Merge "Allow network owner reader to get subnets" into stable/2024.1
commit
d2bed18af4
@ -97,7 +97,7 @@ rules = [
|
||||
check_str=neutron_policy.policy_or(
|
||||
base.PROJECT_READER,
|
||||
'rule:shared',
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER,
|
||||
base.ADMIN_OR_NET_OWNER_READER,
|
||||
),
|
||||
scope_types=['project'],
|
||||
description='Get a subnet',
|
||||
@ -128,7 +128,8 @@ rules = [
|
||||
check_str=neutron_policy.policy_or(
|
||||
base.PROJECT_READER,
|
||||
'rule:shared',
|
||||
base.ADMIN_OR_NET_OWNER_MEMBER,
|
||||
'rule:external_network',
|
||||
base.ADMIN_OR_NET_OWNER_READER,
|
||||
),
|
||||
scope_types=['project'],
|
||||
description='Get the subnet tags',
|
||||
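Review bot: The `'rule:external_network'` entry in the second hunk (the `Get the subnet tags` rule) widens read access beyond what the commit title describes, and the `Get a subnet` rule in the first hunk shows no matching entry. Going by the hunk header (7 old lines, 8 new), this line appears to be newly added alongside the swap of `base.ADMIN_OR_NET_OWNER_MEMBER` for `base.ADMIN_OR_NET_OWNER_READER`. If that reading is right, the tags of a subnet on an external network become readable in cases where the subnet itself is not, so either give both rules the same entry or state the reason in a comment above it, e.g. `# subnets on external networks are visible to every project`. None of the visible test hunks exercises this rule; both rule definitions start and end outside the hunks.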
|
@ -57,6 +57,13 @@ class SubnetAPITestCase(base.PolicyBaseTestCase):
|
||||
'tenant_id': self.alt_project_id,
|
||||
'network_id': self.alt_network['id'],
|
||||
'ext_parent_network_id': self.alt_network['id']}
|
||||
# This is the case where the network belongs to the project but not
|
||||
# the subnet.
|
||||
self.alt_target_own_net = {
|
||||
'project_id': self.alt_project_id,
|
||||
'tenant_id': self.alt_project_id,
|
||||
'network_id': self.network['id'],
|
||||
'ext_parent_network_id': self.network['id']}
|
||||
|
||||
def get_network(context, id, fields=None):
|
||||
return networks.get(id)
|
||||
@ -87,6 +94,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_create_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
@ -102,6 +113,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.alt_target_own_net)
|
||||
|
||||
def test_create_subnet_service_types(self):
|
||||
self.assertRaises(
|
||||
@ -117,6 +132,11 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types',
|
||||
self.alt_target_own_net)
|
||||
|
||||
def test_get_subnet(self):
|
||||
self.assertRaises(
|
||||
@ -131,6 +151,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_get_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
@ -145,6 +169,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.alt_target_own_net)
|
||||
|
||||
def test_get_subnets_tags(self):
|
||||
self.assertRaises(
|
||||
@ -159,6 +187,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnets_tags', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnets_tags', self.alt_target_own_net)
|
||||
|
||||
def test_update_subnet(self):
|
||||
self.assertRaises(
|
||||
@ -173,6 +205,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_update_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
@ -188,6 +224,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.alt_target_own_net)
|
||||
|
||||
def test_update_subnet_service_types(self):
|
||||
self.assertRaises(
|
||||
@ -203,6 +243,11 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types',
|
||||
self.alt_target_own_net)
|
||||
|
||||
def test_update_subnets_tags(self):
|
||||
self.assertRaises(
|
||||
@ -217,6 +262,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnets_tags', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnets_tags', self.alt_target_own_net)
|
||||
|
||||
def test_delete_subnet(self):
|
||||
self.assertRaises(
|
||||
@ -231,6 +280,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_delete_subnets_tags(self):
|
||||
self.assertRaises(
|
||||
@ -245,6 +298,10 @@ class SystemAdminTests(SubnetAPITestCase):
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnets_tags', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.InvalidScope,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnets_tags', self.alt_target_own_net)
|
||||
|
||||
|
||||
class SystemMemberTests(SystemAdminTests):
|
||||
@ -275,6 +332,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.target_net_alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnet', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_create_subnet_segment_id(self):
|
||||
self.assertTrue(
|
||||
@ -287,6 +347,10 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_subnet:segment_id', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_subnet:segment_id',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_create_subnet_service_types(self):
|
||||
self.assertTrue(
|
||||
@ -299,6 +363,10 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_subnet:service_types', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'create_subnet:service_types',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_get_subnet(self):
|
||||
self.assertTrue(
|
||||
@ -308,6 +376,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.target_net_alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnet', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_get_subnet_segment_id(self):
|
||||
self.assertTrue(
|
||||
@ -318,6 +389,10 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_subnet:segment_id', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'get_subnet:segment_id',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_get_subnets_tags(self):
|
||||
self.assertTrue(
|
||||
@ -327,6 +402,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.target_net_alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnets_tags', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_update_subnet(self):
|
||||
self.assertTrue(
|
||||
@ -336,6 +414,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.target_net_alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnet', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_update_subnet_segment_id(self):
|
||||
self.assertTrue(
|
||||
@ -348,6 +429,10 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'update_subnet:segment_id', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(
|
||||
self.context, 'update_subnet:segment_id',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_update_subnet_service_types(self):
|
||||
self.assertTrue(
|
||||
@ -370,6 +455,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnets_tags',
|
||||
self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_delete_subnet(self):
|
||||
self.assertTrue(
|
||||
@ -379,6 +467,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.target_net_alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnet', self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_delete_subnets_tags(self):
|
||||
self.assertTrue(
|
||||
@ -389,6 +480,9 @@ class AdminTests(SubnetAPITestCase):
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnets_tags',
|
||||
self.alt_target))
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
|
||||
class ProjectMemberTests(AdminTests):
|
||||
@ -408,6 +502,9 @@ class ProjectMemberTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'create_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_create_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
@ -423,6 +520,10 @@ class ProjectMemberTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:segment_id', self.alt_target_own_net)
|
||||
|
||||
def test_create_subnet_service_types(self):
|
||||
self.assertRaises(
|
||||
@ -438,6 +539,11 @@ class ProjectMemberTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet:service_types',
|
||||
self.alt_target_own_net)
|
||||
|
||||
def test_get_subnet(self):
|
||||
self.assertTrue(
|
||||
@ -449,6 +555,9 @@ class ProjectMemberTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_get_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
@ -463,6 +572,10 @@ class ProjectMemberTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnet:segment_id', self.alt_target_own_net)
|
||||
|
||||
def test_get_subnets_tags(self):
|
||||
self.assertTrue(
|
||||
@ -474,6 +587,9 @@ class ProjectMemberTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'get_subnets_tags', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'get_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_update_subnet(self):
|
||||
self.assertTrue(
|
||||
@ -485,6 +601,9 @@ class ProjectMemberTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_update_subnet_segment_id(self):
|
||||
self.assertRaises(
|
||||
@ -500,6 +619,10 @@ class ProjectMemberTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:segment_id', self.alt_target_own_net)
|
||||
|
||||
def test_update_subnet_service_types(self):
|
||||
self.assertRaises(
|
||||
@ -515,6 +638,11 @@ class ProjectMemberTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet:service_types',
|
||||
self.alt_target_own_net)
|
||||
|
||||
def test_update_subnets_tags(self):
|
||||
self.assertTrue(
|
||||
@ -526,6 +654,9 @@ class ProjectMemberTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnets_tags', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'update_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_delete_subnet(self):
|
||||
self.assertTrue(
|
||||
@ -537,6 +668,9 @@ class ProjectMemberTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnet',
|
||||
self.alt_target_own_net))
|
||||
|
||||
def test_delete_subnets_tags(self):
|
||||
self.assertTrue(
|
||||
@ -548,6 +682,9 @@ class ProjectMemberTests(AdminTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnets_tags', self.alt_target)
|
||||
self.assertTrue(
|
||||
policy.enforce(self.context, 'delete_subnets_tags',
|
||||
self.alt_target_own_net))
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
@ -569,6 +706,10 @@ class ProjectReaderTests(ProjectMemberTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'create_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_update_subnet(self):
|
||||
self.assertRaises(
|
||||
@ -583,6 +724,10 @@ class ProjectReaderTests(ProjectMemberTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_update_subnets_tags(self):
|
||||
self.assertRaises(
|
||||
@ -597,6 +742,10 @@ class ProjectReaderTests(ProjectMemberTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnets_tags', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'update_subnets_tags', self.alt_target_own_net)
|
||||
|
||||
def test_delete_subnet(self):
|
||||
self.assertRaises(
|
||||
@ -611,6 +760,10 @@ class ProjectReaderTests(ProjectMemberTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnet', self.alt_target_own_net)
|
||||
|
||||
def test_delete_subnets_tags(self):
|
||||
self.assertRaises(
|
||||
@ -625,6 +778,10 @@ class ProjectReaderTests(ProjectMemberTests):
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnets_tags', self.alt_target)
|
||||
self.assertRaises(
|
||||
base_policy.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context, 'delete_subnets_tags', self.alt_target_own_net)
|
||||
|
||||
|
||||
class ServiceRoleTests(SubnetAPITestCase):
|
||||
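Review bot: `AdminTests.test_update_subnet_service_types` receives no `alt_target_own_net` assertion. The hunk at `-348,6 +429,10` ends on that test's first line and the next hunk (`-370,6 +455,9`) already sits in `test_update_subnets_tags`, with offsets that leave no added line in between. Every sibling test in `AdminTests`, and the same test in `SystemAdminTests` and `ProjectMemberTests`, does get one, so the admin case for `update_subnet:service_types` on a subnet owned by another project is the only one left unpinned. I would add `self.assertTrue(policy.enforce(self.context, 'update_subnet:service_types', self.alt_target_own_net))` at the end of that test, wrapped to the file's line length. The test bodies start and end outside the hunks, so this is inferred from the hunk headers.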
|
@ -0,0 +1,7 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
Subnet policies have been updated to allow other users to operate on them.
|
||||
Network owners and readers can now retrieve the subnet and project members
|
||||
can now update and delete the subnet. For more information, see bug
|
||||
`2038646 <https://launchpad.net/bugs/2038646>`_.
|