diff --git a/neutron/conf/policies/base.py b/neutron/conf/policies/base.py index 52751f5d6c8..fe3514d9505 100644 --- a/neutron/conf/policies/base.py +++ b/neutron/conf/policies/base.py @@ -22,6 +22,10 @@ SERVICE = 'rule:service_api' # there is now ADMIN role ADMIN = "rule:admin_only" +# This check string is the primary use case for the project's manager who is +# more privileged user then typical MEMBER of the project. +PROJECT_MANAGER = 'role:manager and project_id:%(project_id)s' + # This check string is the primary use case for typical end-users, who are # working with resources that belong to a project (e.g., creating ports and # routers). @@ -38,6 +42,8 @@ PROJECT_READER = 'role:reader and project_id:%(project_id)s' # project member should only be able to delete routers in their project). ADMIN_OR_SERVICE = ( '(' + ADMIN + ') or (' + SERVICE + ')') +ADMIN_OR_PROJECT_MANAGER = ( + '(' + ADMIN + ') or (' + PROJECT_MANAGER + ')') ADMIN_OR_PROJECT_MEMBER = ( '(' + ADMIN + ') or (' + PROJECT_MEMBER + ')') ADMIN_OR_PROJECT_READER = ( @@ -54,8 +60,11 @@ RULE_SG_OWNER = 'rule:sg_owner' # that becasue those resources (QOS rules, FIP PFs) don't have project_id # attribute at all and they belongs to the same project as parent resource (QoS # policy, FIP). +PARENT_OWNER_MANAGER = 'role:manager and ' + RULE_PARENT_OWNER PARENT_OWNER_MEMBER = 'role:member and ' + RULE_PARENT_OWNER PARENT_OWNER_READER = 'role:reader and ' + RULE_PARENT_OWNER +ADMIN_OR_PARENT_OWNER_MANAGER = ( + '(' + ADMIN + ') or (' + PARENT_OWNER_MANAGER + ')') ADMIN_OR_PARENT_OWNER_MEMBER = ( '(' + ADMIN + ') or (' + PARENT_OWNER_MEMBER + ')') ADMIN_OR_PARENT_OWNER_READER = ( diff --git a/neutron/conf/policies/floatingip.py b/neutron/conf/policies/floatingip.py index a3e31c7c86d..100c7a14ed2 100644 --- a/neutron/conf/policies/floatingip.py +++ b/neutron/conf/policies/floatingip.py 
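Review bot: The comment added above `PROJECT_MANAGER` in the first base.py hunk has a typo ("then" for "than") and does not say what bounds the role. The check string itself requires the target's project_id to match the caller's project, and since this constant now replaces `base.ADMIN` in several rules, that limit is worth stating where it is defined. I would reword it to `# This check string is for the project's manager, a more privileged user than a typical MEMBER; it only matches targets whose project_id is the caller's own project.`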
@@ -58,7 +58,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_floatingip:floating_ip_address', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, description='Create a floating IP with a specific IP address', operations=[ { diff --git a/neutron/conf/policies/logging.py b/neutron/conf/policies/logging.py index ad3ad604c9f..7b7f37d51ae 100644 --- a/neutron/conf/policies/logging.py +++ b/neutron/conf/policies/logging.py @@ -28,7 +28,7 @@ RESOURCE_PATH = '/log/logs/{id}' rules = [ policy.DocumentedRuleDefault( name='get_loggable_resource', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Get loggable resources', operations=[ @@ -45,7 +45,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_log', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Create a network log', operations=[ @@ -62,7 +62,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='get_log', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Get a network log', operations=[ @@ -83,7 +83,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_log', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Update a network log', operations=[ @@ -100,7 +100,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_log', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Delete a network log', operations=[ diff --git a/neutron/conf/policies/metering.py b/neutron/conf/policies/metering.py index 5b8eae92233..899b9b127ba 100644 --- a/neutron/conf/policies/metering.py +++ b/neutron/conf/policies/metering.py 
@@ -30,7 +30,7 @@ RULE_RESOURCE_PATH = '/metering/metering-label-rules/{id}' rules = [ policy.DocumentedRuleDefault( name='create_metering_label', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Create a metering label', operations=[ @@ -68,7 +68,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_metering_label', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Delete a metering label', operations=[ @@ -85,7 +85,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_metering_label_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Create a metering label rule', operations=[ @@ -123,7 +123,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_metering_label_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Delete a metering label rule', operations=[ diff --git a/neutron/conf/policies/port.py b/neutron/conf/policies/port.py index f58fab1200b..cd6316a0f56 100644 --- a/neutron/conf/policies/port.py +++ b/neutron/conf/policies/port.py @@ -83,6 +83,7 @@ rules = [ check_str=neutron_policy.policy_or( 'not rule:network_device', base.ADMIN_OR_SERVICE, + base.PROJECT_MANAGER, base.NET_OWNER_MEMBER ), scope_types=['project'], @@ -101,6 +102,7 @@ rules = [ name='create_port:mac_address', check_str=neutron_policy.policy_or( base.ADMIN_OR_SERVICE, + base.PROJECT_MANAGER, base.NET_OWNER_MEMBER), scope_types=['project'], description='Specify ``mac_address`` attribute when creating a port', @@ -117,6 +119,7 @@ rules = [ name='create_port:fixed_ips', check_str=neutron_policy.policy_or( base.ADMIN_OR_SERVICE, + base.PROJECT_MANAGER, base.NET_OWNER_MEMBER, 'rule:shared'), scope_types=['project'], 
@@ -135,6 +138,7 @@ rules = [ name='create_port:fixed_ips:ip_address', check_str=neutron_policy.policy_or( base.ADMIN_OR_SERVICE, + base.PROJECT_MANAGER, base.NET_OWNER_MEMBER), scope_types=['project'], description='Specify IP address in ``fixed_ips`` when creating a port', @@ -151,6 +155,7 @@ rules = [ name='create_port:fixed_ips:subnet_id', check_str=neutron_policy.policy_or( base.ADMIN_OR_SERVICE, + base.PROJECT_MANAGER, base.NET_OWNER_MEMBER, 'rule:shared'), scope_types=['project'], @@ -169,6 +174,7 @@ rules = [ name='create_port:port_security_enabled', check_str=neutron_policy.policy_or( base.ADMIN_OR_SERVICE, + base.PROJECT_MANAGER, base.NET_OWNER_MEMBER), scope_types=['project'], description=( @@ -233,7 +239,9 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_port:allowed_address_pairs', - check_str=base.ADMIN_OR_NET_OWNER_MEMBER, + check_str=neutron_policy.policy_or( + base.ADMIN_OR_NET_OWNER_MEMBER, + base.PROJECT_MANAGER), scope_types=['project'], description=( 'Specify ``allowed_address_pairs`` ' @@ -248,7 +256,9 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_port:allowed_address_pairs:mac_address', - check_str=base.ADMIN_OR_NET_OWNER_MEMBER, + check_str=neutron_policy.policy_or( + base.ADMIN_OR_NET_OWNER_MEMBER, + base.PROJECT_MANAGER), scope_types=['project'], description=( 'Specify ``mac_address` of `allowed_address_pairs`` ' @@ -263,7 +273,9 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_port:allowed_address_pairs:ip_address', - check_str=base.ADMIN_OR_NET_OWNER_MEMBER, + check_str=neutron_policy.policy_or( + base.ADMIN_OR_NET_OWNER_MEMBER, + base.PROJECT_MANAGER), scope_types=['project'], description=( 'Specify ``ip_address`` of ``allowed_address_pairs`` ' @@ -407,6 +419,7 @@ rules = [ check_str=neutron_policy.policy_or( 'not rule:network_device', base.ADMIN_OR_SERVICE, + base.PROJECT_MANAGER, base.NET_OWNER_MEMBER, ), scope_types=['project'], 
@@ -425,6 +438,7 @@ rules = [ name='update_port:mac_address', check_str=neutron_policy.policy_or( base.ADMIN_OR_SERVICE, + base.PROJECT_MANAGER ), scope_types=['project'], description='Update ``mac_address`` attribute of a port', @@ -441,6 +455,7 @@ rules = [ name='update_port:fixed_ips', check_str=neutron_policy.policy_or( base.ADMIN_OR_SERVICE, + base.PROJECT_MANAGER, base.NET_OWNER_MEMBER ), scope_types=['project'], @@ -458,6 +473,7 @@ rules = [ name='update_port:fixed_ips:ip_address', check_str=neutron_policy.policy_or( base.ADMIN_OR_SERVICE, + base.PROJECT_MANAGER, base.NET_OWNER_MEMBER ), scope_types=['project'], @@ -478,6 +494,7 @@ rules = [ name='update_port:fixed_ips:subnet_id', check_str=neutron_policy.policy_or( base.ADMIN_OR_SERVICE, + base.PROJECT_MANAGER, base.NET_OWNER_MEMBER, 'rule:shared' ), @@ -500,6 +517,7 @@ rules = [ name='update_port:port_security_enabled', check_str=neutron_policy.policy_or( base.ADMIN_OR_SERVICE, + base.PROJECT_MANAGER, base.NET_OWNER_MEMBER ), scope_types=['project'], @@ -556,7 +574,9 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_port:allowed_address_pairs', - check_str=base.ADMIN_OR_NET_OWNER_MEMBER, + check_str=neutron_policy.policy_or( + base.ADMIN_OR_NET_OWNER_MEMBER, + base.PROJECT_MANAGER), scope_types=['project'], description='Update ``allowed_address_pairs`` attribute of a port', operations=ACTION_PUT, @@ -568,7 +588,9 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_port:allowed_address_pairs:mac_address', - check_str=base.ADMIN_OR_NET_OWNER_MEMBER, + check_str=neutron_policy.policy_or( + base.ADMIN_OR_NET_OWNER_MEMBER, + base.PROJECT_MANAGER), scope_types=['project'], description=( 'Update ``mac_address`` of ``allowed_address_pairs`` ' 
@@ -583,7 +605,9 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_port:allowed_address_pairs:ip_address', - check_str=base.ADMIN_OR_NET_OWNER_MEMBER, + check_str=neutron_policy.policy_or( + base.ADMIN_OR_NET_OWNER_MEMBER, + base.PROJECT_MANAGER), scope_types=['project'], description=( 'Update ``ip_address`` of ``allowed_address_pairs`` ' diff --git a/neutron/conf/policies/qos.py b/neutron/conf/policies/qos.py index c507a7bdb99..a9edc6d286a 100644 --- a/neutron/conf/policies/qos.py +++ b/neutron/conf/policies/qos.py @@ -52,7 +52,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_policy', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Create a QoS policy', operations=[ @@ -69,7 +69,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_policy', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Update a QoS policy', operations=[ @@ -86,7 +86,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_policy', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Delete a QoS policy', operations=[ @@ -152,7 +152,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_policy_bandwidth_limit_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Create a QoS bandwidth limit rule', operations=[ @@ -169,7 +169,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_policy_bandwidth_limit_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Update a QoS bandwidth limit rule', operations=[ @@ -187,7 +187,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_policy_bandwidth_limit_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Delete a QoS bandwidth limit rule', operations=[ 
@@ -223,7 +223,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_policy_packet_rate_limit_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Create a QoS packet rate limit rule', operations=[ @@ -235,7 +235,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_policy_packet_rate_limit_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Update a QoS packet rate limit rule', operations=[ @@ -248,7 +248,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_policy_packet_rate_limit_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Delete a QoS packet rate limit rule', operations=[ @@ -284,7 +284,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_policy_dscp_marking_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Create a QoS DSCP marking rule', operations=[ @@ -301,7 +301,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_policy_dscp_marking_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Update a QoS DSCP marking rule', operations=[ @@ -319,7 +319,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_policy_dscp_marking_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Delete a QoS DSCP marking rule', operations=[ @@ -360,7 +360,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_policy_minimum_bandwidth_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Create a QoS minimum bandwidth rule', operations=[ 
@@ -377,7 +377,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_policy_minimum_bandwidth_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Update a QoS minimum bandwidth rule', operations=[ @@ -395,7 +395,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_policy_minimum_bandwidth_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Delete a QoS minimum bandwidth rule', operations=[ @@ -430,7 +430,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_policy_minimum_packet_rate_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Create a QoS minimum packet rate rule', operations=[ @@ -442,7 +442,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_policy_minimum_packet_rate_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Update a QoS minimum packet rate rule', operations=[ @@ -455,7 +455,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_policy_minimum_packet_rate_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Delete a QoS minimum packet rate rule', operations=[ @@ -485,7 +485,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_alias_bandwidth_limit_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Update a QoS bandwidth limit rule through alias', operations=[ @@ -502,7 +502,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_alias_bandwidth_limit_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Delete a QoS bandwidth limit rule through alias', operations=[ 
@@ -536,7 +536,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_alias_dscp_marking_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Update a QoS DSCP marking rule through alias', operations=[ @@ -553,7 +553,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_alias_dscp_marking_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Delete a QoS DSCP marking rule through alias', operations=[ @@ -587,7 +587,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='update_alias_minimum_bandwidth_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Update a QoS minimum bandwidth rule through alias', operations=[ @@ -604,7 +604,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_alias_minimum_bandwidth_rule', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PARENT_OWNER_MANAGER, scope_types=['project'], description='Delete a QoS minimum bandwidth rule through alias', operations=[ diff --git a/neutron/conf/policies/quotas.py b/neutron/conf/policies/quotas.py index 309c50747a8..3e7a7603d81 100644 --- a/neutron/conf/policies/quotas.py +++ b/neutron/conf/policies/quotas.py @@ -28,7 +28,7 @@ RESOURCE_PATH = '/quota/{id}' rules = [ policy.DocumentedRuleDefault( name='get_quota', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_PROJECT_MANAGER, scope_types=['project'], description='Get a resource quota', operations=[ diff --git a/neutron/tests/unit/conf/policies/test_address_group.py b/neutron/tests/unit/conf/policies/test_address_group.py index 86fabb19b76..0c1ef8bf16f 100644 --- a/neutron/tests/unit/conf/policies/test_address_group.py +++ b/neutron/tests/unit/conf/policies/test_address_group.py 
@@ -71,6 +71,21 @@ class AdminTests(AddressGroupAPITestCase): policy.enforce(self.context, "get_address_group", self.alt_target)) +class ProjectManagerTests(AdminTests): + + def setUp(self): + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx + + def test_get_address_group(self): + self.assertTrue( + policy.enforce(self.context, "get_address_group", self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "get_address_group", self.alt_target) + + class ProjectMemberTests(AdminTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_address_scope.py b/neutron/tests/unit/conf/policies/test_address_scope.py index c0f9325bd3b..1f263bfd54b 100644 --- a/neutron/tests/unit/conf/policies/test_address_scope.py +++ b/neutron/tests/unit/conf/policies/test_address_scope.py 
@@ -158,6 +158,65 @@ class AdminTests(AddressScopeAPITestCase): self.context, 'delete_address_scope', self.alt_target)) +class ProjectManagerTests(AdminTests): + + def setUp(self): + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx + + def test_create_address_scope(self): + self.assertTrue( + policy.enforce(self.context, 'create_address_scope', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_address_scope', self.alt_target) + + def test_create_address_scope_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_address_scope:shared', self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_address_scope:shared', self.alt_target) + + def test_get_address_scope(self): + self.assertTrue( + policy.enforce(self.context, 'get_address_scope', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_address_scope', self.alt_target) + + def test_update_address_scope(self): + self.assertTrue( + policy.enforce(self.context, 'update_address_scope', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_address_scope', self.alt_target) + + def test_update_address_scope_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_address_scope:shared', self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_address_scope:shared', self.alt_target) + + def test_delete_address_scope(self): + self.assertTrue( + policy.enforce(self.context, 'delete_address_scope', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_address_scope', self.alt_target) + + class ProjectMemberTests(AdminTests): def setUp(self): 
diff --git a/neutron/tests/unit/conf/policies/test_agent.py b/neutron/tests/unit/conf/policies/test_agent.py index fb1673a1157..082954b9d8a 100644 --- a/neutron/tests/unit/conf/policies/test_agent.py +++ b/neutron/tests/unit/conf/policies/test_agent.py @@ -186,11 +186,11 @@ class AdminTests(AgentAPITestCase): "get_l3-agents", self.target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_agent(self): self.assertRaises( @@ -265,6 +265,12 @@ class ProjectMemberTests(AdminTests): self.context, "get_l3-agents", self.target) +class ProjectMemberTests(ProjectManagerTests): + def setUp(self): + super(ProjectManagerTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_auto_allocated_topology.py b/neutron/tests/unit/conf/policies/test_auto_allocated_topology.py index 2eb1826375a..b689a82371d 100644 --- a/neutron/tests/unit/conf/policies/test_auto_allocated_topology.py +++ b/neutron/tests/unit/conf/policies/test_auto_allocated_topology.py @@ -107,11 +107,11 @@ class AdminTests(AutoAllocatedTopologyAPITestCase): policy.enforce(self.context, DELETE_POLICY, self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_get_topology(self): self.assertTrue(policy.enforce(self.context, GET_POLICY, self.target)) 
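Review bot: `ProjectMemberTests.setUp`, added in the second test_agent.py hunk, calls `super(ProjectManagerTests, self).setUp()`, which names the parent class rather than the class being defined and so skips `ProjectManagerTests.setUp`. The outcome is the same today because `self.context` is overwritten on the next line, but it differs from every other test file in this change and will silently drop any setup later added to the manager class. Use `super(ProjectMemberTests, self).setUp()`.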
@@ -134,6 +134,13 @@ class ProjectMemberTests(AdminTests): ) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_availability_zone.py b/neutron/tests/unit/conf/policies/test_availability_zone.py index bf6295c5dae..6ba21a8da07 100644 --- a/neutron/tests/unit/conf/policies/test_availability_zone.py +++ b/neutron/tests/unit/conf/policies/test_availability_zone.py @@ -64,7 +64,14 @@ class AdminTests(AvailabilityZoneAPITestCase): policy.enforce(self.context, "get_availability_zone", self.target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): + + def setUp(self): + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx + + +class ProjectMemberTests(ProjectManagerTests): def setUp(self): super(ProjectMemberTests, self).setUp() diff --git a/neutron/tests/unit/conf/policies/test_base.py b/neutron/tests/unit/conf/policies/test_base.py index c930c804e6e..6881a5ef385 100644 --- a/neutron/tests/unit/conf/policies/test_base.py +++ b/neutron/tests/unit/conf/policies/test_base.py @@ -89,7 +89,11 @@ class PolicyBaseTestCase(tests_base.BaseTestCase): def _prepare_project_scope_personas(self): self.project_admin_ctx = context.Context( user_id=self.user_id, - roles=['admin', 'member', 'reader'], + roles=['admin', 'manager', 'member', 'reader'], + project_id=self.project_id) + self.project_manager_ctx = context.Context( + user_id=self.user_id, + roles=['manager', 'member', 'reader'], project_id=self.project_id) self.project_member_ctx = context.Context( user_id=self.user_id, diff --git a/neutron/tests/unit/conf/policies/test_default_security_group_rules.py b/neutron/tests/unit/conf/policies/test_default_security_group_rules.py index 1091d792f6a..3bc4719b471 100644 
--- a/neutron/tests/unit/conf/policies/test_default_security_group_rules.py +++ b/neutron/tests/unit/conf/policies/test_default_security_group_rules.py @@ -88,12 +88,12 @@ class AdminDefaultSecurityGroupRuleTests(DefaultSecurityGroupRuleAPITestCase): 'delete_default_security_group_rule', self.target)) -class ProjectMemberDefaultSecurityGroupRuleTests( +class ProjectManagerDefaultSecurityGroupRuleTests( AdminDefaultSecurityGroupRuleTests): def setUp(self): - super(ProjectMemberDefaultSecurityGroupRuleTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerDefaultSecurityGroupRuleTests, self).setUp() + self.context = self.project_manager_ctx def test_create_default_security_group_rule(self): self.assertRaises( @@ -113,6 +113,14 @@ class ProjectMemberDefaultSecurityGroupRuleTests( self.context, 'delete_default_security_group_rule', self.target) +class ProjectMemberDefaultSecurityGroupRuleTests( + ProjectManagerDefaultSecurityGroupRuleTests): + + def setUp(self): + super(ProjectMemberDefaultSecurityGroupRuleTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderDefaultSecurityGroupRuleTests( ProjectMemberDefaultSecurityGroupRuleTests): diff --git a/neutron/tests/unit/conf/policies/test_flavor.py b/neutron/tests/unit/conf/policies/test_flavor.py index 71a309045a5..08e2229b6be 100644 --- a/neutron/tests/unit/conf/policies/test_flavor.py +++ b/neutron/tests/unit/conf/policies/test_flavor.py @@ -152,11 +152,11 @@ class AdminTests(FlavorAPITestCase): 'delete_flavor_service_profile', self.target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_flavor(self): self.assertRaises( 
@@ -215,6 +215,13 @@ class ProjectMemberTests(AdminTests): self.target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_floatingip.py b/neutron/tests/unit/conf/policies/test_floatingip.py index 1a8431422bd..969d6b03417 100644 --- a/neutron/tests/unit/conf/policies/test_floatingip.py +++ b/neutron/tests/unit/conf/policies/test_floatingip.py @@ -180,11 +180,11 @@ class AdminTests(FloatingIPAPITestCase): policy.enforce(self.context, "delete_floatingip", self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_floatingip(self): self.assertTrue( @@ -195,11 +195,8 @@ class ProjectMemberTests(AdminTests): self.context, "create_floatingip", self.alt_target) def test_create_floatingip_with_ip_address(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, - self.context, "create_floatingip:floating_ip_address", - self.target) + self.assertTrue( + policy.enforce(self.context, "create_floatingip", self.target)) self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, 
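Review bot: The positive assertion added to `test_create_floatingip_with_ip_address` in the last test_floatingip.py hunk on this line enforces `"create_floatingip"`, not `"create_floatingip:floating_ip_address"`. The manager's new permission is therefore never exercised, and the test would pass even with the old admin-only rule. Change the call to `policy.enforce(self.context, "create_floatingip:floating_ip_address", self.target)`. The method continues past the end of the hunk; the `assertRaises` that follows looks like the other-project case and can stay as it is.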
@@ -245,6 +242,25 @@ class ProjectMemberTests(AdminTests): policy.enforce, self.context, "delete_floatingip", self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + def test_create_floatingip_with_ip_address(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "create_floatingip:floating_ip_address", + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "create_floatingip:floating_ip_address", + self.alt_target) + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_floatingip_pools.py b/neutron/tests/unit/conf/policies/test_floatingip_pools.py index 9f3e2986f35..990313da876 100644 --- a/neutron/tests/unit/conf/policies/test_floatingip_pools.py +++ b/neutron/tests/unit/conf/policies/test_floatingip_pools.py @@ -69,11 +69,11 @@ class AdminTests(FloatingipPoolsAPITestCase): self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_get_floatingip_pool(self): self.assertTrue( @@ -85,6 +85,13 @@ class ProjectMemberTests(AdminTests): self.context, 'get_floatingip_pool', self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_floatingip_port_forwarding.py b/neutron/tests/unit/conf/policies/test_floatingip_port_forwarding.py index 325dad1eb89..76faacf0980 100644 --- a/neutron/tests/unit/conf/policies/test_floatingip_port_forwarding.py 
+++ b/neutron/tests/unit/conf/policies/test_floatingip_port_forwarding.py @@ -197,11 +197,11 @@ class AdminTests(FloatingipPortForwardingAPITestCase): self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_fip_pf(self): with mock.patch.object(self.plugin_mock, 'get_floatingip', @@ -264,6 +264,13 @@ class ProjectMemberTests(AdminTests): self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py b/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py index f3d78cec1eb..6777e6ecc25 100644 --- a/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py +++ b/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py @@ -146,11 +146,11 @@ class AdminTests(L3ConntrackHelperAPITestCase): 'delete_router_conntrack_helper', self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_router_conntrack_helper(self): self.assertTrue( @@ -189,6 +189,13 @@ class ProjectMemberTests(AdminTests): self.context, 'delete_router_conntrack_helper', self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): 
diff --git a/neutron/tests/unit/conf/policies/test_local_ip.py b/neutron/tests/unit/conf/policies/test_local_ip.py index 08e3ec34e7d..c7117b7f0aa 100644 --- a/neutron/tests/unit/conf/policies/test_local_ip.py +++ b/neutron/tests/unit/conf/policies/test_local_ip.py @@ -103,11 +103,11 @@ class AdminTests(LocalIPAPITestCase): policy.enforce(self.context, "delete_local_ip", self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_local_ip(self): self.assertTrue( @@ -138,6 +138,13 @@ class ProjectMemberTests(AdminTests): policy.enforce, self.context, "delete_local_ip", self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(LocalIPAPITestCase): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_local_ip_association.py b/neutron/tests/unit/conf/policies/test_local_ip_association.py index e146c33615d..c3be90b5b59 100644 --- a/neutron/tests/unit/conf/policies/test_local_ip_association.py +++ b/neutron/tests/unit/conf/policies/test_local_ip_association.py @@ -140,11 +140,11 @@ class AdminTests(LocalIPAssociationAPITestCase): self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_local_ip_port_association(self): self.assertTrue( 
@@ -180,6 +180,13 @@ class ProjectMemberTests(AdminTests): self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_logging.py b/neutron/tests/unit/conf/policies/test_logging.py index facd6257e86..04e9609dc84 100644 --- a/neutron/tests/unit/conf/policies/test_logging.py +++ b/neutron/tests/unit/conf/policies/test_logging.py @@ -99,7 +99,34 @@ class AdminTests(LoggingAPITestCase): policy.enforce(self.context, 'delete_log', self.target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): + + def setUp(self): + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx + + def test_get_loggable_resource(self): + self.assertTrue( + policy.enforce(self.context, 'get_loggable_resource', self.target)) + + def test_create_log(self): + self.assertTrue( + policy.enforce(self.context, 'create_log', self.target)) + + def test_get_log(self): + self.assertTrue( + policy.enforce(self.context, 'get_log', self.target)) + + def test_update_log(self): + self.assertTrue( + policy.enforce(self.context, 'update_log', self.target)) + + def test_delete_log(self): + self.assertTrue( + policy.enforce(self.context, 'delete_log', self.target)) + + +class ProjectMemberTests(ProjectManagerTests): def setUp(self): super(ProjectMemberTests, self).setUp() diff --git a/neutron/tests/unit/conf/policies/test_metering.py b/neutron/tests/unit/conf/policies/test_metering.py index d43507e34b9..11068c6b868 100644 --- a/neutron/tests/unit/conf/policies/test_metering.py +++ b/neutron/tests/unit/conf/policies/test_metering.py 
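Review bot: The five new manager tests in test_logging.py assert only the allowed case on `self.target`, so nothing here checks that a manager from a different project is refused on `get_loggable_resource`, `create_log`, `get_log`, `update_log` or `delete_log`. These rules were admin-only before this change, and the cross-project denial is the property that keeps the new grant safe. The metering tests added in the same commit pair every `assertTrue` with a denial on `self.alt_target`. I would add the same to each logging test, e.g. `self.assertRaises(base_policy.PolicyNotAuthorized, policy.enforce, self.context, 'create_log', self.alt_target)`, assuming this test case exposes `alt_target` and imports `base_policy` as the sibling modules do.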
@@ -160,7 +160,65 @@ class AdminTests(MeteringAPITestCase): self.context, 'delete_metering_label_rule', self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): + + def setUp(self): + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx + + def test_create_metering_label(self): + self.assertTrue( + policy.enforce(self.context, 'create_metering_label', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_metering_label', self.alt_target) + + def test_get_metering_label(self): + self.assertTrue( + policy.enforce(self.context, 'get_metering_label', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_metering_label', self.alt_target) + + def test_delete_metering_label(self): + self.assertTrue( + policy.enforce(self.context, 'delete_metering_label', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_metering_label', self.alt_target) + + def test_create_metering_label_rule(self): + self.assertTrue( + policy.enforce( + self.context, 'create_metering_label_rule', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_metering_label_rule', self.alt_target) + + def test_get_metering_label_rule(self): + self.assertTrue( + policy.enforce( + self.context, 'get_metering_label_rule', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_metering_label_rule', self.alt_target) + + def test_delete_metering_label_rule(self): + self.assertTrue( + policy.enforce( + self.context, 'delete_metering_label_rule', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_metering_label_rule', self.alt_target) + + +class ProjectMemberTests(ProjectManagerTests): def setUp(self): 
super(ProjectMemberTests, self).setUp() diff --git a/neutron/tests/unit/conf/policies/test_ndp_proxy.py b/neutron/tests/unit/conf/policies/test_ndp_proxy.py index 528d3c185bc..dd82f3bddd3 100644 --- a/neutron/tests/unit/conf/policies/test_ndp_proxy.py +++ b/neutron/tests/unit/conf/policies/test_ndp_proxy.py @@ -119,11 +119,11 @@ class AdminTests(NDPProxyAPITestCase): policy.enforce(self.context, "delete_ndp_proxy", self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_ndp_proxy(self): self.assertTrue( @@ -155,6 +155,13 @@ class ProjectMemberTests(AdminTests): policy.enforce, self.context, "delete_ndp_proxy", self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_network.py b/neutron/tests/unit/conf/policies/test_network.py index b91a4ed539c..ee1c4ea6f55 100644 --- a/neutron/tests/unit/conf/policies/test_network.py +++ b/neutron/tests/unit/conf/policies/test_network.py @@ -555,11 +555,11 @@ class AdminTests(NetworkAPITestCase): self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_network(self): self.assertTrue( 
@@ -834,6 +834,13 @@ class ProjectMemberTests(AdminTests): self.context, 'delete_networks_tags', self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_network_ip_availability.py b/neutron/tests/unit/conf/policies/test_network_ip_availability.py index 61a78afbc77..3eb67f4c665 100644 --- a/neutron/tests/unit/conf/policies/test_network_ip_availability.py +++ b/neutron/tests/unit/conf/policies/test_network_ip_availability.py @@ -65,11 +65,11 @@ class AdminTests(NetworkIPAvailabilityAPITestCase): self.target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_get_network_ip_availability(self): self.assertRaises( @@ -78,6 +78,13 @@ class ProjectMemberTests(AdminTests): self.context, 'get_network_ip_availability', self.target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_network_segment_range.py b/neutron/tests/unit/conf/policies/test_network_segment_range.py index 2ab007afe89..7b9e73d58fe 100644 --- a/neutron/tests/unit/conf/policies/test_network_segment_range.py +++ b/neutron/tests/unit/conf/policies/test_network_segment_range.py 
@@ -131,11 +131,11 @@ class AdminTests(NetworkSegmentRangeAPITestCase): 'delete_network_segment_ranges_tags', self.target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_network_segment_range(self): self.assertRaises( @@ -180,6 +180,13 @@ class ProjectMemberTests(AdminTests): self.context, 'delete_network_segment_ranges_tags', self.target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_port.py b/neutron/tests/unit/conf/policies/test_port.py index dd1460ef610..c61669d2034 100644 --- a/neutron/tests/unit/conf/policies/test_port.py +++ b/neutron/tests/unit/conf/policies/test_port.py @@ -754,11 +754,11 @@ class AdminTests(PortAPITestCase): policy.enforce(self.context, 'delete_port', self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_port(self): self.assertTrue( 
@@ -782,50 +782,45 @@ class ProjectMemberTests(AdminTests): alt_target) def test_create_port_with_mac_address(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, self.context, 'create_port:mac_address', - self.target) + self.assertTrue( + policy.enforce(self.context, + 'create_port:mac_address', self.target)) self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, self.context, 'create_port:mac_address', self.alt_target) def test_create_port_with_fixed_ips(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, self.context, 'create_port:fixed_ips', - self.target) + self.assertTrue( + policy.enforce(self.context, + 'create_port:fixed_ips', self.target)) self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, self.context, 'create_port:fixed_ips', self.alt_target) def test_create_port_with_fixed_ips_and_ip_address(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, self.context, 'create_port:fixed_ips:ip_address', - self.target) + self.assertTrue( + policy.enforce(self.context, + 'create_port:fixed_ips:ip_address', self.target)) self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, self.context, 'create_port:fixed_ips:ip_address', self.alt_target) def test_create_port_with_fixed_ips_and_subnet_id(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, self.context, 'create_port:fixed_ips:subnet_id', - self.target) + self.assertTrue( + policy.enforce(self.context, + 'create_port:fixed_ips:subnet_id', self.target)) self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, self.context, 'create_port:fixed_ips:subnet_id', self.alt_target) def test_create_port_with_port_security_enabled(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, self.context, 'create_port:port_security_enabled', - self.target) + self.assertTrue( + policy.enforce(self.context, + 'create_port:port_security_enabled', 
self.target)) self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, self.context, 'create_port:port_security_enabled', @@ -861,11 +856,9 @@ class ProjectMemberTests(AdminTests): self.alt_target) def test_create_port_with_allowed_address_pairs(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, - self.context, 'create_port:allowed_address_pairs', - self.target) + self.assertTrue( + policy.enforce(self.context, + 'create_port:allowed_address_pairs', self.target)) self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, @@ -873,11 +866,10 @@ class ProjectMemberTests(AdminTests): self.alt_target) def test_create_port_with_allowed_address_pairs_and_mac_address(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, - self.context, 'create_port:allowed_address_pairs:mac_address', - self.target) + self.assertTrue( + policy.enforce(self.context, + 'create_port:allowed_address_pairs:mac_address', + self.target)) self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, @@ -885,11 +877,10 @@ class ProjectMemberTests(AdminTests): self.alt_target) def test_create_port_with_allowed_address_pairs_and_ip_address(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, - self.context, 'create_port:allowed_address_pairs:ip_address', - self.target) + self.assertTrue( + policy.enforce(self.context, + 'create_port:allowed_address_pairs:ip_address', + self.target)) self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, 
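Review bot: The manager expectations for `create_port:port_security_enabled` and the `create_port:allowed_address_pairs*` rules do not cover a port whose network belongs to a different project from the port. That is the case where disabling port security or adding address pairs weakens anti-spoofing on someone else's network. Each test checks only `self.target` (allowed) and `self.alt_target` (denied); how those fixtures set the network owner is outside these hunks, so the case may already be covered there. If it is not, I would add a third assertion per test with a target that keeps the manager's `project_id` but references a network owned by the other project, with a comment such as `# manager of the port's project, not the network owner` stating the intended result. The `update_port:*` manager tests added later in this file have the same two-case shape, and the `ProjectManagerTests` class starts before these hunks.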
@@ -1003,6 +994,267 @@ class ProjectMemberTests(AdminTests): policy.enforce, self.context, 'update_port:device_owner', alt_target) + def test_update_port_with_mac_address(self): + self.assertTrue( + policy.enforce( + self.context, 'update_port:mac_address', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:mac_address', + self.alt_target) + + def test_update_port_with_fixed_ips(self): + self.assertTrue( + policy.enforce(self.context, + 'update_port:fixed_ips', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:fixed_ips', + self.alt_target) + + def test_update_port_with_fixed_ips_and_ip_address(self): + self.assertTrue( + policy.enforce(self.context, + 'update_port:fixed_ips:ip_address', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:fixed_ips:ip_address', + self.alt_target) + + def test_update_port_with_fixed_ips_and_subnet_id(self): + self.assertTrue( + policy.enforce(self.context, + 'update_port:fixed_ips:subnet_id', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:fixed_ips:subnet_id', + self.alt_target) + + def test_update_port_with_port_security_enabled(self): + self.assertTrue( + policy.enforce(self.context, + 'update_port:port_security_enabled', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:port_security_enabled', + self.alt_target) + + def test_update_port_with_binding_host_id(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:binding:host_id', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:binding:host_id', + self.alt_target) + + def test_update_port_with_binding_profile(self): + self.assertRaises( + 
base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:binding:profile', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:binding:profile', + self.alt_target) + + def test_update_port_with_binding_vnic_type(self): + self.assertTrue( + policy.enforce(self.context, + 'update_port:binding:vnic_type', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:binding:vnic_type', + self.alt_target) + + def test_update_port_with_allowed_address_pairs(self): + self.assertTrue( + policy.enforce(self.context, + 'update_port:allowed_address_pairs', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_port:allowed_address_pairs', + self.alt_target) + + def test_update_port_with_allowed_address_pairs_and_mac_address(self): + self.assertTrue( + policy.enforce(self.context, + 'update_port:allowed_address_pairs:mac_address', + self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_port:allowed_address_pairs:mac_address', + self.alt_target) + + def test_update_port_with_allowed_address_pairs_and_ip_address(self): + self.assertTrue( + policy.enforce(self.context, + 'update_port:allowed_address_pairs:ip_address', + self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_port:allowed_address_pairs:ip_address', + self.alt_target) + + def test_update_port_data_plane_status(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_port:data_plane_status', self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_port:data_plane_status', self.alt_target) + + def test_update_port_hints(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + 
self.context, 'update_port:hints', self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_port:hints', self.alt_target) + + def test_update_ports_tags(self): + self.assertTrue( + policy.enforce(self.context, 'update_ports_tags', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_ports_tags', self.alt_target) + + def test_delete_port(self): + self.assertTrue( + policy.enforce(self.context, 'delete_port', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_port', self.alt_target) + + +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + def test_create_port_with_device_owner(self): + target = self.target.copy() + target['device_owner'] = 'network:test' + alt_target = self.alt_target.copy() + alt_target['device_owner'] = 'network:test' + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:device_owner', + target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:device_owner', + alt_target) + + def test_create_port_with_mac_address(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:mac_address', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:mac_address', + self.alt_target) + + def test_create_port_with_fixed_ips(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:fixed_ips', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:fixed_ips', + self.alt_target) + + def test_create_port_with_fixed_ips_and_ip_address(self): + self.assertRaises( + 
base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:fixed_ips:ip_address', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:fixed_ips:ip_address', + self.alt_target) + + def test_create_port_with_fixed_ips_and_subnet_id(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:fixed_ips:subnet_id', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:fixed_ips:subnet_id', + self.alt_target) + + def test_create_port_with_port_security_enabled(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:port_security_enabled', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:port_security_enabled', + self.alt_target) + + def test_create_port_with_allowed_address_pairs(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_port:allowed_address_pairs', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_port:allowed_address_pairs', + self.alt_target) + + def test_create_port_with_allowed_address_pairs_and_mac_address(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_port:allowed_address_pairs:mac_address', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_port:allowed_address_pairs:mac_address', + self.alt_target) + + def test_create_port_with_allowed_address_pairs_and_ip_address(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_port:allowed_address_pairs:ip_address', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 
'create_port:allowed_address_pairs:ip_address', + self.alt_target) + + def test_update_port_with_device_owner(self): + target = self.target.copy() + target['device_owner'] = 'network:test' + alt_target = self.alt_target.copy() + alt_target['device_owner'] = 'network:test' + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:device_owner', + target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:device_owner', + alt_target) + def test_update_port_with_mac_address(self): self.assertRaises( base_policy.PolicyNotAuthorized, @@ -1053,35 +1305,6 @@ class ProjectMemberTests(AdminTests): policy.enforce, self.context, 'update_port:port_security_enabled', self.alt_target) - def test_update_port_with_binding_host_id(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, self.context, 'update_port:binding:host_id', - self.target) - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, self.context, 'update_port:binding:host_id', - self.alt_target) - - def test_update_port_with_binding_profile(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, self.context, 'update_port:binding:profile', - self.target) - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, self.context, 'update_port:binding:profile', - self.alt_target) - - def test_update_port_with_binding_vnic_type(self): - self.assertTrue( - policy.enforce(self.context, - 'update_port:binding:vnic_type', self.target)) - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, self.context, 'update_port:binding:vnic_type', - self.alt_target) - def test_update_port_with_allowed_address_pairs(self): self.assertRaises( base_policy.PolicyNotAuthorized, 
@@ -1118,40 +1341,6 @@ class ProjectMemberTests(AdminTests): self.context, 'update_port:allowed_address_pairs:ip_address', self.alt_target) - def test_update_port_data_plane_status(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, - self.context, 'update_port:data_plane_status', self.target) - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, - self.context, 'update_port:data_plane_status', self.alt_target) - - def test_update_port_hints(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, - self.context, 'update_port:hints', self.target) - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, - self.context, 'update_port:hints', self.alt_target) - - def test_update_ports_tags(self): - self.assertTrue( - policy.enforce(self.context, 'update_ports_tags', self.target)) - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, self.context, 'update_ports_tags', self.alt_target) - - def test_delete_port(self): - self.assertTrue( - policy.enforce(self.context, 'delete_port', self.target)) - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, self.context, 'delete_port', self.alt_target) - class ProjectReaderTests(ProjectMemberTests): diff --git a/neutron/tests/unit/conf/policies/test_port_bindings.py b/neutron/tests/unit/conf/policies/test_port_bindings.py index 722ebd5bdba..43e2cd6f6b3 100644 --- a/neutron/tests/unit/conf/policies/test_port_bindings.py +++ b/neutron/tests/unit/conf/policies/test_port_bindings.py @@ -100,11 +100,11 @@ class AdminTests(PortBindingsAPITestCase): self.context, "activate", self.target) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_get_port_binding(self): self.assertRaises( 
@@ -113,6 +113,13 @@ class ProjectMemberTests(AdminTests): self.context, "get_port_binding", self.target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_qos.py b/neutron/tests/unit/conf/policies/test_qos.py index b5ee683c981..07cb2132192 100644 --- a/neutron/tests/unit/conf/policies/test_qos.py +++ b/neutron/tests/unit/conf/policies/test_qos.py 
@@ -114,7 +114,42 @@ class AdminQosPolicyTests(QosPolicyAPITestCase): policy.enforce(self.context, 'delete_policy', self.alt_target)) -class ProjectMemberQosPolicyTests(AdminQosPolicyTests): +class ProjectManagerQosPolicyTests(AdminQosPolicyTests): + + def setUp(self): + super(ProjectManagerQosPolicyTests, self).setUp() + self.context = self.project_manager_ctx + + def test_get_policy(self): + self.assertTrue( + policy.enforce(self.context, 'get_policy', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_policy', self.alt_target) + + def test_create_policy(self): + self.assertTrue( + policy.enforce(self.context, 'create_policy', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_policy', self.alt_target) + + def test_update_policy(self): + self.assertTrue( + policy.enforce(self.context, 'update_policy', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_policy', self.alt_target) + + def test_delete_policy(self): + self.assertTrue( + policy.enforce(self.context, 'delete_policy', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_policy', self.alt_target) + + +class ProjectMemberQosPolicyTests(ProjectManagerQosPolicyTests): def setUp(self): super(ProjectMemberQosPolicyTests, self).setUp() @@ -231,7 +266,14 @@ class AdminQosRuleTypeTests(QosRuleTypeAPITestCase): policy.enforce(self.context, 'get_rule_type', self.target)) -class ProjectMemberQosRuleTypeTests(AdminQosRuleTypeTests): +class ProjectManagerQosRuleTypeTests(AdminQosRuleTypeTests): + + def setUp(self): + super(ProjectManagerQosRuleTypeTests, self).setUp() + self.context = self.project_manager_ctx + + +class ProjectMemberQosRuleTypeTests(ProjectManagerQosRuleTypeTests): def setUp(self): super(ProjectMemberQosRuleTypeTests, self).setUp() 
@@ -477,12 +519,11 @@ class AdminQosBandwidthLimitRuleTests(QosRulesAPITestCase): self.alt_target)) -class ProjectMemberQosBandwidthLimitRuleTests( - AdminQosBandwidthLimitRuleTests): +class ProjectManagerQosBandwidthLimitRuleTests(QosRulesAPITestCase): def setUp(self): - super(ProjectMemberQosBandwidthLimitRuleTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerQosBandwidthLimitRuleTests, self).setUp() + self.context = self.project_manager_ctx def test_get_policy_bandwidth_limit_rule(self): with mock.patch.object(self.plugin_mock, "get_policy", 
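Review bot: `ProjectManagerQosBandwidthLimitRuleTests` now derives from `QosRulesAPITestCase` instead of `AdminQosBandwidthLimitRuleTests`, so the manager, member and reader classes no longer inherit the admin test methods. Any admin test without an explicit override in the manager class therefore stops running for the lower roles, where it would otherwise fail and force someone to state the expectation. Whether such a method exists is not visible from this hunk. The other manager classes in this file (`ProjectManagerQosPolicyTests`, `ProjectManagerQosRuleTypeTests`) keep the Admin base, so for consistency I would write `class ProjectManagerQosBandwidthLimitRuleTests(AdminQosBandwidthLimitRuleTests):`, or add a comment explaining why the base was changed. The packet-rate-limit and DSCP-marking manager classes further down make the same switch.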
@@ -512,6 +553,85 @@ class ProjectMemberQosBandwidthLimitRuleTests( self.context, 'get_alias_bandwidth_limit_rule', self.alt_target) + def test_create_policy_bandwidth_limit_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce(self.context, + 'create_policy_bandwidth_limit_rule', + self.target)) + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_policy_bandwidth_limit_rule', + self.alt_target) + + def test_update_policy_bandwidth_limit_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce(self.context, + 'update_policy_bandwidth_limit_rule', + self.target)) + # And the same for aliases + self.assertTrue( + policy.enforce(self.context, + 'update_alias_bandwidth_limit_rule', + self.target)) + + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_policy_bandwidth_limit_rule', + self.alt_target) + + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_alias_bandwidth_limit_rule', + self.alt_target) + + def test_delete_policy_bandwidth_limit_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce(self.context, + 'delete_policy_bandwidth_limit_rule', + self.target)) + # And the same for aliases + self.assertTrue( + policy.enforce(self.context, + 'delete_alias_bandwidth_limit_rule', + self.target)) + + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 
'delete_policy_bandwidth_limit_rule', + self.alt_target) + + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_alias_bandwidth_limit_rule', + self.alt_target) + + +class ProjectMemberQosBandwidthLimitRuleTests( + ProjectManagerQosBandwidthLimitRuleTests): + + def setUp(self): + super(ProjectMemberQosBandwidthLimitRuleTests, self).setUp() + self.context = self.project_member_ctx + def test_create_policy_bandwidth_limit_rule(self): self.assertRaises( base_policy.PolicyNotAuthorized, @@ -745,12 +865,11 @@ class AdminQosPacketRateLimitRuleTests(QosRulesAPITestCase): self.alt_target)) -class ProjectMemberQosPacketRateLimitRuleTests( - AdminQosPacketRateLimitRuleTests): +class ProjectManagerQosPacketRateLimitRuleTests(QosRulesAPITestCase): def setUp(self): - super(ProjectMemberQosPacketRateLimitRuleTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerQosPacketRateLimitRuleTests, self).setUp() + self.context = self.project_manager_ctx def test_get_policy_packet_rate_limit_rule(self): with mock.patch.object(self.plugin_mock, "get_policy", 
@@ -768,6 +887,60 @@ class ProjectMemberQosPacketRateLimitRuleTests( self.context, 'get_policy_packet_rate_limit_rule', self.alt_target) + def test_create_policy_packet_rate_limit_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce(self.context, + 'create_policy_packet_rate_limit_rule', + self.target)) + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_policy_packet_rate_limit_rule', + self.alt_target) + + def test_update_policy_packet_rate_limit_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce(self.context, + 'update_policy_packet_rate_limit_rule', + self.target)) + + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_policy_packet_rate_limit_rule', + self.alt_target) + + def test_delete_policy_packet_rate_limit_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce(self.context, + 'delete_policy_packet_rate_limit_rule', + self.target)) + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_policy_packet_rate_limit_rule', + self.alt_target) + + +class ProjectMemberQosPacketRateLimitRuleTests( + ProjectManagerQosPacketRateLimitRuleTests): + + def setUp(self): + super(ProjectMemberQosPacketRateLimitRuleTests, self).setUp() + self.context = self.project_member_ctx + def test_create_policy_packet_rate_limit_rule(self): self.assertRaises( base_policy.PolicyNotAuthorized, 
@@ -1042,12 +1215,11 @@ class AdminQosDSCPMarkingRuleTests(QosRulesAPITestCase): self.alt_target)) -class ProjectMemberQosDSCPMarkingRuleTests( - AdminQosDSCPMarkingRuleTests): +class ProjectManagerQosDSCPMarkingRuleTests(QosRulesAPITestCase): def setUp(self): - super(ProjectMemberQosDSCPMarkingRuleTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerQosDSCPMarkingRuleTests, self).setUp() + self.context = self.project_manager_ctx def test_get_policy_dscp_marking_rule(self): with mock.patch.object(self.plugin_mock, "get_policy", 
@@ -1076,6 +1248,81 @@ class ProjectMemberQosDSCPMarkingRuleTests( self.context, 'get_alias_dscp_marking_rule', self.alt_target) + def test_create_policy_dscp_marking_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce(self.context, + 'create_policy_dscp_marking_rule', + self.target)) + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_policy_dscp_marking_rule', + self.alt_target) + + def test_update_policy_dscp_marking_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce(self.context, + 'update_policy_dscp_marking_rule', + self.target)) + # And the same for aliases + self.assertTrue( + policy.enforce(self.context, + 'update_alias_dscp_marking_rule', + self.target)) + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_policy_dscp_marking_rule', + self.alt_target) + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_alias_dscp_marking_rule', + self.alt_target) + + def test_delete_policy_dscp_marking_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce(self.context, + 'delete_policy_dscp_marking_rule', + self.target)) + # And the same for aliases + self.assertTrue( + policy.enforce(self.context, + 'delete_alias_dscp_marking_rule', + self.target)) + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_policy_dscp_marking_rule', + 
self.alt_target) + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_alias_dscp_marking_rule', + self.alt_target) + + +class ProjectMemberQosDSCPMarkingRuleTests( + ProjectManagerQosDSCPMarkingRuleTests): + + def setUp(self): + super(ProjectMemberQosDSCPMarkingRuleTests, self).setUp() + self.context = self.project_member_ctx + def test_create_policy_dscp_marking_rule(self): self.assertRaises( base_policy.PolicyNotAuthorized, @@ -1397,12 +1644,11 @@ class AdminQosMinimumBandwidthRuleTests(QosRulesAPITestCase): self.alt_target)) -class ProjectMemberQosMinimumBandwidthRuleTests( - AdminQosMinimumBandwidthRuleTests): +class ProjectManagerQosMinimumBandwidthRuleTests(QosRulesAPITestCase): def setUp(self): - super(ProjectMemberQosMinimumBandwidthRuleTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerQosMinimumBandwidthRuleTests, self).setUp() + self.context = self.project_manager_ctx def test_get_policy_minimum_bandwidth_rule(self): with mock.patch.object(self.plugin_mock, "get_policy", 
@@ -1431,6 +1677,83 @@ class ProjectMemberQosMinimumBandwidthRuleTests( self.context, 'get_alias_minimum_bandwidth_rule', self.alt_target) + def test_create_policy_minimum_bandwidth_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce( + self.context, 'create_policy_minimum_bandwidth_rule', + self.target)) + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_policy_minimum_bandwidth_rule', + self.alt_target) + + def test_update_policy_minimum_bandwidth_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce( + self.context, 'update_policy_minimum_bandwidth_rule', + self.target)) + # And the same for aliases + self.assertTrue( + policy.enforce( + self.context, 'update_alias_minimum_bandwidth_rule', + self.target)) + + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_policy_minimum_bandwidth_rule', + self.alt_target) + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_alias_minimum_bandwidth_rule', + self.alt_target) + + def test_delete_policy_minimum_bandwidth_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce( + self.context, 'delete_policy_minimum_bandwidth_rule', + self.target)) + # And the same for aliases + self.assertTrue( + policy.enforce( + self.context, 'delete_alias_minimum_bandwidth_rule', + self.target)) + + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + 
policy.enforce, + self.context, 'delete_policy_minimum_bandwidth_rule', + self.alt_target) + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_alias_minimum_bandwidth_rule', + self.alt_target) + + +class ProjectMemberQosMinimumBandwidthRuleTests( + ProjectManagerQosMinimumBandwidthRuleTests): + + def setUp(self): + super(ProjectMemberQosMinimumBandwidthRuleTests, self).setUp() + self.context = self.project_member_ctx + def test_create_policy_minimum_bandwidth_rule(self): self.assertRaises( base_policy.PolicyNotAuthorized, @@ -1741,12 +2064,11 @@ class AdminQosMinimumPacketRateRuleTests(QosRulesAPITestCase): self.alt_target)) -class ProjectMemberQosMinimumPacketRateRuleTests( - AdminQosMinimumPacketRateRuleTests): +class ProjectManagerQosMinimumPacketRateRuleTests(QosRulesAPITestCase): def setUp(self): - super(ProjectMemberQosMinimumPacketRateRuleTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerQosMinimumPacketRateRuleTests, self).setUp() + self.context = self.project_manager_ctx def test_get_policy_minimum_packet_rate_rule(self): with mock.patch.object(self.plugin_mock, "get_policy", 
@@ -1775,6 +2097,83 @@ class ProjectMemberQosMinimumPacketRateRuleTests( self.context, 'get_alias_minimum_packet_rate_rule', self.alt_target) + def test_create_policy_minimum_packet_rate_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce(self.context, + 'create_policy_minimum_packet_rate_rule', + self.target)) + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_policy_minimum_packet_rate_rule', + self.alt_target) + + def test_update_policy_minimum_packet_rate_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce(self.context, + 'update_policy_minimum_packet_rate_rule', + self.target)) + # And the same for aliases + self.assertTrue( + policy.enforce(self.context, + 'update_alias_minimum_packet_rate_rule', + self.target)) + + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_policy_minimum_packet_rate_rule', + self.alt_target) + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_alias_minimum_packet_rate_rule', + self.alt_target) + + def test_delete_policy_minimum_packet_rate_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertTrue( + policy.enforce(self.context, + 'delete_policy_minimum_packet_rate_rule', + self.target)) + # And the same for aliases + self.assertTrue( + policy.enforce(self.context, + 'delete_alias_minimum_packet_rate_rule', + self.target)) + + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.alt_qos_policy): + self.assertRaises( + 
base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_policy_minimum_packet_rate_rule', + self.alt_target) + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_alias_minimum_packet_rate_rule', + self.alt_target) + + +class ProjectMemberQosMinimumPacketRateRuleTests( + ProjectManagerQosMinimumPacketRateRuleTests): + + def setUp(self): + super(ProjectMemberQosMinimumPacketRateRuleTests, self).setUp() + self.context = self.project_member_ctx + def test_create_policy_minimum_packet_rate_rule(self): self.assertRaises( base_policy.PolicyNotAuthorized, diff --git a/neutron/tests/unit/conf/policies/test_quotas.py b/neutron/tests/unit/conf/policies/test_quotas.py index 4a1a8ddb499..160374b44ba 100644 --- a/neutron/tests/unit/conf/policies/test_quotas.py +++ b/neutron/tests/unit/conf/policies/test_quotas.py @@ -103,17 +103,15 @@ class AdminTests(QuoatsAPITestCase): policy.enforce(self.context, 'delete_quota', self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_get_quota(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, - self.context, 'get_quota', self.target) + self.assertTrue( + policy.enforce(self.context, 'get_quota', self.target)) self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, 
@@ -140,6 +138,23 @@ class ProjectMemberTests(AdminTests): self.context, 'delete_quota', self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + def test_get_quota(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_quota', self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_quota', self.alt_target) + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_rbac.py b/neutron/tests/unit/conf/policies/test_rbac.py index e1913485478..52e050913bd 100644 --- a/neutron/tests/unit/conf/policies/test_rbac.py +++ b/neutron/tests/unit/conf/policies/test_rbac.py @@ -170,11 +170,11 @@ class AdminTests(RbacAPITestCase): self.context, 'delete_rbac_policy', self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_rbac_policy(self): self.assertTrue( @@ -233,6 +233,13 @@ class ProjectMemberTests(AdminTests): self.context, 'delete_rbac_policy', self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_router.py b/neutron/tests/unit/conf/policies/test_router.py index f29fde7353b..6bee941ac68 100644 --- a/neutron/tests/unit/conf/policies/test_router.py +++ b/neutron/tests/unit/conf/policies/test_router.py 
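Review bot: `ProjectMemberTests` in test_rbac.py now has no test methods of its own, so it asserts that a member gets exactly the manager's result for every rule tested in this file, and nothing in the class says that this is intended. A docstring would record the intent for whoever later promotes one of these rules to manager-only, for example `"""Members are expected to get the same results as project managers for every rule tested here."""`. The same setUp-only member subclass is added in test_router.py, test_security_group.py, test_segment.py, test_subnet.py, test_subnetpool.py and test_trunk.py.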
@@ -564,11 +564,11 @@ class AdminTests(RouterAPITestCase): 'remove_router_interface', self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_router(self): self.assertTrue( @@ -829,6 +829,13 @@ class ProjectMemberTests(AdminTests): self.context, 'remove_router_interface', self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_security_group.py b/neutron/tests/unit/conf/policies/test_security_group.py index 49ec0fb5197..8cfc352947f 100644 --- a/neutron/tests/unit/conf/policies/test_security_group.py +++ b/neutron/tests/unit/conf/policies/test_security_group.py @@ -180,11 +180,11 @@ class AdminSecurityGroupTests(SecurityGroupAPITestCase): self.alt_target)) -class ProjectMemberSecurityGroupTests(AdminSecurityGroupTests): +class ProjectManagerSecurityGroupTests(AdminSecurityGroupTests): def setUp(self): - super(ProjectMemberSecurityGroupTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerSecurityGroupTests, self).setUp() + self.context = self.project_manager_ctx def test_create_security_group(self): self.assertTrue( @@ -244,6 +244,13 @@ class ProjectMemberSecurityGroupTests(AdminSecurityGroupTests): self.context, 'delete_security_groups_tags', self.alt_target) +class ProjectMemberSecurityGroupTests(ProjectManagerSecurityGroupTests): + + def setUp(self): + super(ProjectMemberSecurityGroupTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderSecurityGroupTests(ProjectMemberSecurityGroupTests): def setUp(self): 
@@ -474,11 +481,11 @@ class AdminSecurityGroupRuleTests(SecurityGroupRuleAPITestCase): 'delete_security_group_rule', self.alt_target)) -class ProjectMemberSecurityGroupRuleTests(AdminSecurityGroupRuleTests): +class ProjectManagerSecurityGroupRuleTests(AdminSecurityGroupRuleTests): def setUp(self): - super(ProjectMemberSecurityGroupRuleTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerSecurityGroupRuleTests, self).setUp() + self.context = self.project_manager_ctx def test_create_security_group_rule(self): self.assertTrue( @@ -530,6 +537,14 @@ class ProjectMemberSecurityGroupRuleTests(AdminSecurityGroupRuleTests): self.context, 'delete_security_group_rule', self.alt_target) +class ProjectMemberSecurityGroupRuleTests( + ProjectManagerSecurityGroupRuleTests): + + def setUp(self): + super(ProjectMemberSecurityGroupRuleTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderSecurityGroupRuleTests(ProjectMemberSecurityGroupRuleTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_segment.py b/neutron/tests/unit/conf/policies/test_segment.py index 1aeae7d91c5..977c8ac2000 100644 --- a/neutron/tests/unit/conf/policies/test_segment.py +++ b/neutron/tests/unit/conf/policies/test_segment.py @@ -124,11 +124,11 @@ class AdminTests(SegmentAPITestCase): policy.enforce(self.context, 'delete_segments_tags', self.target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_segment(self): self.assertRaises( 
@@ -173,6 +173,13 @@ class ProjectMemberTests(AdminTests): self.context, 'delete_segments_tags', self.target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_service_type.py b/neutron/tests/unit/conf/policies/test_service_type.py index 67ba3a7e925..207da3add8a 100644 --- a/neutron/tests/unit/conf/policies/test_service_type.py +++ b/neutron/tests/unit/conf/policies/test_service_type.py @@ -64,7 +64,14 @@ class AdminTests(ServiceTypeAPITestCase): policy.enforce(self.context, 'get_service_provider', self.target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): + + def setUp(self): + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx + + +class ProjectMemberTests(ProjectManagerTests): def setUp(self): super(ProjectMemberTests, self).setUp() diff --git a/neutron/tests/unit/conf/policies/test_subnet.py b/neutron/tests/unit/conf/policies/test_subnet.py index a8fb6f8fc80..b6725e4e2fb 100644 --- a/neutron/tests/unit/conf/policies/test_subnet.py +++ b/neutron/tests/unit/conf/policies/test_subnet.py @@ -391,11 +391,11 @@ class AdminTests(SubnetAPITestCase): self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_subnet(self): self.assertTrue( 
@@ -550,6 +550,13 @@ class ProjectMemberTests(AdminTests): self.context, 'delete_subnets_tags', self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_subnetpool.py b/neutron/tests/unit/conf/policies/test_subnetpool.py index a7a35e6da5f..c8fda26a0f7 100644 --- a/neutron/tests/unit/conf/policies/test_subnetpool.py +++ b/neutron/tests/unit/conf/policies/test_subnetpool.py @@ -276,11 +276,11 @@ class AdminTests(SubnetpoolAPITestCase): policy.enforce(self.context, 'remove_prefixes', self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_subnetpool(self): self.assertTrue( @@ -396,6 +396,13 @@ class ProjectMemberTests(AdminTests): self.context, 'remove_prefixes', self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/neutron/tests/unit/conf/policies/test_trunk.py b/neutron/tests/unit/conf/policies/test_trunk.py index 205d33eab2a..866656fee54 100644 --- a/neutron/tests/unit/conf/policies/test_trunk.py +++ b/neutron/tests/unit/conf/policies/test_trunk.py 
@@ -197,11 +197,11 @@ class AdminTests(TrunkAPITestCase): policy.enforce(self.context, 'remove_subports', self.alt_target)) -class ProjectMemberTests(AdminTests): +class ProjectManagerTests(AdminTests): def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx + super(ProjectManagerTests, self).setUp() + self.context = self.project_manager_ctx def test_create_trunk(self): self.assertTrue( @@ -260,6 +260,13 @@ class ProjectMemberTests(AdminTests): self.context, 'remove_subports', self.alt_target) +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.context = self.project_member_ctx + + class ProjectReaderTests(ProjectMemberTests): def setUp(self): diff --git a/releasenotes/notes/Add-support-for-the-MANAGER-role-in-the-RBAC-policies-3173cb9bd64836ad.yaml b/releasenotes/notes/Add-support-for-the-MANAGER-role-in-the-RBAC-policies-3173cb9bd64836ad.yaml new file mode 100644 index 00000000000..2e625fd906a --- /dev/null +++ b/releasenotes/notes/Add-support-for-the-MANAGER-role-in-the-RBAC-policies-3173cb9bd64836ad.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Neutron API RBAC policies now support by default the project MANAGER role. + Please refer to the `community goal + `_ + for more information.