[S-RBAC] Get availability zone API available for READER role
API call get_availability_zone should be available in new policies for all users with READER role as this is kind of the same what was in the old policies (ANY). Closes-bug: #2016266 Change-Id: I8a99bc52bd815fb3395e902fc8f85cf5f187e288
This commit is contained in:
parent
18bc5b82a1
commit
6b5acb5835
|
@ -14,8 +14,6 @@ from neutron_lib import policy as neutron_policy
|
|||
from oslo_log import versionutils
|
||||
from oslo_policy import policy
|
||||
|
||||
from neutron.conf.policies import base
|
||||
|
||||
DEPRECATION_REASON = (
|
||||
"The Availability Zone API now supports project scope and default roles.")
|
||||
|
||||
|
@ -23,7 +21,11 @@ DEPRECATION_REASON = (
|
|||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_availability_zone',
|
||||
check_str=base.ADMIN,
|
||||
# NOTE: it can't be ADMIN_OR_PROJECT_READER constant from the base
|
||||
# module because that is using "project_id" in the check string and the
|
||||
# availability_zone resource don't belongs to any project thus such
|
||||
# check string would fail enforcement.
|
||||
check_str='role:reader',
|
||||
description='List availability zones',
|
||||
operations=[
|
||||
{
|
||||
|
|
|
@ -70,12 +70,6 @@ class ProjectMemberTests(AdminTests):
|
|||
super(ProjectMemberTests, self).setUp()
|
||||
self.context = self.project_member_ctx
|
||||
|
||||
def test_get_availability_zone(self):
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, "get_availability_zone", self.target)
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
|
|
Loading…
Reference in New Issue