Add ADMIN role and remove scope from the check strings

This patch should finally complete phase 1 of Secure RBAC community
goal [1] where it was agreed that there will be just 4 personas:
* ADMIN
* PROJECT_ADMIN
* PROJECT_MEMBER
* PROJECT_READER

System scope personas will be added in next phases of the community
goal.
To complete phase 1 in Neutron, this patch removes hardcoded system scope
from the check strings in system scope personas - that way it can be
controlled by the config option and enforced by oslo_policy only when
enabled.
It also skips all SYSTEM_MEMBER and SYSTEM_READER related unit tests. We
can re-enable them in the future, once those personas are working in
Neutron.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1

Change-Id: Iafa8ec1d9710ff404450ad0a64baf56a0f993756
Slawek Kaplonski 2022-04-08 14:31:57 +02:00
parent 4f9313fca1
commit c4618857b0
40 changed files with 250 additions and 61 deletions


@ -25,7 +25,7 @@ DEPRECATION_REASON = (
rules = [
policy.DocumentedRuleDefault(
name='get_agent',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description='Get an agent',
operations=[
{
@ -46,7 +46,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='update_agent',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Update an agent',
operations=[
{
@ -63,7 +63,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='delete_agent',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Delete an agent',
operations=[
{
@ -80,7 +80,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='create_dhcp-network',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Add a network to a DHCP agent',
operations=[
{
@ -97,7 +97,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_dhcp-networks',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description='List networks on a DHCP agent',
operations=[
{
@ -114,7 +114,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='delete_dhcp-network',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Remove a network from a DHCP agent',
operations=[
{
@ -131,7 +131,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='create_l3-router',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Add a router to an L3 agent',
operations=[
{
@ -148,7 +148,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_l3-routers',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description='List routers on an L3 agent',
operations=[
{
@ -165,7 +165,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='delete_l3-router',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Remove a router from an L3 agent',
operations=[
{
@ -182,7 +182,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_dhcp-agents',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description='List DHCP agents hosting a network',
operations=[
{
@ -199,7 +199,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_l3-agents',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description='List L3 agents hosting a router',
operations=[
{
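Review bot: The read-only rules in this section (`get_agent`, `get_dhcp-networks`, `get_l3-routers`, `get_dhcp-agents`, `get_l3-agents`) now share `base.ADMIN` with the mutating rules, so the defaults no longer offer a way to grant audit-style read access without full admin rights. The commit message says the system personas return in a later phase; a marker at each affected rule, e.g. `# TODO: relax to a reader-level check once SYSTEM_READER is supported`, would keep that from being forgotten. The same applies to `get_availability_zone`, `get_service_profile`, `get_loggable_resource`, `get_log`, `get_network_ip_availability`, `get_network_segment_range`, `get_quota` and `get_segment` in the later sections. The `rules` list starts and ends outside these hunks.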


@ -22,7 +22,7 @@ DEPRECATION_REASON = (
rules = [
policy.DocumentedRuleDefault(
name='get_availability_zone',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description='List availability zones',
operations=[
{


@ -33,26 +33,33 @@ RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC = policy_or(RULE_ADMIN_OR_NET_OWNER,
RULE_ADVSVC)
RULE_ADMIN_OR_PARENT_OWNER = 'rule:admin_or_ext_parent_owner'
# For completion of the phase 1
# https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1
# there is now ADMIN role
ADMIN = "rule:admin_only"
# Generic policy check string for system administrators. These are the people
# who need the highest level of authorization to operate the deployment.
# They're allowed to create, read, update, or delete any system-specific
# resource. They can also operate on project-specific resources where
# applicable (e.g., removing networks or routers)
SYSTEM_ADMIN = 'role:admin and system_scope:all'
SYSTEM_ADMIN = 'role:admin'
# SYSTEM_MEMBER and SYSTEM_READER roles aren't really used as for now, they
# will be after completion of whole Secure-RBAC goal
# Generic policy check string for system users who don't require all the
# authorization that system administrators typically have. This persona, or
# check string, typically isn't used by default, but it's existence it useful
# in the event a deployment wants to offload some administrative action from
# system administrator to system members
SYSTEM_MEMBER = 'role:member and system_scope:all'
SYSTEM_MEMBER = 'role:member'
# Generic policy check string for read-only access to system-level resources.
# This persona is useful for someone who needs access for auditing or even
# support. These users are also able to view project-specific resources where
# applicable (e.g., listing all networks in the deployment, regardless of the
# project they belong to).
SYSTEM_READER = 'role:reader and system_scope:all'
SYSTEM_READER = 'role:reader'
# This check string is reserved for actions that require the highest level of
# authorization on a project or resources within the project (e.g., setting the
@ -73,10 +80,8 @@ PROJECT_READER = 'role:reader and project_id:%(project_id)s'
# protecting APIs designed to operate with multiple scopes (e.g., a system
# administrator should be able to delete any router in the deployment, a
# project member should only be able to delete routers in their project).
SYSTEM_ADMIN_OR_PROJECT_MEMBER = (
'(' + SYSTEM_ADMIN + ') or (' + PROJECT_MEMBER + ')')
SYSTEM_OR_PROJECT_READER = (
'(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')')
ADMIN_OR_PROJECT_READER = (
'(' + ADMIN + ') or (' + PROJECT_READER + ')')
# Additional rules needed in Neutron
RULE_NET_OWNER = 'rule:network_owner'
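Review bot: With `and system_scope:all` dropped, `SYSTEM_MEMBER = 'role:member'` and `SYSTEM_READER = 'role:reader'` match any token that carries the role, including a project-scoped one, while the comments above them still describe deployment-wide personas. The added comment says they are not really used for now, but nothing stops a later default or an operator override from referencing them, and with scope enforcement disabled that would admit ordinary project members or readers to a rule meant for system users. If no policy in the tree references them after this change (not verifiable from this hunk), removing the constants is the safer option; otherwise put a warning directly on them, e.g. `# NOTE: no scope check here, matches project-scoped tokens too; do not use in a default until system scope is enforced`. `SYSTEM_ADMIN = 'role:admin'` has the same mismatch with its comment about "the highest level of authorization".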


@ -30,7 +30,7 @@ DEPRECATION_REASON = (
rules = [
policy.DocumentedRuleDefault(
name='create_flavor',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Create a flavor',
operations=[
{
@ -47,7 +47,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_flavor',
check_str=base.SYSTEM_OR_PROJECT_READER,
check_str=base.ADMIN_OR_PROJECT_READER,
description='Get a flavor',
operations=[
{
@ -68,7 +68,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='update_flavor',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Update a flavor',
operations=[
{
@ -85,7 +85,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='delete_flavor',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Delete a flavor',
operations=[
{
@ -103,7 +103,7 @@ rules = [
policy.DocumentedRuleDefault(
name='create_service_profile',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Create a service profile',
operations=[
{
@ -120,7 +120,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_service_profile',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
description='Get a service profile',
operations=[
{
@ -141,7 +141,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='update_service_profile',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Update a service profile',
operations=[
{
@ -158,7 +158,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='delete_service_profile',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Delete a service profile',
operations=[
{
@ -176,7 +176,7 @@ rules = [
policy.RuleDefault(
name='get_flavor_service_profile',
check_str=base.SYSTEM_OR_PROJECT_READER,
check_str=base.ADMIN_OR_PROJECT_READER,
description=(
'Get a flavor associated with a given service profiles. '
'There is no corresponding GET operations in API currently. '
@ -191,7 +191,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='create_flavor_service_profile',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Associate a flavor with a service profile',
operations=[
{
@ -208,7 +208,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='delete_flavor_service_profile',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
description='Disassociate a flavor with a service profile',
operations=[
{


@ -27,7 +27,7 @@ RESOURCE_PATH = '/log/logs/{id}'
rules = [
policy.DocumentedRuleDefault(
name='get_loggable_resource',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
scope_types=['system'],
description='Get loggable resources',
operations=[
@ -44,7 +44,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='create_log',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
scope_types=['system'],
description='Create a network log',
operations=[
@ -61,7 +61,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_log',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
scope_types=['system'],
description='Get a network log',
operations=[
@ -82,7 +82,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='update_log',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
scope_types=['system'],
description='Update a network log',
operations=[
@ -99,7 +99,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='delete_log',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
scope_types=['system'],
description='Delete a network log',
operations=[
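Review bot: `scope_types=['system']` stays on every rule in this section while the check string becomes `base.ADMIN`, so the role check and the scope check now describe different personas. With scope enforcement enabled, a project-scoped admin token would presumably be rejected with `InvalidScope` (the availability-zone test added in this commit asserts exactly that for `project_admin_ctx`); with it disabled, any token satisfying `rule:admin_only` passes. If that is the intended phase-1 behaviour, state it next to the rules, e.g. `# ADMIN needs a system-scoped token when enforce_scope is on`; otherwise `scope_types` should be revisited together with the check string. The same combination appears in the network IP availability, network segment range, quota and segment rules in the following sections, and `get_rule_type` pairs `base.ADMIN` with `['system', 'project']`.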


@ -23,7 +23,7 @@ The network IP availability API now support system scope and default roles.
rules = [
policy.DocumentedRuleDefault(
name='get_network_ip_availability',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
scope_types=['system'],
description='Get network IP availability',
operations=[


@ -29,7 +29,7 @@ RESOURCE_PATH = '/network_segment_ranges/{id}'
rules = [
policy.DocumentedRuleDefault(
name='create_network_segment_range',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
scope_types=['system'],
description='Create a network segment range',
operations=[
@ -46,7 +46,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_network_segment_range',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
scope_types=['system'],
description='Get a network segment range',
operations=[
@ -67,7 +67,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='update_network_segment_range',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
scope_types=['system'],
description='Update a network segment range',
operations=[
@ -84,7 +84,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='delete_network_segment_range',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
scope_types=['system'],
description='Delete a network segment range',
operations=[


@ -96,12 +96,7 @@ rules = [
policy.DocumentedRuleDefault(
name='get_rule_type',
# NOTE: we are using role:admin instead of PROJECT_ADMIN here because
# rule_type resource don't belongs to any project so using
# PROJECT_ADMIN as check string would cause enforcement error
check_str=base.policy_or(
"role:admin",
base.SYSTEM_READER),
check_str=base.ADMIN,
scope_types=['system', 'project'],
description='Get available QoS rule types',
operations=[


@ -27,7 +27,7 @@ RESOURCE_PATH = '/quota/{id}'
rules = [
policy.DocumentedRuleDefault(
name='get_quota',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
scope_types=['system'],
description='Get a resource quota',
operations=[
@ -48,7 +48,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='update_quota',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
scope_types=['system'],
description='Update a resource quota',
operations=[
@ -65,7 +65,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='delete_quota',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
scope_types=['system'],
description='Delete a resource quota',
operations=[


@ -25,7 +25,7 @@ RESOURCE_PATH = '/segments/{id}'
rules = [
policy.DocumentedRuleDefault(
name='create_segment',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
scope_types=['system'],
description='Create a segment',
operations=[
@ -42,7 +42,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='get_segment',
check_str=base.SYSTEM_READER,
check_str=base.ADMIN,
scope_types=['system'],
description='Get a segment',
operations=[
@ -63,7 +63,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='update_segment',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
scope_types=['system'],
description='Update a segment',
operations=[
@ -80,7 +80,7 @@ rules = [
),
policy.DocumentedRuleDefault(
name='delete_segment',
check_str=base.SYSTEM_ADMIN,
check_str=base.ADMIN,
scope_types=['system'],
description='Delete a segment',
operations=[


@ -22,7 +22,7 @@ DEPRECATION_REASON = (
rules = [
policy.DocumentedRuleDefault(
name='get_service_provider',
# NOTE: it can't be SYSTEM_OR_PROJECT_READER constant from the base
# NOTE: it can't be ADMIN_OR_PROJECT_READER constant from the base
# module because that is using "project_id" in the check string and the
# service_provider resource don't belongs to any project thus such
# check string would fail enforcment.


@ -47,6 +47,8 @@ class SystemAdminTests(AddressGroupAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -54,6 +56,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx
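Review bot: Skipping in `setUp` disables every test these classes define or inherit, including any that assert a denial, so after this change nothing in the section shows how a system-scoped `member` or `reader` token is treated (the class bodies are outside the hunks, so the number of negative cases lost is not visible here). That matters more now that `SYSTEM_MEMBER` and `SYSTEM_READER` are plain `role:member` / `role:reader` strings. The two statements after `self.skipTest(...)` are also unreachable, because `skipTest` raises; a comment such as `# TODO: drop the skip once system personas are supported` above the call would make the intent explicit. The same pattern repeats in the remaining test sections of this commit.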


@ -97,6 +97,8 @@ class SystemAdminTests(AddressScopeAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -104,6 +106,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -92,6 +92,8 @@ class SystemAdminTests(AgentAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -135,6 +137,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -65,6 +65,8 @@ class SystemAdminTests(AutoAllocatedTopologyAPITestCase):
class SystemMemberTests(AutoAllocatedTopologyAPITestCase):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -84,6 +86,8 @@ class SystemMemberTests(AutoAllocatedTopologyAPITestCase):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -25,13 +25,58 @@ class AvailabilityZoneAPITestCase(base.PolicyBaseTestCase):
super(AvailabilityZoneAPITestCase, self).setUp()
self.target = {}
def test_system_reader_can_get_availability_zone(self):
self.assertTrue(
policy.enforce(self.system_reader_ctx, "get_availability_zone",
self.target))
def test_project_reader_can_not_get_availability_zone(self):
class SystemAdminTests(AvailabilityZoneAPITestCase):
def setUp(self):
super(SystemAdminTests, self).setUp()
self.context = self.system_admin_ctx
def test_get_availability_zone(self):
self.assertTrue(
policy.enforce(self.context, "get_availability_zone", self.target))
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx
class ProjectAdminTests(AvailabilityZoneAPITestCase):
def setUp(self):
super(ProjectAdminTests, self).setUp()
self.context = self.project_admin_ctx
def test_get_availability_zone(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.project_reader_ctx, "get_availability_zone", self.target)
self.context, "get_availability_zone", self.target)
class ProjectMemberTests(ProjectAdminTests):
def setUp(self):
super(ProjectMemberTests, self).setUp()
self.context = self.project_member_ctx
class ProjectReaderTests(ProjectMemberTests):
def setUp(self):
super(ProjectReaderTests, self).setUp()
self.context = self.project_reader_ctx


@ -84,6 +84,8 @@ class SystemAdminTests(FlavorAPITestCase):
class SystemMemberTests(FlavorAPITestCase):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -149,6 +151,8 @@ class SystemMemberTests(FlavorAPITestCase):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -93,6 +93,8 @@ class SystemAdminTests(FloatingIPAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -100,6 +102,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -42,6 +42,8 @@ class SystemAdminTests(FloatingipPoolsAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -49,6 +51,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -104,6 +104,8 @@ class SystemAdminTests(FloatingipPortForwardingAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -111,6 +113,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -96,6 +96,8 @@ class SystemAdminTests(L3ConntrackHelperAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -103,6 +105,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -61,6 +61,8 @@ class SystemAdminTests(LocalIPAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -68,6 +70,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -92,6 +92,8 @@ class SystemAdminTests(LocalIPAssociationAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -99,6 +101,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -56,6 +56,8 @@ class SystemAdminTests(LoggingAPITestCase):
class SystemMemberTests(LoggingAPITestCase):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -86,6 +88,8 @@ class SystemMemberTests(LoggingAPITestCase):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -97,6 +97,8 @@ class SystemAdminTests(MeteringAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -104,6 +106,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -77,6 +77,8 @@ class SystemAdminTests(NDPProxyAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -84,6 +86,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -303,6 +303,8 @@ class SystemAdminTests(NetworkAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -310,6 +312,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -41,6 +41,8 @@ class SystemAdminTests(NetworkIPAvailabilityAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -48,6 +50,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_member_ctx
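Review bot: `SystemReaderTests.setUp` ends with `self.context = self.system_member_ctx`, so once the skip added here is lifted the reader class will silently run with the member context. The line predates this change, but the new skip hides it from any failing test. Correcting it in the same edit (`self.context = self.system_reader_ctx`) avoids re-enabling a class that exercises the wrong persona.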


@ -56,6 +56,8 @@ class SystemAdminTests(NetworkSegmentRangeAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -81,6 +83,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -410,6 +410,8 @@ class SystemAdminTests(PortAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -417,6 +419,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -72,6 +72,8 @@ class SystemAdminQosPolicyTests(QosPolicyAPITestCase):
class SystemMemberQosPolicyTests(SystemAdminQosPolicyTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberQosPolicyTests, self).setUp()
self.context = self.system_member_ctx
@ -79,6 +81,8 @@ class SystemMemberQosPolicyTests(SystemAdminQosPolicyTests):
class SystemReaderQosPolicyTests(SystemMemberQosPolicyTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderQosPolicyTests, self).setUp()
self.context = self.system_reader_ctx
@ -177,6 +181,8 @@ class SystemAdminQosRuleTypeTests(QosRuleTypeAPITestCase):
class SystemMemberQosRuleTypeTests(SystemAdminQosRuleTypeTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberQosRuleTypeTests, self).setUp()
self.context = self.system_member_ctx
@ -184,6 +190,8 @@ class SystemMemberQosRuleTypeTests(SystemAdminQosRuleTypeTests):
class SystemReaderQosRuleTypeTests(SystemMemberQosRuleTypeTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderQosRuleTypeTests, self).setUp()
self.context = self.system_reader_ctx
@ -337,6 +345,8 @@ class SystemMemberQosBandwidthLimitRuleTests(
SystemAdminQosBandwidthLimitRuleTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberQosBandwidthLimitRuleTests, self).setUp()
self.context = self.system_member_ctx
@ -345,6 +355,8 @@ class SystemReaderQosBandwidthLimitRuleTests(
SystemMemberQosBandwidthLimitRuleTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderQosBandwidthLimitRuleTests, self).setUp()
self.context = self.system_reader_ctx
@ -603,6 +615,8 @@ class SystemAdminQosDSCPMarkingRuleTests(QosRulesAPITestCase):
class SystemMemberQosDSCPMarkingRuleTests(SystemAdminQosDSCPMarkingRuleTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberQosDSCPMarkingRuleTests, self).setUp()
self.context = self.system_member_ctx
@ -610,6 +624,8 @@ class SystemMemberQosDSCPMarkingRuleTests(SystemAdminQosDSCPMarkingRuleTests):
class SystemReaderQosDSCPMarkingRuleTests(SystemMemberQosDSCPMarkingRuleTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderQosDSCPMarkingRuleTests, self).setUp()
self.context = self.system_reader_ctx
@ -869,6 +885,8 @@ class SystemMemberQosMinimumBandwidthRuleTests(
SystemAdminQosMinimumBandwidthRuleTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberQosMinimumBandwidthRuleTests, self).setUp()
self.context = self.system_member_ctx
@ -877,6 +895,8 @@ class SystemReaderQosMinimumBandwidthRuleTests(
SystemMemberQosMinimumBandwidthRuleTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderQosMinimumBandwidthRuleTests, self).setUp()
self.context = self.system_reader_ctx
@ -1136,6 +1156,8 @@ class SystemMemberQosMinimumPacketRateRuleTests(
SystemAdminQosMinimumPacketRateRuleTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberQosMinimumPacketRateRuleTests, self).setUp()
self.context = self.system_member_ctx
@ -1144,6 +1166,8 @@ class SystemReaderQosMinimumPacketRateRuleTests(
SystemMemberQosMinimumPacketRateRuleTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderQosMinimumPacketRateRuleTests, self).setUp()
self.context = self.system_reader_ctx


@ -55,6 +55,8 @@ class SystemAdminTests(QuoatsAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -82,6 +84,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -107,6 +107,8 @@ class SystemAdminTests(RbacAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -114,6 +116,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -258,6 +258,8 @@ class SystemAdminTests(RouterAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -265,6 +267,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx
@ -741,6 +745,8 @@ class SystemAdminExtrarouteTests(ExtrarouteAPITestCase):
class SystemMemberExtrarouteTests(SystemAdminExtrarouteTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberExtrarouteTests, self).setUp()
self.context = self.system_member_ctx
@ -748,6 +754,8 @@ class SystemMemberExtrarouteTests(SystemAdminExtrarouteTests):
class SystemReaderExtrarouteTests(SystemMemberExtrarouteTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderExtrarouteTests, self).setUp()
self.context = self.system_reader_ctx


@ -80,6 +80,8 @@ class SystemAdminSecurityGroupTests(SecurityGroupAPITestCase):
class SystemMemberSecurityGroupTests(SystemAdminSecurityGroupTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberSecurityGroupTests, self).setUp()
self.context = self.system_member_ctx
@ -87,6 +89,8 @@ class SystemMemberSecurityGroupTests(SystemAdminSecurityGroupTests):
class SystemReaderSecurityGroupTests(SystemMemberSecurityGroupTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderSecurityGroupTests, self).setUp()
self.context = self.system_reader_ctx
@ -238,6 +242,8 @@ class SystemAdminSecurityGroupRuleTests(SecurityGroupRuleAPITestCase):
class SystemMemberSecurityGroupRuleTests(SystemAdminSecurityGroupRuleTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberSecurityGroupRuleTests, self).setUp()
self.context = self.system_member_ctx
@ -245,6 +251,8 @@ class SystemMemberSecurityGroupRuleTests(SystemAdminSecurityGroupRuleTests):
class SystemReaderSecurityGroupRuleTests(SystemMemberSecurityGroupRuleTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderSecurityGroupRuleTests, self).setUp()
self.context = self.system_reader_ctx


@ -52,6 +52,8 @@ class SystemAdminTests(SegmentAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -77,6 +79,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -38,6 +38,8 @@ class SystemAdminTests(ServiceTypeAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -45,16 +47,22 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx
class ProjectAdminTests(SystemAdminTests):
class ProjectAdminTests(ServiceTypeAPITestCase):
def setUp(self):
super(ProjectAdminTests, self).setUp()
self.context = self.project_admin_ctx
def test_get_service_provider(self):
self.assertTrue(
policy.enforce(self.context, 'get_service_provider', self.target))
class ProjectMemberTests(ProjectAdminTests):
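Review bot: Re-parenting `ProjectAdminTests` onto `ServiceTypeAPITestCase` means that it, and `ProjectMemberTests` which derives from it, no longer inherit any test from `SystemAdminTests`, so the only check visible here for project personas is the allow-path `test_get_service_provider`. If `SystemAdminTests` defines further policy checks, they would silently stop running for project contexts; this cannot be confirmed from the hunk, because `SystemAdminTests` and the body of `ProjectMemberTests` lie outside it. I would add a class comment that states the intent, e.g. `# Project personas are tested independently of SystemAdminTests; add an explicit test here for every policy they must be checked against.`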


@ -147,6 +147,8 @@ class SystemAdminTests(SubnetAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -154,6 +156,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -137,6 +137,8 @@ class SystemAdminTests(SubnetpoolAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -144,6 +146,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx


@ -107,6 +107,8 @@ class SystemAdminTests(TrunkAPITestCase):
class SystemMemberTests(SystemAdminTests):
def setUp(self):
self.skipTest("SYSTEM_MEMBER persona isn't supported in phase1 of the "
"community goal")
super(SystemMemberTests, self).setUp()
self.context = self.system_member_ctx
@ -114,6 +116,8 @@ class SystemMemberTests(SystemAdminTests):
class SystemReaderTests(SystemMemberTests):
def setUp(self):
self.skipTest("SYSTEM_READER persona isn't supported in phase1 of the "
"community goal")
super(SystemReaderTests, self).setUp()
self.context = self.system_reader_ctx