[S-RBAC] Get availability zone API available for READER role

API call get_availability_zone should be available in new policies for all users with READER role as this is kind of the same what was in the old policies (ANY). Closes-bug: #2016266 Change-Id: I8a99bc52bd815fb3395e902fc8f85cf5f187e288
2023-04-14 10:38:52 +02:00 · 2023-04-14 10:38:52 +02:00 · 6b5acb5835
parent 18bc5b82a1
commit 6b5acb5835
2 changed files with 5 additions and 9 deletions
--- a/neutron/conf/policies/availability_zone.py
+++ b/neutron/conf/policies/availability_zone.py
@ -14,8 +14,6 @@ from neutron_lib import policy as neutron_policy
 from oslo_log import versionutils
 from oslo_policy import policy

-from neutron.conf.policies import base
-
 DEPRECATION_REASON = (
    "The Availability Zone API now supports project scope and default roles.")

@ -23,7 +21,11 @@ DEPRECATION_REASON = (
 rules = [
    policy.DocumentedRuleDefault(
        name='get_availability_zone',
-        check_str=base.ADMIN,
+        # NOTE: it can't be ADMIN_OR_PROJECT_READER constant from the base
+        # module because that is using "project_id" in the check string and the
+        # availability_zone resource don't belongs to any project thus such
+        # check string would fail enforcement.
+        check_str='role:reader',
        description='List availability zones',
        operations=[
            {
--- a/neutron/tests/unit/conf/policies/test_availability_zone.py
+++ b/neutron/tests/unit/conf/policies/test_availability_zone.py
@ -70,12 +70,6 @@ class ProjectMemberTests(AdminTests):
        super(ProjectMemberTests, self).setUp()
        self.context = self.project_member_ctx

-    def test_get_availability_zone(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, "get_availability_zone", self.target)
-

 class ProjectReaderTests(ProjectMemberTests):