt_project_id,
'router_id': self.router['id'],
'ext_parent_router_id': self.router['id']}
class SystemAdminExtrarouteTests(ExtrarouteAPITestCase):
def setUp(self):
super(SystemAdminExtrarouteTests, self).setUp()
self.context = self.system_admin_ctx
def test_add_extraroute(self):
self.assertTrue(
policy.enforce(self.context, 'add_extraroutes', self.target))
self.assertTrue(
policy.enforce(self.context, 'add_extraroutes', self.alt_target))
def test_remove_extraroute(self):
self.assertTrue(
policy.enforce(self.context, 'remove_extraroutes', self.target))
self.assertTrue(
policy.enforce(
self.context, 'remove_extraroutes', self.alt_target))
class SystemMemberExtrarouteTests(SystemAdminExtrarouteTests):
def setUp(self):
super(SystemMemberExtrarouteTests, self).setUp()
self.context = self.system_member_ctx
def test_add_extraroute(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'add_extraroutes', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'add_extraroutes', self.alt_target)
def test_remove_extraroute(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'remove_extraroutes', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'remove_extraroutes', self.alt_target)
class SystemReaderExtrarouteTests(SystemMemberExtrarouteTests):
def setUp(self):
super(SystemReaderExtrarouteTests, self).setUp()
self.context = self.system_reader_ctx
class ProjectAdminExtrarouteTests(ExtrarouteAPITestCase):
def setUp(self):
super(ProjectAdminExtrarouteTests, self).setUp()
self.context = self.project_admin_ctx
def test_add_extraroute(self):
self.assertTrue(
policy.enforce(self.context, 'add_extraroutes', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'remove_extraroutes', self.alt_target)
def test_remove_extraroute(self):
self.assertTrue(
policy.enforce(self.context, 'remove_extraroutes', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'remove_extraroutes', self.alt_target)
class ProjectMemberExtrarouteTests(ProjectAdminExtrarouteTests):
def setUp(self):
super(ProjectMemberExtrarouteTests, self).setUp()
self.context = self.project_member_ctx
class ProjectReaderExtrarouteTests(ProjectMemberExtrarouteTests):
def setUp(self):
super(ProjectReaderExtrarouteTests, self).setUp()
self.context = self.project_reader_ctx
def test_add_extraroute(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'add_extraroutes', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'add_extraroutes', self.alt_target)
def test_remove_extraroute(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'remove_extraroutes', self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'remove_extraroutes', self.alt_target)
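Review bot: In `ProjectAdminExtrarouteTests.test_add_extraroute` the negative assertion enforces `'remove_extraroutes'` against `self.alt_target`, so cross-project denial of `add_extraroutes` is never checked for the project admin persona, nor for `ProjectMemberExtrarouteTests`, which inherits the method unchanged. The last line of that assertion should read `self.context, 'add_extraroutes', self.alt_target)`. As written, a regression that let a project-scoped user add routes to another project's router would still pass this suite, because the only cross-project check for these two personas is the remove rule, asserted twice.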